[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Thu Jul 24 09:25:05 MDT 2014


I have been using Samba4 for ages and love it as a DC and a 
print-server. I just set up my first member-server designed solely to 
host file shares, and have hit an issue. Group policy is mapping it 
correctly for the users in the group, but those users are getting an 
access denied message from their Windows 7 Pro 64-bit clients when 
accessing the share. I have configured ACLs and the box resolves users 
and groups. Everything works, except for the shares. Below I attached 
all of the information I believe to be useful. Ask if you need more, and 
thank you for your help!

smb.conf:
======
[global]
   netbios name = FS01
   workgroup = TRUEVINE
   security = ADS
   realm = TRUEVINE.LAN
   encrypt passwords = yes

   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:schema_mode = rfc2307
   idmap config SAMDOM:range = 500-40000

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes

   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes
   auth methods = winbind

[install$]
   path = /home/shared/install
   comment = "Software installation files"
   read only = no

[staff$]
   path = /home/shared/staff
   comment = "Staff file share"
   read only = no

[fbc$]
   path = /home/shared/fbc
   comment = "Family Bible College file share"
   read only = no



ACL List:
======
root@fs01:~# getfacl /home/shared/staff/
getfacl: Removing leading '/' from absolute path names
# file: home/shared/staff/
# owner: reachfp
# group: administration
# flags: ss-
user::rwx
user:reachfp:rwx
group::rwx
group:administration:rwx
group:domain\040admins:rwx
group:70028:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:reachfp:rwx
default:group::---
default:group:administration:rwx
default:group:domain\040admins:rwx
default:group:70028:rwx
default:mask::rwx
default:other::---

root@fs01:~# getfacl /home/shared/fbc/
getfacl: Removing leading '/' from absolute path names
# file: home/shared/fbc/
# owner: reachfp
# group: fbc
# flags: ss-
user::rwx
user:reachfp:rwx
group::rwx
group:fbc:rwx
group:domain\040admins:rwx
group:70028:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:reachfp:rwx
default:group::---
default:group:fbc:rwx
default:group:domain\040admins:rwx
default:group:70028:rwx
default:mask::rwx
default:other::---



NSSwitch:
======
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis



FS Permissions:
==========
root@fs01:~# l /home/shared
total 40
drwsrwsrwx+  6 reachfp fbc             4096 Jul 23 11:31 fbc
drwsrws---+  8 reachfp domain admins   4096 Jul 23 11:14 install
drwx------   2 root    root           16384 Jul 15 10:00 lost+found
drwsrwsrwx+ 13 reachfp administration  4096 Jul 23 11:30 staff



As you can see, I even tried changing the directory permissions to 777 
and still no go. The users in the "administration" group are getting the 
drive mapped but are being denied access to it. Same for FBC. I have 
worked on this for days now and cannot get anywhere. What should I try next?
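
An added example, not part of the original post: a consistency check over the idmap settings posted above. It assumes that the name in each `idmap config NAME:...` line has to be `*` or the joined domain's short name (the `workgroup` value) for that block to apply, and it reports which configured range a numeric ID such as the unresolved `group:70028` from the getfacl output falls into. The function names are hypothetical.

```python
import re

# Constructed sample: the idmap-relevant [global] lines from the smb.conf in the post.
SMB_CONF = """
[global]
   workgroup = TRUEVINE
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:schema_mode = rfc2307
   idmap config SAMDOM:range = 500-40000
"""

IDMAP_RE = re.compile(r"^idmap config\s+([^:\s]+)\s*:\s*([\w ]+?)\s*=\s*(.+)$", re.I)

def parse_global(text):
    """Return (workgroup, {domain: {option: value}}) from the [global] section."""
    workgroup, domains, section = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global":
            m = IDMAP_RE.match(line)
            if m:
                domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3).strip()
            elif line.lower().startswith("workgroup"):
                workgroup = line.split("=", 1)[1].strip().upper()
    return workgroup, domains

def unmatched_domains(workgroup, domains):
    """idmap blocks named neither '*' nor the workgroup (assumed not to apply)."""
    return sorted(d for d in domains if d not in ("*", workgroup))

def domain_for_id(domains, unix_id):
    """Name of the idmap block whose range contains unix_id, or None."""
    for name, opts in domains.items():
        low, high = (int(x) for x in opts.get("range", "0-0").split("-"))
        if low <= unix_id <= high:
            return name
    return None

if __name__ == "__main__":
    wg, doms = parse_global(SMB_CONF)
    print("workgroup:", wg, "| blocks not matching it:", unmatched_domains(wg, doms))
    print("gid 70028 falls in the range of:", domain_for_id(doms, 70028))
```

On the posted settings this reports the `SAMDOM` block as not matching the `TRUEVINE` workgroup and places 70028 in the default `*` (tdb) range.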

