[Samba] Samba 4 AD share: Access denied
Ryan Ashley
ryana at reachtechfp.com
Thu Jul 24 09:25:05 MDT 2014
I have been using Samba4 for ages and love it as a DC and a
print-server. I just set up my first member-server designed solely to
host file shares, and have hit an issue. Group policy is mapping it
correctly for the users in the group, but those users are getting an
access denied message from their Windows 7 Pro 64-bit clients when
accessing the share. I have configured ACLs and the box resolves users
and groups. Everything works, except for the shares. Below I attached
all of the information I believe to be useful. Ask if you need more, and
thank you for your help!

smb.conf:
======
[global]
netbios name = FS01
workgroup = TRUEVINE
security = ADS
realm = TRUEVINE.LAN
encrypt passwords = yes
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 500-40000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
auth methods = winbind

[install$]
path = /home/shared/install
comment = "Software installation files"
read only = no

[staff$]
path = /home/shared/staff
comment = "Staff file share"
read only = no

[fbc$]
path = /home/shared/fbc
comment = "Family Bible College file share"
read only = no

ACL List:
======
root@fs01:~# getfacl /home/shared/staff/
getfacl: Removing leading '/' from absolute path names
# file: home/shared/staff/
# owner: reachfp
# group: administration
# flags: ss-
user::rwx
user:reachfp:rwx
group::rwx
group:administration:rwx
group:domain\040admins:rwx
group:70028:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:reachfp:rwx
default:group::---
default:group:administration:rwx
default:group:domain\040admins:rwx
default:group:70028:rwx
default:mask::rwx
default:other::---

root@fs01:~# getfacl /home/shared/fbc/
getfacl: Removing leading '/' from absolute path names
# file: home/shared/fbc/
# owner: reachfp
# group: fbc
# flags: ss-
user::rwx
user:reachfp:rwx
group::rwx
group:fbc:rwx
group:domain\040admins:rwx
group:70028:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:reachfp:rwx
default:group::---
default:group:fbc:rwx
default:group:domain\040admins:rwx
default:group:70028:rwx
default:mask::rwx
default:other::---

NSSwitch:
======
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

FS Permissions:
==========
root@fs01:~# l /home/shared
total 40
drwsrwsrwx+ 6 reachfp fbc 4096 Jul 23 11:31 fbc
drwsrws---+ 8 reachfp domain admins 4096 Jul 23 11:14 install
drwx------ 2 root root 16384 Jul 15 10:00 lost+found
drwsrwsrwx+ 13 reachfp administration 4096 Jul 23 11:30 staff

As you can see, I even tried changing the directory permissions to 777
and still no go. The users in the "administration" group are getting the
drive mapped but are being denied access to it. Same for FBC. I have
worked on this for days now and cannot get anywhere. What should I try next?
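
Added example, not part of the original post: a small Python lint for the smb.conf above that checks whether the domain named in the `idmap config` lines matches `workgroup`. In the posted file it does not (SAMDOM vs. TRUEVINE), so TRUEVINE accounts are mapped by the default `*` tdb backend, which is consistent with gid 70028 in the getfacl output. The function names are illustrative and the sample input is constructed from the post's own lines.

```python
import re

# Constructed sample: the idmap-related [global] lines quoted in the post.
SAMPLE_SMB_CONF = """\
[global]
workgroup = TRUEVINE
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 500-40000
"""

# Matches keys such as "idmap config SAMDOM:backend" -> ("SAMDOM", "backend").
IDMAP_KEY = re.compile(r"idmap\s+config\s+([^:\s]+)\s*:\s*(.+)$", re.I)

def parse_global(text):
    """Return (workgroup, {domain: {option: value}}) from the [global] section."""
    workgroup, idmap, section = "WORKGROUP", {}, None  # Samba's default workgroup
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            m = IDMAP_KEY.match(key)
            if m:
                idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
            elif key.lower() == "workgroup":
                workgroup = value.upper()
    return workgroup, idmap

def check_idmap(text):
    """List findings where idmap domain names and the workgroup disagree."""
    workgroup, idmap = parse_global(text)
    findings = []
    if workgroup not in idmap:
        fallback = idmap.get("*", {})
        findings.append(f"no 'idmap config {workgroup}:' lines; {workgroup} accounts use the "
                        f"'*' backend ({fallback.get('backend')}, range {fallback.get('range')})")
    for domain in idmap:
        if domain not in ("*", workgroup):
            findings.append(f"'idmap config {domain}:' is not workgroup {workgroup}; "
                            "only valid for a trusted domain of that name")
    return findings

if __name__ == "__main__":
    print("\n".join("WARN: " + f for f in check_idmap(SAMPLE_SMB_CONF)))
```

On the sample this reports two warnings; replacing SAMDOM with the real workgroup name clears both.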