[Samba] Samba 4 AD share: Access denied

Dale Schroeder dale at BriannasSaladDressing.com
Thu Jul 24 13:41:59 MDT 2014


Ryan,

Assuming this is a verbatim copy of your config, should not "idmap 
config SAMDOM" actually be "idmap config TRUEVINE"?

Dale

On 07/24/2014 10:25 AM, Ryan Ashley wrote:
> I have been using Samba4 for ages and love it as a DC and a 
> print-server. I just setup my first member-server designed solely to 
> host file shares, and have hit an issue. Group policy is mapping it 
> correctly for the users in the group, but those users are getting an 
> access denied message from their Windows 7 Pro 64bit clients when 
> accessing the share. I have configured ACLs and the box resolves users 
> and groups. Everything works, except for the shares. Below I attached 
> all of the information I believe to be useful. Ask if you need more, 
> and thank you for your help!
>
> smb.conf:
> ======
> [global]
>   netbios name = FS01
>   workgroup = TRUEVINE
>   security = ADS
>   realm = TRUEVINE.LAN
>   encrypt passwords = yes
>
>   idmap config *:backend = tdb
>   idmap config *:range = 70001-80000
>   idmap config SAMDOM:backend = ad
>   idmap config SAMDOM:schema_mode = rfc2307
>   idmap config SAMDOM:range = 500-40000
>
>   winbind nss info = rfc2307
>   winbind trusted domains only = no
>   winbind use default domain = yes
>   winbind enum users = yes
>   winbind enum groups = yes
>
>   vfs objects = acl_xattr
>   map acl inherit = yes
>   store dos attributes = yes
>   auth methods = winbind
>
> [install$]
>   path = /home/shared/install
>   comment = "Software installation files"
>   read only = no
>
> [staff$]
>   path = /home/shared/staff
>   comment = "Staff file share"
>   read only = no
>
> [fbc$]
>   path = /home/shared/fbc
>   comment = "Family Bible College file share"
>   read only = no
>
>
>
> ACL List:
> ======
> root@fs01:~# getfacl /home/shared/staff/
> getfacl: Removing leading '/' from absolute path names
> # file: home/shared/staff/
> # owner: reachfp
> # group: administration
> # flags: ss-
> user::rwx
> user:reachfp:rwx
> group::rwx
> group:administration:rwx
> group:domain\040admins:rwx
> group:70028:rwx
> mask::rwx
> other::rwx
> default:user::rwx
> default:user:reachfp:rwx
> default:group::---
> default:group:administration:rwx
> default:group:domain\040admins:rwx
> default:group:70028:rwx
> default:mask::rwx
> default:other::---
>
> root@fs01:~# getfacl /home/shared/fbc/
> getfacl: Removing leading '/' from absolute path names
> # file: home/shared/fbc/
> # owner: reachfp
> # group: fbc
> # flags: ss-
> user::rwx
> user:reachfp:rwx
> group::rwx
> group:fbc:rwx
> group:domain\040admins:rwx
> group:70028:rwx
> mask::rwx
> other::rwx
> default:user::rwx
> default:user:reachfp:rwx
> default:group::---
> default:group:fbc:rwx
> default:group:domain\040admins:rwx
> default:group:70028:rwx
> default:mask::rwx
> default:other::---
>
>
>
> NSSwitch:
> ======
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
>
> hosts:          files dns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
>
>
> FS Permissions:
> ==========
> root@fs01:~# l /home/shared
> total 40
> drwsrwsrwx+  6 reachfp fbc             4096 Jul 23 11:31 fbc
> drwsrws---+  8 reachfp domain admins   4096 Jul 23 11:14 install
> drwx------   2 root    root           16384 Jul 15 10:00 lost+found
> drwsrwsrwx+ 13 reachfp administration  4096 Jul 23 11:30 staff
>
>
>
> As you can see, I even tried changing the directory permissions to 777 
> and still no go. The users in the "administration" group are getting 
> the drive mapped but are being denied access to it. Same for FBC. I 
> have worked on this for days now and cannot get anywhere. What should 
> I try next?
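A small lint for the mismatch Dale points out, added here as an example and not code from the thread: it parses an smb.conf text (a constructed sample mirroring Ryan's global section), flags any `idmap config` domain block whose name is neither `*` nor the workgroup (such a block is never consulted, so the domain's users fall through to the `*` tdb allocator), and reports ids that sit inside the `*` range, like the unresolved gid 70028 in the ACLs above, which is consistent with ids being handed out by tdb rather than read from AD's rfc2307 attributes.

```python
import re

# Constructed sample mirroring the posted smb.conf; not read from disk.
SMB_CONF = """
[global]
  workgroup = TRUEVINE
  security = ADS
  realm = TRUEVINE.LAN
  idmap config *:backend = tdb
  idmap config *:range = 70001-80000
  idmap config SAMDOM:backend = ad
  idmap config SAMDOM:schema_mode = rfc2307
  idmap config SAMDOM:range = 500-40000
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I)


def parse_idmap(conf):
    """Return (workgroup, {domain: {option: value}}) from an smb.conf text."""
    workgroup, idmap = None, {}
    for line in conf.splitlines():
        m = WORKGROUP_RE.match(line)
        if m:
            workgroup = m.group(1).upper()
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            idmap.setdefault(dom, {})[opt] = val
    return workgroup, idmap


def check_idmap(conf, sample_ids=()):
    """List findings: unused domain blocks, a missing block for the workgroup,
    and sample uid/gid values that fall inside the '*' (tdb) range."""
    workgroup, idmap = parse_idmap(conf)
    problems = []
    for dom in idmap:
        if dom not in ("*", workgroup):
            problems.append(f"idmap config {dom} never matches workgroup {workgroup}")
    if workgroup not in idmap:
        problems.append(f"no idmap config block for {workgroup}; '*' handles all its ids")
    default_range = idmap.get("*", {}).get("range")
    if default_range:
        lo, hi = (int(x) for x in default_range.split("-"))
        for i in sample_ids:
            if lo <= i <= hi:
                problems.append(f"id {i} is inside the '*' tdb range {lo}-{hi}, not an AD id")
    return problems
```

Renaming the SAMDOM block to TRUEVINE clears the first two findings; an id already allocated in the tdb range is still reported, since existing tdb mappings do not disappear when the config is corrected.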
