[Samba] Samba 4 AD share: Access denied
Dale Schroeder
dale at BriannasSaladDressing.com
Thu Jul 24 13:41:59 MDT 2014
Ryan,
Assuming this is a verbatim copy of your config, should not "idmap
config SAMDOM" actually be "idmap config TRUEVINE"?
Dale
On 07/24/2014 10:25 AM, Ryan Ashley wrote:
> I have been using Samba4 for ages and love it as a DC and a
> print-server. I just set up my first member-server designed solely to
> host file shares, and have hit an issue. Group policy is mapping it
> correctly for the users in the group, but those users are getting an
> access denied message from their Windows 7 Pro 64bit clients when
> accessing the share. I have configured ACLs and the box resolves users
> and groups. Everything works, except for the shares. Below I attached
> all of the information I believe to be useful. Ask if you need more,
> and thank you for your help!
>
> smb.conf:
> ======
> [global]
> netbios name = FS01
> workgroup = TRUEVINE
> security = ADS
> realm = TRUEVINE.LAN
> encrypt passwords = yes
>
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 500-40000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> auth methods = winbind
>
> [install$]
> path = /home/shared/install
> comment = "Software installation files"
> read only = no
>
> [staff$]
> path = /home/shared/staff
> comment = "Staff file share"
> read only = no
>
> [fbc$]
> path = /home/shared/fbc
> comment = "Family Bible College file share"
> read only = no
>
>
>
> ACL List:
> ======
> root@fs01:~# getfacl /home/shared/staff/
> getfacl: Removing leading '/' from absolute path names
> # file: home/shared/staff/
> # owner: reachfp
> # group: administration
> # flags: ss-
> user::rwx
> user:reachfp:rwx
> group::rwx
> group:administration:rwx
> group:domain\040admins:rwx
> group:70028:rwx
> mask::rwx
> other::rwx
> default:user::rwx
> default:user:reachfp:rwx
> default:group::---
> default:group:administration:rwx
> default:group:domain\040admins:rwx
> default:group:70028:rwx
> default:mask::rwx
> default:other::---
>
> root@fs01:~# getfacl /home/shared/fbc/
> getfacl: Removing leading '/' from absolute path names
> # file: home/shared/fbc/
> # owner: reachfp
> # group: fbc
> # flags: ss-
> user::rwx
> user:reachfp:rwx
> group::rwx
> group:fbc:rwx
> group:domain\040admins:rwx
> group:70028:rwx
> mask::rwx
> other::rwx
> default:user::rwx
> default:user:reachfp:rwx
> default:group::---
> default:group:fbc:rwx
> default:group:domain\040admins:rwx
> default:group:70028:rwx
> default:mask::rwx
> default:other::---
>
>
>
> NSSwitch:
> ======
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
>
>
> FS Permissions:
> ==========
> root@fs01:~# l /home/shared
> total 40
> drwsrwsrwx+ 6 reachfp fbc 4096 Jul 23 11:31 fbc
> drwsrws---+ 8 reachfp domain admins 4096 Jul 23 11:14 install
> drwx------ 2 root root 16384 Jul 15 10:00 lost+found
> drwsrwsrwx+ 13 reachfp administration 4096 Jul 23 11:30 staff
>
>
>
> As you can see, I even tried changing the directory permissions to 777
> and still no go. The users in the "administration" group are getting
> the drive mapped but are being denied access to it. Same for FBC. I
> have worked on this for days now and cannot get anywhere. What should
> I try next?
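
The mismatch Dale points out can be checked mechanically. The following is an added example, not part of either message: a Python sketch that compares the domain names used in `idmap config` lines with `workgroup`. The function names are hypothetical and the sample string is constructed from the quoted smb.conf.

```python
import re

# Constructed sample: [global] lines copied from the smb.conf quoted above.
SAMPLE_SMB_CONF = """\
[global]
netbios name = FS01
workgroup = TRUEVINE
security = ADS
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 500-40000
"""

IDMAP_KEY = re.compile(r"^idmap\s+config\s+(\S+?)\s*:\s*(.+)$", re.I)

def parse_global(text):
    """Return (workgroup, {domain: {option: value}}) from the [global] section."""
    workgroup, idmap, section = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            match = IDMAP_KEY.match(key)
            if match:
                idmap.setdefault(match.group(1), {})[match.group(2).lower()] = value
            elif " ".join(key.lower().split()) == "workgroup":
                workgroup = value
    return workgroup, idmap

def check_idmap(text):
    """Hypothetical helper: report idmap domain names that miss the workgroup."""
    workgroup, idmap = parse_global(text)
    if workgroup is None:
        return ["no workgroup set in [global]"]
    named = [d for d in idmap if d != "*"]
    findings = [f"idmap config {d}: is not workgroup {workgroup}; typo or trusted domain?"
                for d in named if d.upper() != workgroup.upper()]
    if workgroup.upper() not in (d.upper() for d in named):
        default = idmap.get("*", {}).get("backend", "unset")
        findings.append(f"{workgroup} has no idmap config section; only the '*' default ({default}) applies")
    return findings

if __name__ == "__main__":
    print("\n".join(check_idmap(SAMPLE_SMB_CONF)) or "idmap domains match workgroup")
```

A domain name that differs from the workgroup may be a legitimate trusted domain, so the first finding is a prompt to confirm rather than a verdict.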