[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Fri Jul 25 09:21:27 MDT 2014


I just realized reply sent this straight to you, Dale. Sorry about that.

I have made the changes but am not sure if it worked yet. I rebooted the 
system, which happens to be a Debian Wheezy 64bit system running under 
XenServer. Now I am waiting for a complaint. So far none, which is good. 
I will respond again if anything fails to work.

Just for kicks, are there any TDB files I should delete now that I 
changed this?

On 07/24/2014 03:41 PM, Dale Schroeder wrote:
> Ryan,
>
> Assuming this is a verbatim copy of your config, should not "idmap 
> config SAMDOM" actually be "idmap config TRUEVINE"?
>
> Dale
>
> On 07/24/2014 10:25 AM, Ryan Ashley wrote:
>> I have been using Samba4 for ages and love it as a DC and a 
>> print-server. I just set up my first member-server designed solely to 
>> host file shares, and have hit an issue. Group policy is mapping it 
>> correctly for the users in the group, but those users are getting an 
>> access denied message from their Windows 7 Pro 64bit clients when 
>> accessing the share. I have configured ACLs and the box resolves 
>> users and groups. Everything works, except for the shares. Below I 
>> attached all of the information I believe to be useful. Ask if you 
>> need more, and thank you for your help!
>>
>> smb.conf:
>> ======
>> [global]
>>   netbios name = FS01
>>   workgroup = TRUEVINE
>>   security = ADS
>>   realm = TRUEVINE.LAN
>>   encrypt passwords = yes
>>
>>   idmap config *:backend = tdb
>>   idmap config *:range = 70001-80000
>>   idmap config SAMDOM:backend = ad
>>   idmap config SAMDOM:schema_mode = rfc2307
>>   idmap config SAMDOM:range = 500-40000
>>
>>   winbind nss info = rfc2307
>>   winbind trusted domains only = no
>>   winbind use default domain = yes
>>   winbind enum users = yes
>>   winbind enum groups = yes
>>
>>   vfs objects = acl_xattr
>>   map acl inherit = yes
>>   store dos attributes = yes
>>   auth methods = winbind
>>
>> [install$]
>>   path = /home/shared/install
>>   comment = "Software installation files"
>>   read only = no
>>
>> [staff$]
>>   path = /home/shared/staff
>>   comment = "Staff file share"
>>   read only = no
>>
>> [fbc$]
>>   path = /home/shared/fbc
>>   comment = "Family Bible College file share"
>>   read only = no
>>
>>
>>
>> ACL List:
>> ======
>> root@fs01:~# getfacl /home/shared/staff/
>> getfacl: Removing leading '/' from absolute path names
>> # file: home/shared/staff/
>> # owner: reachfp
>> # group: administration
>> # flags: ss-
>> user::rwx
>> user:reachfp:rwx
>> group::rwx
>> group:administration:rwx
>> group:domain\040admins:rwx
>> group:70028:rwx
>> mask::rwx
>> other::rwx
>> default:user::rwx
>> default:user:reachfp:rwx
>> default:group::---
>> default:group:administration:rwx
>> default:group:domain\040admins:rwx
>> default:group:70028:rwx
>> default:mask::rwx
>> default:other::---
>>
>> root@fs01:~# getfacl /home/shared/fbc/
>> getfacl: Removing leading '/' from absolute path names
>> # file: home/shared/fbc/
>> # owner: reachfp
>> # group: fbc
>> # flags: ss-
>> user::rwx
>> user:reachfp:rwx
>> group::rwx
>> group:fbc:rwx
>> group:domain\040admins:rwx
>> group:70028:rwx
>> mask::rwx
>> other::rwx
>> default:user::rwx
>> default:user:reachfp:rwx
>> default:group::---
>> default:group:fbc:rwx
>> default:group:domain\040admins:rwx
>> default:group:70028:rwx
>> default:mask::rwx
>> default:other::---
>>
>>
>>
>> NSSwitch:
>> ======
>> # /etc/nsswitch.conf
>> #
>> # Example configuration of GNU Name Service Switch functionality.
>> # If you have the `glibc-doc-reference' and `info' packages installed, try:
>> # `info libc "Name Service Switch"' for information about this file.
>>
>> passwd:         compat winbind
>> group:          compat winbind
>> shadow:         compat
>>
>> hosts:          files dns
>> networks:       files
>>
>> protocols:      db files
>> services:       db files
>> ethers:         db files
>> rpc:            db files
>>
>> netgroup:       nis
>>
>>
>>
>> FS Permissions:
>> ==========
>> root@fs01:~# l /home/shared
>> total 40
>> drwsrwsrwx+  6 reachfp fbc             4096 Jul 23 11:31 fbc
>> drwsrws---+  8 reachfp domain admins   4096 Jul 23 11:14 install
>> drwx------   2 root    root           16384 Jul 15 10:00 lost+found
>> drwsrwsrwx+ 13 reachfp administration  4096 Jul 23 11:30 staff
>>
>>
>>
>> As you can see, I even tried changing the directory permissions to 
>> 777 and still no go. The users in the "administration" group are 
>> getting the drive mapped but are being denied access to it. Same for 
>> FBC. I have worked on this for days now and cannot get anywhere. What 
>> should I try next?
>
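
The mismatch Dale points out can be checked mechanically. The following Python sketch is an added example, not part of the original thread and not Samba code: it flags `idmap config` blocks whose domain name is neither `*` nor the `workgroup` value, and reports which block's range contains a given ID (such as the numeric `70028` in the ACL listing). The function names are hypothetical and the sample config is constructed from the lines quoted above.

```python
import re

# Constructed sample: the workgroup and idmap lines quoted in the thread.
SAMPLE_CONF = """\
[global]
  workgroup = TRUEVINE
  idmap config *:backend = tdb
  idmap config *:range = 70001-80000
  idmap config SAMDOM:backend = ad
  idmap config SAMDOM:schema_mode = rfc2307
  idmap config SAMDOM:range = 500-40000
[staff$]
"""

IDMAP_RE = re.compile(r"idmap\s+config\s+([^:\s]+)\s*:\s*(.+)$", re.I)

def parse_global(text):
    """Return (workgroup, {domain: {option: value}}) from [global]."""
    workgroup, idmap, section = None, {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key.lower() == "workgroup":
            workgroup = value.upper()
        m = IDMAP_RE.match(key)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
    return workgroup, idmap

def unmatched_domains(text):
    """idmap domains that are neither '*' nor the configured workgroup."""
    workgroup, idmap = parse_global(text)
    return sorted(d for d in idmap if d not in ("*", workgroup))

def owning_domain(text, unix_id):
    """Name of the idmap block whose range contains unix_id, or None."""
    for domain, opts in parse_global(text)[1].items():
        low, high = map(int, opts.get("range", "0-0").split("-"))
        if low <= unix_id <= high:
            return domain
    return None

if __name__ == "__main__":
    print(unmatched_domains(SAMPLE_CONF), owning_domain(SAMPLE_CONF, 70028))
```
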


