[Samba] Samba 4 AD share: Access denied
Ryan Ashley
ryana at reachtechfp.com
Fri Jul 25 09:21:27 MDT 2014
I just realized reply sent this straight to you, Dale. Sorry about that.
I have made the changes but am not sure if it worked yet. I rebooted the
system, which happens to be a Debian Wheezy 64bit system running under
XenServer. Now I am waiting for a complaint. So far none, which is good.
I will respond again if anything fails to work.
Just for kicks, are there any TDB files I should delete now that I
changed this?
On 07/24/2014 03:41 PM, Dale Schroeder wrote:
> Ryan,
>
> Assuming this is a verbatim copy of your config, should not "idmap
> config SAMDOM" actually be "idmap config TRUEVINE"?
>
> Dale
>
> On 07/24/2014 10:25 AM, Ryan Ashley wrote:
>> I have been using Samba4 for ages and love it as a DC and a
>> print-server. I just setup my first member-server designed solely to
>> host file shares, and have hit an issue. Group policy is mapping it
>> correctly for the users in the group, but those users are getting an
>> access denied message from their Windows 7 Pro 64bit clients when
>> accessing the share. I have configured ACLs and the box resolves
>> users and groups. Everything works, except for the shares. Below I
>> attached all of the information I believe to be useful. Ask if you
>> need more, and thank you for your help!
>>
>> smb.conf:
>> ======
>> [global]
>> netbios name = FS01
>> workgroup = TRUEVINE
>> security = ADS
>> realm = TRUEVINE.LAN
>> encrypt passwords = yes
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 70001-80000
>> idmap config SAMDOM:backend = ad
>> idmap config SAMDOM:schema_mode = rfc2307
>> idmap config SAMDOM:range = 500-40000
>>
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>>
>> vfs objects = acl_xattr
>> map acl inherit = yes
>> store dos attributes = yes
>> auth methods = winbind
>>
>> [install$]
>> path = /home/shared/install
>> comment = "Software installation files"
>> read only = no
>>
>> [staff$]
>> path = /home/shared/staff
>> comment = "Staff file share"
>> read only = no
>>
>> [fbc$]
>> path = /home/shared/fbc
>> comment = "Family Bible College file share"
>> read only = no
>>
>>
>>
>> ACL List:
>> ======
>> root at fs01:~# getfacl /home/shared/staff/
>> getfacl: Removing leading '/' from absolute path names
>> # file: home/shared/staff/
>> # owner: reachfp
>> # group: administration
>> # flags: ss-
>> user::rwx
>> user:reachfp:rwx
>> group::rwx
>> group:administration:rwx
>> group:domain\040admins:rwx
>> group:70028:rwx
>> mask::rwx
>> other::rwx
>> default:user::rwx
>> default:user:reachfp:rwx
>> default:group::---
>> default:group:administration:rwx
>> default:group:domain\040admins:rwx
>> default:group:70028:rwx
>> default:mask::rwx
>> default:other::---
>>
>> root at fs01:~# getfacl /home/shared/fbc/
>> getfacl: Removing leading '/' from absolute path names
>> # file: home/shared/fbc/
>> # owner: reachfp
>> # group: fbc
>> # flags: ss-
>> user::rwx
>> user:reachfp:rwx
>> group::rwx
>> group:fbc:rwx
>> group:domain\040admins:rwx
>> group:70028:rwx
>> mask::rwx
>> other::rwx
>> default:user::rwx
>> default:user:reachfp:rwx
>> default:group::---
>> default:group:fbc:rwx
>> default:group:domain\040admins:rwx
>> default:group:70028:rwx
>> default:mask::rwx
>> default:other::---
>>
>>
>>
>> NSSwitch:
>> ======
>> # /etc/nsswitch.conf
>> #
>> # Example configuration of GNU Name Service Switch functionality.
>> # If you have the `glibc-doc-reference' and `info' packages
>> installed, try:
>> # `info libc "Name Service Switch"' for information about this file.
>>
>> passwd: compat winbind
>> group: compat winbind
>> shadow: compat
>>
>> hosts: files dns
>> networks: files
>>
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
>>
>> netgroup: nis
>>
>>
>>
>> FS Permissions:
>> ==========
>> root at fs01:~# l /home/shared
>> total 40
>> drwsrwsrwx+ 6 reachfp fbc 4096 Jul 23 11:31 fbc
>> drwsrws---+ 8 reachfp domain admins 4096 Jul 23 11:14 install
>> drwx------ 2 root root 16384 Jul 15 10:00 lost+found
>> drwsrwsrwx+ 13 reachfp administration 4096 Jul 23 11:30 staff
>>
>>
>>
>> As you can see, I even tried changing the directory permissions to
>> 777 and still no go. The users in the "administration" group are
>> getting the drive mapped but are being denied access to it. Same for
>> FBC. I have worked on this for days now and cannot get anywhere. What
>> should I try next?
>
More information about the samba
mailing list