[Samba] Samba 4 AD share: Access denied
Ryan Ashley
ryana at reachtechfp.com
Fri Jul 25 20:07:37 MDT 2014
As per suggestion, I deleted the TDB files after a reboot, then brought
up nmbd, smbd, and winbindd. All TDB files were regenerated but the
problem persists. I can resolve AD groups with wbinfo, but share access
appears to only be granted to the owner. I need this fixed ASAP. I am
out of ideas now.
On 7/25/2014 5:00 PM, Dale Schroeder wrote:
> I'll reply to you offline also, as these comments are fairly
> insignificant.
>
> On 07/25/2014 7:51 AM, Ryan Ashley wrote:
>> You are correct. I forgot to change it. Chalk it up to being
>> exhausted when I did this. I will make the change now. Could this
>> cause my issues though?
> In a word, yes. It appears to be essential.
>
> To answer the question in your list email, if you should have any
> further problems, the cache tdb's may have to be regenerated. There
> are probably some SAMDOM entries in the default backend, but this may
> never be an issue since the domain doesn't exist. Beyond that, I
> can't offer any specific advice because I don't have the ability to
> use the ad backend here. We have no Samba DC's nor Windows DC's with
> SFU installed.
>
> Good luck,
> Dale
>
>>
>> On 07/24/2014 03:41 PM, Dale Schroeder wrote:
>>> Ryan,
>>>
>>> Assuming this is a verbatim copy of your config, should not "idmap
>>> config SAMDOM" actually be "idmap config TRUEVINE"?
>>>
>>> Dale
>>>
>>> On 07/24/2014 10:25 AM, Ryan Ashley wrote:
>>>> I have been using Samba4 for ages and love it as a DC and a
>>>> print-server. I just setup my first member-server designed solely
>>>> to host file shares, and have hit an issue. Group policy is mapping
>>>> it correctly for the users in the group, but those users are
>>>> getting an access denied message from their Windows 7 Pro 64bit
>>>> clients when accessing the share. I have configured ACLs and the
>>>> box resolves users and groups. Everything works, except for the
>>>> shares. Below I attached all of the information I believe to be
>>>> useful. Ask if you need more, and thank you for your help!
>>>>
>>>> smb.conf:
>>>> ======
>>>> [global]
>>>> netbios name = FS01
>>>> workgroup = TRUEVINE
>>>> security = ADS
>>>> realm = TRUEVINE.LAN
>>>> encrypt passwords = yes
>>>>
>>>> idmap config *:backend = tdb
>>>> idmap config *:range = 70001-80000
>>>> idmap config SAMDOM:backend = ad
>>>> idmap config SAMDOM:schema_mode = rfc2307
>>>> idmap config SAMDOM:range = 500-40000
>>>>
>>>> winbind nss info = rfc2307
>>>> winbind trusted domains only = no
>>>> winbind use default domain = yes
>>>> winbind enum users = yes
>>>> winbind enum groups = yes
>>>>
>>>> vfs objects = acl_xattr
>>>> map acl inherit = yes
>>>> store dos attributes = yes
>>>> auth methods = winbind
>>>>
>>>> [install$]
>>>> path = /home/shared/install
>>>> comment = "Software installation files"
>>>> read only = no
>>>>
>>>> [staff$]
>>>> path = /home/shared/staff
>>>> comment = "Staff file share"
>>>> read only = no
>>>>
>>>> [fbc$]
>>>> path = /home/shared/fbc
>>>> comment = "Family Bible College file share"
>>>> read only = no
>>>>
>>>>
>>>>
>>>> ACL List:
>>>> ======
>>>> root at fs01:~# getfacl /home/shared/staff/
>>>> getfacl: Removing leading '/' from absolute path names
>>>> # file: home/shared/staff/
>>>> # owner: reachfp
>>>> # group: administration
>>>> # flags: ss-
>>>> user::rwx
>>>> user:reachfp:rwx
>>>> group::rwx
>>>> group:administration:rwx
>>>> group:domain\040admins:rwx
>>>> group:70028:rwx
>>>> mask::rwx
>>>> other::rwx
>>>> default:user::rwx
>>>> default:user:reachfp:rwx
>>>> default:group::---
>>>> default:group:administration:rwx
>>>> default:group:domain\040admins:rwx
>>>> default:group:70028:rwx
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>> root at fs01:~# getfacl /home/shared/fbc/
>>>> getfacl: Removing leading '/' from absolute path names
>>>> # file: home/shared/fbc/
>>>> # owner: reachfp
>>>> # group: fbc
>>>> # flags: ss-
>>>> user::rwx
>>>> user:reachfp:rwx
>>>> group::rwx
>>>> group:fbc:rwx
>>>> group:domain\040admins:rwx
>>>> group:70028:rwx
>>>> mask::rwx
>>>> other::rwx
>>>> default:user::rwx
>>>> default:user:reachfp:rwx
>>>> default:group::---
>>>> default:group:fbc:rwx
>>>> default:group:domain\040admins:rwx
>>>> default:group:70028:rwx
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>>
>>>>
>>>> NSSwitch:
>>>> ======
>>>> # /etc/nsswitch.conf
>>>> #
>>>> # Example configuration of GNU Name Service Switch functionality.
>>>> # If you have the `glibc-doc-reference' and `info' packages
>>>> installed, try:
>>>> # `info libc "Name Service Switch"' for information about this file.
>>>>
>>>> passwd: compat winbind
>>>> group: compat winbind
>>>> shadow: compat
>>>>
>>>> hosts: files dns
>>>> networks: files
>>>>
>>>> protocols: db files
>>>> services: db files
>>>> ethers: db files
>>>> rpc: db files
>>>>
>>>> netgroup: nis
>>>>
>>>>
>>>>
>>>> FS Permissions:
>>>> ==========
>>>> root at fs01:~# l /home/shared
>>>> total 40
>>>> drwsrwsrwx+ 6 reachfp fbc 4096 Jul 23 11:31 fbc
>>>> drwsrws---+ 8 reachfp domain admins 4096 Jul 23 11:14 install
>>>> drwx------ 2 root root 16384 Jul 15 10:00 lost+found
>>>> drwsrwsrwx+ 13 reachfp administration 4096 Jul 23 11:30 staff
>>>>
>>>>
>>>>
>>>> As you can see, I even tried changing the directory permissions to
>>>> 777 and still no go. The users in the "administration" group are
>>>> getting the drive mapped but are being denied access to it. Same
>>>> for FBC. I have worked on this for days now and cannot get
>>>> anywhere. What should I try next?
More information about the samba
mailing list