[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Fri Jul 25 20:07:37 MDT 2014


As per suggestion, I deleted the TDB files after a reboot, then brought 
up nmbd, smbd, and winbindd. All TDB files were regenerated but the 
problem persists. I can resolve AD groups with wbinfo, but share access 
appears to only be granted to the owner. I need this fixed ASAP. I am 
out of ideas now.


On 7/25/2014 5:00 PM, Dale Schroeder wrote:
> I'll reply to you offline also, as these comments are fairly 
> insignificant.
>
> On 07/25/2014 7:51 AM, Ryan Ashley wrote:
>> You are correct. I forgot to change it. Chalk it up to being 
>> exhausted when I did this. I will make the change now. Could this 
>> cause my issues though?
> In a word, yes.  It appears to be essential.
>
> To answer the question in your list email, if you should have any 
> further problems, the cache tdb's may have to be regenerated. There 
> are probably some SAMDOM entries in the default backend, but this may 
> never be an issue since the domain doesn't exist.  Beyond that, I 
> can't offer any specific advice because I don't have the ability to 
> use the ad backend here.  We have no Samba DC's nor Windows DC's with 
> SFU installed.
>
> Good luck,
> Dale
>
>>
>> On 07/24/2014 03:41 PM, Dale Schroeder wrote:
>>> Ryan,
>>>
>>> Assuming this is a verbatim copy of your config, should not "idmap 
>>> config SAMDOM" actually be "idmap config TRUEVINE"?
>>>
>>> Dale
>>>
>>> On 07/24/2014 10:25 AM, Ryan Ashley wrote:
>>>> I have been using Samba4 for ages and love it as a DC and a 
>>>> print-server. I just set up my first member-server designed solely 
>>>> to host file shares, and have hit an issue. Group policy is mapping 
>>>> it correctly for the users in the group, but those users are 
>>>> getting an access denied message from their Windows 7 Pro 64-bit 
>>>> clients when accessing the share. I have configured ACLs and the 
>>>> box resolves users and groups. Everything works, except for the 
>>>> shares. Below I attached all of the information I believe to be 
>>>> useful. Ask if you need more, and thank you for your help!
>>>>
>>>> smb.conf:
>>>> ======
>>>> [global]
>>>>   netbios name = FS01
>>>>   workgroup = TRUEVINE
>>>>   security = ADS
>>>>   realm = TRUEVINE.LAN
>>>>   encrypt passwords = yes
>>>>
>>>>   idmap config *:backend = tdb
>>>>   idmap config *:range = 70001-80000
>>>>   idmap config SAMDOM:backend = ad
>>>>   idmap config SAMDOM:schema_mode = rfc2307
>>>>   idmap config SAMDOM:range = 500-40000
>>>>
>>>>   winbind nss info = rfc2307
>>>>   winbind trusted domains only = no
>>>>   winbind use default domain = yes
>>>>   winbind enum users = yes
>>>>   winbind enum groups = yes
>>>>
>>>>   vfs objects = acl_xattr
>>>>   map acl inherit = yes
>>>>   store dos attributes = yes
>>>>   auth methods = winbind
>>>>
>>>> [install$]
>>>>   path = /home/shared/install
>>>>   comment = "Software installation files"
>>>>   read only = no
>>>>
>>>> [staff$]
>>>>   path = /home/shared/staff
>>>>   comment = "Staff file share"
>>>>   read only = no
>>>>
>>>> [fbc$]
>>>>   path = /home/shared/fbc
>>>>   comment = "Family Bible College file share"
>>>>   read only = no
>>>>
>>>>
>>>>
>>>> ACL List:
>>>> ======
>>>> root at fs01:~# getfacl /home/shared/staff/
>>>> getfacl: Removing leading '/' from absolute path names
>>>> # file: home/shared/staff/
>>>> # owner: reachfp
>>>> # group: administration
>>>> # flags: ss-
>>>> user::rwx
>>>> user:reachfp:rwx
>>>> group::rwx
>>>> group:administration:rwx
>>>> group:domain\040admins:rwx
>>>> group:70028:rwx
>>>> mask::rwx
>>>> other::rwx
>>>> default:user::rwx
>>>> default:user:reachfp:rwx
>>>> default:group::---
>>>> default:group:administration:rwx
>>>> default:group:domain\040admins:rwx
>>>> default:group:70028:rwx
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>> root at fs01:~# getfacl /home/shared/fbc/
>>>> getfacl: Removing leading '/' from absolute path names
>>>> # file: home/shared/fbc/
>>>> # owner: reachfp
>>>> # group: fbc
>>>> # flags: ss-
>>>> user::rwx
>>>> user:reachfp:rwx
>>>> group::rwx
>>>> group:fbc:rwx
>>>> group:domain\040admins:rwx
>>>> group:70028:rwx
>>>> mask::rwx
>>>> other::rwx
>>>> default:user::rwx
>>>> default:user:reachfp:rwx
>>>> default:group::---
>>>> default:group:fbc:rwx
>>>> default:group:domain\040admins:rwx
>>>> default:group:70028:rwx
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>>
>>>>
>>>> NSSwitch:
>>>> ======
>>>> # /etc/nsswitch.conf
>>>> #
>>>> # Example configuration of GNU Name Service Switch functionality.
>>>> # If you have the `glibc-doc-reference' and `info' packages 
>>>> installed, try:
>>>> # `info libc "Name Service Switch"' for information about this file.
>>>>
>>>> passwd:         compat winbind
>>>> group:          compat winbind
>>>> shadow:         compat
>>>>
>>>> hosts:          files dns
>>>> networks:       files
>>>>
>>>> protocols:      db files
>>>> services:       db files
>>>> ethers:         db files
>>>> rpc:            db files
>>>>
>>>> netgroup:       nis
>>>>
>>>>
>>>>
>>>> FS Permissions:
>>>> ==========
>>>> root at fs01:~# l /home/shared
>>>> total 40
>>>> drwsrwsrwx+  6 reachfp fbc             4096 Jul 23 11:31 fbc
>>>> drwsrws---+  8 reachfp domain admins   4096 Jul 23 11:14 install
>>>> drwx------   2 root    root           16384 Jul 15 10:00 lost+found
>>>> drwsrwsrwx+ 13 reachfp administration  4096 Jul 23 11:30 staff
>>>>
>>>>
>>>>
>>>> As you can see, I even tried changing the directory permissions to 
>>>> 777 and still no go. The users in the "administration" group are 
>>>> getting the drive mapped but are being denied access to it. Same 
>>>> for FBC. I have worked on this for days now and cannot get 
>>>> anywhere. What should I try next? 
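Dale's diagnosis above (the `idmap config SAMDOM` block naming a domain that does not exist, so the real domain falls through to the `*` tdb backend) can be checked mechanically. The following Python is an added example, not code from the thread or from Samba: it parses a `[global]` section, reports idmap domains that do not match `workgroup`, and reports numeric ACL qualifiers that fall inside the `*` range, such as the `group:70028` entries in the posted getfacl output. The embedded smb.conf and ACL excerpts are constructed copies of what was posted; the function names are mine.

```python
import re

# Constructed copies of the posted smb.conf [global] and staff getfacl output.
SMB_CONF = """\
[global]
  workgroup = TRUEVINE
  idmap config *:backend = tdb
  idmap config *:range = 70001-80000
  idmap config SAMDOM:backend = ad
  idmap config SAMDOM:range = 500-40000
"""
GETFACL = """\
group:administration:rwx
group:domain\\040admins:rwx
group:70028:rwx
default:group:70028:rwx
"""

def parse_global(conf):
    """Return the [global] parameters as {lowercased key: value}."""
    params, section = {}, None
    for line in (raw.strip() for raw in conf.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "global" and "=" in line:
            key, val = line.split("=", 1)
            params[key.strip().lower()] = val.strip()
    return params

def idmap_mismatches(params):
    """Domains named in 'idmap config <DOM>:...' keys other than the workgroup.
    Such a block is ignored for the real domain, which then falls back to '*'."""
    workgroup = params.get("workgroup", "").upper()
    doms = {m.group(1).upper() for k in params
            if (m := re.match(r"idmap config (\S+):", k)) and m.group(1) != "*"}
    return sorted(d for d in doms if d != workgroup)

def default_range_ids(acl_text, params):
    """(entry, id) for ACL entries whose qualifier is a bare number inside the
    '*' tdb range: getfacl shows a number when NSS cannot name the id, and one
    in that range was allocated by the tdb fallback rather than read from AD."""
    lo, hi = (int(x) for x in params["idmap config *:range"].split("-"))
    hits = []
    for line in acl_text.splitlines():
        m = re.match(r"(?:default:)?(?:user|group):(\d+):", line)
        if m and lo <= int(m.group(1)) <= hi:
            hits.append((line, int(m.group(1))))
    return hits
```

Running both checks against the posted files flags `SAMDOM` and both `70028` entries; after the block is renamed to `idmap config TRUEVINE` only the stale ACL ids remain, which is why regenerating the idmap cache and re-applying the ACLs was the next step.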


