[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Sat Jul 26 15:20:10 MDT 2014


Alright, I just read the responses. I have two pickup trucks and one is 
older and acting up, so I have been working on it. On to the responses! 
Also, I sent this once by accident to Rowland. Still not used to having 
to change the reply field to the list. My apologies.

Yes I set g+s and u+s via chmod. This was great in Samba 3, but I can 
undo it if needed. I believe 700028 is "SYSTEM". The directories and 
files are owned by "administration", "domain admins", and "SYSTEM". Same 
for the other share, except "fbc" instead of "administration". And I 
used the linked article as a guide for setting up these shares, so it 
has been used up. I only set the sticky bits after it wasn't working. I 
was trying to get it working and wanted a standard user and group. 
Either way, that was the guide I used before posting to this list.

On 7/26/2014 5:36 AM, Rowland Penny wrote:
> On 26/07/14 10:04, steve wrote:
>> On Sat, 2014-07-26 at 09:10 +0100, Rowland Penny wrote:
>>> On 26/07/14 03:07, Ryan Ashley wrote:
>>>> As per suggestion, I deleted the TDB files after a reboot, then
>>>> brought up nmbd, smbd, and winbindd. All TDB files were regenerated
>>>> but the problem persists. I can resolve AD groups with wbinfo, but
>>>> share access appears to only be granted to the owner. I need this
>>>> fixed ASAP. I am out of ideas now.
>>>>
>>>>
>>>> On 7/25/2014 5:00 PM, Dale Schroeder wrote:
>>>>> I'll reply to you offline also, as these comments are fairly
>>>>> insignificant.
>>>>>
>>>>> On 07/25/2014 7:51 AM, Ryan Ashley wrote:
>>>>>> You are correct. I forgot to change it. Chalk it up to being
>>>>>> exhausted when I did this. I will make the change now. Could this
>>>>>> cause my issues though?
>>>>> In a word, yes.  It appears to be essential.
>>>>>
>>>>> To answer the question in your list email, if you should have any
>>>>> further problems, the cache tdb's may have to be regenerated. There
>>>>> are probably some SAMDOM entries in the default backend, but this may
>>>>> never be an issue since the domain doesn't exist.  Beyond that, I
>>>>> can't offer any specific advice because I don't have the ability to
>>>>> use the ad backend here.  We have no Samba DC's nor Windows DC's with
>>>>> SFU installed.
>>>>>
>>>>> Good luck,
>>>>> Dale
>>>>>
>>>>>> On 07/24/2014 03:41 PM, Dale Schroeder wrote:
>>>>>>> Ryan,
>>>>>>>
>>>>>>> Assuming this is a verbatim copy of your config, should not "idmap
>>>>>>> config SAMDOM" actually be "idmap config TRUEVINE"?
>>>>>>>
>>>>>>> Dale
>>>>>>>
>>>>>>> On 07/24/2014 10:25 AM, Ryan Ashley wrote:
>>>>>>>> I have been using Samba4 for ages and love it as a DC and a
>>>>>>>> print-server. I just set up my first member-server designed solely
>>>>>>>> to host file shares, and have hit an issue. Group policy is
>>>>>>>> mapping it correctly for the users in the group, but those users
>>>>>>>> are getting an access denied message from their Windows 7 Pro
>>>>>>>> 64-bit clients when accessing the share. I have configured ACLs and
>>>>>>>> the box resolves users and groups. Everything works, except for
>>>>>>>> the shares. Below I attached all of the information I believe to
>>>>>>>> be useful. Ask if you need more, and thank you for your help!
>>>>>>>>
>>>>>>>> smb.conf:
>>>>>>>> ======
>>>>>>>> [global]
>>>>>>>>    netbios name = FS01
>>>>>>>>    workgroup = TRUEVINE
>>>>>>>>    security = ADS
>>>>>>>>    realm = TRUEVINE.LAN
>>>>>>>>    encrypt passwords = yes
>>>>>>>>
>>>>>>>>    idmap config *:backend = tdb
>>>>>>>>    idmap config *:range = 70001-80000
>>>>>>>>    idmap config SAMDOM:backend = ad
>>>>>>>>    idmap config SAMDOM:schema_mode = rfc2307
>>>>>>>>    idmap config SAMDOM:range = 500-40000
>>>>>>>>
>>>>>>>>    winbind nss info = rfc2307
>>>>>>>>    winbind trusted domains only = no
>>>>>>>>    winbind use default domain = yes
>>>>>>>>    winbind enum users = yes
>>>>>>>>    winbind enum groups = yes
>>>>>>>>
>>>>>>>>    vfs objects = acl_xattr
>>>>>>>>    map acl inherit = yes
>>>>>>>>    store dos attributes = yes
>>>>>>>>    auth methods = winbind
>>>>>>>>
>>>>>>>> [install$]
>>>>>>>>    path = /home/shared/install
>>>>>>>>    comment = "Software installation files"
>>>>>>>>    read only = no
>>>>>>>>
>>>>>>>> [staff$]
>>>>>>>>    path = /home/shared/staff
>>>>>>>>    comment = "Staff file share"
>>>>>>>>    read only = no
>>>>>>>>
>>>>>>>> [fbc$]
>>>>>>>>    path = /home/shared/fbc
>>>>>>>>    comment = "Family Bible College file share"
>>>>>>>>    read only = no
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> ACL List:
>>>>>>>> ======
>>>>>>>> root at fs01:~# getfacl /home/shared/staff/
>>>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>>>> # file: home/shared/staff/
>>>>>>>> # owner: reachfp
>>>>>>>> # group: administration
>>>>>>>> # flags: ss-
>>>>>>>> user::rwx
>>>>>>>> user:reachfp:rwx
>>>>>>>> group::rwx
>>>>>>>> group:administration:rwx
>>>>>>>> group:domain\040admins:rwx
>>>>>>>> group:70028:rwx
>>>>>>>> mask::rwx
>>>>>>>> other::rwx
>>>>>>>> default:user::rwx
>>>>>>>> default:user:reachfp:rwx
>>>>>>>> default:group::---
>>>>>>>> default:group:administration:rwx
>>>>>>>> default:group:domain\040admins:rwx
>>>>>>>> default:group:70028:rwx
>>>>>>>> default:mask::rwx
>>>>>>>> default:other::---
>>>>>>>>
>>>>>>>> root at fs01:~# getfacl /home/shared/fbc/
>>>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>>>> # file: home/shared/fbc/
>>>>>>>> # owner: reachfp
>>>>>>>> # group: fbc
>>>>>>>> # flags: ss-
>>>>>>>> user::rwx
>>>>>>>> user:reachfp:rwx
>>>>>>>> group::rwx
>>>>>>>> group:fbc:rwx
>>>>>>>> group:domain\040admins:rwx
>>>>>>>> group:70028:rwx
>>>>>>>> mask::rwx
>>>>>>>> other::rwx
>>>>>>>> default:user::rwx
>>>>>>>> default:user:reachfp:rwx
>>>>>>>> default:group::---
>>>>>>>> default:group:fbc:rwx
>>>>>>>> default:group:domain\040admins:rwx
>>>>>>>> default:group:70028:rwx
>>>>>>>> default:mask::rwx
>>>>>>>> default:other::---
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> NSSwitch:
>>>>>>>> ======
>>>>>>>> # /etc/nsswitch.conf
>>>>>>>> #
>>>>>>>> # Example configuration of GNU Name Service Switch functionality.
>>>>>>>> # If you have the `glibc-doc-reference' and `info' packages
>>>>>>>> installed, try:
>>>>>>>> # `info libc "Name Service Switch"' for information about this 
>>>>>>>> file.
>>>>>>>>
>>>>>>>> passwd:         compat winbind
>>>>>>>> group:          compat winbind
>>>>>>>> shadow:         compat
>>>>>>>>
>>>>>>>> hosts:          files dns
>>>>>>>> networks:       files
>>>>>>>>
>>>>>>>> protocols:      db files
>>>>>>>> services:       db files
>>>>>>>> ethers:         db files
>>>>>>>> rpc:            db files
>>>>>>>>
>>>>>>>> netgroup:       nis
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> FS Permissions:
>>>>>>>> ==========
>>>>>>>> root at fs01:~# l /home/shared
>>>>>>>> total 40
>>>>>>>> drwsrwsrwx+  6 reachfp fbc             4096 Jul 23 11:31 fbc
>>>>>>>> drwsrws---+  8 reachfp domain admins   4096 Jul 23 11:14 install
>>>>>>>> drwx------   2 root    root           16384 Jul 15 10:00 
>>>>>>>> lost+found
>>>>>>>> drwsrwsrwx+ 13 reachfp administration  4096 Jul 23 11:30 staff
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> As you can see, I even tried changing the directory permissions to
>>>>>>>> 777 and still no go. The users in the "administration" group are
>>>>>>>> getting the drive mapped but are being denied access to it. Same
>>>>>>>> for FBC. I have worked on this for days now and cannot get
>>>>>>>> anywhere. What should I try next?
>>> You seem to have 'flags' set on the directories, as I have never seen
>>> this before I read the manpage and found this means that all files in
>>> the directory will be owned by whoever owns the directory. I do not 
>>> know
>>> how you set the 'flags' but I suggest you find out how to remove 
>>> them, I
>>> think that this will cure your problem.
>>>
>>> Rowland
>>>
>> Hi
>> @Rowland
>> chmod u-s <folder>
>> and
>> chmod g-s <folder>
>
> Hi, I actually knew that ;-) I was trying to get the OP to read up on 
> getfacl a bit more.
>>
>> I think that's OK, but I've suggested removing everything and starting
>> with only the sticky bit on group:
>> chmod g+s
>> in combination with the group rw acl. That is all we are using here for
>> our group access share. What we are not seeing here are the xacls, but
>> the OP is doing it on the samba side. The group rw maps fine in windows.
>> It also looks as though windows has had its say too as there is a
>> builtin acl set too.
>> Cheers,
>> Steve
>>
>>
>>
> I would also suggest that the OP has a read here:
>
> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs 
>
>
> Rowland
>
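An added check, written for this archive page and not code from the thread or from the Samba project: the replies converge on the idmap block being labelled SAMDOM while the workgroup is TRUEVINE, so the AD domain falls through to the default tdb backend and gets server-local ids from the 70001-80000 range (the group:70028 entry in the getfacl output sits in exactly that range). The script below parses the [global] section of an smb.conf string, flags a workgroup that has no matching "idmap config" block, checks that every idmap block has a backend and a range, reports overlapping ranges, and tells whether a numeric id seen in getfacl output came from the '*' range. The SMB_CONF sample is reconstructed from the post; the function names (parse_global, lint_idmap, id_from_default_range) are mine.

```python
"""Lint a Samba member-server smb.conf for idmap configuration mistakes.

Added example; SMB_CONF is a constructed sample rebuilt from the thread,
including the SAMDOM label that Dale spotted as the likely mistake.
"""
import re

SMB_CONF = """\
[global]
   netbios name = FS01
   workgroup = TRUEVINE
   security = ADS
   realm = TRUEVINE.LAN

   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:schema_mode = rfc2307
   idmap config SAMDOM:range = 500-40000
"""

# "idmap config <label>:<option> = <value>"; the label may be '*' or a domain.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
# Ordinary "key = value" global parameters (keys are words and spaces).
PARAM_RE = re.compile(r"^\s*([a-z][a-z ]*?)\s*=\s*(.+?)\s*$", re.I)


def parse_global(conf):
    """Return (params, idmap): params maps lower-cased global keys to values,
    idmap maps each idmap label to its {option: value} dict.  Share sections
    are skipped because idmap settings only live in [global]."""
    params, idmap = {}, {}
    section = None
    for line in conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
            continue
        if section != "global":
            continue
        m = IDMAP_RE.match(line)
        if m:
            label, opt, val = m.group(1).strip(), m.group(2).lower(), m.group(3)
            idmap.setdefault(label, {})[opt] = val
            continue
        m = PARAM_RE.match(line)
        if m:
            params[" ".join(m.group(1).lower().split())] = m.group(2)
    return params, idmap


def parse_range(text):
    """'500-40000' -> (500, 40000)."""
    lo, hi = text.split("-")
    return int(lo), int(hi)


def lint_idmap(conf):
    """Return a list of findings; an empty list means nothing looked wrong."""
    params, idmap = parse_global(conf)
    findings = []
    workgroup = params.get("workgroup", "").upper()
    labels = {lab.upper(): lab for lab in idmap if lab != "*"}
    # Without a block named after the workgroup, winbind maps that domain's
    # SIDs with the '*' backend, i.e. first-come tdb allocation on this host.
    if workgroup and workgroup not in labels:
        findings.append(
            f"no 'idmap config {workgroup}:*' block; the {workgroup} domain falls "
            f"through to the '*' backend (labels present: {sorted(labels.values())})"
        )
    ranges = {}
    for label, opts in idmap.items():
        if "backend" not in opts:
            findings.append(f"idmap config {label}: no backend set")
        if "range" in opts:
            ranges[label] = parse_range(opts["range"])
        else:
            findings.append(f"idmap config {label}: no range set")
    if "*" not in ranges:
        findings.append("no 'idmap config *:range' default range")
    names = list(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            lo1, hi1 = ranges[a]
            lo2, hi2 = ranges[b]
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append(f"ranges for '{a}' and '{b}' overlap")
    return findings


def id_from_default_range(conf, xid):
    """True when a numeric uid/gid shown by getfacl (e.g. 70028) lies inside
    the '*' range, meaning it was allocated locally by the default backend
    rather than read from the AD rfc2307 uidNumber/gidNumber attributes."""
    _, idmap = parse_global(conf)
    lo, hi = parse_range(idmap["*"]["range"])
    return lo <= xid <= hi


if __name__ == "__main__":
    for finding in lint_idmap(SMB_CONF) or ["no idmap findings"]:
        print(finding)
    print("70028 from '*' range:", id_from_default_range(SMB_CONF, 70028))
```

The reason the label matters beyond a cosmetic mismatch: ids handed out by the '*' tdb backend are assigned in order of first sight on each server, so ACLs stored on disk (here via acl_xattr) with such ids are meaningless on any other member server and never line up with the rfc2307 ids in AD. Correcting the label and then clearing the stale winbind idmap cache, as the thread describes for the TDB files, is what gives the shares stable, domain-wide ids.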
