[Samba] Samba 4 AD share: Access denied

Rowland Penny rowlandpenny at googlemail.com
Sun Jul 27 02:56:49 MDT 2014


On 26/07/14 22:20, Ryan Ashley wrote:
> Alright, I just read the responses. I have two pickup trucks and one 
> is older and acting up, so I have been working on it. On to the 
> responses! Also, I sent this once by accident to Rowland. Still not 
> used to having to change the reply field to the list. My apologies.
>
> Yes I set g+s and u+s via chmod. This was great in Samba 3, but I can 
> undo it if needed. I believe 700028 is "SYSTEM". The directories and 
> files are owned by "administration", "domain admins", and "SYSTEM". 
> Same for the other share, except "fbc" instead of "administration". 
> And I used the linked article as a guide for setting up these shares, 
> so it has been used up. I only set the sticky bits after it wasn't 
> working. I was trying to get it working and wanted a standard user and 
> group. Either way, that was the guide I used before posting to this list.
>
> On 7/26/2014 5:36 AM, Rowland Penny wrote:
>> On 26/07/14 10:04, steve wrote:
>>> On Sat, 2014-07-26 at 09:10 +0100, Rowland Penny wrote:
>>>> On 26/07/14 03:07, Ryan Ashley wrote:
>>>>> As per suggestion, I deleted the TDB files after a reboot, then
>>>>> brought up nmbd, smbd, and winbindd. All TDB files were regenerated
>>>>> but the problem persists. I can resolve AD groups with wbinfo, but
>>>>> share access appears to only be granted to the owner. I need this
>>>>> fixed ASAP. I am out of ideas now.
>>>>>
>>>>>
>>>>> On 7/25/2014 5:00 PM, Dale Schroeder wrote:
>>>>>> I'll reply to you offline also, as these comments are fairly
>>>>>> insignificant.
>>>>>>
>>>>>> On 07/25/2014 7:51 AM, Ryan Ashley wrote:
>>>>>>> You are correct. I forgot to change it. Chalk it up to being
>>>>>>> exhausted when I did this. I will make the change now. Could this
>>>>>>> cause my issues though?
>>>>>> In a word, yes.  It appears to be essential.
>>>>>>
>>>>>> To answer the question in your list email, if you should have any
>>>>>> further problems, the cache tdb's may have to be regenerated. There
> >>>>>> are probably some SAMDOM entries in the default backend, but this may
> >>>>>> never be an issue since the domain doesn't exist. Beyond that, I
>>>>>> can't offer any specific advice because I don't have the ability to
> >>>>>> use the ad backend here.  We have no Samba DC's nor Windows DC's with
> >>>>>> SFU installed.
>>>>>>
>>>>>> Good luck,
>>>>>> Dale
>>>>>>
>>>>>>> On 07/24/2014 03:41 PM, Dale Schroeder wrote:
>>>>>>>> Ryan,
>>>>>>>>
>>>>>>>> Assuming this is a verbatim copy of your config, should not "idmap
>>>>>>>> config SAMDOM" actually be "idmap config TRUEVINE"?
>>>>>>>>
>>>>>>>> Dale
>>>>>>>>
>>>>>>>> On 07/24/2014 10:25 AM, Ryan Ashley wrote:
>>>>>>>>> I have been using Samba4 for ages and love it as a DC and a
>>>>>>>>> print-server. I just setup my first member-server designed solely
>>>>>>>>> to host file shares, and have hit an issue. Group policy is
>>>>>>>>> mapping it correctly for the users in the group, but those users
>>>>>>>>> are getting an access denied message from their Windows 7 Pro
> >>>>>>>>> 64bit clients when accessing the share. I have configured ACLs and
> >>>>>>>>> the box resolves users and groups. Everything works, except for
>>>>>>>>> the shares. Below I attached all of the information I believe to
>>>>>>>>> be useful. Ask if you need more, and thank you for your help!
>>>>>>>>>
>>>>>>>>> smb.conf:
>>>>>>>>> ======
>>>>>>>>> [global]
>>>>>>>>>    netbios name = FS01
>>>>>>>>>    workgroup = TRUEVINE
>>>>>>>>>    security = ADS
>>>>>>>>>    realm = TRUEVINE.LAN
>>>>>>>>>    encrypt passwords = yes
>>>>>>>>>
>>>>>>>>>    idmap config *:backend = tdb
>>>>>>>>>    idmap config *:range = 70001-80000
>>>>>>>>>    idmap config SAMDOM:backend = ad
>>>>>>>>>    idmap config SAMDOM:schema_mode = rfc2307
>>>>>>>>>    idmap config SAMDOM:range = 500-40000
>>>>>>>>>
>>>>>>>>>    winbind nss info = rfc2307
>>>>>>>>>    winbind trusted domains only = no
>>>>>>>>>    winbind use default domain = yes
>>>>>>>>>    winbind enum users = yes
>>>>>>>>>    winbind enum groups = yes
>>>>>>>>>
>>>>>>>>>    vfs objects = acl_xattr
>>>>>>>>>    map acl inherit = yes
>>>>>>>>>    store dos attributes = yes
>>>>>>>>>    auth methods = winbind
>>>>>>>>>
>>>>>>>>> [install$]
>>>>>>>>>    path = /home/shared/install
>>>>>>>>>    comment = "Software installation files"
>>>>>>>>>    read only = no
>>>>>>>>>
>>>>>>>>> [staff$]
>>>>>>>>>    path = /home/shared/staff
>>>>>>>>>    comment = "Staff file share"
>>>>>>>>>    read only = no
>>>>>>>>>
>>>>>>>>> [fbc$]
>>>>>>>>>    path = /home/shared/fbc
>>>>>>>>>    comment = "Family Bible College file share"
>>>>>>>>>    read only = no
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ACL List:
>>>>>>>>> ======
>>>>>>>>> root at fs01:~# getfacl /home/shared/staff/
>>>>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>>>>> # file: home/shared/staff/
>>>>>>>>> # owner: reachfp
>>>>>>>>> # group: administration
>>>>>>>>> # flags: ss-
>>>>>>>>> user::rwx
>>>>>>>>> user:reachfp:rwx
>>>>>>>>> group::rwx
>>>>>>>>> group:administration:rwx
>>>>>>>>> group:domain\040admins:rwx
>>>>>>>>> group:70028:rwx
>>>>>>>>> mask::rwx
>>>>>>>>> other::rwx
>>>>>>>>> default:user::rwx
>>>>>>>>> default:user:reachfp:rwx
>>>>>>>>> default:group::---
>>>>>>>>> default:group:administration:rwx
>>>>>>>>> default:group:domain\040admins:rwx
>>>>>>>>> default:group:70028:rwx
>>>>>>>>> default:mask::rwx
>>>>>>>>> default:other::---
>>>>>>>>>
>>>>>>>>> root at fs01:~# getfacl /home/shared/fbc/
>>>>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>>>>> # file: home/shared/fbc/
>>>>>>>>> # owner: reachfp
>>>>>>>>> # group: fbc
>>>>>>>>> # flags: ss-
>>>>>>>>> user::rwx
>>>>>>>>> user:reachfp:rwx
>>>>>>>>> group::rwx
>>>>>>>>> group:fbc:rwx
>>>>>>>>> group:domain\040admins:rwx
>>>>>>>>> group:70028:rwx
>>>>>>>>> mask::rwx
>>>>>>>>> other::rwx
>>>>>>>>> default:user::rwx
>>>>>>>>> default:user:reachfp:rwx
>>>>>>>>> default:group::---
>>>>>>>>> default:group:fbc:rwx
>>>>>>>>> default:group:domain\040admins:rwx
>>>>>>>>> default:group:70028:rwx
>>>>>>>>> default:mask::rwx
>>>>>>>>> default:other::---
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> NSSwitch:
>>>>>>>>> ======
>>>>>>>>> # /etc/nsswitch.conf
>>>>>>>>> #
>>>>>>>>> # Example configuration of GNU Name Service Switch functionality.
>>>>>>>>> # If you have the `glibc-doc-reference' and `info' packages
>>>>>>>>> installed, try:
> >>>>>>>>> # `info libc "Name Service Switch"' for information about this file.
>>>>>>>>>
>>>>>>>>> passwd:         compat winbind
>>>>>>>>> group:          compat winbind
>>>>>>>>> shadow:         compat
>>>>>>>>>
>>>>>>>>> hosts:          files dns
>>>>>>>>> networks:       files
>>>>>>>>>
>>>>>>>>> protocols:      db files
>>>>>>>>> services:       db files
>>>>>>>>> ethers:         db files
>>>>>>>>> rpc:            db files
>>>>>>>>>
>>>>>>>>> netgroup:       nis
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> FS Permissions:
>>>>>>>>> ==========
>>>>>>>>> root at fs01:~# l /home/shared
>>>>>>>>> total 40
>>>>>>>>> drwsrwsrwx+  6 reachfp fbc             4096 Jul 23 11:31 fbc
>>>>>>>>> drwsrws---+  8 reachfp domain admins   4096 Jul 23 11:14 install
> >>>>>>>>> drwx------   2 root    root           16384 Jul 15 10:00 lost+found
>>>>>>>>> drwsrwsrwx+ 13 reachfp administration  4096 Jul 23 11:30 staff
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
> >>>>>>>>> As you can see, I even tried changing the directory permissions to
> >>>>>>>>> 777 and still no go. The users in the "administration" group are
>>>>>>>>> getting the drive mapped but are being denied access to it. Same
>>>>>>>>> for FBC. I have worked on this for days now and cannot get
>>>>>>>>> anywhere. What should I try next?
> >>>> You seem to have 'flags' set on the directories, as I have never seen
> >>>> this before I read the manpage and found this means that all files in
> >>>> the directory will be owned by whoever owns the directory. I do not know
> >>>> how you set the 'flags' but I suggest you find out how to remove them, I
> >>>> think that this will cure your problem.
>>>>
>>>> Rowland
>>>>
>>> Hi
>>> @Rowland
>>> chmod u-s <folder>
>>> and
>>> chmod g-s <folder>
>>
>> Hi, I actually knew that ;-) I was trying to get the OP to read up on 
>> getfacl a bit more.
>>>
>>> I think that's OK, but I've suggested removing everything and starting
>>> with only the sticky bit on group:
>>> chmod g+s
>>> in combination with the group rw acl. That is all we are using here for
>>> our group access share. What we are not seeing here are the xacls, but
> >>> the OP is doing it on the samba side. The group rw maps fine in windows.
>>> It also looks as though windows has had its say too as there is a
>>> builtin acl set too.
>>> Cheers,
>>> Steve
>>>
>>>
>>>
>> I would also suggest that the OP has a read here:
>>
>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs 
>>
>>
>> Rowland
>>
>
OK, after a bit more thought, I decided that as everything seems to be 
correct it is probably a windows problem. A quick internet search turned 
this up:

  http://www.eightforums.com/network-sharing/18056-w2k3-server-can-access-windows-8-windows-8-computer-cant-see-w2k-server.html#post177162

Have a look, I think that it may fix your problems.

Rowland
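
An added example, not from the thread or from the Samba project: an offline script that encodes the two diagnoses made above as checks. It parses an smb.conf and looks for "idmap config DOM:" blocks whose DOM is not the workgroup (the SAMDOM/TRUEVINE mismatch Dale pointed out, which leaves the ad backend unused and the domain's SIDs allocated from the default "*" tdb range), and it parses a getfacl listing for the setuid/setgid bits in "flags: ss-" and for numeric, unresolved ACL qualifiers. The embedded inputs are the smb.conf and getfacl output quoted in the thread, trimmed to the relevant lines; all function names are the example's own.

```python
import re

# Sample inputs: the [global] section and the staff$ getfacl listing quoted in the
# thread, trimmed and embedded here so the checks run without a domain.
SMB_CONF = """\
[global]
   workgroup = TRUEVINE
   security = ADS
   realm = TRUEVINE.LAN
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:schema_mode = rfc2307
   idmap config SAMDOM:range = 500-40000
"""
GETFACL = """\
# file: home/shared/staff/
# owner: reachfp
# group: administration
# flags: ss-
user::rwx
group::rwx
group:administration:rwx
group:domain\\040admins:rwx
group:70028:rwx
mask::rwx
default:group:70028:rwx
"""

def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {key: value}}; names lower-cased as smbd does."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf

def idmap_findings(conf):
    """Each 'idmap config DOM:' block must name the workgroup; otherwise that backend is
    never consulted and the domain's SIDs get IDs from the default '*' backend."""
    g = conf.get("global", {})
    workgroup = g.get("workgroup", "").upper()
    domains = {m.group(1).upper() for k in g
               for m in [re.match(r"idmap config (.+?):", k)] if m}
    findings = []
    for dom in sorted(domains - {"*"}):
        if dom != workgroup:
            backend = g.get(f"idmap config {dom.lower()}:backend", "?")
            findings.append(f"idmap config {dom} does not match workgroup {workgroup}: "
                            f"the '{backend}' backend is never consulted")
    if workgroup not in domains:
        findings.append(f"no idmap config {workgroup}: its SIDs are allocated from the "
                        f"default '*' backend ({g.get('idmap config *:backend')}, "
                        f"range {g.get('idmap config *:range')})")
    return findings

def parse_getfacl(text):
    """Parse one getfacl listing: header fields plus (kind, qualifier, perms, is_default)."""
    acl = {"flags": "---", "entries": []}
    for line in text.splitlines():
        if line.startswith("# "):
            field, _, value = line[2:].partition(":")
            acl[field.strip()] = value.strip()
        elif line:
            is_default = line.startswith("default:")
            body = line[len("default:"):] if is_default else line
            kind, qualifier, perms = body.split(":", 2)
            # getfacl escapes spaces in names as \040
            acl["entries"].append((kind, qualifier.replace("\\040", " "), perms, is_default))
    return acl

def acl_findings(acl, default_range):
    """Flag setuid/setgid on the share root and numeric (unresolved) ACL qualifiers,
    noting when such an ID sits inside the default idmap range."""
    findings = []
    if acl["flags"][0] == "s":
        findings.append("setuid bit set on the directory (chmod u-s to clear)")
    if acl["flags"][1] == "s":
        findings.append("setgid bit set on the directory (chmod g-s to clear)")
    lo, hi = default_range
    seen = set()
    for kind, qualifier, _perms, _is_default in acl["entries"]:
        if qualifier.isdigit() and qualifier not in seen:
            seen.add(qualifier)
            where = "inside" if lo <= int(qualifier) <= hi else "outside"
            findings.append(f"unresolved {kind} id {qualifier} in ACL, "
                            f"{where} the default '*' idmap range")
    return findings

def run_checks(smb_conf=SMB_CONF, getfacl=GETFACL):
    conf = parse_smb_conf(smb_conf)
    lo, hi = conf["global"]["idmap config *:range"].split("-")
    return idmap_findings(conf) + acl_findings(parse_getfacl(getfacl), (int(lo), int(hi)))

if __name__ == "__main__":
    for finding in run_checks():
        print("-", finding)
```

On the quoted inputs the script reports the SAMDOM/TRUEVINE mismatch, the missing TRUEVINE idmap block, both set-id bits, and that gid 70028 falls inside the 70001-80000 "*" range, which is what you would expect once the domain's SIDs are being served by the default tdb backend instead of the ad backend. On a live member server feed it the output of `testparm -s` and `getfacl` of the share root rather than the embedded samples.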

