[Samba] Samba 4 AD share: Access denied

Rowland Penny rowlandpenny at googlemail.com
Sun Jul 27 08:57:35 MDT 2014


On 27/07/14 15:15, Ryan Ashley wrote:
> That solution is for Windows 8. That also is not our issue. The 
> Windows 7 Pro 64bit workstations see the server and shares, and they 
> map the shares according to group policy, but then everybody gets 
> access denied, despite being in the domain groups for which the shares 
> were created. Funny thing is that if I logon as domain admin, I get to 
> access the shares. Due to this, I fully believe the S4 server is 
> ignoring or not accounting for group membership. The "reachfp" account 
> is the domain admin. This is also the default owner of files on the 
> shares. The group "administration" contains many members and does not 
> grant access, despite the group being granted full control. This led 
> me into believing I am still dealing with a permissions issue and not 
> another issue. If it was the other issue, I would assume domain admin 
> could not see the share or access it. Is that about right?
>
> On 7/27/2014 4:56 AM, Rowland Penny wrote:
>> On 26/07/14 22:20, Ryan Ashley wrote:
>>> Alright, I just read the responses. I have two pickup trucks and one 
>>> is older and acting up, so I have been working on it. On to the 
>>> responses! Also, I sent this once by accident to Rowland. Still not 
>>> used to having to change the reply field to the list. My apologies.
>>>
>>> Yes, I set g+s and u+s via chmod. This was great in Samba 3, but I 
>>> can undo it if needed. I believe 700028 is "SYSTEM". The directories 
>>> and files are owned by "administration", "domain admins", and 
>>> "SYSTEM". Same for the other share, except "fbc" instead of 
>>> "administration". And I used the linked article as a guide for 
>>> setting up these shares, so it has been used up. I only set the 
>>> sticky bits after it wasn't working. I was trying to get it working 
>>> and wanted a standard user and group. Either way, that was the guide 
>>> I used before posting to this list.
>>>
>>> On 7/26/2014 5:36 AM, Rowland Penny wrote:
>>>> On 26/07/14 10:04, steve wrote:
>>>>> On Sat, 2014-07-26 at 09:10 +0100, Rowland Penny wrote:
>>>>>> On 26/07/14 03:07, Ryan Ashley wrote:
>>>>>>> As per suggestion, I deleted the TDB files after a reboot, then
>>>>>>> brought up nmbd, smbd, and winbindd. All TDB files were regenerated
>>>>>>> but the problem persists. I can resolve AD groups with wbinfo, but
>>>>>>> share access appears to only be granted to the owner. I need this
>>>>>>> fixed ASAP. I am out of ideas now.
>>>>>>>
>>>>>>>
>>>>>>> On 7/25/2014 5:00 PM, Dale Schroeder wrote:
>>>>>>>> I'll reply to you offline also, as these comments are fairly
>>>>>>>> insignificant.
>>>>>>>>
>>>>>>>> On 07/25/2014 7:51 AM, Ryan Ashley wrote:
>>>>>>>>> You are correct. I forgot to change it. Chalk it up to being
>>>>>>>>> exhausted when I did this. I will make the change now. Could this
>>>>>>>>> cause my issues though?
>>>>>>>> In a word, yes.  It appears to be essential.
>>>>>>>>
>>>>>>>> To answer the question in your list email, if you should have any
>>>>>>>> further problems, the cache tdb's may have to be regenerated. There
>>>>>>>> are probably some SAMDOM entries in the default backend, but this may
>>>>>>>> never be an issue since the domain doesn't exist. Beyond that, I
>>>>>>>> can't offer any specific advice because I don't have the ability to
>>>>>>>> use the ad backend here.  We have no Samba DC's nor Windows DC's with
>>>>>>>> SFU installed.
>>>>>>>>
>>>>>>>> Good luck,
>>>>>>>> Dale
>>>>>>>>
>>>>>>>>> On 07/24/2014 03:41 PM, Dale Schroeder wrote:
>>>>>>>>>> Ryan,
>>>>>>>>>>
>>>>>>>>>> Assuming this is a verbatim copy of your config, should not "idmap
>>>>>>>>>> config SAMDOM" actually be "idmap config TRUEVINE"?
>>>>>>>>>>
>>>>>>>>>> Dale
>>>>>>>>>>
>>>>>>>>>> On 07/24/2014 10:25 AM, Ryan Ashley wrote:
>>>>>>>>>>> I have been using Samba4 for ages and love it as a DC and a
>>>>>>>>>>> print-server. I just setup my first member-server designed solely
>>>>>>>>>>> to host file shares, and have hit an issue. Group policy is
>>>>>>>>>>> mapping it correctly for the users in the group, but those users
>>>>>>>>>>> are getting an access denied message from their Windows 7 Pro
>>>>>>>>>>> 64bit clients when accessing the share. I have configured ACLs and
>>>>>>>>>>> the box resolves users and groups. Everything works, except for
>>>>>>>>>>> the shares. Below I attached all of the information I believe to
>>>>>>>>>>> be useful. Ask if you need more, and thank you for your help!
>>>>>>>>>>>
>>>>>>>>>>> smb.conf:
>>>>>>>>>>> ======
>>>>>>>>>>> [global]
>>>>>>>>>>>    netbios name = FS01
>>>>>>>>>>>    workgroup = TRUEVINE
>>>>>>>>>>>    security = ADS
>>>>>>>>>>>    realm = TRUEVINE.LAN
>>>>>>>>>>>    encrypt passwords = yes
>>>>>>>>>>>
>>>>>>>>>>>    idmap config *:backend = tdb
>>>>>>>>>>>    idmap config *:range = 70001-80000
>>>>>>>>>>>    idmap config SAMDOM:backend = ad
>>>>>>>>>>>    idmap config SAMDOM:schema_mode = rfc2307
>>>>>>>>>>>    idmap config SAMDOM:range = 500-40000
>>>>>>>>>>>
>>>>>>>>>>>    winbind nss info = rfc2307
>>>>>>>>>>>    winbind trusted domains only = no
>>>>>>>>>>>    winbind use default domain = yes
>>>>>>>>>>>    winbind enum users = yes
>>>>>>>>>>>    winbind enum groups = yes
>>>>>>>>>>>
>>>>>>>>>>>    vfs objects = acl_xattr
>>>>>>>>>>>    map acl inherit = yes
>>>>>>>>>>>    store dos attributes = yes
>>>>>>>>>>>    auth methods = winbind
>>>>>>>>>>>
>>>>>>>>>>> [install$]
>>>>>>>>>>>    path = /home/shared/install
>>>>>>>>>>>    comment = "Software installation files"
>>>>>>>>>>>    read only = no
>>>>>>>>>>>
>>>>>>>>>>> [staff$]
>>>>>>>>>>>    path = /home/shared/staff
>>>>>>>>>>>    comment = "Staff file share"
>>>>>>>>>>>    read only = no
>>>>>>>>>>>
>>>>>>>>>>> [fbc$]
>>>>>>>>>>>    path = /home/shared/fbc
>>>>>>>>>>>    comment = "Family Bible College file share"
>>>>>>>>>>>    read only = no
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> ACL List:
>>>>>>>>>>> ======
>>>>>>>>>>> root at fs01:~# getfacl /home/shared/staff/
>>>>>>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>>>>>>> # file: home/shared/staff/
>>>>>>>>>>> # owner: reachfp
>>>>>>>>>>> # group: administration
>>>>>>>>>>> # flags: ss-
>>>>>>>>>>> user::rwx
>>>>>>>>>>> user:reachfp:rwx
>>>>>>>>>>> group::rwx
>>>>>>>>>>> group:administration:rwx
>>>>>>>>>>> group:domain\040admins:rwx
>>>>>>>>>>> group:70028:rwx
>>>>>>>>>>> mask::rwx
>>>>>>>>>>> other::rwx
>>>>>>>>>>> default:user::rwx
>>>>>>>>>>> default:user:reachfp:rwx
>>>>>>>>>>> default:group::---
>>>>>>>>>>> default:group:administration:rwx
>>>>>>>>>>> default:group:domain\040admins:rwx
>>>>>>>>>>> default:group:70028:rwx
>>>>>>>>>>> default:mask::rwx
>>>>>>>>>>> default:other::---
>>>>>>>>>>>
>>>>>>>>>>> root at fs01:~# getfacl /home/shared/fbc/
>>>>>>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>>>>>>> # file: home/shared/fbc/
>>>>>>>>>>> # owner: reachfp
>>>>>>>>>>> # group: fbc
>>>>>>>>>>> # flags: ss-
>>>>>>>>>>> user::rwx
>>>>>>>>>>> user:reachfp:rwx
>>>>>>>>>>> group::rwx
>>>>>>>>>>> group:fbc:rwx
>>>>>>>>>>> group:domain\040admins:rwx
>>>>>>>>>>> group:70028:rwx
>>>>>>>>>>> mask::rwx
>>>>>>>>>>> other::rwx
>>>>>>>>>>> default:user::rwx
>>>>>>>>>>> default:user:reachfp:rwx
>>>>>>>>>>> default:group::---
>>>>>>>>>>> default:group:fbc:rwx
>>>>>>>>>>> default:group:domain\040admins:rwx
>>>>>>>>>>> default:group:70028:rwx
>>>>>>>>>>> default:mask::rwx
>>>>>>>>>>> default:other::---
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> NSSwitch:
>>>>>>>>>>> ======
>>>>>>>>>>> # /etc/nsswitch.conf
>>>>>>>>>>> #
>>>>>>>>>>> # Example configuration of GNU Name Service Switch functionality.
>>>>>>>>>>> # If you have the `glibc-doc-reference' and `info' packages installed, try:
>>>>>>>>>>> # `info libc "Name Service Switch"' for information about this file.
>>>>>>>>>>>
>>>>>>>>>>> passwd:         compat winbind
>>>>>>>>>>> group:          compat winbind
>>>>>>>>>>> shadow:         compat
>>>>>>>>>>>
>>>>>>>>>>> hosts:          files dns
>>>>>>>>>>> networks:       files
>>>>>>>>>>>
>>>>>>>>>>> protocols:      db files
>>>>>>>>>>> services:       db files
>>>>>>>>>>> ethers:         db files
>>>>>>>>>>> rpc:            db files
>>>>>>>>>>>
>>>>>>>>>>> netgroup:       nis
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> FS Permissions:
>>>>>>>>>>> ==========
>>>>>>>>>>> root at fs01:~# l /home/shared
>>>>>>>>>>> total 40
>>>>>>>>>>> drwsrwsrwx+  6 reachfp fbc             4096 Jul 23 11:31 fbc
>>>>>>>>>>> drwsrws---+  8 reachfp domain admins   4096 Jul 23 11:14 install
>>>>>>>>>>> drwx------   2 root    root           16384 Jul 15 10:00 lost+found
>>>>>>>>>>> drwsrwsrwx+ 13 reachfp administration  4096 Jul 23 11:30 staff
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> As you can see, I even tried changing the directory permissions to
>>>>>>>>>>> 777 and still no go. The users in the "administration" group are
>>>>>>>>>>> getting the drive mapped but are being denied access to it. Same
>>>>>>>>>>> for FBC. I have worked on this for days now and cannot get
>>>>>>>>>>> anywhere. What should I try next?
>>>>>> You seem to have 'flags' set on the directories, as I have never seen
>>>>>> this before I read the manpage and found this means that all files in
>>>>>> the directory will be owned by whoever owns the directory. I do not know
>>>>>> how you set the 'flags' but I suggest you find out how to remove them, I
>>>>>> think that this will cure your problem.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> Hi
>>>>> @Rowland
>>>>> chmod u-s <folder>
>>>>> and
>>>>> chmod g-s <folder>
>>>>
>>>> Hi, I actually knew that ;-) I was trying to get the OP to read up 
>>>> on getfacl a bit more.
>>>>>
>>>>> I think that's OK, but I've suggested removing everything and starting
>>>>> with only the sticky bit on group:
>>>>> chmod g+s
>>>>> in combination with the group rw acl. That is all we are using here for
>>>>> our group access share. What we are not seeing here are the xacls, but
>>>>> the OP is doing it on the samba side. The group rw maps fine in windows.
>>>>> It also looks as though windows has had its say too as there is a
>>>>> builtin acl set too.
>>>>> Cheers,
>>>>> Steve
>>>>>
>>>>>
>>>>>
>>>> I would also suggest that the OP has a read here:
>>>>
>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs 
>>>>
>>>>
>>>> Rowland
>>>>
>>>
>> OK, after a bit more thought, I decided that as everything seems to 
>> be correct it is probably a windows problem. A quick internet search 
>> turned this up:
>>
>>  http://www.eightforums.com/network-sharing/18056-w2k3-server-can-access-windows-8-windows-8-computer-cant-see-w2k-server.html#post177162 
>>
>>
>> Have a look, I think that it may fix your problems.
>>
>> Rowland
>
You are missing the point; I probably could have chosen a better target, 
but I only spent about 30 secs on the search:

windows 7 64 bit access denied samba

This returns about 116,000 results; here's another one:

http://www.sevenforums.com/network-sharing/242602-can-t-connect-samba-share-win-7-ultimate-64-bit.html

Try looking into this before dismissing it out of hand and insisting 
that samba is the problem.

Rowland
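As an added illustration (not code from this thread or from the Samba project), here is a small Python checker that applies Dale's observation mechanically: it parses an smb.conf, reports any `idmap config DOMAIN:` block whose DOMAIN matches neither `*` nor the configured `workgroup`, and then scans getfacl output for numeric ACL qualifiers and says which configured idmap range they fall into. The embedded smb.conf and ACL listing are trimmed copies of what was posted above; the function names and message wording are my own.

```python
import re

# Constructed copies (trimmed) of the smb.conf and getfacl output posted in
# this thread, embedded so the checker runs offline.
SMB_CONF_AS_POSTED = """\
[global]
   netbios name = FS01
   workgroup = TRUEVINE
   security = ADS
   realm = TRUEVINE.LAN

   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:schema_mode = rfc2307
   idmap config SAMDOM:range = 500-40000

   winbind nss info = rfc2307
   vfs objects = acl_xattr

[staff$]
   path = /home/shared/staff
   read only = no
"""

GETFACL_STAFF_AS_POSTED = """\
# file: home/shared/staff/
# owner: reachfp
# group: administration
# flags: ss-
user::rwx
user:reachfp:rwx
group::rwx
group:administration:rwx
group:domain\\040admins:rwx
group:70028:rwx
mask::rwx
other::rwx
default:group:70028:rwx
"""

ACL_RE = re.compile(r'^(default:)?(user|group):([^:]*):([rwx-]{3})$')


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}; keys are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = re.match(r'\[(.+)\]$', line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        if current is None or '=' not in line:
            continue
        key, value = line.split('=', 1)
        sections[current][' '.join(key.split()).lower()] = value.strip()
    return sections


def idmap_domains(global_section):
    """Collect 'idmap config DOMAIN:option' keys into {DOMAIN: {option: value}}."""
    out = {}
    for key, value in global_section.items():
        m = re.match(r'idmap config (\S+?)\s*:\s*(\w+)$', key)
        if m:
            out.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    return out


def idmap_ranges(conf):
    """Return {DOMAIN: (low, high)} for every idmap block that has a range."""
    ranges = {}
    for dom, opts in idmap_domains(conf.get('global', {})).items():
        if 'range' in opts:
            lo, hi = (int(x) for x in opts['range'].split('-'))
            ranges[dom] = (lo, hi)
    return ranges


def check_idmap(conf):
    """Return a list of findings about the idmap configuration (empty means clean)."""
    g = conf.get('global', {})
    workgroup = g.get('workgroup', '').upper()
    domains = idmap_domains(g)
    findings = []
    if '*' not in domains:
        findings.append("no 'idmap config *' default block")
    if workgroup and workgroup not in domains:
        findings.append(f"no 'idmap config {workgroup}' block: {workgroup} users and "
                        f"groups fall back to the '*' backend")
    for dom in domains:
        if dom not in ('*', workgroup):
            findings.append(f"'idmap config {dom}' does not match workgroup "
                            f"{workgroup}: that block is never consulted")
    ranges = idmap_ranges(conf)
    doms = list(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges of '{a}' and '{b}' overlap")
    return findings


def unresolved_acl_ids(getfacl_text, ranges):
    """Return [(kind, numeric_id, idmap_domain_or_None)] for numeric ACL qualifiers."""
    out = []
    for line in getfacl_text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or not m.group(3).isdigit():
            continue
        num = int(m.group(3))
        dom = next((d for d, (lo, hi) in ranges.items() if lo <= num <= hi), None)
        entry = (m.group(2), num, dom)
        if entry not in out:
            out.append(entry)
    return out


if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF_AS_POSTED)
    for f in check_idmap(conf):
        print("finding:", f)
    for kind, num, dom in unresolved_acl_ids(GETFACL_STAFF_AS_POSTED, idmap_ranges(conf)):
        print(f"unresolved {kind} id {num} sits in idmap range of {dom!r}")
```

Run against the posted config it reports the SAMDOM/TRUEVINE mismatch and flags `group:70028` as an ID that sits in the `*` tdb range (70001-80000), which is what you would expect when the domain-specific `ad` block is never consulted and winbind allocates IDs from the default backend instead; after renaming the block to `idmap config TRUEVINE` the config checks clean, though IDs already allocated in the tdb may still need the cache tdbs regenerated, as Dale mentioned.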

