[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Sun Jul 27 09:28:30 MDT 2014


I understand and I should have stated more clearly that I have been 
going through those results for over a week now. Nothing seems to help. 
Funny thing is that creating a second virtual file-server and using 
share authentication works fine. Yet another reason I am leaning towards 
group issues. If the file-server is share-level the Windows 7 boxes are 
happy. As soon as it goes AD and uses AD groups, they stop working. I 
have not tried user-level security yet. Then again I may have user-level 
and share-level confused. It has been a long week. I will keep searching 
but so far nothing I have found and tried works.

Is there a way to get an actual reason for the denial? If it flat-out 
told me a reason I could troubleshoot. Right now I am just shooting in 
random directions hoping to hit something since all I get is "Access 
Denied". Is it possible to see if S4 is denying the connection via a log 
or something, or if Windows 7 is being stupid... again?

On 7/27/2014 10:57 AM, Rowland Penny wrote:
> On 27/07/14 15:15, Ryan Ashley wrote:
>> That solution is for Windows 8. That also is not our issue. The 
>> Windows 7 Pro 64bit workstations see the server and shares, and they 
>> map the shares according to group policy, but then everybody gets 
>> access denied, despite being in the domain groups for which the 
>> shares were created. Funny thing is that if I logon as domain admin, 
>> I get to access the shares. Due to this, I fully believe the S4 
>> server is ignoring or not accounting for group membership. The 
>> "reachfp" account is the domain admin. This is also the default owner 
>> of files on the shares. The group "administration" contains many 
>> members and does not grant access, despite the group being granted 
>> full control. This led me into believing I am still dealing with a 
>> permissions issue and not another issue. If it was the other issue, I 
>> would assume domain admin could not see the share or access it. Is 
>> that about right?
>>
>> On 7/27/2014 4:56 AM, Rowland Penny wrote:
>>> On 26/07/14 22:20, Ryan Ashley wrote:
>>>> Alright, I just read the responses. I have two pickup trucks and 
>>>> one is older and acting up, so I have been working on it. On to the 
>>>> responses! Also, I sent this once by accident to Rowland. Still not 
>>>> used to having to change the reply field to the list. My apologies.
>>>>
>>>> Yes I set g+s and u+s via chmod. This was great in Samba 3, but I 
>>>> can undo it if needed. I believe 700028 is "SYSTEM". The 
>>>> directories and files are owned by "administration", "domain 
>>>> admins", and "SYSTEM". Same for the other share, except "fbc" 
>>>> instead of "administration". And I used the linked article as a 
>>>> guide for setting up these shares, so it has been used up. I only 
>>>> set the sticky bits after it wasn't working. I was trying to get it 
>>>> working and wanted a standard user and group. Either way, that was 
>>>> the guide I used before posting to this list.
>>>>
>>>> On 7/26/2014 5:36 AM, Rowland Penny wrote:
>>>>> On 26/07/14 10:04, steve wrote:
>>>>>> On Sat, 2014-07-26 at 09:10 +0100, Rowland Penny wrote:
>>>>>>> On 26/07/14 03:07, Ryan Ashley wrote:
>>>>>>>> As per suggestion, I deleted the TDB files after a reboot, then
>>>>>>>> brought up nmbd, smbd, and winbindd. All TDB files were 
>>>>>>>> regenerated
>>>>>>>> but the problem persists. I can resolve AD groups with wbinfo, but
>>>>>>>> share access appears to only be granted to the owner. I need this
>>>>>>>> fixed ASAP. I am out of ideas now.
>>>>>>>>
>>>>>>>>
>>>>>>>> On 7/25/2014 5:00 PM, Dale Schroeder wrote:
>>>>>>>>> I'll reply to you offline also, as these comments are fairly
>>>>>>>>> insignificant.
>>>>>>>>>
>>>>>>>>> On 07/25/2014 7:51 AM, Ryan Ashley wrote:
>>>>>>>>>> You are correct. I forgot to change it. Chalk it up to being
>>>>>>>>>> exhausted when I did this. I will make the change now. Could 
>>>>>>>>>> this
>>>>>>>>>> cause my issues though?
>>>>>>>>> In a word, yes.  It appears to be essential.
>>>>>>>>>
>>>>>>>>> To answer the question in your list email, if you should have any
>>>>>>>>> further problems, the cache tdb's may have to be regenerated. 
>>>>>>>>> There
>>>>>>>>> are probably some SAMDOM entries in the default backend, but 
>>>>>>>>> this may
>>>>>>>>> never be an issue since the domain doesn't exist. Beyond that, I
>>>>>>>>> can't offer any specific advice because I don't have the 
>>>>>>>>> ability to
>>>>>>>>> use the ad backend here.  We have no Samba DC's nor Windows 
>>>>>>>>> DC's with
>>>>>>>>> SFU installed.
>>>>>>>>>
>>>>>>>>> Good luck,
>>>>>>>>> Dale
>>>>>>>>>
>>>>>>>>>> On 07/24/2014 03:41 PM, Dale Schroeder wrote:
>>>>>>>>>>> Ryan,
>>>>>>>>>>>
>>>>>>>>>>> Assuming this is a verbatim copy of your config, should not 
>>>>>>>>>>> "idmap
>>>>>>>>>>> config SAMDOM" actually be "idmap config TRUEVINE"?
>>>>>>>>>>>
>>>>>>>>>>> Dale
>>>>>>>>>>>
>>>>>>>>>>> On 07/24/2014 10:25 AM, Ryan Ashley wrote:
>>>>>>>>>>>> I have been using Samba4 for ages and love it as a DC and a
>>>>>>>>>>>> print-server. I just setup my first member-server designed 
>>>>>>>>>>>> solely
>>>>>>>>>>>> to host file shares, and have hit an issue. Group policy is
>>>>>>>>>>>> mapping it correctly for the users in the group, but those 
>>>>>>>>>>>> users
>>>>>>>>>>>> are getting an access denied message from their Windows 7 Pro
>>>>>>>>>>>> 64bit clients when accessing the share. I have configured 
>>>>>>>>>>>> ACLs and
>>>>>>>>>>>> the box resolves users and groups. Everything works, except 
>>>>>>>>>>>> for
>>>>>>>>>>>> the shares. Below I attached all of the information I 
>>>>>>>>>>>> believe to
>>>>>>>>>>>> be useful. Ask if you need more, and thank you for your help!
>>>>>>>>>>>>
>>>>>>>>>>>> smb.conf:
>>>>>>>>>>>> ======
>>>>>>>>>>>> [global]
>>>>>>>>>>>>    netbios name = FS01
>>>>>>>>>>>>    workgroup = TRUEVINE
>>>>>>>>>>>>    security = ADS
>>>>>>>>>>>>    realm = TRUEVINE.LAN
>>>>>>>>>>>>    encrypt passwords = yes
>>>>>>>>>>>>
>>>>>>>>>>>>    idmap config *:backend = tdb
>>>>>>>>>>>>    idmap config *:range = 70001-80000
>>>>>>>>>>>>    idmap config SAMDOM:backend = ad
>>>>>>>>>>>>    idmap config SAMDOM:schema_mode = rfc2307
>>>>>>>>>>>>    idmap config SAMDOM:range = 500-40000
>>>>>>>>>>>>
>>>>>>>>>>>>    winbind nss info = rfc2307
>>>>>>>>>>>>    winbind trusted domains only = no
>>>>>>>>>>>>    winbind use default domain = yes
>>>>>>>>>>>>    winbind enum users = yes
>>>>>>>>>>>>    winbind enum groups = yes
>>>>>>>>>>>>
>>>>>>>>>>>>    vfs objects = acl_xattr
>>>>>>>>>>>>    map acl inherit = yes
>>>>>>>>>>>>    store dos attributes = yes
>>>>>>>>>>>>    auth methods = winbind
>>>>>>>>>>>>
>>>>>>>>>>>> [install$]
>>>>>>>>>>>>    path = /home/shared/install
>>>>>>>>>>>>    comment = "Software installation files"
>>>>>>>>>>>>    read only = no
>>>>>>>>>>>>
>>>>>>>>>>>> [staff$]
>>>>>>>>>>>>    path = /home/shared/staff
>>>>>>>>>>>>    comment = "Staff file share"
>>>>>>>>>>>>    read only = no
>>>>>>>>>>>>
>>>>>>>>>>>> [fbc$]
>>>>>>>>>>>>    path = /home/shared/fbc
>>>>>>>>>>>>    comment = "Family Bible College file share"
>>>>>>>>>>>>    read only = no
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ACL List:
>>>>>>>>>>>> ======
>>>>>>>>>>>> root@fs01:~# getfacl /home/shared/staff/
>>>>>>>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>>>>>>>> # file: home/shared/staff/
>>>>>>>>>>>> # owner: reachfp
>>>>>>>>>>>> # group: administration
>>>>>>>>>>>> # flags: ss-
>>>>>>>>>>>> user::rwx
>>>>>>>>>>>> user:reachfp:rwx
>>>>>>>>>>>> group::rwx
>>>>>>>>>>>> group:administration:rwx
>>>>>>>>>>>> group:domain\040admins:rwx
>>>>>>>>>>>> group:70028:rwx
>>>>>>>>>>>> mask::rwx
>>>>>>>>>>>> other::rwx
>>>>>>>>>>>> default:user::rwx
>>>>>>>>>>>> default:user:reachfp:rwx
>>>>>>>>>>>> default:group::---
>>>>>>>>>>>> default:group:administration:rwx
>>>>>>>>>>>> default:group:domain\040admins:rwx
>>>>>>>>>>>> default:group:70028:rwx
>>>>>>>>>>>> default:mask::rwx
>>>>>>>>>>>> default:other::---
>>>>>>>>>>>>
>>>>>>>>>>>> root@fs01:~# getfacl /home/shared/fbc/
>>>>>>>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>>>>>>>> # file: home/shared/fbc/
>>>>>>>>>>>> # owner: reachfp
>>>>>>>>>>>> # group: fbc
>>>>>>>>>>>> # flags: ss-
>>>>>>>>>>>> user::rwx
>>>>>>>>>>>> user:reachfp:rwx
>>>>>>>>>>>> group::rwx
>>>>>>>>>>>> group:fbc:rwx
>>>>>>>>>>>> group:domain\040admins:rwx
>>>>>>>>>>>> group:70028:rwx
>>>>>>>>>>>> mask::rwx
>>>>>>>>>>>> other::rwx
>>>>>>>>>>>> default:user::rwx
>>>>>>>>>>>> default:user:reachfp:rwx
>>>>>>>>>>>> default:group::---
>>>>>>>>>>>> default:group:fbc:rwx
>>>>>>>>>>>> default:group:domain\040admins:rwx
>>>>>>>>>>>> default:group:70028:rwx
>>>>>>>>>>>> default:mask::rwx
>>>>>>>>>>>> default:other::---
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> NSSwitch:
>>>>>>>>>>>> ======
>>>>>>>>>>>> # /etc/nsswitch.conf
>>>>>>>>>>>> #
>>>>>>>>>>>> # Example configuration of GNU Name Service Switch 
>>>>>>>>>>>> functionality.
>>>>>>>>>>>> # If you have the `glibc-doc-reference' and `info' packages
>>>>>>>>>>>> installed, try:
>>>>>>>>>>>> # `info libc "Name Service Switch"' for information about 
>>>>>>>>>>>> this file.
>>>>>>>>>>>>
>>>>>>>>>>>> passwd:         compat winbind
>>>>>>>>>>>> group:          compat winbind
>>>>>>>>>>>> shadow:         compat
>>>>>>>>>>>>
>>>>>>>>>>>> hosts:          files dns
>>>>>>>>>>>> networks:       files
>>>>>>>>>>>>
>>>>>>>>>>>> protocols:      db files
>>>>>>>>>>>> services:       db files
>>>>>>>>>>>> ethers:         db files
>>>>>>>>>>>> rpc:            db files
>>>>>>>>>>>>
>>>>>>>>>>>> netgroup:       nis
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> FS Permissions:
>>>>>>>>>>>> ==========
>>>>>>>>>>>> root@fs01:~# l /home/shared
>>>>>>>>>>>> total 40
>>>>>>>>>>>> drwsrwsrwx+  6 reachfp fbc             4096 Jul 23 11:31 fbc
>>>>>>>>>>>> drwsrws---+  8 reachfp domain admins   4096 Jul 23 11:14 
>>>>>>>>>>>> install
>>>>>>>>>>>> drwx------   2 root    root           16384 Jul 15 10:00 
>>>>>>>>>>>> lost+found
>>>>>>>>>>>> drwsrwsrwx+ 13 reachfp administration  4096 Jul 23 11:30 staff
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> As you can see, I even tried changing the directory 
>>>>>>>>>>>> permissions to
>>>>>>>>>>>> 777 and still no go. The users in the "administration" 
>>>>>>>>>>>> group are
>>>>>>>>>>>> getting the drive mapped but are being denied access to it. 
>>>>>>>>>>>> Same
>>>>>>>>>>>> for FBC. I have worked on this for days now and cannot get
>>>>>>>>>>>> anywhere. What should I try next?
>>>>>>> You seem to have 'flags' set on the directories, as I have never 
>>>>>>> seen
>>>>>>> this before I read the manpage and found this means that all 
>>>>>>> files in
>>>>>>> the directory will be owned by whoever owns the directory. I do 
>>>>>>> not know
>>>>>>> how you set the 'flags' but I suggest you find out how to remove 
>>>>>>> them, I
>>>>>>> think that this will cure your problem.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>> Hi
>>>>>> @Rowland
>>>>>> chmod u-s <folder>
>>>>>> and
>>>>>> chmod g-s <folder>
>>>>>
>>>>> Hi, I actually knew that ;-) I was trying to get the OP to read up 
>>>>> on getfacl a bit more.
>>>>>>
>>>>>> I think that's OK, but I've suggested removing everything and 
>>>>>> starting
>>>>>> with only the sticky bit on group:
>>>>>> chmod g+s
>>>>>> in combination with the group rw acl. That is all we are using 
>>>>>> here for
>>>>>> our group access share. What we are not seeing here are the 
>>>>>> xacls, but
>>>>>> the OP is doing it on the samba side. The group rw maps fine in 
>>>>>> windows.
>>>>>> It also looks as though windows has had its say too as there is a
>>>>>> builtin acl set too.
>>>>>> Cheers,
>>>>>> Steve
>>>>>>
>>>>>>
>>>>>>
>>>>> I would also suggest that the OP has a read here:
>>>>>
>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs 
>>>>>
>>>>>
>>>>> Rowland
>>>>>
>>>>
>>> OK, after a bit more thought, I decided that as everything seems to 
>>> be correct it is probably a windows problem. A quick internet search 
>>> turned this up:
>>>
>>>  http://www.eightforums.com/network-sharing/18056-w2k3-server-can-access-windows-8-windows-8-computer-cant-see-w2k-server.html#post177162 
>>>
>>>
>>> Have a look, I think that it may fix your problems.
>>>
>>> Rowland
>>
> You are missing the point, I probably could have chosen a better 
> target but I only spent about 30secs on the search:
>
> windows 7 64 bit access denied samba
>
> This returns About 116,000 results, here's another one:
>
> http://www.sevenforums.com/network-sharing/242602-can-t-connect-samba-share-win-7-ultimate-64-bit.html 
>
>
> Try looking into this before dismissing it out of hand and insisting 
> that samba is the problem.
>
> Rowland
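As an added example (not code from anyone in the thread), a small Python checker that encodes the two findings raised above: Dale's point that the `idmap config` domain block must be named after the workgroup (the posted config says SAMDOM where the workgroup is TRUEVINE, so the domain's SIDs fall back to the `*` tdb backend), and Rowland's point about the `flags: ss-` line in the getfacl output. It also flags numeric ACL entries such as `group:70028` that lie inside the `*` range 70001-80000, since those GIDs came from the tdb allocator rather than AD rfc2307 attributes and are worth resolving with `wbinfo --gid-to-sid`. The smb.conf and getfacl excerpts are constructed from the ones posted.

```python
import re

# Constructed excerpts modelled on the smb.conf and getfacl output posted above.
SMB_CONF = """[global]
   workgroup = TRUEVINE
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:range = 500-40000
"""
GETFACL = """# flags: ss-
user::rwx
group:administration:rwx
group:domain\\040admins:rwx
group:70028:rwx
"""

def parse_conf(conf):
    """Return (WORKGROUP, {idmap domain: {key: value}}) from smb.conf text."""
    workgroup, idmap = None, {}
    for line in map(str.strip, conf.splitlines()):
        if m := re.match(r"idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+)", line):
            idmap.setdefault(m[1].upper(), {})[m[2]] = m[3].strip()
        elif m := re.match(r"workgroup\s*=\s*(\S+)", line):
            workgroup = m[1].upper()
    return workgroup, idmap

def check_idmap(conf):
    """An idmap block only applies if named after the workgroup; else SIDs use '*'."""
    workgroup, idmap = parse_conf(conf)
    issues = [f"idmap config {d} names a domain that is not {workgroup}"
              for d in idmap if d not in ("*", workgroup)]
    if workgroup not in idmap:
        issues.append(f"no idmap config {workgroup}:backend; AD ids fall back to '*'")
    return issues

def check_facl(facl, conf):
    """Flag setuid/setgid on the share root and numeric GIDs from the '*' range."""
    _, idmap = parse_conf(conf)
    lo, hi = map(int, idmap["*"]["range"].split("-"))
    issues = []
    for line in facl.splitlines():
        if m := re.match(r"# flags: (.)(.)", line):      # setuid, setgid, sticky
            issues += ["setuid bit set on directory"] * (m[1] == "s")
            issues += ["setgid bit set on directory"] * (m[2] == "s")
        elif m := re.match(r"(?:default:)?group:(\d+):", line):  # unresolved GID
            if lo <= int(m[1]) <= hi:
                issues.append(f"group {m[1]} lies in the '*' tdb range {lo}-{hi}")
    return issues
```

Run both checks against the real `/etc/samba/smb.conf` and `getfacl` output of a share root; an empty list from each means the idmap naming and the directory mode bits are not the cause.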
