[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Sun Jul 27 21:45:16 MDT 2014


They were created as global security groups. I just remoted in and 
checked and they are still global security groups. Any other ideas? I 
have tried about everything I can think of and can find online at this 
point.

On 7/27/2014 2:57 PM, Davor Vusir wrote:
> -- Sent from the mobile! --
> On 27 Jul 2014 17:28, "Ryan Ashley" <ryana at reachtechfp.com> wrote:
>> I understand and I should have stated more clearly that I have been going
>> through those results for over a week now. Nothing seems to help. Funny
>> thing is that creating a second virtual file-server and using share
>> authentication works fine. Yet another reason I am leaning towards group
>> issues. If the file-server is share-level the Windows 7 boxes are happy. As
>> soon as it goes AD and uses AD groups, they stop working. I have not tried
>> user-level security yet. Then again I may have user-level and share-level
>> confused. It has been a long week. I will keep searching but so far nothing
>> I have found and tried works.
>>
>> Is there a way to get an actual reason for the denial? If it flat-out
>> told me a reason I could troubleshoot. Right now I am just shooting in
>> random directions hoping to hit something since all I get is "Access
>> Denied". Is it possible to see if S4 is denying the connection via a log or
>> something, or if Windows 7 is being stupid...   again?
> I have had a similar problem on a combined AD DC and file server. Are the
> groups in question of scope 'Domain Local'? If so, convert them to Global.
> https://lists.samba.org/archive/samba/2014-March/180173.html
>
> Regards
> Davor
>
>> On 7/27/2014 10:57 AM, Rowland Penny wrote:
>>> On 27/07/14 15:15, Ryan Ashley wrote:
>>>> That solution is for Windows 8. That also is not our issue. The Windows
>>>> 7 Pro 64bit workstations see the server and shares, and they map the shares
>>>> according to group policy, but then everybody gets access denied, despite
>>>> being in the domain groups for which the shares were created. Funny thing
>>>> is that if I logon as domain admin, I get to access the shares. Due to
>>>> this, I fully believe the S4 server is ignoring or not accounting for group
>>>> membership. The "reachfp" account is the domain admin. This is also the
>>>> default owner of files on the shares. The group "administration" contains
>>>> many members and does not grant access, despite the group being granted
>>>> full control. This led me into believing I am still dealing with a
>>>> permissions issue and not another issue. If it was the other issue, I would
>>>> assume domain admin could not see the share or access it. Is that about
>>>> right?
>>>> On 7/27/2014 4:56 AM, Rowland Penny wrote:
>>>>> On 26/07/14 22:20, Ryan Ashley wrote:
>>>>>> Alright, I just read the responses. I have two pickup trucks and one
>>>>>> is older and acting up, so I have been working on it. On to the responses!
>>>>>> Also, I sent this once by accident to Rowland. Still not used to having to
>>>>>> change the reply field to the list. My apologies.
>>>>>>
>>>>>> Yes I set g+s and u+s via chmod. This was great in Samba 3, but I can
>>>>>> undo it if needed. I believe 70028 is "SYSTEM". The directories and files
>>>>>> are owned by "administration", "domain admins", and "SYSTEM". Same for the
>>>>>> other share, except "fbc" instead of "administration". And I used the
>>>>>> linked article as a guide for setting up these shares, so it has been used
>>>>>> up. I only set the sticky bits after it wasn't working. I was trying to get
>>>>>> it working and wanted a standard user and group. Either way, that was the
>>>>>> guide I used before posting to this list.
>>>>>> On 7/26/2014 5:36 AM, Rowland Penny wrote:
>>>>>>> On 26/07/14 10:04, steve wrote:
>>>>>>>> On Sat, 2014-07-26 at 09:10 +0100, Rowland Penny wrote:
>>>>>>>>> On 26/07/14 03:07, Ryan Ashley wrote:
>>>>>>>>>> As per suggestion, I deleted the TDB files after a reboot, then
>>>>>>>>>> brought up nmbd, smbd, and winbindd. All TDB files were regenerated
>>>>>>>>>> but the problem persists. I can resolve AD groups with wbinfo, but
>>>>>>>>>> share access appears to only be granted to the owner. I need this
>>>>>>>>>> fixed ASAP. I am out of ideas now.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 7/25/2014 5:00 PM, Dale Schroeder wrote:
>>>>>>>>>>> I'll reply to you offline also, as these comments are fairly
>>>>>>>>>>> insignificant.
>>>>>>>>>>>
>>>>>>>>>>> On 07/25/2014 7:51 AM, Ryan Ashley wrote:
>>>>>>>>>>>> You are correct. I forgot to change it. Chalk it up to being
>>>>>>>>>>>> exhausted when I did this. I will make the change now. Could this
>>>>>>>>>>>> cause my issues though?
>>>>>>>>>>> In a word, yes.  It appears to be essential.
>>>>>>>>>>>
>>>>>>>>>>> To answer the question in your list email, if you should have any
>>>>>>>>>>> further problems, the cache tdb's may have to be regenerated. There
>>>>>>>>>>> are probably some SAMDOM entries in the default backend, but this may
>>>>>>>>>>> never be an issue since the domain doesn't exist. Beyond that, I
>>>>>>>>>>> can't offer any specific advice because I don't have the ability to
>>>>>>>>>>> use the ad backend here.  We have no Samba DC's nor Windows DC's with
>>>>>>>>>>> SFU installed.
>>>>>>>>>>>
>>>>>>>>>>> Good luck,
>>>>>>>>>>> Dale
>>>>>>>>>>>
>>>>>>>>>>>> On 07/24/2014 03:41 PM, Dale Schroeder wrote:
>>>>>>>>>>>>> Ryan,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Assuming this is a verbatim copy of your config, should not "idmap
>>>>>>>>>>>>> config SAMDOM" actually be "idmap config TRUEVINE"?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Dale
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 07/24/2014 10:25 AM, Ryan Ashley wrote:
>>>>>>>>>>>>>> I have been using Samba4 for ages and love it as a DC and a
>>>>>>>>>>>>>> print-server. I just setup my first member-server designed solely
>>>>>>>>>>>>>> to host file shares, and have hit an issue. Group policy is
>>>>>>>>>>>>>> mapping it correctly for the users in the group, but those users
>>>>>>>>>>>>>> are getting an access denied message from their Windows 7 Pro
>>>>>>>>>>>>>> 64bit clients when accessing the share. I have configured ACLs and
>>>>>>>>>>>>>> the box resolves users and groups. Everything works, except for
>>>>>>>>>>>>>> the shares. Below I attached all of the information I believe to
>>>>>>>>>>>>>> be useful. Ask if you need more, and thank you for your help!
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> smb.conf:
>>>>>>>>>>>>>> ======
>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>>     netbios name = FS01
>>>>>>>>>>>>>>     workgroup = TRUEVINE
>>>>>>>>>>>>>>     security = ADS
>>>>>>>>>>>>>>     realm = TRUEVINE.LAN
>>>>>>>>>>>>>>     encrypt passwords = yes
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>     idmap config *:backend = tdb
>>>>>>>>>>>>>>     idmap config *:range = 70001-80000
>>>>>>>>>>>>>>     idmap config SAMDOM:backend = ad
>>>>>>>>>>>>>>     idmap config SAMDOM:schema_mode = rfc2307
>>>>>>>>>>>>>>     idmap config SAMDOM:range = 500-40000
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>     winbind nss info = rfc2307
>>>>>>>>>>>>>>     winbind trusted domains only = no
>>>>>>>>>>>>>>     winbind use default domain = yes
>>>>>>>>>>>>>>     winbind enum users = yes
>>>>>>>>>>>>>>     winbind enum groups = yes
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>     vfs objects = acl_xattr
>>>>>>>>>>>>>>     map acl inherit = yes
>>>>>>>>>>>>>>     store dos attributes = yes
>>>>>>>>>>>>>>     auth methods = winbind
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [install$]
>>>>>>>>>>>>>>     path = /home/shared/install
>>>>>>>>>>>>>>     comment = "Software installation files"
>>>>>>>>>>>>>>     read only = no
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [staff$]
>>>>>>>>>>>>>>     path = /home/shared/staff
>>>>>>>>>>>>>>     comment = "Staff file share"
>>>>>>>>>>>>>>     read only = no
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [fbc$]
>>>>>>>>>>>>>>     path = /home/shared/fbc
>>>>>>>>>>>>>>     comment = "Family Bible College file share"
>>>>>>>>>>>>>>     read only = no
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ACL List:
>>>>>>>>>>>>>> ======
>>>>>>>>>>>>>> root at fs01:~# getfacl /home/shared/staff/
>>>>>>>>>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>>>>>>>>>> # file: home/shared/staff/
>>>>>>>>>>>>>> # owner: reachfp
>>>>>>>>>>>>>> # group: administration
>>>>>>>>>>>>>> # flags: ss-
>>>>>>>>>>>>>> user::rwx
>>>>>>>>>>>>>> user:reachfp:rwx
>>>>>>>>>>>>>> group::rwx
>>>>>>>>>>>>>> group:administration:rwx
>>>>>>>>>>>>>> group:domain\040admins:rwx
>>>>>>>>>>>>>> group:70028:rwx
>>>>>>>>>>>>>> mask::rwx
>>>>>>>>>>>>>> other::rwx
>>>>>>>>>>>>>> default:user::rwx
>>>>>>>>>>>>>> default:user:reachfp:rwx
>>>>>>>>>>>>>> default:group::---
>>>>>>>>>>>>>> default:group:administration:rwx
>>>>>>>>>>>>>> default:group:domain\040admins:rwx
>>>>>>>>>>>>>> default:group:70028:rwx
>>>>>>>>>>>>>> default:mask::rwx
>>>>>>>>>>>>>> default:other::---
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> root at fs01:~# getfacl /home/shared/fbc/
>>>>>>>>>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>>>>>>>>>> # file: home/shared/fbc/
>>>>>>>>>>>>>> # owner: reachfp
>>>>>>>>>>>>>> # group: fbc
>>>>>>>>>>>>>> # flags: ss-
>>>>>>>>>>>>>> user::rwx
>>>>>>>>>>>>>> user:reachfp:rwx
>>>>>>>>>>>>>> group::rwx
>>>>>>>>>>>>>> group:fbc:rwx
>>>>>>>>>>>>>> group:domain\040admins:rwx
>>>>>>>>>>>>>> group:70028:rwx
>>>>>>>>>>>>>> mask::rwx
>>>>>>>>>>>>>> other::rwx
>>>>>>>>>>>>>> default:user::rwx
>>>>>>>>>>>>>> default:user:reachfp:rwx
>>>>>>>>>>>>>> default:group::---
>>>>>>>>>>>>>> default:group:fbc:rwx
>>>>>>>>>>>>>> default:group:domain\040admins:rwx
>>>>>>>>>>>>>> default:group:70028:rwx
>>>>>>>>>>>>>> default:mask::rwx
>>>>>>>>>>>>>> default:other::---
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> NSSwitch:
>>>>>>>>>>>>>> ======
>>>>>>>>>>>>>> # /etc/nsswitch.conf
>>>>>>>>>>>>>> #
>>>>>>>>>>>>>> # Example configuration of GNU Name Service Switch functionality.
>>>>>>>>>>>>>> # If you have the `glibc-doc-reference' and `info' packages
>>>>>>>>>>>>>> installed, try:
>>>>>>>>>>>>>> # `info libc "Name Service Switch"' for information about this file.
>>>>>>>>>>>>>> passwd:         compat winbind
>>>>>>>>>>>>>> group:          compat winbind
>>>>>>>>>>>>>> shadow:         compat
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> hosts:          files dns
>>>>>>>>>>>>>> networks:       files
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> protocols:      db files
>>>>>>>>>>>>>> services:       db files
>>>>>>>>>>>>>> ethers:         db files
>>>>>>>>>>>>>> rpc:            db files
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> netgroup:       nis
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> FS Permissions:
>>>>>>>>>>>>>> ==========
>>>>>>>>>>>>>> root at fs01:~# l /home/shared
>>>>>>>>>>>>>> total 40
>>>>>>>>>>>>>> drwsrwsrwx+  6 reachfp fbc             4096 Jul 23 11:31 fbc
>>>>>>>>>>>>>> drwsrws---+  8 reachfp domain admins   4096 Jul 23 11:14 install
>>>>>>>>>>>>>> drwx------   2 root    root           16384 Jul 15 10:00 lost+found
>>>>>>>>>>>>>> drwsrwsrwx+ 13 reachfp administration  4096 Jul 23 11:30 staff
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> As you can see, I even tried changing the directory permissions to
>>>>>>>>>>>>>> 777 and still no go. The users in the "administration" group are
>>>>>>>>>>>>>> getting the drive mapped but are being denied access to it. Same
>>>>>>>>>>>>>> for FBC. I have worked on this for days now and cannot get
>>>>>>>>>>>>>> anywhere. What should I try next?
>>>>>>>>> You seem to have 'flags' set on the directories, as I have never seen
>>>>>>>>> this before I read the manpage and found this means that all files in
>>>>>>>>> the directory will be owned by whoever owns the directory. I do not know
>>>>>>>>> how you set the 'flags' but I suggest you find out how to remove them, I
>>>>>>>>> think that this will cure your problem.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>> Hi
>>>>>>>> @Rowland
>>>>>>>> chmod u-s <folder>
>>>>>>>> and
>>>>>>>> chmod g-s <folder>
>>>>>>>
>>>>>>> Hi, I actually knew that ;-) I was trying to get the OP to read up
>>>>>>> on getfacl a bit more.
>>>>>>>>
>>>>>>>> I think that's OK, but I've suggested removing everything and starting
>>>>>>>> with only the sticky bit on group:
>>>>>>>> chmod g+s
>>>>>>>> in combination with the group rw acl. That is all we are using here for
>>>>>>>> our group access share. What we are not seeing here are the xacls, but
>>>>>>>> the OP is doing it on the samba side. The group rw maps fine in windows.
>>>>>>>> It also looks as though windows has had its say too as there is a
>>>>>>>> builtin acl set too.
>>>>>>>> Cheers,
>>>>>>>> Steve
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> I would also suggest that the OP has a read here:
>>>>>>>
>>>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>>>>> Rowland
>>>>>>>
>>>>> OK, after a bit more thought, I decided that as everything seems to be
>>>>> correct it is probably a windows problem. A quick internet search turned
>>>>> this up:
>>>>>
>>>>> http://www.eightforums.com/network-sharing/18056-w2k3-server-can-access-windows-8-windows-8-computer-cant-see-w2k-server.html#post177162
>>>>> Have a look, I think that it may fix your problems.
>>>>>
>>>>> Rowland
>>>>
>>> You are missing the point, I probably could have chosen a better target
>>> but I only spent about 30secs on the search:
>>> windows 7 64 bit access denied samba
>>>
>>> This returns About 116,000 results, here's another one:
>>>
>>> http://www.sevenforums.com/network-sharing/242602-can-t-connect-samba-share-win-7-ultimate-64-bit.html
>>> Try looking into this before dismissing it out of hand and insisting
>>> that samba is the problem.
>>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
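Editor's note: the one concrete defect visible in the posted configuration is the one Dale points out: the idmap blocks are written for a domain called SAMDOM while the workgroup is TRUEVINE. An "idmap config DOMAIN:" block is only consulted for SIDs of that domain, so a block for a domain name that does not exist is never used and every TRUEVINE SID is mapped by the "*" default backend (tdb, range 70001-80000) instead of by the rfc2307 attributes in AD. The unresolved "group:70028" in the getfacl output sits inside that "*" range, which is consistent with that. The script below is an added example, not code from the thread or from the Samba project: it parses the [global] section of an smb.conf, flags idmap blocks whose domain is neither the workgroup nor a trusted domain you name, reports overlapping ranges, and says which range a numeric id from getfacl came from. The function names (check_idmap, locate_id, parse_global) are mine, and SAMPLE_SMB_CONF is a constructed copy of the config posted in the thread with the mismatch left in.

```python
"""Consistency checks for the winbind idmap section of an smb.conf.

Added example, not code from the thread or from the Samba project. It parses
the [global] section, pulls out 'workgroup' and every
'idmap config <DOMAIN>:<key>' entry, and reports an idmap block whose domain
is not the workgroup (or a trusted domain passed in). Such a block is never
consulted, so SIDs of the real domain fall through to the '*' default
backend and get ids from the '*' range. locate_id() tells you which range a
numeric id seen in getfacl output (such as group 70028) came from.
"""
import re

# Constructed sample: a copy of the [global] section posted in the thread
# (share sections trimmed to one), with the SAMDOM/TRUEVINE mismatch intact.
SAMPLE_SMB_CONF = """
[global]
    netbios name = FS01
    workgroup = TRUEVINE
    security = ADS
    realm = TRUEVINE.LAN

    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 500-40000

    winbind nss info = rfc2307
    vfs objects = acl_xattr

[staff$]
    path = /home/shared/staff
    read only = no
"""

# 'idmap config <DOMAIN>:<key> = <value>'; the domain may be '*'.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_global(text):
    """Return (params, idmap): plain [global] options, and DOMAIN -> {key: value}."""
    params, idmap, section = {}, {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].strip().lower()
            continue
        if section != "global":
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            idmap.setdefault(dom.upper(), {})[key.lower()] = val
        elif "=" in stripped:
            k, v = stripped.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return params, idmap


def parse_range(spec):
    """'500-40000' -> (500, 40000)."""
    lo, hi = (int(x) for x in spec.split("-", 1))
    return lo, hi


def check_idmap(text, trusted=()):
    """Return (findings, ranges): a list of human-readable problems, and each
    idmap domain mapped to its (low, high) id range."""
    params, idmap = parse_global(text)
    findings = []
    wg = params.get("workgroup", "").upper()
    known = {"*", wg} | {t.upper() for t in trusted}
    for dom in idmap:
        if dom not in known:
            findings.append(
                f"idmap config {dom}: does not match workgroup {wg} or any trusted "
                f"domain, so it is never used; {wg} SIDs fall through to the '*' backend")
    if wg and wg not in idmap:
        default = idmap.get("*", {}).get("backend", "unset")
        findings.append(
            f"no 'idmap config {wg}:' block; {wg} ids are allocated by the '*' backend ({default})")
    ranges = {}
    for dom, cfg in idmap.items():
        if "range" not in cfg:
            findings.append(f"idmap config {dom}: has no range")
        else:
            ranges[dom] = parse_range(cfg["range"])
    doms = sorted(ranges)
    for i, a in enumerate(doms):          # pairwise overlap check
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"ranges for {a} and {b} overlap")
    return findings, ranges


def locate_id(num, ranges):
    """Name of the idmap domain whose range contains num, or None."""
    for dom, (lo, hi) in ranges.items():
        if lo <= num <= hi:
            return dom
    return None


if __name__ == "__main__":
    problems, found_ranges = check_idmap(SAMPLE_SMB_CONF)
    for p in problems:
        print("PROBLEM:", p)
    print("gid 70028 comes from range:", locate_id(70028, found_ranges))
```

Run it against the posted config and it reports the unused SAMDOM block, the missing TRUEVINE block, and that 70028 belongs to the "*" range; rename SAMDOM to TRUEVINE and it reports nothing. Ids already handed out by the tdb backend stay in its database after the rename, which is why the advice in the thread to clear the cache tdb files and restart winbindd goes together with the config fix.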



More information about the samba mailing list