[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Fri Jul 25 12:12:34 MDT 2014


Alright, even with that change they cannot access the share. I do not have SELinux on this system to my knowledge. The only change since my initial post was changing SAMDOM in my config to TRUEVINE as was pointed out. I then rebooted the server for good measure. People in the AD group FBC are still denied access to the FBC share and people in the AD administration group are still denied access to the staff share.



-------- Original message --------
From: Ryan Ashley <ryana at reachtechfp.com>
Date: 2014/07/25 11:21 (GMT-05:00)
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4 AD share: Access denied

I just realized reply sent this straight to you, Dale. Sorry about that.

I have made the changes but am not sure if it worked yet. I rebooted the 
system, which happens to be a Debian Wheezy 64bit system running under 
XenServer. Now I am waiting for a complaint. So far none, which is good. 
I will respond again if anything fails to work.

Just for kicks, are there any TDB files I should delete now that I 
changed this?

On 07/24/2014 03:41 PM, Dale Schroeder wrote:
> Ryan,
>
> Assuming this is a verbatim copy of your config, should not "idmap 
> config SAMDOM" actually be "idmap config TRUEVINE"?
>
> Dale
>
> On 07/24/2014 10:25 AM, Ryan Ashley wrote:
>> I have been using Samba4 for ages and love it as a DC and a 
>> print-server. I just set up my first member-server designed solely to 
>> host file shares, and have hit an issue. Group policy is mapping it 
>> correctly for the users in the group, but those users are getting an 
>> access denied message from their Windows 7 Pro 64bit clients when 
>> accessing the share. I have configured ACLs and the box resolves 
>> users and groups. Everything works, except for the shares. Below I 
>> attached all of the information I believe to be useful. Ask if you 
>> need more, and thank you for your help!
>>
>> smb.conf:
>> ======
>> [global]
>>   netbios name = FS01
>>   workgroup = TRUEVINE
>>   security = ADS
>>   realm = TRUEVINE.LAN
>>   encrypt passwords = yes
>>
>>   idmap config *:backend = tdb
>>   idmap config *:range = 70001-80000
>>   idmap config SAMDOM:backend = ad
>>   idmap config SAMDOM:schema_mode = rfc2307
>>   idmap config SAMDOM:range = 500-40000
>>
>>   winbind nss info = rfc2307
>>   winbind trusted domains only = no
>>   winbind use default domain = yes
>>   winbind enum users = yes
>>   winbind enum groups = yes
>>
>>   vfs objects = acl_xattr
>>   map acl inherit = yes
>>   store dos attributes = yes
>>   auth methods = winbind
>>
>> [install$]
>>   path = /home/shared/install
>>   comment = "Software installation files"
>>   read only = no
>>
>> [staff$]
>>   path = /home/shared/staff
>>   comment = "Staff file share"
>>   read only = no
>>
>> [fbc$]
>>   path = /home/shared/fbc
>>   comment = "Family Bible College file share"
>>   read only = no
>>
>>
>>
>> ACL List:
>> ======
>> root at fs01:~# getfacl /home/shared/staff/
>> getfacl: Removing leading '/' from absolute path names
>> # file: home/shared/staff/
>> # owner: reachfp
>> # group: administration
>> # flags: ss-
>> user::rwx
>> user:reachfp:rwx
>> group::rwx
>> group:administration:rwx
>> group:domain\040admins:rwx
>> group:70028:rwx
>> mask::rwx
>> other::rwx
>> default:user::rwx
>> default:user:reachfp:rwx
>> default:group::---
>> default:group:administration:rwx
>> default:group:domain\040admins:rwx
>> default:group:70028:rwx
>> default:mask::rwx
>> default:other::---
>>
>> root at fs01:~# getfacl /home/shared/fbc/
>> getfacl: Removing leading '/' from absolute path names
>> # file: home/shared/fbc/
>> # owner: reachfp
>> # group: fbc
>> # flags: ss-
>> user::rwx
>> user:reachfp:rwx
>> group::rwx
>> group:fbc:rwx
>> group:domain\040admins:rwx
>> group:70028:rwx
>> mask::rwx
>> other::rwx
>> default:user::rwx
>> default:user:reachfp:rwx
>> default:group::---
>> default:group:fbc:rwx
>> default:group:domain\040admins:rwx
>> default:group:70028:rwx
>> default:mask::rwx
>> default:other::---
>>
>>
>>
>> NSSwitch:
>> ======
>> # /etc/nsswitch.conf
>> #
>> # Example configuration of GNU Name Service Switch functionality.
>> # If you have the `glibc-doc-reference' and `info' packages installed, try:
>> # `info libc "Name Service Switch"' for information about this file.
>>
>> passwd:         compat winbind
>> group:          compat winbind
>> shadow:         compat
>>
>> hosts:          files dns
>> networks:       files
>>
>> protocols:      db files
>> services:       db files
>> ethers:         db files
>> rpc:            db files
>>
>> netgroup:       nis
>>
>>
>>
>> FS Permissions:
>> ==========
>> root at fs01:~# l /home/shared
>> total 40
>> drwsrwsrwx+  6 reachfp fbc             4096 Jul 23 11:31 fbc
>> drwsrws---+  8 reachfp domain admins   4096 Jul 23 11:14 install
>> drwx------   2 root    root           16384 Jul 15 10:00 lost+found
>> drwsrwsrwx+ 13 reachfp administration  4096 Jul 23 11:30 staff
>>
>>
>>
>> As you can see, I even tried changing the directory permissions to 
>> 777 and still no go. The users in the "administration" group are 
>> getting the drive mapped but are being denied access to it. Same for 
>> FBC. I have worked on this for days now and cannot get anywhere. What 
>> should I try next?
>
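
An added example, not part of the original thread and not Samba's own tooling: a small lint for the mismatch Dale pointed out, comparing each `idmap config <DOMAIN>` name against `workgroup`, plus a lookup of which configured range a numeric ID falls into (such as the `group:70028` entry in the getfacl output). The function names are hypothetical and the sample is constructed from the posted `[global]` lines.

```python
import re

# Constructed sample: the [global] workgroup and idmap lines as posted in the thread.
SAMPLE_CONF = """\
[global]
  workgroup = TRUEVINE
  idmap config *:backend = tdb
  idmap config *:range = 70001-80000
  idmap config SAMDOM:backend = ad
  idmap config SAMDOM:schema_mode = rfc2307
  idmap config SAMDOM:range = 500-40000
"""
IDMAP_RE = re.compile(r"^idmap config\s+([^:\s]+)\s*:\s*(.+)$", re.I)

def parse_global(text):
    """Return (workgroup, {domain: {option: value}}) from the [global] section."""
    workgroup, idmap, section = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "global" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            m = IDMAP_RE.match(key)
            if m:
                idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
            elif key.lower() == "workgroup":
                workgroup = value.upper()
    return workgroup, idmap

def lint_idmap(text):
    """Flag idmap domains other than the workgroup, and a workgroup with no
    idmap config of its own. A non-matching name may be a trusted domain,
    so treat that finding as a prompt to review, not proof of an error."""
    workgroup, idmap = parse_global(text)
    findings = [f"idmap config {d} does not match workgroup {workgroup}"
                for d in idmap if d not in ("*", workgroup)]
    if workgroup not in idmap:
        findings.append(f"workgroup {workgroup} has no idmap config; '*' applies")
    return findings

def domains_for_id(text, unix_id):
    """Return the idmap domains whose configured range contains unix_id."""
    _, idmap = parse_global(text)
    ranges = {d: [int(x) for x in o["range"].split("-")]
              for d, o in idmap.items() if "range" in o}
    return [d for d, (lo, hi) in ranges.items() if lo <= unix_id <= hi]
```

On the posted config this reports both the SAMDOM/TRUEVINE mismatch and that 70028 sits in the `*` range; with SAMDOM renamed to TRUEVINE the lint returns no findings, which only confirms the naming, not that share access works.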
