[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Mon Jul 28 16:33:08 MDT 2014


     More information in another winbind log. I attempted to login to a 
remote Windows 7 box with a normal user account which is in both groups 
and should get both drives. Windows logs access denied and does not map 
the drives, and I get this in the logs. At this point I am fairly sure 
winbind is having issues speaking to the DC due to a missing module 
which I can find nothing about online. I did use Google for a while 
today and cannot find a match for the phrases below, so I am stuck.

log.wb-TRUEVINE:
[2014/07/28 18:24:52.880743,  3] 
../source3/winbindd/winbindd_ads.c:597(query_user)
   ads: query_user
[2014/07/28 18:24:52.883979,  1] 
../source3/winbindd/winbindd_ads.c:710(query_user)
   nss_get_info_cached failed: NT_STATUS_NOT_FOUND

log.winbind-idmap:
[2014/07/28 18:24:52.883979,  3] 
../lib/krb5_wrap/krb5_samba.c:266(ads_cleanup_expired_creds)
   ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] 
expiration Mon, 28 Jul 2014 20:14:44 EDT
[2014/07/28 18:24:52.883991,  0] 
../source3/winbindd/winbindd.c:266(winbindd_sig_term_handler)
   Got sig[15] terminate (is_parent=0)
[2014/07/28 18:24:52.884011,  3] 
../source3/winbindd/idmap.c:230(idmap_init_domain)
   idmap backend ad not found
[2014/07/28 18:24:52.884072,  3] 
../source3/winbindd/idmap.c:235(idmap_init_domain)
   Could not probe idmap module ad

On 7/28/2014 11:16 AM, Ryan Ashley wrote:
> Found the problem, I believe
>
> [2014/07/28 10:14:44.828015,  3] 
> ../lib/krb5_wrap/krb5_samba.c:266(ads_cleanup_expired_creds)
>   ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] 
> expiration Mon, 28 Jul 2014 20:14:44 EDT
> [2014/07/28 10:31:37.274435,  0] 
> ../source3/winbindd/winbindd.c:266(winbindd_sig_term_handler)
>   Got sig[15] terminate (is_parent=0)
> [2014/07/28 11:02:32.032341,  3] 
> ../source3/winbindd/idmap.c:230(idmap_init_domain)
>   idmap backend ad not found
> [2014/07/28 11:02:32.051673,  3] 
> ../source3/winbindd/idmap.c:235(idmap_init_domain)
>   Could not probe idmap module ad
>
> As you can see, winbind is having issues with AD. What could cause 
> this? Currently I have set share permissions in Linux to 777 and am 
> running S4 4.1.10 from the v4-1-stable branch. Is this something I can 
> fix?
>
> On 07/28/2014 10:19 AM, Ryan Ashley wrote:
>> Great, so by doing "git clone git://git.samba.org/samba.git 
>> samba-master" I am by default cloning the testing branch. I am going 
>> to do a checkout on stable and try again.
>>
>> On 07/28/2014 10:11 AM, Rowland Penny wrote:
>>> On 28/07/14 15:00, Ryan Ashley wrote:
>>>> Odd, but it says I am using 4.2.0, which is higher than 4.1.8.
>>>>
>>>> root at fs01:/usr/src/samba-master# samba-tool -V
>>>> 4.2.0pre1-GIT-d097898
>>>> root at fs01:/usr/src/samba-master# winbindd -V
>>>> Version 4.2.0pre1-GIT-d097898
>>>> root at fs01:/usr/src/samba-master# nmbd -V
>>>> Version 4.2.0pre1-GIT-d097898
>>>> root at fs01:/usr/src/samba-master#
>>>>
>>>> I normally clone, configure, and build. Is the stable branch not 
>>>> default? Am I building a testing branch? Should I checkout on the 
>>>> stable branch?
>>>>
>>>> On 07/28/2014 09:50 AM, Rowland Penny wrote:
>>>>> On 28/07/14 14:41, Ryan Ashley wrote:
>>>>>> Alright, I was poking around this morning trying to make this 
>>>>>> work, and noticed something odd. Loads of zombie nmbd processes. 
>>>>>> Check out the dump below and tell me, what is going on here? Is 
>>>>>> this my problem?
>>>>>>
>>>>>> root at fs01:~# ps x
>>>>>>   PID TTY      STAT   TIME COMMAND
>>>>>>     1 ?        Ss     0:02 init [2]
>>>>>>     2 ?        S      0:00 [kthreadd]
>>>>>>     3 ?        S      0:00 [ksoftirqd/0]
>>>>>>     5 ?        S      0:00 [kworker/u:0]
>>>>>>     6 ?        S      0:00 [migration/0]
>>>>>>     7 ?        S      0:01 [watchdog/0]
>>>>>>     8 ?        S<     0:00 [cpuset]
>>>>>>     9 ?        S<     0:00 [khelper]
>>>>>>    10 ?        S      0:00 [kdevtmpfs]
>>>>>>    11 ?        S<     0:00 [netns]
>>>>>>    12 ?        S      0:00 [xenwatch]
>>>>>>    13 ?        S      0:00 [xenbus]
>>>>>>    14 ?        S      0:01 [sync_supers]
>>>>>>    15 ?        S      0:00 [bdi-default]
>>>>>>    16 ?        S<     0:00 [kintegrityd]
>>>>>>    17 ?        S<     0:00 [kblockd]
>>>>>>    19 ?        S      0:00 [khungtaskd]
>>>>>>    20 ?        S      0:00 [kswapd0]
>>>>>>    21 ?        SN     0:00 [ksmd]
>>>>>>    22 ?        SN     0:00 [khugepaged]
>>>>>>    23 ?        S      0:00 [fsnotify_mark]
>>>>>>    24 ?        S<     0:00 [crypto]
>>>>>>   173 ?        S      0:00 [jbd2/xvda1-8]
>>>>>>   174 ?        S<     0:00 [ext4-dio-unwrit]
>>>>>>   183 ?        S      0:00 [kworker/u:1]
>>>>>>   313 ?        Ss     0:00 udevd --daemon
>>>>>>   420 ?        S      0:00 udevd --daemon
>>>>>>   425 ?        S      0:00 udevd --daemon
>>>>>>   433 ?        S      0:00 [khubd]
>>>>>>   438 ?        S<     0:00 [kpsmoused]
>>>>>>   445 ?        S<     0:00 [ata_sff]
>>>>>>   471 ?        S      0:00 [scsi_eh_0]
>>>>>>   472 ?        S      0:00 [scsi_eh_1]
>>>>>>  1295 ?        S      0:00 [jbd2/xvda2-8]
>>>>>>  1296 ?        S<     0:00 [ext4-dio-unwrit]
>>>>>>  1297 ?        S      0:01 [flush-202:0]
>>>>>>  1298 ?        S      0:00 [jbd2/xvda9-8]
>>>>>>  1299 ?        S<     0:00 [ext4-dio-unwrit]
>>>>>>  1300 ?        S      0:00 [jbd2/xvda10-8]
>>>>>>  1301 ?        S<     0:00 [ext4-dio-unwrit]
>>>>>>  1302 ?        S      0:00 [jbd2/xvda8-8]
>>>>>>  1303 ?        S<     0:00 [ext4-dio-unwrit]
>>>>>>  1307 ?        S      0:00 [jbd2/xvda11-8]
>>>>>>  1308 ?        S<     0:00 [ext4-dio-unwrit]
>>>>>>  1309 ?        S      0:00 [jbd2/xvda3-8]
>>>>>>  1310 ?        S<     0:00 [ext4-dio-unwrit]
>>>>>>  1311 ?        S      0:00 [jbd2/xvda4-8]
>>>>>>  1312 ?        S<     0:00 [ext4-dio-unwrit]
>>>>>>  1313 ?        S      0:00 [jbd2/xvda5-8]
>>>>>>  1314 ?        S<     0:00 [ext4-dio-unwrit]
>>>>>>  1315 ?        S      0:00 [jbd2/xvda6-8]
>>>>>>  1316 ?        S<     0:00 [ext4-dio-unwrit]
>>>>>>  1317 ?        S      0:00 [jbd2/xvda7-8]
>>>>>>  1318 ?        S<     0:00 [ext4-dio-unwrit]
>>>>>>  1319 ?        S      0:00 [jbd2/xvdb1-8]
>>>>>>  1320 ?        S<     0:00 [ext4-dio-unwrit]
>>>>>>  1780 ?        Sl     0:00 /usr/sbin/rsyslogd -c5
>>>>>>  1811 ?        Ss     0:00 /usr/sbin/acpid
>>>>>>  1903 ?        Ss     0:00 /usr/sbin/cron
>>>>>>  1998 ?        Ss     0:00 /usr/sbin/sshd
>>>>>>  2022 tty1     Ss+    0:00 /sbin/getty 38400 tty1
>>>>>>  2023 tty2     Ss+    0:00 /sbin/getty 38400 tty2
>>>>>>  2024 tty3     Ss+    0:00 /sbin/getty 38400 tty3
>>>>>>  2025 tty4     Ss+    0:00 /sbin/getty 38400 tty4
>>>>>>  2026 tty5     Ss+    0:00 /sbin/getty 38400 tty5
>>>>>>  2027 tty6     Ss+    0:00 /sbin/getty 38400 tty6
>>>>>>  2041 ?        Ss     0:03 nmbd
>>>>>>  2043 ?        Ss     0:03 smbd
>>>>>>  2045 ?        Ss     0:00 winbindd
>>>>>>  2046 ?        S      0:02 winbindd
>>>>>>  2047 ?        S      0:00 winbindd
>>>>>>  2048 ?        S      0:00 winbindd
>>>>>>  2049 ?        S      0:00 smbd
>>>>>>  2067 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2085 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2109 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2127 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2145 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2163 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2185 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2203 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2223 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2241 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2263 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2281 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2299 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2317 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2339 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2357 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2375 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2393 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2415 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2433 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2451 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2469 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2491 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2509 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2527 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2545 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2567 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2585 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2603 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2621 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2643 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2661 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2679 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2697 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2719 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2737 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2755 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2773 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2795 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2813 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2831 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2849 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2871 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2889 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2907 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2925 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2946 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2964 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  2982 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3000 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3022 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3040 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3058 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3076 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3098 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3116 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3134 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3152 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3174 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3192 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3210 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3228 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3250 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3268 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3285 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3303 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3325 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3343 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3361 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3380 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3402 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3420 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3438 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3456 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3574 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3592 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3610 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3628 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3650 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3668 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3686 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3704 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3726 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3744 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3762 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3780 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3802 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3820 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3838 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3856 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3878 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3896 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3914 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3932 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3954 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3972 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  3990 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4008 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4030 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4048 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4066 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4084 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4106 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4124 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4142 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4160 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4182 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4200 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4220 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4238 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4261 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4279 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4297 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4315 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4337 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4355 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4373 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4391 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4413 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4431 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4449 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4467 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4489 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4507 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4525 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4543 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4565 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4583 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4601 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4619 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4641 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4659 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4677 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4694 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4716 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4734 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4752 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4770 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4792 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4811 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4829 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4847 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4869 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4887 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4905 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4923 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4945 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4963 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4981 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  4999 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5021 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5039 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5057 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5075 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5097 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5115 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5133 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5151 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5173 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5191 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5209 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5227 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5249 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5267 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5285 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5303 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5325 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5343 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5361 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5379 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5525 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5543 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5571 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5589 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5611 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5630 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5648 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5666 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5688 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5706 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5724 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5742 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5764 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5782 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5800 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5818 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5840 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5858 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5876 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5894 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5916 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5934 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5952 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5970 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  5992 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6010 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6028 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6046 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6068 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6086 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6104 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6122 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6144 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6161 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6179 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6197 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6219 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6238 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6256 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6274 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6296 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6314 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6332 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6350 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6372 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6390 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6408 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6426 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6448 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6466 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6484 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6502 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6524 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6542 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6560 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6578 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6600 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6618 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6636 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6654 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6676 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6694 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6712 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6730 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6752 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6770 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6789 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6807 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6829 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6847 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6852 ?        S      0:01 [kworker/0:0]
>>>>>>  6867 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6885 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6906 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6924 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6942 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6960 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  6982 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7000 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7018 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7036 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7058 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7076 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7094 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7112 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7134 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7152 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7170 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7188 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7210 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7228 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7246 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7264 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7286 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7304 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7322 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7340 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7458 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7476 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7494 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7512 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7534 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7552 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7569 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7587 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7609 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7627 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7645 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7665 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7676 ?        S      0:00 [kworker/0:2]
>>>>>>  7687 ?        Z      0:00 [nmbd] <defunct>
>>>>>>  7697 ?        Ss     0:00 sshd: root at pts/0
>>>>>>  7699 pts/0    Ss     0:00 -bash
>>>>>>  7711 ?        S      0:00 [kworker/0:1]
>>>>>>  7718 ?        S      0:00 [flush-202:16]
>>>>>>  7721 pts/0    R+     0:00 ps x
>>>>>>
>>>>>> On 07/28/2014 09:18 AM, Ryan Ashley wrote:
>>>>>>> I have never even played with apparmor. I do my Debian installs 
>>>>>>> using a net CD and doing the expert 64bit install. I disable 
>>>>>>> recommended and suggested packages and install only exactly what 
>>>>>>> I need, so I do not have apparmor or selinux. Good thought 
>>>>>>> though. I also tried disabling the firewall on a test PC and 
>>>>>>> still no go. This has NEVER happened before so I am lost.
>>>>>>>
>>>>>>> So where else should I look? The system in question is a domain 
>>>>>>> member server, can resolve users and groups, and can set ACLs 
>>>>>>> with user and groups from AD. It is simply denying access to 
>>>>>>> group members of said shares.
>>>>>>>
>>>>>>> On 07/28/2014 05:02 AM, Rowland Penny wrote:
>>>>>>>> On 27/07/14 16:28, Ryan Ashley wrote:
>>>>>>>>> I understand and I should have stated more clearly that I have 
>>>>>>>>> been going through those results for over a week now. Nothing 
>>>>>>>>> seems to help. Funny thing is that creating a second virtual 
>>>>>>>>> file-server and using share authentication works fine. Yet 
>>>>>>>>> another reason I am leaning towards group issues. If the 
>>>>>>>>> file-server is share-level the Windows 7 boxes are happy. As 
>>>>>>>>> soon as it goes AD and uses AD groups, they stop working. I 
>>>>>>>>> have not tried user-level security yet. Then again I may have 
>>>>>>>>> user-level and share-level confused. It has been a long week. 
>>>>>>>>> I will keep searching but so far nothing I have found and 
>>>>>>>>> tried works.
>>>>>>>>>
>>>>>>>>> Is there a way to get an actual reason for the denial? If it 
>>>>>>>>> flat-out told me a reason I could troubleshoot. Right now I am 
>>>>>>>>> just shooting in random directions hoping to hit something 
>>>>>>>>> since all I get is "Access Denied". Is it possible to see is 
>>>>>>>>> S4 is denying the connection via a log or something, or if 
>>>>>>>>> Windows 7 is being stupid... again?
>>>>>>>>>
>>>>>>>>> On 7/27/2014 10:57 AM, Rowland Penny wrote:
>>>>>>>>>> On 27/07/14 15:15, Ryan Ashley wrote:
>>>>>>>>>>> That solution is for Windows 8. That also is not our issue. 
>>>>>>>>>>> The WIndows 7 Pro 64bit workstations see the server and 
>>>>>>>>>>> shares, and they map the shares according to group policy, 
>>>>>>>>>>> but then everybody gets access denied, despite being in the 
>>>>>>>>>>> domain groups for which the shares were created. Funny thing 
>>>>>>>>>>> is that if I logon as domain admin, I get to access the 
>>>>>>>>>>> shares. Due to this, I fully believe the S4 server is 
>>>>>>>>>>> ignoring or not accounting for group membership. The 
>>>>>>>>>>> "reachfp" account is the domain admin. This is also the 
>>>>>>>>>>> default owner of files on the shares. The group 
>>>>>>>>>>> "administration" contains many members and does not grant 
>>>>>>>>>>> access, despite the group being granted full control. This 
>>>>>>>>>>> lead e into believing I am still dealing with a permissions 
>>>>>>>>>>> issue and not another issue. If it was the other issue, I 
>>>>>>>>>>> would assume domain admin could not see the share or access 
>>>>>>>>>>> it. Is that about right?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> You are missing the point, I probably could have chosen a 
>>>>>>>>>> better target but I only spent about 30secs on the search:
>>>>>>>>>>
>>>>>>>>>> windows 7 64 bit access denied samba
>>>>>>>>>>
>>>>>>>>>> This returns About 116,000 results, here's another one:
>>>>>>>>>>
>>>>>>>>>> http://www.sevenforums.com/network-sharing/242602-can-t-connect-samba-share-win-7-ultimate-64-bit.html 
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Try looking into this before dismissing it out of hand and 
>>>>>>>>>> insisting that samba is the problem.
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>> OK, after more thought and re-reading your posts, a thought has 
>>>>>>>> popped into my head, apparmor, do you have this running on the 
>>>>>>>> server ?
>>>>>>>> I have been caught out by this a few times, not being allowed 
>>>>>>>> to do things that I thought I should be able to do, or packages 
>>>>>>>> not running correctly because they were not allowed access, in 
>>>>>>>> every case it was apparmor. As I could never get apparmor to 
>>>>>>>> play ball with me (I thought that I had found all rights that 
>>>>>>>> needed modding and then another one would pop its head up and 
>>>>>>>> what is in the logs bares no resemblance to what you need to 
>>>>>>>> put in the conf file), I now disable apparmor straight after 
>>>>>>>> installing a new system.
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>
>>>>>>
>>>>> Somebody else reported this problem, he went to 4.1.8 and the 
>>>>> zombie nmbd problem went away, if you upgrade to the latest samba4 
>>>>> you may hit two birds with one stone, the nmbd problem and your 
>>>>> group problem ;-)
>>>>>
>>>>> Rowland
>>>>
>>> Hi, what you are using is not the stable branch, it is the branch 
>>> that will become the next release i.e. 4.2. This does not mean that 
>>> you shouldn't use it, it just means that it could be upgraded at any 
>>> time until it is 'frozen' just before release. These upgrades 
>>> 'could' break something, not saying they will, just that they could, 
>>> for production use I would use the latest version from here:
>>>
>>>  https://ftp.samba.org/pub/samba/stable/
>>>
>>> Rowland
>>>
>>
>



More information about the samba mailing list