[Samba] Samba 4 AD share: Access denied

Rowland Penny rowlandpenny at googlemail.com
Tue Jul 29 08:51:59 MDT 2014


On 29/07/14 15:33, Ryan Ashley wrote:
> I will checkout the module later. Working is my top priority as you 
> stated. However, you have me curious now. If this keytab is created, 
> where the heck is it created? I am looking for it in /var/lib/samba, 
> /etc, and other places. None of my member servers have it and they all 
> seem to work, minus this stubborn one of course.

If you set smb.conf up correctly and then run 'net ads join -U 
Administrator@EXAMPLE.COM', you should find that /etc/krb5.keytab is 
created.

>
> Also, I did a test earlier and wanted to share the results. This thing 
> keeps complaining about an idmap ad backend not being found, and I 
> honestly believe that is the issue, not Kerberos. I am trying your 
> suggestion because maybe this backend is stored in Kerberos, who 
> knows. Either way, I am being flooded with errors about this "idmap 
> backend ad" not being found.

The 'idmap backend ad' is part of winbind, and as such, should be 
available. If I remember correctly you are using a S4 AD DC, can you 
remember how you provisioned it ?

>
>
> Anyway, I had already added winbind to nsswitch.conf for users and 
> groups, so I wanted to verify the same UID/GID was being pulled. I 
> wiped the winbind idmap tdb files and rebooted. Got the same IDs after 
> it rebooted and created the files again, so no issue there. For 
> example, the "Domain Users" group always has an ID of 70001. That much 
> is working. So what in the heck does the missing backend do? Something 
> is already mapping domain users and groups to IDs, so I am scratching 
> my head on this one.

The 'idmap backend ad' is one that pulls all the user and group info 
from RFC2307 attributes on the AD server.

Rowland

>
> On 07/29/2014 10:22 AM, Rowland Penny wrote:
>> On 29/07/14 15:00, Ryan Ashley wrote:
>>> I understand the basics of Kerberos, but the reason that I am asking 
>>> is because I have dozens of S4 servers in production environments 
>>> and have never had to create the keytab you mentioned. They all just 
>>> worked.
>>
>> If, when you talk about S4 servers, you mean as an AD DC, then yes 
>> you do not require the keytab, but on a member server (or client) 
>> when you join the domain with the net command, the keytab is 
>> created.
>>>
>>> Now, I do not mind modifying my pam settings as I have done on loads 
>>> of Linux workstations which are joined to an AD domain, but how 
>>> would I prevent the login of users? I have a home directory and 
>>> cannot remove it, so there is technically a place for their home 
>>> directories. In Windows I would simply modify group policy to deny 
>>> logon, but we both know Linux knows nothing of a GPO. So without 
>>> removing "/home", how would I prevent login?
>>>
>>> My plan now is to modify pam first, then if needed, do the keytab.
>>
>> I would do it the other way, get everything to work and then if need 
>> be, stop user login with PAM. If you install
>> the packages I suggested, PAM will do all the work for you initially. 
>> You could also investigate a PAM module called 'pam_nologin' , you 
>> should be able to guess what this does ;-)
>>
>> Rowland
>>
>>
>>>
>>> On 07/29/2014 09:22 AM, Rowland Penny wrote:
>>>> On 29/07/14 14:01, Ryan Ashley wrote:
>>>>> I do not have libpam-krb5 installed, nor have I ever had it 
>>>>> installed anywhere, on any system. I also do not modify pam 
>>>>> settings because I do not want users being able to log into the 
>>>>> servers if one decided to be malicious. Currently each server only 
>>>>> has the root account on it and this was fine in S3.
>>>>
>>>> OK, you do not need any other users on the server and as long as 
>>>> there is nowhere for the users to call home, they will not be able 
>>>> to login. Having said that, the computer needs to authenticate 
>>>> users & groups from AD, this is where PAM comes in and you need PAM 
>>>> and kerberos to connect to an AD DC.
>>>>
>>>>>
>>>>> Before I change anything, I would like to know what that keytab 
>>>>> file does. Just playing it safe. If I do not understand it I will 
>>>>> not be able to support it. Thanks for your time and effort, I do 
>>>>> appreciate it.
>>>>
>>>> If you are going to get involved with AD, you need to get involved 
>>>> with kerberos and keytabs, this subject is a bit involved to go 
>>>> into here, but you could start here:
>>>>
>>>> https://itservices.stanford.edu/service/kerberos/keytabs
>>>>
>>>> After that, perhaps the samba wiki and there is always the internet 
>>>> ;-)
>>>>
>>>> Rowland
>>>>
>>>>
>>>>>
>>>>> On 07/29/2014 03:50 AM, Rowland Penny wrote:
>>>>>> On 28/07/14 23:33, Ryan Ashley wrote:
>>>>>>> More information in another winbind log. I attempted to login to 
>>>>>>> a remote Windows 7 box with a normal user account which is in 
>>>>>>> both groups and should get both drives. Windows logs access 
>>>>>>> denied and does not map the drives, and I get this in the logs. 
>>>>>>> At this point I am fairly sure winbind is having issues speaking 
>>>>>>> to the DC due to a missing module which I can find nothing about 
>>>>>>> online. I did use Google for a while today and cannot find a 
>>>>>>> match for the phrases below, so I am stuck.
>>>>>>>
>>>>>>> log.wb-TRUEVINE:
>>>>>>> [2014/07/28 18:24:52.880743,  3] 
>>>>>>> ../source3/winbindd/winbindd_ads.c:597(query_user)
>>>>>>>   ads: query_user
>>>>>>> [2014/07/28 18:24:52.883979,  1] 
>>>>>>> ../source3/winbindd/winbindd_ads.c:710(query_user)
>>>>>>>   nss_get_info_cached failed: NT_STATUS_NOT_FOUND
>>>>>>>
>>>>>>> log.winbind-idmap:
>>>>>>> [2014/07/28 18:24:52.883979,  3] 
>>>>>>> ../lib/krb5_wrap/krb5_samba.c:266(ads_cleanup_expired_creds)
>>>>>>>   ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] 
>>>>>>> expiration Mon, 28 Jul 2014 20:14:44 EDT
>>>>>>> [2014/07/28 18:24:52.883991,  0] 
>>>>>>> ../source3/winbindd/winbindd.c:266(winbindd_sig_term_handler)
>>>>>>>   Got sig[15] terminate (is_parent=0)
>>>>>>> [2014/07/28 18:24:52.884011,  3] 
>>>>>>> ../source3/winbindd/idmap.c:230(idmap_init_domain)
>>>>>>>   idmap backend ad not found
>>>>>>> [2014/07/28 18:24:52.884072,  3] 
>>>>>>> ../source3/winbindd/idmap.c:235(idmap_init_domain)
>>>>>>>   Could not probe idmap module ad
>>>>>>>
>>>>>>> On 7/28/2014 11:16 AM, Ryan Ashley wrote:
>>>>>>>> Found the problem, I believe
>>>>>>>>
>>>>>>>> [2014/07/28 10:14:44.828015,  3] 
>>>>>>>> ../lib/krb5_wrap/krb5_samba.c:266(ads_cleanup_expired_creds)
>>>>>>>>   ads_cleanup_expired_creds: Ticket in 
>>>>>>>> ccache[MEMORY:cliconnect] expiration Mon, 28 Jul 2014 20:14:44 EDT
>>>>>>>> [2014/07/28 10:31:37.274435,  0] 
>>>>>>>> ../source3/winbindd/winbindd.c:266(winbindd_sig_term_handler)
>>>>>>>>   Got sig[15] terminate (is_parent=0)
>>>>>>>> [2014/07/28 11:02:32.032341,  3] 
>>>>>>>> ../source3/winbindd/idmap.c:230(idmap_init_domain)
>>>>>>>>   idmap backend ad not found
>>>>>>>> [2014/07/28 11:02:32.051673,  3] 
>>>>>>>> ../source3/winbindd/idmap.c:235(idmap_init_domain)
>>>>>>>>   Could not probe idmap module ad
>>>>>>>>
>>>>>>>> As you can see, winbind is having issues with AD. What could 
>>>>>>>> cause this? Currently I have set share permissions in Linux to 
>>>>>>>> 777 and am running S4 4.1.10 from the v4-1-stable branch. Is 
>>>>>>>> this something I can fix?
>>>>>>>>
>>>>>>>> On 07/28/2014 10:19 AM, Ryan Ashley wrote:
>>>>>>>>> Great, so by doing "git clone git://git.samba.org/samba.git 
>>>>>>>>> samba-master" I am by default cloning the testing branch. I am 
>>>>>>>>> going to do a checkout on stable and try again.
>>>>>>>>>
>>>>>>>>> On 07/28/2014 10:11 AM, Rowland Penny wrote:
>>>>>>>>>> On 28/07/14 15:00, Ryan Ashley wrote:
>>>>>>>>>>> Odd, but it says I am using 4.2.0, which is higher than 4.1.8.
>>>>>>>>>>>
>>>>>>>>>>> root at fs01:/usr/src/samba-master# samba-tool -V
>>>>>>>>>>> 4.2.0pre1-GIT-d097898
>>>>>>>>>>> root at fs01:/usr/src/samba-master# winbindd -V
>>>>>>>>>>> Version 4.2.0pre1-GIT-d097898
>>>>>>>>>>> root at fs01:/usr/src/samba-master# nmbd -V
>>>>>>>>>>> Version 4.2.0pre1-GIT-d097898
>>>>>>>>>>> root at fs01:/usr/src/samba-master#
>>>>>>>>>>>
>>>>>>>>>>> I normally clone, configure, and build. Is the stable branch 
>>>>>>>>>>> not default? Am I building a testing branch? Should I 
>>>>>>>>>>> checkout on the stable branch?
>>>>>>>>>>>
>>>>>>>>>>> On 07/28/2014 09:50 AM, Rowland Penny wrote:
>>>>>>>>>>>> On 28/07/14 14:41, Ryan Ashley wrote:
>>>>>>>>>>>>> Alright, I was poking around this morning trying to make 
>>>>>>>>>>>>> this work, and noticed something odd. Loads of zombie nmbd 
>>>>>>>>>>>>> processes. Check out the dump below and tell me, what is 
>>>>>>>>>>>>> going on here? Is this my problem?
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 07/28/2014 09:18 AM, Ryan Ashley wrote:
>>>>>>>>>>>>>> I have never even played with apparmor. I do my Debian 
>>>>>>>>>>>>>> installs using a net CD and doing the expert 64bit 
>>>>>>>>>>>>>> install. I disable recommended and suggested packages and 
>>>>>>>>>>>>>> install only exactly what I need, so I do not have 
>>>>>>>>>>>>>> apparmor or selinux. Good thought though. I also tried 
>>>>>>>>>>>>>> disabling the firewall on a test PC and still no go. This 
>>>>>>>>>>>>>> has NEVER happened before so I am lost.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> So where else should I look? The system in question is a 
>>>>>>>>>>>>>> domain member server, can resolve users and groups, and 
>>>>>>>>>>>>>> can set ACLs with user and groups from AD. It is simply 
>>>>>>>>>>>>>> denying access to group members of said shares.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 07/28/2014 05:02 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>> On 27/07/14 16:28, Ryan Ashley wrote:
>>>>>>>>>>>>>>>> I understand and I should have stated more clearly that 
>>>>>>>>>>>>>>>> I have been going through those results for over a week 
>>>>>>>>>>>>>>>> now. Nothing seems to help. Funny thing is that 
>>>>>>>>>>>>>>>> creating a second virtual file-server and using share 
>>>>>>>>>>>>>>>> authentication works fine. Yet another reason I am 
>>>>>>>>>>>>>>>> leaning towards group issues. If the file-server is 
>>>>>>>>>>>>>>>> share-level the Windows 7 boxes are happy. As soon as 
>>>>>>>>>>>>>>>> it goes AD and uses AD groups, they stop working. I 
>>>>>>>>>>>>>>>> have not tried user-level security yet. Then again I 
>>>>>>>>>>>>>>>> may have user-level and share-level confused. It has 
>>>>>>>>>>>>>>>> been a long week. I will keep searching but so far 
>>>>>>>>>>>>>>>> nothing I have found and tried works.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Is there a way to get an actual reason for the denial? 
>>>>>>>>>>>>>>>> If it flat-out told me a reason I could troubleshoot. 
>>>>>>>>>>>>>>>> Right now I am just shooting in random directions 
>>>>>>>>>>>>>>>> hoping to hit something since all I get is "Access 
>>>>>>>>>>>>>>>> Denied". Is it possible to see if S4 is denying the 
>>>>>>>>>>>>>>>> connection via a log or something, or if Windows 7 is 
>>>>>>>>>>>>>>>> being stupid... again?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 7/27/2014 10:57 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>> On 27/07/14 15:15, Ryan Ashley wrote:
>>>>>>>>>>>>>>>>>> That solution is for Windows 8. That also is not our 
>>>>>>>>>>>>>>>>>> issue. The Windows 7 Pro 64bit workstations see the 
>>>>>>>>>>>>>>>>>> server and shares, and they map the shares according 
>>>>>>>>>>>>>>>>>> to group policy, but then everybody gets access 
>>>>>>>>>>>>>>>>>> denied, despite being in the domain groups for which 
>>>>>>>>>>>>>>>>>> the shares were created. Funny thing is that if I 
>>>>>>>>>>>>>>>>>> logon as domain admin, I get to access the shares. 
>>>>>>>>>>>>>>>>>> Due to this, I fully believe the S4 server is 
>>>>>>>>>>>>>>>>>> ignoring or not accounting for group membership. The 
>>>>>>>>>>>>>>>>>> "reachfp" account is the domain admin. This is also 
>>>>>>>>>>>>>>>>>> the default owner of files on the shares. The group 
>>>>>>>>>>>>>>>>>> "administration" contains many members and does not 
>>>>>>>>>>>>>>>>>> grant access, despite the group being granted full 
>>>>>>>>>>>>>>>>>> control. This led me into believing I am still 
>>>>>>>>>>>>>>>>>> dealing with a permissions issue and not another 
>>>>>>>>>>>>>>>>>> issue. If it was the other issue, I would assume 
>>>>>>>>>>>>>>>>>> domain admin could not see the share or access it. Is 
>>>>>>>>>>>>>>>>>> that about right?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> You are missing the point, I probably could have 
>>>>>>>>>>>>>>>>> chosen a better target but I only spent about 30secs 
>>>>>>>>>>>>>>>>> on the search:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> windows 7 64 bit access denied samba
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> This returns about 116,000 results, here's another one:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> http://www.sevenforums.com/network-sharing/242602-can-t-connect-samba-share-win-7-ultimate-64-bit.html 
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Try looking into this before dismissing it out of hand 
>>>>>>>>>>>>>>>>> and insisting that samba is the problem.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> OK, after more thought and re-reading your posts, a 
>>>>>>>>>>>>>>> thought has popped into my head, apparmor, do you have 
>>>>>>>>>>>>>>> this running on the server ?
>>>>>>>>>>>>>>> I have been caught out by this a few times, not being 
>>>>>>>>>>>>>>> allowed to do things that I thought I should be able to 
>>>>>>>>>>>>>>> do, or packages not running correctly because they were 
>>>>>>>>>>>>>>> not allowed access, in every case it was apparmor. As I 
>>>>>>>>>>>>>>> could never get apparmor to play ball with me (I thought 
>>>>>>>>>>>>>>> that I had found all rights that needed modding and then 
>>>>>>>>>>>>>>> another one would pop its head up and what is in the 
>>>>>>>>>>>>>>> logs bears no resemblance to what you need to put in the 
>>>>>>>>>>>>>>> conf file), I now disable apparmor straight after 
>>>>>>>>>>>>>>> installing a new system.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>> Somebody else reported this problem, he went to 4.1.8 and 
>>>>>>>>>>>> the zombie nmbd problem went away, if you upgrade to the 
>>>>>>>>>>>> latest samba4 you may hit two birds with one stone, the 
>>>>>>>>>>>> nmbd problem and your group problem ;-)
>>>>>>>>>>>>
>>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>> Hi, what you are using is not the stable branch, it is the 
>>>>>>>>>> branch that will become the next release i.e. 4.2. This does 
>>>>>>>>>> not mean that you shouldn't use it, it just means that it 
>>>>>>>>>> could be upgraded at any time until it is 'frozen' just 
>>>>>>>>>> before release. These upgrades 'could' break something, not 
>>>>>>>>>> saying they will, just that they could, for production use I 
>>>>>>>>>> would use the latest version from here:
>>>>>>>>>>
>>>>>>>>>>  https://ftp.samba.org/pub/samba/stable/
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>> Do you have all of these packages installed:
>>>>>>
>>>>>> samba libnss-winbind winbind libpam-winbind krb5-config 
>>>>>> libpam-krb5 krb5-user
>>>>>>
>>>>>> If not, install what is missing and add these lines to smb.conf:
>>>>>>
>>>>>>         dedicated keytab file = /etc/krb5.keytab
>>>>>>         kerberos method = secrets and keytab
>>>>>>
>>>>>> Restart samba and try again, you may have to join the machine to 
>>>>>> the domain again.
>>>>>>
>>>>>> Rowland
>>>>>
>>>>
>>>
>>
>
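
The quoted advice above asks for two lines in smb.conf and a keytab at /etc/krb5.keytab. The following is an added example, not part of the original thread, that checks a member server for both settings in [global] and flags a keytab readable by group or other; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the two smb.conf lines from the thread and the keytab's mode.

# Print the value of a [global] parameter. smb.conf parameter names ignore
# case and embedded whitespace, so normalise both sides before comparing.
global_param() {
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[/ {                               # section header
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            in_global = (norm(sec) == "global"); next
        }
        in_global && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
            if (norm(key) == norm(want)) found = val   # keep the last occurrence
        }
        END { if (found != "") print found }
    ' "$1"
}

# Return 0 only if both settings quoted in the thread are in [global].
check_keytab_settings() {
    rc=0
    method=$(global_param "$1" "kerberos method" | tr 'A-Z' 'a-z')
    keytab=$(global_param "$1" "dedicated keytab file")
    if [ "$method" != "secrets and keytab" ]; then
        echo "kerberos method: '${method:-unset}' (want 'secrets and keytab')"; rc=1
    fi
    if [ "$keytab" != "/etc/krb5.keytab" ]; then
        echo "dedicated keytab file: '${keytab:-unset}' (want /etc/krb5.keytab)"; rc=1
    fi
    return $rc
}

# The keytab holds the machine account's Kerberos keys: return 0 only if the
# file exists and has no group or other permission bits.
keytab_private() {
    [ -f "$1" ] || return 2
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample smb.conf, not taken from the thread's server.
sample=$(mktemp)
printf '%s\n' '[global]' '  security = ads' \
    '  Dedicated Keytab File = /etc/krb5.keytab' \
    '  kerberos method = secrets and keytab' \
    '[share]' '  kerberos method = system keytab' > "$sample"
check_keytab_settings "$sample" && echo "keytab settings present"
```

On a real member server, run `check_keytab_settings /etc/samba/smb.conf` (path assumed; it varies by build) and `keytab_private /etc/krb5.keytab` after the join.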


