[Samba] Samba 4 AD share: Access denied
ryana at reachtechfp.com
Tue Jul 29 09:17:38 MDT 2014
I just checked and I only have */etc/krb5.conf* in */etc*. No keytab. I
am pasting the provision information from my history as root on the DC.
samba-tool domain provision --use-rfc2307 --interactive
I gave the domain the name "truevine.lan". I also noted that there is no
Kerberos keytab on the DC. I followed the guides to the letter in both
cases, and neither mention what you are telling me. I am not disputing
you, but if this stuff is required, it needs to be in the guide/wiki.
That is why I started asking questions. I understand the guides and have
been a Windows admin for years, but doing it with Samba is still new,
and I love it, though I must learn a standard way to do this so it will
On 07/29/2014 10:51 AM, Rowland Penny wrote:
> On 29/07/14 15:33, Ryan Ashley wrote:
>> I will checkout the module later. Working is my top priority as you
>> stated. However, you have me curious now. If this keytab is created,
>> where the heck is it created? I am looking for it in /var/lib/samba,
>> /etc, and other places. None of my member servers have it and they
>> all seem to work, minus this stubborn one of course.
> If you set smb.conf up correctly and then run 'net ads join -U
> Administrator at EXAMPLE.COM' , you should find that /etc/krb5.keytab is
>> Also, I did a test earlier and wanted to share the results. This
>> thing keeps complaining about an idmap ad backend not being found,
>> and I honestly believe that is the issue, not Kerberos. I am trying
>> your suggestion because maybe this backend is stored in Kerberos, who
>> knows. Either way, I am being flooded with errors about this "idmap
>> backend ad" not being found.
> The 'idmap backend ad' is part of winbind, and as such, should be
> available. If I remember correctly you are using a S4 AD DC, can you
> remember how you provisioned it ?
>> Anyway, I had already added winbind to nsswitch.conf for users and
>> groups, so I wanted to verify the same UID/GID was being pulled. I
>> wiped the winbind idmap tdb files and rebooted. Got the same IDs
>> after it rebooted and created the files again, so no issue there. For
>> example, the "Domain Users" group always has an ID of 70001. That
>> much is working. So what in the heck does the missing backend do?
>> Something is already mapping domain users and groups to IDs, so I am
>> scratching my head on this one.
> The 'idmap backend ad' is one that pulls all the user and group info
> from RFC2307 attributes on the AD server.
>> On 07/29/2014 10:22 AM, Rowland Penny wrote:
>>> On 29/07/14 15:00, Ryan Ashley wrote:
>>>> I understand the basics of Kerberos, but the reason that I am
>>>> asking is because I have dozens of S4 servers in production
>>>> environments and have never had to create the keytab you mentioned.
>>>> They all just worked.
>>> If, when you talk about S4 servers, you mean as an AD DC, then yes
>>> you do not require the keytab, but on a member server (or client)
>>> when you join the domain with the net command, the keytab is
>>>> Now, I do not mind modifying my pam settings as I have done on
>>>> loads of Linux workstations which are joined to an AD domain, but
>>>> how would I prevent the login of users? I have a home directory and
>>>> cannot remove it, so there is technically a place for their home
>>>> directories. In Windows I would simply modify group policy to deny
>>>> logon, but we both know Linux knows nothing of a GPO. So without
>>>> removing "/home", how would I prevent login?
>>>> My plan now is to modify pam first, then if needed, do the keytab.
>>> I would do it the other way, get everything to work and then if need
>>> be, stop user login with PAM. If you install
>>> the packages I suggested, PAM will do all the work for you
>>> initially. You could also investigate a PAM module called
>>> 'pam_nologin' , you should be able to guess what this does ;-)
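Added example, not part of the thread and not Samba's own code: a POSIX shell check for the member-server smb.conf lines the replies turn on (the 'ad' idmap backend with RFC2307 schema), the keytab that 'net ads join' writes to /etc/krb5.keytab, and the post-join verification commands. TRUEVINE/TRUEVINE.LAN, the id ranges and both sample smb.conf files are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a pre-join sanity check for the
# 'idmap config' lines a Samba member server needs for the 'ad' backend,
# followed by the verification steps the reply describes. TRUEVINE /
# TRUEVINE.LAN and the id ranges are assumed placeholder values.

# check_idmap_config FILE DOMAIN
# Succeeds (returns 0) only if FILE sets backend, schema_mode and range for
# DOMAIN and the backend is 'ad'; reports each missing item on stderr.
# DOMAIN is assumed to contain no regex metacharacters.
check_idmap_config() {
    file="$1"; dom="$2"; rc=0
    for key in backend schema_mode range; do
        if ! grep -Eiq "^[[:space:]]*idmap config[[:space:]]+${dom}[[:space:]]*:[[:space:]]*${key}[[:space:]]*=" "$file"; then
            echo "missing: idmap config $dom : $key" >&2
            rc=1
        fi
    done
    # A backend of 'tdb' or 'rid' for the domain means the RFC2307 uid/gid
    # attributes held in AD are ignored and ids are allocated locally instead.
    if ! grep -Eiq "idmap config[[:space:]]+${dom}[[:space:]]*:[[:space:]]*backend[[:space:]]*=[[:space:]]*ad[[:space:]]*$" "$file"; then
        echo "backend for $dom is not 'ad'" >&2
        rc=1
    fi
    return $rc
}

# keytab_present [FILE]: 0 if the keytab written by 'net ads join' exists and
# is non-empty (default /etc/krb5.keytab, the path named in the reply).
keytab_present() {
    [ -s "${1:-/etc/krb5.keytab}" ]
}

# verify_join: the post-join checks, run only where the samba tools exist.
verify_join() {
    command -v net >/dev/null 2>&1 || { echo "samba tools not installed" >&2; return 1; }
    net ads testjoin                 # is the machine account still valid?
    klist -k /etc/krb5.keytab        # keytab entries written by the join
    wbinfo -u | head -n 5            # winbind can enumerate domain users
    getent group "Domain Users"      # nsswitch + idmap yield the AD gid
}

# Constructed sample configs: one correct, one with the domain on the
# 'rid' backend and no schema_mode (the shape that yields locally made ids).
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat > "$GOOD_CONF" <<'EOF'
[global]
   workgroup = TRUEVINE
   realm = TRUEVINE.LAN
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config TRUEVINE : backend = ad
   idmap config TRUEVINE : schema_mode = rfc2307
   idmap config TRUEVINE : range = 10000-999999
   winbind nss info = rfc2307
   winbind use default domain = yes
EOF
cat > "$BAD_CONF" <<'EOF'
[global]
   workgroup = TRUEVINE
   realm = TRUEVINE.LAN
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config TRUEVINE : backend = rid
   idmap config TRUEVINE : range = 10000-999999
EOF

check_idmap_config "$GOOD_CONF" TRUEVINE && echo "good config: ok"
check_idmap_config "$BAD_CONF" TRUEVINE || echo "bad config: rejected as expected"
```

Run the check against the real /etc/samba/smb.conf before joining; once 'net ads join' has succeeded, keytab_present and verify_join confirm that the keytab exists and that winbind is resolving users and groups through the AD backend rather than from its local tdb files.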