[Samba] Samba 4 AD share: Access denied

Rowland Penny rowlandpenny at googlemail.com
Tue Jul 29 09:40:51 MDT 2014

On 29/07/14 16:17, Ryan Ashley wrote:
> I just checked and I only have /etc/krb5.conf in /etc. No keytab. 
> I am pasting the provision information from my history as root on the DC.
> samba-tool domain provision --use-rfc2307 --interactive
> I gave the domain the name "truevine.lan". I also noted that there is 
> no Kerberos keytab on the DC. I followed the guides to the letter in 
> both cases, and neither mention what you are telling me. I am not 
> disputing you, but if this stuff is required, it needs to be in the 
> guide/wiki. That is why I started asking questions. I understand the 
> guides and have been a Windows admin for years, but doing it with 
> Samba is still new, and I love it, though I must learn a standard way 
> to do this so it will always work.

If you require the keytab on the Samba4 AD server (if you want to use 
sssd, for instance), you have to export it with

'samba-tool domain exportkeytab /etc/krb5.keytab'

This will put the keytab in /etc/krb5.keytab and you will then be able 
to list the keytab with ktutil.

On a client or member server, the keytab should be created when you join 
the domain.

This is the global part of the smb.conf on the laptop I am writing this on:

         workgroup = EXAMPLE
         security = ADS
         realm = EXAMPLE.COM
         #client signing = yes
         dedicated keytab file = /etc/krb5.keytab
         kerberos method = secrets and keytab
         server string = Samba 4 Client %h
         winbind enum users = yes
         winbind enum groups = yes
         winbind use default domain = yes
         winbind expand groups = 4
         winbind nss info = rfc2307
         winbind refresh tickets = Yes
         winbind offline logon = yes
         winbind normalize names = Yes
         idmap config * : backend = tdb
         idmap config * : range = 2000-9999
         idmap config EXAMPLE : backend  = ad
         idmap config EXAMPLE : range = 10000-999999
         idmap config EXAMPLE : schema_mode = rfc2307
         printcap name = cups
         cups options = raw
         usershare allow guests = yes
         domain master = no
         local master = no
         preferred master = no
         os level = 20
         map to guest = bad user
         username map = /etc/samba/smbmap
         vfs objects = acl_xattr
         map acl inherit = Yes
         store dos attributes = Yes

The laptop runs samba4 in classic mode with users and groups having 
uidNumbers and gidNumbers etc. stored in AD, both ranges starting at 10000.

With the above smb.conf and all samba daemons stopped, if you now run

'net ads join -U Administrator@EXAMPLE.COM'

The machine should join the domain and /etc/krb5.keytab should be created.

You can read this with ktutil:

sudo ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    5 host/thinkpad.example.com@EXAMPLE.COM
   2    5 host/thinkpad.example.com@EXAMPLE.COM
   3    5 host/thinkpad.example.com@EXAMPLE.COM
   4    5 host/thinkpad.example.com@EXAMPLE.COM
   5    5 host/thinkpad.example.com@EXAMPLE.COM
   6    5 host/thinkpad@EXAMPLE.COM
   7    5 host/thinkpad@EXAMPLE.COM
   8    5 host/thinkpad@EXAMPLE.COM
   9    5 host/thinkpad@EXAMPLE.COM
  10    5 host/thinkpad@EXAMPLE.COM
  11    5 THINKPAD$@EXAMPLE.COM
  12    5 THINKPAD$@EXAMPLE.COM
  13    5 THINKPAD$@EXAMPLE.COM
  14    5 THINKPAD$@EXAMPLE.COM
  15    5 THINKPAD$@EXAMPLE.COM
ktutil:  q

You should now restart the samba daemons.


> On 07/29/2014 10:51 AM, Rowland Penny wrote:
>> On 29/07/14 15:33, Ryan Ashley wrote:
>>> I will checkout the module later. Working is my top priority as you 
>>> stated. However, you have me curious now. If this keytab is created, 
>>> where the heck is it created? I am looking for it in /var/lib/samba, 
>>> /etc, and other places. None of my member servers have it and they 
>>> all seem to work, minus this stubborn one of course.
>> If you set smb.conf up correctly and then run 'net ads join -U 
>> Administrator@EXAMPLE.COM', you should find that /etc/krb5.keytab is 
>> created.
>>> Also, I did a test earlier and wanted to share the results. This 
>>> thing keeps complaining about an idmap ad backend not being found, 
>>> and I honestly believe that is the issue, not Kerberos. I am trying 
>>> your suggestion because maybe this backend is stored in Kerberos, 
>>> who knows. Either way, I am being flooded with errors about this 
>>> "idmap backend ad" not being found.
>> The 'idmap backend ad' is part of winbind, and as such, should be 
>> available. If I remember correctly you are using a S4 AD DC, can you 
>> remember how you provisioned it ?
>>> Anyway, I had already added winbind to nsswitch.conf for users and 
>>> groups, so I wanted to verify the same UID/GID was being pulled. I 
>>> wiped the winbind idmap tdb files and rebooted. Got the same IDs 
>>> after it rebooted and created the files again, so no issue there. 
>>> For example, the "Domain Users" group always has an ID of 70001. 
>>> That much is working. So what in the heck does the missing backend 
>>> do? Something is already mapping domain users and groups to IDs, so 
>>> I am scratching my head on this one.
>> The 'idmap backend ad' is one that pulls all the user and group info 
>> from RFC2307 attributes on the AD server.
>> Rowland
>>> On 07/29/2014 10:22 AM, Rowland Penny wrote:
>>>> On 29/07/14 15:00, Ryan Ashley wrote:
>>>>> I understand the basics of Kerberos, but the reason that I am 
>>>>> asking is because I have dozens of S4 servers in production 
>>>>> environments and have never had to create the keytab you 
>>>>> mentioned. They all just worked.
>>>> If, when you talk about S4 servers, you mean as an AD DC, then yes, 
>>>> you do not require the keytab, but on a member server (or client), 
>>>> when you join the domain with the net command, the keytab is 
>>>> created.
>>>>> Now, I do not mind modifying my pam settings as I have done on 
>>>>> loads of Linux workstations which are joined to an AD domain, but 
>>>>> how would I prevent the login of users? I have a home directory 
>>>>> and cannot remove it, so there is technically a place for their 
>>>>> home directories. In Windows I would simply modify group policy to 
>>>>> deny logon, but we both know Linux knows nothing of a GPO. So 
>>>>> without removing "/home", how would I prevent login?
>>>>> My plan now is to modify pam first, then if needed, do the keytab.
>>>> I would do it the other way, get everything to work and then if 
>>>> need be, stop user login with PAM. If you install
>>>> the packages I suggested, PAM will do all the work for you 
>>>> initially. You could also investigate a PAM module called 
>>>> 'pam_nologin' , you should be able to guess what this does ;-)
>>>> Rowland
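
Added example (not part of the post above, and not Samba's own code): a small POSIX shell script that checks a member server's smb.conf for the keytab and idmap settings the post relies on, and checks a saved ktutil listing for the three principals a join should create (host/FQDN, host/SHORT and SHORT$). The host name thinkpad, the realm EXAMPLE.COM and /etc/krb5.keytab come from the post; the file names, the function names and the sample files written by write_samples are constructed for this example. On a real member server the listing would be captured with something like 'printf "rkt /etc/krb5.keytab\nl\n" | sudo ktutil > listing.txt' (assumed invocation) and passed to check_keytab_listing.

```shell
#!/bin/sh
# Added example, not code from the post or from Samba: offline checks for a
# member server set up like the smb.conf fragment above. Host "thinkpad",
# realm EXAMPLE.COM and /etc/krb5.keytab come from the post; file names,
# sample files and the checks themselves are assumptions of this example.

smb_get() {
    # smb_get FILE KEY: value of KEY, ignoring comments and surplus blanks
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }
        index($0, "=") {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
            }
        }' "$1"
}

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

ranges_overlap() {
    # ranges_overlap LO-HI LO-HI: succeeds when the two idmap ranges intersect
    lo1=${1%-*}; hi1=${1#*-}; lo2=${2%-*}; hi2=${2#*-}
    [ "$lo1" -le "$hi2" ] && [ "$lo2" -le "$hi1" ]
}

check_smbconf() {
    # check_smbconf FILE: keytab and idmap settings a member server needs
    f="$1"; rc=0; wg=$(smb_get "$f" workgroup)
    [ "$(lc "$(smb_get "$f" security)")" = ads ] || { echo "security must be ADS"; rc=1; }
    [ -n "$(smb_get "$f" realm)" ] || { echo "realm is not set"; rc=1; }
    [ -n "$(smb_get "$f" 'dedicated keytab file')" ] || { echo "no dedicated keytab file"; rc=1; }
    case "$(lc "$(smb_get "$f" 'kerberos method')")" in
        *keytab*) ;;  *) echo "kerberos method must use the keytab"; rc=1 ;;
    esac
    [ "$(lc "$(smb_get "$f" "idmap config $wg : backend")")" = ad ] || { echo "idmap backend for $wg is not ad"; rc=1; }
    r0=$(smb_get "$f" 'idmap config * : range'); r1=$(smb_get "$f" "idmap config $wg : range")
    if [ -z "$r0" ] || [ -z "$r1" ]; then echo "both idmap ranges must be set"; rc=1
    elif ranges_overlap "$r0" "$r1"; then echo "idmap ranges $r0 and $r1 overlap"; rc=1
    fi
    return $rc
}

check_keytab_listing() {
    # check_keytab_listing FILE SHORT FQDN REALM: FILE is the 'l' output of
    # ktutil; a join writes host/FQDN, host/SHORT and SHORT$ (upper case)
    f="$1"; rc=0; upper=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    for p in "host/$3@$4" "host/$2@$4" "$upper\$@$4"; do
        n=$(awk -v p="$p" '$1 ~ /^[0-9]+$/ && $3 == p { c++ } END { print c+0 }' "$f")
        [ "$n" -gt 0 ] || { echo "missing principal $p"; rc=1; }
    done
    return $rc
}

keytab_kvnos() {
    # more than one KVNO usually means entries from an earlier join or
    # machine-password change are still in the keytab
    awk '$1 ~ /^[0-9]+$/ { print $2 }' "$1" | sort -u | wc -l | tr -d ' '
}

write_samples() {
    # constructed sample files for the demo; not real output from any host
    cat > "$1/good.conf" <<'EOF'
        workgroup = EXAMPLE
        security = ADS
        realm = EXAMPLE.COM
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        idmap config * : range = 2000-9999
        idmap config EXAMPLE : backend  = ad
        idmap config EXAMPLE : range = 10000-999999
EOF
    # no keytab settings, and the '*' range collides with the domain range
    cat > "$1/bad.conf" <<'EOF'
        workgroup = EXAMPLE
        security = ADS
        realm = EXAMPLE.COM
        idmap config * : range = 2000-19999
        idmap config EXAMPLE : backend = ad
        idmap config EXAMPLE : range = 10000-999999
EOF
    # shape of 'ktutil: l' after a join (really one line per enctype)
    cat > "$1/keytab.txt" <<'EOF'
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    5 host/thinkpad.example.com@EXAMPLE.COM
   2    5 host/thinkpad@EXAMPLE.COM
   3    5 THINKPAD$@EXAMPLE.COM
EOF
}

tmp=$(mktemp -d); write_samples "$tmp"
for c in good bad; do
    if check_smbconf "$tmp/$c.conf"; then echo "$c.conf: ok"; else echo "$c.conf: FAIL"; fi
done
check_keytab_listing "$tmp/keytab.txt" thinkpad thinkpad.example.com EXAMPLE.COM &&
    echo "keytab: ok, $(keytab_kvnos "$tmp/keytab.txt") KVNO(s)"
rm -rf "$tmp"
```

The range check is there because the post's ranges are chosen so the tdb range used for '*' (BUILTIN and anything not the domain) and the ad range for the domain do not overlap; overlapping ranges let two backends hand out the same uid or gid. The KVNO count is only a hint: a keytab with several KVNOs is not wrong by itself, but it is what you see after a re-join or a machine-password change, and it is worth knowing before blaming Kerberos for an access-denied error.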
