[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Tue Jul 29 09:52:25 MDT 2014

I took it a step farther. I stopped the daemons, left the domain, 
deleted everything in /var/lib/samba, uninstalled S4, rebooted, pulled 
the latest stuff from 4-1-stable, configured and built it, installed it, 
added the options you showed me to the configuration, joined the domain, 
and verified everything. IDs are the same, the keytab WAS created, but 
users still get access denied. So I am still nowhere for my efforts. At 
least I have the keytab though.

So what is next? I am not running iptables or anything yet, because of 
the issues. Windows ACLs are there and are correct. The domain admin is 
the only one who can access the shares.

On 07/29/2014 11:40 AM, Rowland Penny wrote:
> On 29/07/14 16:17, Ryan Ashley wrote:
>> I just checked and I only have */etc/krb5.conf* in */etc*. No keytab. 
>> I am pasting the provision information from my history as root on the 
>> DC.
>> samba-tool domain provision --use-rfc2307 --interactive
>> I gave the domain the name "truevine.lan". I also noted that there is 
>> no Kerberos keytab on the DC. I followed the guides to the letter in 
>> both cases, and neither mention what you are telling me. I am not 
>> disputing you, but if this stuff is required, it needs to be in the 
>> guide/wiki. That is why I started asking questions. I understand the 
>> guides and have been a Windows admin for years, but doing it with 
>> Samba is still new, and I love it, though I must learn a standard way 
>> to do this so it will always work.
> If you require the keytab on the Samba4 AD server (if you want to use 
> sssd for instance) you have to export it with
> 'samba-tool domain exportkeytab /etc/krb5.keytab'
> This will put the keytab in /etc/krb5.keytab and you will then be able 
> to list the keytab with ktutil.
> On a client or member server, the keytab should be created when you 
> join the domain.
> This is the global part of the smb.conf on the laptop I am writing 
> this on:
> [global]
>         workgroup = EXAMPLE
>         security = ADS
>         realm = EXAMPLE.COM
>         #client signing = yes
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>         server string = Samba 4 Client %h
>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind use default domain = yes
>         winbind expand groups = 4
>         winbind nss info = rfc2307
>         winbind refresh tickets = Yes
>         winbind offline logon = yes
>         winbind normalize names = Yes
>         idmap config * : backend = tdb
>         idmap config * : range = 2000-9999
>         idmap config EXAMPLE : backend  = ad
>         idmap config EXAMPLE : range = 10000-999999
>         idmap config EXAMPLE : schema_mode = rfc2307
>         printcap name = cups
>         cups options = raw
>         usershare allow guests = yes
>         domain master = no
>         local master = no
>         preferred master = no
>         os level = 20
>         map to guest = bad user
>         username map = /etc/samba/smbmap
>         vfs objects = acl_xattr
>         map acl inherit = Yes
>         store dos attributes = Yes
> The laptop runs samba4 in classic mode with users and groups having 
> uidNumber's & gidNumber's etc stored in AD, both ranges starting at 
> 10000.
> With the above smb.conf and all samba daemons stopped, if you now run
> 'net ads join -U Administrator at EXAMPLE.COM'
> The machine should join the domain and /etc/krb5.keytab should be 
> created.
> You can read this with ktutil
> sudo ktutil
> ktutil:  rkt /etc/krb5.keytab
> ktutil:  l
> slot KVNO Principal
> ---- ---- 
> ---------------------------------------------------------------------
>    1    5          host/thinkpad.example.com at EXAMPLE.COM
>    2    5          host/thinkpad.example.com at EXAMPLE.COM
>    3    5          host/thinkpad.example.com at EXAMPLE.COM
>    4    5          host/thinkpad.example.com at EXAMPLE.COM
>    5    5          host/thinkpad.example.com at EXAMPLE.COM
>    6    5                   host/thinkpad at EXAMPLE.COM
>    7    5                   host/thinkpad at EXAMPLE.COM
>    8    5                   host/thinkpad at EXAMPLE.COM
>    9    5                   host/thinkpad at EXAMPLE.COM
>  10    5                   host/thinkpad at EXAMPLE.COM
>  11    5                       THINKPAD$@EXAMPLE.COM
>  12    5                       THINKPAD$@EXAMPLE.COM
>  13    5                       THINKPAD$@EXAMPLE.COM
>  14    5                       THINKPAD$@EXAMPLE.COM
>  15    5                       THINKPAD$@EXAMPLE.COM
> ktutil: q
> You should now restart the samba daemons.
> Rowland
>> On 07/29/2014 10:51 AM, Rowland Penny wrote:
>>> On 29/07/14 15:33, Ryan Ashley wrote:
>>>> I will checkout the module later. Working is my top priority as you 
>>>> stated. However, you have me curious now. If this keytab is 
>>>> created, where the heck is it created? I am looking for it in 
>>>> /var/lib/samba, /etc, and other places. None of my member servers 
>>>> have it and they all seem to work, minus this stubborn one of course.
>>> If you set smb.conf up correctly and the run 'net ads join -U 
>>> Administrator at EXAMPLE.COM' , you should find that /etc/krb5.keytab 
>>> is created.
>>>> Also, I did a test earlier and wanted to share the results. This 
>>>> thing keeps complaining about an idmap ad backend not being found, 
>>>> and I honestly believe that is the issue, not Kerberos. I am trying 
>>>> your suggestion because maybe this backend is stored in Kerberos, 
>>>> who knows. Either way, I am being flooded with errors about this 
>>>> "idmap backend ad" not being found.
>>> The 'idmap backend ad' is part of winbind, and as such, should be 
>>> available. If I remember correctly you are using a S4 AD DC, can you 
>>> remember how you provisioned it ?
>>>> Anyway, I had already added winbind to nsswitch.conf for users and 
>>>> groups, so I wanted to verify the same UID/GID was being pulled. I 
>>>> wiped the winbind idmap tdb files and rebooted. Got the same IDs 
>>>> after it rebooted and created the files again, so no issue there. 
>>>> For example, the "Domain Users" group always has an ID of 70001. 
>>>> That much is working. So what in the heck does the missing backend 
>>>> do? Something is already mapping domain users and groups to IDs, so 
>>>> I am scratching my head on this one.
>>> The 'idmap backend ad' is one that pulls all the user and group info 
>>> from RFC2307 attributes on the AD server.
>>> Rowland
>>>> On 07/29/2014 10:22 AM, Rowland Penny wrote:
>>>>> On 29/07/14 15:00, Ryan Ashley wrote:
>>>>>> I understand the basics of Kerberos, but the reason that I am 
>>>>>> asking is because I have dozens of S4 servers in production 
>>>>>> environments and have never had to create the keytab you 
>>>>>> mentioned. They all just worked.
>>>>> If, when you talk about S4 servers, you mean as an AD DC, then yes 
>>>>> you do not require the keytab, but on a member server (or client) 
>>>>> when you you join the domain with the net command, the keytab is 
>>>>> created.
>>>>>> Now, I do not mind modifying my pam settings as I have done on 
>>>>>> loads of Linux workstations which are joined to an AD domain, but 
>>>>>> how would I prevent the login of users? I have a home directory 
>>>>>> and cannot remove it, so there is technically a place for their 
>>>>>> home directories. In Windows I would simply modify group policy 
>>>>>> to deny logon, but we both know Linux knows nothing of a GPO. So 
>>>>>> without removing "/home", how would I prevent login?
>>>>>> My plan now is to modify pam first, then if needed, do the keytab.
>>>>> I would do it the other way, get everything to work and then if 
>>>>> need be, stop user login with PAM. If you install
>>>>> the packages I suggested, PAM will do all the work for you 
>>>>> initially. You could also investigate a PAM module called 
>>>>> 'pam_nologin' , you should be able to guess what this does ;-)
>>>>> Rowland

More information about the samba mailing list