[Samba] How to troubleshoot an ACL error?

Rowland Penny rowlandpenny at googlemail.com
Wed Mar 5 08:18:44 MST 2014 

On 05/03/14 13:57, Peter Clark wrote:
> On Tue, March 4, 2014 3:18 pm, Rowland Penny wrote:
>> On 04/03/14 19:11, Peter Clark wrote:
>>> On Tue, March 4, 2014 12:18 pm, Rowland Penny wrote:
>>>> On 04/03/14 16:06, Peter Clark wrote:
>>>>> Hi,
>>>>>
>>>>> Apparently they're not the same:
>>>>>
>>>>> [root at c3po ~]# getent passwd pclark
>>>>> pclark:x:500:500:Peter Clark:/home/pclark:/bin/bash
>>>> Are you using fedora or centos or similar and is pclark a local user?
>>> Fedora 20, yes, 'pclark' is also a local user.
>> Thought so, remove the local user, you cannot have the same user in AD
>> and as a local user.
> OK.. I deleted the AD user and created another AD user that has no local
> account.
>
>
>>> However, why can't the Administrator login get the security attributes
>>> of
>>> that share either?
>> It is probably because you are using [homes], this does not work with
>> samba4, see:
>>
>> https://wiki.samba.org/index.php/Setting_up_a_home_share
> I renamed the share [test] and still get nothing on the security tab
> except the "properties cannot be displayed" error when looked at from the
> administrator account. I can't get past step 2 above (after adding the
> disk permissions to the administrator account). Same NT_INVALID_ACL from
> the smbclient program, nothing useful from the ADUC or system
> properties/shares.
>
> What's the easiest way to just baseline everything and start over? samba
> is installed in /usr/local/samba.
>
> Thanks again,
>
>
>
OK, provided that you configured the samba4 build with './configure 
--with-ads --with-shared-modules=idmap_ad'

Stop all samba 4 daemons if running.

You then need to find the following files:

account_policy.tdb share_info.tdb group_mapping.tdb registry.tdb 
passdb.tdb secrets.tdb winbindd_idmap.tdb

On a normal distro install, you would probably find these in 
/var/lib/samba, but I think that on your install, they will be in 
/usr/local/samba/var/locks & /usr/local/samba/private

Where ever they are, delete them.

also find and delete, browse.dat netsamlogon_cache.tdb 
winbindd_cache.tdb, these will probably be in /usr/local/samba/var/cache

You now need a valid smb.conf placed in /usr/local/samba/etc, try this one:

[global]
         workgroup = EXAMPLE
         realm = example.com
         server string = Test Samba Server
         security = ADS
         dedicated keytab file = /etc/krb5.keytab
         kerberos method = secrets and keytab
         template shell = /bin/bash
         winbind enum users = yes
         winbind enum groups = yes
         winbind use default domain = yes
         winbind expand groups = 4
         winbind nss info = rfc2307
         winbind refresh tickets = Yes
         winbind offline logon = yes
         winbind normalize names = Yes
         idmap config *:backend = tdb
         idmap config *:range = 70001-80000
         idmap config EXAMPLE:backend = ad
        # if no uidNumber or gidNumber attributes in AD, change above 
line for this:
         #idmap config EXAMPLE:backend = rid
         idmap config EXAMPLE:schema_mode = rfc2307
         idmap config EXAMPLE:range = 500-40000

Ensure that /etc/resolv.conf points to the AD server and /etc/krb5.conf 
is setup for your realm.

Restart smbd, nmbd & winbind daemons and see how you go on

Rowland

More information about the samba mailing list