[Samba] How to troubleshoot an ACL error?
Rowland Penny
rowlandpenny at googlemail.com
Wed Mar 5 08:18:44 MST 2014
On 05/03/14 13:57, Peter Clark wrote:
> On Tue, March 4, 2014 3:18 pm, Rowland Penny wrote:
>> On 04/03/14 19:11, Peter Clark wrote:
>>> On Tue, March 4, 2014 12:18 pm, Rowland Penny wrote:
>>>> On 04/03/14 16:06, Peter Clark wrote:
>>>>> Hi,
>>>>>
>>>>> Apparently they're not the same:
>>>>>
>>>>> [root@c3po ~]# getent passwd pclark
>>>>> pclark:x:500:500:Peter Clark:/home/pclark:/bin/bash
>>>> Are you using fedora or centos or similar and is pclark a local user?
>>> Fedora 20, yes, 'pclark' is also a local user.
>> Thought so, remove the local user, you cannot have the same user in AD
>> and as a local user.
> OK.. I deleted the AD user and created another AD user that has no local
> account.
>
>
>>> However, why can't the Administrator login get the security attributes
>>> of
>>> that share either?
>> It is probably because you are using [homes], this does not work with
>> samba4, see:
>>
>> https://wiki.samba.org/index.php/Setting_up_a_home_share
> I renamed the share [test] and still get nothing on the security tab
> except the "properties cannot be displayed" error when looked at from the
> administrator account. I can't get past step 2 above (after adding the
> disk permissions to the administrator account). Same NT_INVALID_ACL from
> the smbclient program, nothing useful from the ADUC or system
> properties/shares.
>
> What's the easiest way to just baseline everything and start over? samba
> is installed in /usr/local/samba.
>
> Thanks again,
>
>
>
OK, provided that you configured the samba4 build with './configure
--with-ads --with-shared-modules=idmap_ad'
Stop all samba 4 daemons if running.
You then need to find the following files:
account_policy.tdb share_info.tdb group_mapping.tdb registry.tdb
passdb.tdb secrets.tdb winbindd_idmap.tdb
On a normal distro install, you would probably find these in
/var/lib/samba, but I think that on your install, they will be in
/usr/local/samba/var/locks & /usr/local/samba/private
Wherever they are, delete them.
Also find and delete browse.dat, netsamlogon_cache.tdb and
winbindd_cache.tdb; these will probably be in /usr/local/samba/var/cache
You now need a valid smb.conf placed in /usr/local/samba/etc, try this one:
[global]
workgroup = EXAMPLE
realm = example.com
server string = Test Samba Server
security = ADS
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
template shell = /bin/bash
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = yes
winbind normalize names = Yes
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config EXAMPLE:backend = ad
# if no uidNumber or gidNumber attributes in AD, change the line above to this:
#idmap config EXAMPLE:backend = rid
idmap config EXAMPLE:schema_mode = rfc2307
idmap config EXAMPLE:range = 500-40000
Ensure that /etc/resolv.conf points to the AD server and /etc/krb5.conf
is setup for your realm.
Restart smbd, nmbd & winbind daemons and see how you go on
Rowland
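The reset procedure in the reply above, scripted as an added example (this is not code from the thread or from the Samba project). The install prefix, workgroup, realm and the DC address used in the checks are assumptions, defaulting to the values in the thread, so the functions can be exercised against a scratch directory instead of a live /usr/local/samba. The smb.conf it writes keeps the idmap comment on a single line: a wrapped continuation without a leading `#` is neither a section header nor a `key = value` pair, and Samba's config parser logs such a line as badly formed rather than applying it.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project: a
# scripted version of the reset procedure for a self-built Samba 4 member
# server. Prefix, workgroup, realm and DC address are parameters
# (assumed values, matching the thread) so the functions can run against
# a scratch directory.

# Files listed for deletion; on a /usr/local/samba build they live under
# var/locks, private and var/cache, so the whole prefix is searched.
STATE_FILES="account_policy.tdb share_info.tdb group_mapping.tdb registry.tdb passdb.tdb secrets.tdb winbindd_idmap.tdb"
CACHE_FILES="browse.dat netsamlogon_cache.tdb winbindd_cache.tdb"

# Stop the Samba 4 daemons if any are running.
stop_samba() {
    for d in smbd nmbd winbindd; do
        pkill -x "$d" 2>/dev/null || true
    done
}

# Delete every listed file found under the prefix; prints how many went.
reset_samba_state() {
    prefix="$1"; removed=0
    for f in $STATE_FILES $CACHE_FILES; do
        for path in $(find "$prefix" -type f -name "$f" 2>/dev/null); do
            rm -f "$path"
            removed=$((removed + 1))
        done
    done
    echo "$removed"
}

# Write the smb.conf from the reply into $prefix/etc/smb.conf.
write_smb_conf() {
    prefix="$1"; workgroup="$2"; realm="$3"
    mkdir -p "$prefix/etc"
    cat > "$prefix/etc/smb.conf" <<EOF
[global]
   workgroup = $workgroup
   realm = $realm
   server string = Test Samba Server
   security = ADS
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   template shell = /bin/bash
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   winbind expand groups = 4
   winbind nss info = rfc2307
   winbind refresh tickets = yes
   winbind offline logon = yes
   winbind normalize names = yes
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config $workgroup:backend = ad
   # if no uidNumber or gidNumber attributes in AD, use the rid backend instead of ad above
   #idmap config $workgroup:backend = rid
   idmap config $workgroup:schema_mode = rfc2307
   idmap config $workgroup:range = 500-40000
EOF
}

# Structural lint: every non-blank line must be a [section], a comment,
# or a key = value pair. Catches a comment wrapped onto a second line.
# On a real host run testparm -s as well.
lint_smb_conf() {
    ! grep -Ev '^[[:space:]]*$|^[[:space:]]*[#;]|^[[:space:]]*\[[^]]*\][[:space:]]*$|^[^=]+=' "$1" >/dev/null
}

# resolv.conf must name the DC and krb5.conf must mention the realm.
# Returns 1 for a missing nameserver, 2 for a missing realm.
check_name_resolution() {
    resolv="$1"; dc_ip="$2"; krb5="$3"; realm="$4"
    ip_re=$(printf '%s' "$dc_ip" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*nameserver[[:space:]]+$ip_re([[:space:]]|\$)" "$resolv" || return 1
    grep -Fiq "$realm" "$krb5" || return 2
}

# Full run against the real install only when invoked with --run.
if [ "${1:-}" = "--run" ]; then
    stop_samba
    echo "removed $(reset_samba_state /usr/local/samba) state files"
    write_smb_conf /usr/local/samba EXAMPLE example.com
    lint_smb_conf /usr/local/samba/etc/smb.conf || { echo "smb.conf malformed"; exit 1; }
    check_name_resolution /etc/resolv.conf 192.0.2.10 /etc/krb5.conf example.com \
        || { echo "fix /etc/resolv.conf or /etc/krb5.conf first"; exit 1; }
    echo "now re-join the domain and start smbd, nmbd and winbindd"
fi
```

One caveat the reply does not spell out: secrets.tdb holds the machine account password and domain SID, so once it is deleted the host is no longer joined and `net ads join -U Administrator` has to be run before winbind can talk to the DC; the script prints a reminder rather than doing it, since that step needs domain credentials. The DC address 192.0.2.10 in the `--run` branch is a placeholder for whatever the AD server's address is.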