[Samba] Access to shares is denied after upgrading from 3.6.3 (openSUSE 12.1) to 4.1.17 (openSUSE 13.2)

Nissl Reinhard Reinhard.Nissl at fee.de
Fri Jul 31 12:49:42 UTC 2015

Hi Rowland,

I just wanted to give some feedback on how I solved my issues.

Reading the log output and source code I finally found that the mentioned SID was contained either in /etc/samba/passdb.tdb or in /etc/samba/secrets.tdb for whatever reason (looks like previous samba versions required such an entry for user root long time ago).

So I removed those files and joined the domain again and it worked afterwards.

Another issue which took me some days to analyze by debugging smbd was, that apparmor got enabled by the update to openSUSE 13.2. And the default configuration prevented smbd to do things which were working before the upgrade as apparmor was disabled on the old system.

Issues caused by apparmor are hard to track down if you don't accidentally have a look in the apparmor logs, because there's nothing in the samba logs that apparmor caused the API function to fail. Shouldn't for example smbd detect, that it is running under apparmor control and drop a line about that into the logs?

Thanks for your assistance.

Reinhard Nißl, TB3, -198

-----Ursprüngliche Nachricht-----
Von: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] Im Auftrag von Rowland Penny
Gesendet: Freitag, 20. März 2015 19:17
An: samba at lists.samba.org
Betreff: Re: [Samba] Access to shares is denied after upgrading from 3.6.3 (openSUSE 12.1) to 4.1.17 (openSUSE 13.2)

On 20/03/15 17:22, Reinhard Nißl wrote:
> Hi Rowland,
> Am 20.03.2015 um 15:02 schrieb Rowland Penny:
>>>> Try replacing the global part of your smb.conf with this:
>>>> [global]
>>>>        netbios name = PLATON
>>>>        workgroup = FEE
>>>>        security = ADS
>>>>        realm = FEE.DE
>>>>        dedicated keytab file = /etc/krb5.keytab
>>>>        kerberos method = secrets and keytab
>>>>        server string = Web- und Internet-Mail-Server
>>>>        interfaces =
>>>>        bind interfaces only = Yes
>>>>        username map = /etc/samba/smbusers
>>>>        name resolve order = wins hosts
>>>>        os level = 0
>>>>        local master = No
>>>>        wins server =
>>>>        guest ok = Yes
>>>>        hide dot files = No
>>>>        idmap config *:backend = tdb
>>>>        idmap config *:range = 2000-9999
>>>>        idmap config FEE:backend = rid
>>>>        idmap config FEE:range = 10000-20000
>>>>        winbind cache time = 10
>>>>        template shell = /bin/false
>>>>        template homedir = /tmp
>>>>        winbind use default domain = yes
>>>>        winbind enum users = yes
>>>>        winbind enum groups = yes
>>>>        winbind expand groups = 1
>>>>        winbind trusted domains only = no
>>>>        winbind refresh tickets = Yes
>>>>        deadtime = 1
>>>>        load printers = no
>>>>        printing = bsd
>>>> Remove all the 'valid users' etc from the shares and use ACLs 
>>>> instead , either from windows or with setfacl on the member server, 
>>>> see:
>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_wi
>>>> th_Windows_ACLs
> To appreciate your support, I've put the above lines into smb.conf, 
> modified the shares accordingly and rejoined the domain, so I do have 
> a /etc/krb5.keytab now, but as long as smbusers contains that mapping 
> to root, I still get this error:
>> SID S-1-5-21-2807186310-4085009417-2666197100-1000 -> getpwuid(10938) 
>> failed
> According to these wiki entries
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting
> there is nothing special in my setup, so I have absolutely no clue, 
> why this root-mapping doesn't work.
> Bye.
> --
> Reinhard Nißl, TB3, -198

What are you authenticating to ? a samba4 AD DC or a windows AD DC ?

Either way you need to look at the object in AD that has the SID 'S-1-5-21-2807186310-4085009417-2666197100-1000', If it is a samba AD DC, then you should be able to use ldbedit, but you will have to use windows tools that I am not used to, search the internet.

Once you find out just who (or what) has the RID 1000, it should help to understand why you are getting the problem you are having. I take it as read that you do not have a user with the ID 10938 in /etc/passwd.


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list