[Samba] Access to shares is denied after upgrading from 3.6.3 (openSUSE 12.1) to 4.1.17 (openSUSE 13.2)

Rowland Penny rowlandpenny at googlemail.com
Fri Mar 20 12:17:09 MDT 2015


On 20/03/15 17:22, Reinhard Nißl wrote:
> Hi Rowland,
>
> On 20.03.2015 at 15:02, Rowland Penny wrote:
>
>>>> Try replacing the global part of your smb.conf with this:
>>>>
>>>> [global]
>>>>        netbios name = PLATON
>>>>        workgroup = FEE
>>>>        security = ADS
>>>>        realm = FEE.DE
>>>>        dedicated keytab file = /etc/krb5.keytab
>>>>        kerberos method = secrets and keytab
>>>>        server string = Web- und Internet-Mail-Server
>>>>        interfaces = 10.73.0.6/255.255.0.0
>>>>        bind interfaces only = Yes
>>>>        username map = /etc/samba/smbusers
>>>>        name resolve order = wins hosts
>>>>        os level = 0
>>>>        local master = No
>>>>        wins server = 10.73.0.7 10.73.0.21
>>>>
>>>>        guest ok = Yes
>>>>        hide dot files = No
>>>>
>>>>        idmap config *:backend = tdb
>>>>        idmap config *:range = 2000-9999
>>>>        idmap config FEE:backend = rid
>>>>        idmap config FEE:range = 10000-20000
>>>>
>>>>        winbind cache time = 10
>>>>        template shell = /bin/false
>>>>        template homedir = /tmp
>>>>
>>>>        winbind use default domain = yes
>>>>        winbind enum users = yes
>>>>        winbind enum groups = yes
>>>>        winbind expand groups = 1
>>>>        winbind trusted domains only = no
>>>>        winbind refresh tickets = Yes
>>>>
>>>>        deadtime = 1
>>>>        load printers = no
>>>>        printing = bsd
>>>>
>>>> Remove all the 'valid users' etc from the shares and use ACLs
>>>> instead, either from windows or with setfacl on the member server,
>>>> see:
>>>>
>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs 
>>>>
>
> To appreciate your support, I've put the above lines into smb.conf, 
> modified the shares accordingly and rejoined the domain, so I do have 
> a /etc/krb5.keytab now, but as long as smbusers contains that mapping 
> to root, I still get this error:
>
>> SID S-1-5-21-2807186310-4085009417-2666197100-1000 -> getpwuid(10938) 
>> failed
>
> According to these wiki entries
>
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting
>
> there is nothing special in my setup, so I have absolutely no clue, 
> why this root-mapping doesn't work.
>
> Bye.
> -- 
> Reinhard Nißl, TB3, -198

What are you authenticating to? A samba4 AD DC or a windows AD DC?

Either way you need to look at the object in AD that has the SID
'S-1-5-21-2807186310-4085009417-2666197100-1000'. If it is a samba AD
DC, then you should be able to use ldbedit, but you will have to use
windows tools that I am not used to; search the internet.

Once you find out just who (or what) has the RID 1000, it should help to 
understand why you are getting the problem you are having. I take it as 
read that you do not have a user with the ID 10938 in /etc/passwd.

Rowland
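
Added example (not part of the original message or of Samba itself): a small Python check of the two facts discussed above, namely which RID the SID carries and whether the uid from the error resolves locally. It uses the idmap_rid(8) formula ID = RID - BASE_RID + LOW_RANGE_ID with the FEE range quoted in the thread; base_rid = 0 and all helper names are assumptions.

```python
import pwd
import re

# Values copied from the thread: the SID and uid in the error message and the
# "idmap config FEE:range" line of the suggested smb.conf.
SID = "S-1-5-21-2807186310-4085009417-2666197100-1000"
FAILED_UID = 10938
FEE_RANGE = (10000, 20000)
BASE_RID = 0  # assumption: idmap_rid's "base_rid" option left at its default


def split_sid(sid):
    """Return (domain_sid, rid) for a domain account SID."""
    m = re.fullmatch(r"(S-1-5-21(?:-\d+){3})-(\d+)", sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return m.group(1), int(m.group(2))


def rid_backend_id(rid, id_range=FEE_RANGE, base_rid=BASE_RID):
    """ID the rid backend derives: RID - base_rid + low end of the range.
    Returns None when the result falls outside the configured range."""
    low, high = id_range
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def rid_for_id(unix_id, id_range=FEE_RANGE, base_rid=BASE_RID):
    """Inverse mapping: which RID would produce this Unix ID."""
    low, high = id_range
    if not low <= unix_id <= high:
        return None
    return unix_id - low + base_rid


def local_account(uid):
    """Name NSS returns for uid (what getpwuid() sees), or None."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


if __name__ == "__main__":
    domain_sid, rid = split_sid(SID)
    print("domain SID:", domain_sid, "RID:", rid)
    print("rid backend would map it to:", rid_backend_id(rid))
    print("uid in error message:", FAILED_UID, "<- RID", rid_for_id(FAILED_UID))
    print("getpwuid result:", local_account(FAILED_UID))
```

Under these assumptions the rid backend maps RID 1000 to 11000, while uid 10938 corresponds to RID 938 in the same range, so comparing the two is a quick way to see whether the uid in the log came from the quoted rid configuration at all.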


