Alright, even with that change they cannot access the share. I do not have
SELinux on this system to my knowledge. The only change since my initial post
was changing SAMDOM in my config to TRUEVINE as was pointed out. I then rebooted
the server for good measure. People in the AD group FBC are still denied access
to the FBC share and people in the AD administration group are still denied
access to the staff share.
-------- Original message --------
From: Ryan Ashley <ryana at reachtechfp.com>
Date: 2014/07/25 11:21 (GMT-05:00)
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4 AD share: Access denied

I just realized reply sent this straight to you, Dale. Sorry about
that.
I have made the changes but am not sure if it worked yet. I rebooted the
system, which happens to be a Debian Wheezy 64bit system running under
XenServer. Now I am waiting for a complaint. So far none, which is good.
I will respond again if anything fails to work.
Just for kicks, are there any TDB files I should delete now that I
changed this?
On 07/24/2014 03:41 PM, Dale Schroeder wrote:
> Ryan,
>
> Assuming this is a verbatim copy of your config, should not "idmap
> config SAMDOM" actually be "idmap config TRUEVINE"?
>
> Dale
>
> On 07/24/2014 10:25 AM, Ryan Ashley wrote:
>> I have been using Samba4 for ages and love it as a DC and a
>> print-server. I just set up my first member-server designed solely to
>> host file shares, and have hit an issue. Group policy is mapping it
>> correctly for the users in the group, but those users are getting an
>> access denied message from their Windows 7 Pro 64bit clients when
>> accessing the share. I have configured ACLs and the box resolves
>> users and groups. Everything works, except for the shares. Below I
>> attached all of the information I believe to be useful. Ask if you
>> need more, and thank you for your help!
>>
>> smb.conf:
>> =====
>> [global]
>> netbios name = FS01
>> workgroup = TRUEVINE
>> security = ADS
>> realm = TRUEVINE.LAN
>> encrypt passwords = yes
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 70001-80000
>> idmap config SAMDOM:backend = ad
>> idmap config SAMDOM:schema_mode = rfc2307
>> idmap config SAMDOM:range = 500-40000
>>
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>>
>> vfs objects = acl_xattr
>> map acl inherit = yes
>> store dos attributes = yes
>> auth methods = winbind
>>
>> [install$]
>> path = /home/shared/install
>> comment = "Software installation files"
>> read only = no
>>
>> [staff$]
>> path = /home/shared/staff
>> comment = "Staff file share"
>> read only = no
>>
>> [fbc$]
>> path = /home/shared/fbc
>> comment = "Family Bible College file share"
>> read only = no
>>
>>
>>
>> ACL List:
>> =====
>> root at fs01:~# getfacl /home/shared/staff/
>> getfacl: Removing leading '/' from absolute path names
>> # file: home/shared/staff/
>> # owner: reachfp
>> # group: administration
>> # flags: ss-
>> user::rwx
>> user:reachfp:rwx
>> group::rwx
>> group:administration:rwx
>> group:domain\040admins:rwx
>> group:70028:rwx
>> mask::rwx
>> other::rwx
>> default:user::rwx
>> default:user:reachfp:rwx
>> default:group::---
>> default:group:administration:rwx
>> default:group:domain\040admins:rwx
>> default:group:70028:rwx
>> default:mask::rwx
>> default:other::---
>>
>> root at fs01:~# getfacl /home/shared/fbc/
>> getfacl: Removing leading '/' from absolute path names
>> # file: home/shared/fbc/
>> # owner: reachfp
>> # group: fbc
>> # flags: ss-
>> user::rwx
>> user:reachfp:rwx
>> group::rwx
>> group:fbc:rwx
>> group:domain\040admins:rwx
>> group:70028:rwx
>> mask::rwx
>> other::rwx
>> default:user::rwx
>> default:user:reachfp:rwx
>> default:group::---
>> default:group:fbc:rwx
>> default:group:domain\040admins:rwx
>> default:group:70028:rwx
>> default:mask::rwx
>> default:other::---
>>
>>
>>
>> NSSwitch:
>> =====
>> # /etc/nsswitch.conf
>> #
>> # Example configuration of GNU Name Service Switch functionality.
>> # If you have the `glibc-doc-reference' and `info' packages installed, try:
>> # `info libc "Name Service Switch"' for information about this file.
>>
>> passwd: compat winbind
>> group: compat winbind
>> shadow: compat
>>
>> hosts: files dns
>> networks: files
>>
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
>>
>> netgroup: nis
>>
>>
>>
>> FS Permissions:
>> =========
>> root at fs01:~# l /home/shared
>> total 40
>> drwsrwsrwx+ 6 reachfp fbc 4096 Jul 23 11:31 fbc
>> drwsrws---+ 8 reachfp domain admins 4096 Jul 23 11:14 install
>> drwx------ 2 root root 16384 Jul 15 10:00 lost+found
>> drwsrwsrwx+ 13 reachfp administration 4096 Jul 23 11:30 staff
>>
>>
>>
>> As you can see, I even tried changing the directory permissions to
>> 777 and still no go. The users in the "administration" group are
>> getting the drive mapped but are being denied access to it. Same for
>> FBC. I have worked on this for days now and cannot get anywhere. What
>> should I try next?
>
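
An added example, not part of the original thread: a Python check for the mismatch Dale points out (the `idmap config` domain name versus `workgroup`), plus a lookup of which idmap range a numeric ACL ID such as `group:70028` falls in. The sample inputs are constructed from the smb.conf and getfacl output quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample: workgroup and idmap lines from the smb.conf quoted in the thread.
SMB_CONF = """[global]
workgroup = TRUEVINE
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 500-40000
"""
# Constructed sample: a few entries from the getfacl output quoted in the thread.
ACL_ENTRIES = ["user:reachfp:rwx", "group:administration:rwx", "group:70028:rwx"]

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_global(text):
    """Return (workgroup, {domain: {option: value}}) from smb.conf text."""
    workgroup, idmap = None, {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
        elif "=" in line and line.split("=")[0].strip().lower() == "workgroup":
            workgroup = line.split("=", 1)[1].strip().upper()
    return workgroup, idmap

def check_idmap(text):
    """Report idmap domains that are neither '*' nor the configured workgroup."""
    workgroup, idmap = parse_global(text)
    findings = [f"idmap config {d} does not match workgroup {workgroup}"
                for d in idmap if d not in ("*", workgroup)]
    if workgroup not in idmap:
        findings.append(f"no idmap config for {workgroup}; the '*' backend applies")
    return findings

def numeric_acl_ids(entries, text):
    """Map numeric (unresolved) ACL IDs to the idmap domain whose range holds them."""
    idmap, found = parse_global(text)[1], {}
    for entry in entries:
        name = entry.split(":")[-2]          # works for 'default:' entries too
        for dom, opts in idmap.items():
            lo, hi = (int(x) for x in opts.get("range", "0-0").split("-"))
            if name.isdigit() and lo <= int(name) <= hi:
                found[int(name)] = dom
    return found

if __name__ == "__main__":
    print(check_idmap(SMB_CONF))
    print(numeric_acl_ids(ACL_ENTRIES, SMB_CONF))
```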