Hi

I had a few test shares created and they were working fine. Users could read or write depending on the windows group that was defined on the share. I have since removed the test shares and created the file structure needed and setup the smb.conf file with the share names. I have also setup the groups and assigned them to the respective directories. Problem is the users can connect to the share but they get "access denied" and can not open the share directory. I am at a loss as to where I went wrong, any help would be great.

small cut of the smb.conf definitions. but they are all setup the same.

    #
    # defined shares for users
    #

    [acctcui]
    path = /cui/acct
    comment = Accounting data
    admin users = jlowry 'domain admins'
    valid users = jessica janet lynne
    read list = lynne janet jessica
    write list = lynne janet jessica
    writable = yes
    browsable = yes

    [tradecui]
    path = /cui/trade
    comment = Trade Compliance data
    admin users = jlowry 'domain admins'
    valid users = sharon tom janet lynne
    read list = lynne janet sharon tom
    write list = lynne janet sharon tom
    writable = yes
    browsable = yes

    [sales]
    path = /cui/admin/sales
    comment = Admin access for sales
    admin users = jlowry 'domain admins'
    valid users = tiana bob carol jessica janet lynne biet cynthia jill patty sharon wendy davidq
    read list = @salesread
    write list = @salesrw
    writable = yes
    browsable = yes

windows shares:

example of permissions

thanks,

--
---------------------------------------------------------------------------
Jerold Lowry
Principal Network/Systems Engineer
Engineering Design Team (EDT), Inc. a HEICO company
3423 NW John Olsen Pl
Hillsboro, Oregon 97124 (U.S.A.)
Phone: 503-690-1234 / 800-435-4320
Fax: 503-690-1243
Web: _www.edt.com <http://www.edt.com/>_

On Tue, 12 Dec 2017 13:31:30 -0800
Jerry Lowry via samba <samba at lists.samba.org> wrote:

> Hi
>
> I had a few test shares created and they were working fine. Users
> could read or write depending on the windows group that was defined
> on the share. I have since removed the test shares and created the
> file structure needed and setup the smb.conf file with the share
> names. I have also setup the groups and assigned them to the
> respective directories. Problem is the users can connect to the
> share but they get "access denied" and can not open the share
> directory. I am at a loss as to where I went wrong, any help would
> be great.
>
> small cut of the smb.conf definitions. but they are all setup the
> same.
>
> #
> # defined shares for users
> #
>
> [acctcui]
>
> path = /cui/acct
> comment = Accounting data
> admin users = jlowry 'domain admins'
> valid users = jessica janet lynne
> read list = lynne janet jessica
> write list = lynne janet jessica
> writable = yes
> browsable = yes
>
> [tradecui]
>
> path = /cui/trade
> comment = Trade Compliance data
> admin users = jlowry 'domain admins'
> valid users = sharon tom janet lynne
> read list = lynne janet sharon tom
> write list = lynne janet sharon tom
> writable = yes
> browsable = yes
>
> [sales]
> path = /cui/admin/sales
> comment = Admin access for sales
> admin users = jlowry 'domain admins'
> valid users = tiana bob carol jessica janet lynne biet
> cynthia jill patty sharon wendy davidq
> read list = @salesread
> write list = @salesrw
> writable = yes
> browsable = yes
>
>
> windows shares:
>
> example of permissions
>
> thanks,
>

I am sorry, but there isn't enough information provided:

What version of Samba ?
What is in the [global] portion of smb.conf

Rowland

Pictures do not load on the mailing list. If they're relevant, post them on a site such as Imgur, and provide the link.

Can you also post the [global] section of your smb.conf file? Are you setup using an Active Directory, a PDC, or a stand-alone?

I find it's much easier not specifying users in the smb.conf file, and using Windows or Linux permissions to manage them.

On Tue, Dec 12, 2017 at 1:31 PM, Jerry Lowry via samba <samba at lists.samba.org> wrote:

> Hi
>
> I had a few test shares created and they were working fine. Users could
> read or write depending on the windows group that was defined on the share.
> I have since removed the test shares and created the file structure needed
> and setup the smb.conf file with the share names. I have also setup the
> groups and assigned them to the respective directories. Problem is the
> users can connect to the share but they get "access denied" and can not open
> the share directory. I am at a loss as to where I went wrong, any help
> would be great.
>
> small cut of the smb.conf definitions. but they are all setup the same.
>
> #
> # defined shares for users
> #
>
> [acctcui]
>
> path = /cui/acct
> comment = Accounting data
> admin users = jlowry 'domain admins'
> valid users = jessica janet lynne
> read list = lynne janet jessica
> write list = lynne janet jessica
> writable = yes
> browsable = yes
>
> [tradecui]
>
> path = /cui/trade
> comment = Trade Compliance data
> admin users = jlowry 'domain admins'
> valid users = sharon tom janet lynne
> read list = lynne janet sharon tom
> write list = lynne janet sharon tom
> writable = yes
> browsable = yes
>
> [sales]
> path = /cui/admin/sales
> comment = Admin access for sales
> admin users = jlowry 'domain admins'
> valid users = tiana bob carol jessica janet lynne biet cynthia
> jill patty sharon wendy davidq
> read list = @salesread
> write list = @salesrw
> writable = yes
> browsable = yes
>
>
> windows shares:
>
> example of permissions
>
> thanks,
>
> --
>
> ------------------------------------------------------------
> ---------------
> Jerold Lowry
> Principal Network/Systems Engineer
> Engineering Design Team (EDT), Inc. a HEICO company
> 3423 NW John Olsen Pl
> Hillsboro, Oregon 97124 (U.S.A.)
> Phone: 503-690-1234 / 800-435-4320
> Fax: 503-690-1243
> Web: _www.edt.com <http://www.edt.com/>_
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

On Tue, 12 Dec 2017 14:01:03 -0800
Jerry Lowry <jlowry at edt.com> wrote:

> Sorry didn't scroll up far enough :)
>
> samba version : 4.4.4-14.el7_3
>
> also forgot that pictures don't transfer....it has been a tough week,
> this is Friday right?
>
> thanks
>
> Here is the global section:
>
> [global]
> workgroup = Accounting
> security = ADS
> realm = Accounting.edt.local
> log file = /var/log/samba/%m.log
> log level = 1
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> # - Adding just this is not enough
> # - You must set a DOMAIN backend configuration, see below
> idmap config * : backend = ad
> idmap config * : range = 1000000-2000000
> #

This is wrong, you cannot use the 'ad' backend for the default domain,
it should be 'tdb'.
You should also have 'idmap config' lines for the 'ACCOUNTING' domain,
can I suggest you go and read this wikipage again:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Just a thought, have you given your users a unique number inside the
'1000000-2000000' range and Domain Users a gidNumber inside the same
range, these attributes are not added automatically.

Rowland

After following Rowland's and Luke's instructions, you need to enter a unix attribute for each user and group.

- Default groups: domain admins and domain users
- Security groups: acctcui, tradecui, sales, etc.
- Normal Users like tiana, bob and carol must have a unix attribute too.
- Administrator does not need unix attribute.

In addition, try leaving the shares as follows,

    [sales]
    path = /cui/admin/sales
    comment = Admin access for sales
    read only = no

and use windows ntfs permissions via Computer Management - RSAT Tools or windows explorer.

On Tue, Dec 12, 2017 at 8:09 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 12 Dec 2017 14:01:03 -0800
> Jerry Lowry <jlowry at edt.com> wrote:
>
> > Sorry didn't scroll up far enough :)
> >
> > samba version : 4.4.4-14.el7_3
> >
> > also forgot that pictures don't transfer....it has been a tough week,
> > this is Friday right?
> >
> > thanks
> >
> > Here is the global section:
> >
> > [global]
> > workgroup = Accounting
> > security = ADS
> > realm = Accounting.edt.local
> > log file = /var/log/samba/%m.log
> > log level = 1
> > # Default ID mapping configuration for local BUILTIN accounts
> > # and groups on a domain member. The default (*) domain:
> > # - must not overlap with any domain ID mapping configuration!
> > # - must use a read-write-enabled back end, such as tdb.
> > # - Adding just this is not enough
> > # - You must set a DOMAIN backend configuration, see below
> > idmap config * : backend = ad
> > idmap config * : range = 1000000-2000000
> > #
>
> This is wrong, you cannot use the 'ad' backend for the default domain,
> it should be 'tdb'.
> You should also have 'idmap config' lines for the 'ACCOUNTING' domain,
> can I suggest you go and read this wikipage again:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Just a thought, have you given your users a unique number inside the
> '1000000-2000000' range and Domain Users a gidNumber inside the same
> range, these attributes are not added automatically.
>
> Rowland
>

--
Elias Pereira

On Tue, 12 Dec 2017 14:18:24 -0800
Jerry Lowry <jlowry at edt.com> wrote:

> On a previous post I received this reply.
>
> B) You totally missed this: '# - Adding just this is not enough' when
> you cut and pasted it from the Samba wiki, you need to use the winbind
> 'rid' or 'ad' backend.
>
> My backend had been set to 'tdb'. I changed it to 'ad' as you
> suggested and the users were able to access the shares.
>
> this system is a file server, it is NOT a domain controller.
>
> I will read your pointer.
>
> thanks
>

Jerry, please be honest here, you don't understand the wiki page I
pointed you to, do you ?

I have tried to make it as obvious as possible that you need to go to
another page for the DOMAIN setup, but it doesn't seem to be working,
not just for you, but others as well.

You must use 'tdb' for the '*' domain, but you also need 'idmap config'
lines for the 'Accounting' domain

If you don't want to add anything to AD, use the 'rid' backend, see
here:

https://wiki.samba.org/index.php/Idmap_config_rid

If you do want to add to AD and have the same IDs everywhere, use the
'ad' backend, see here:

https://wiki.samba.org/index.php/Idmap_config_ad

Rowland
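
The layout Rowland describes in the replies above (a 'tdb' default domain plus separate 'idmap config' lines for the ACCOUNTING domain), written out as an added example that is not from the thread or the Samba wiki. The `*` range 3000-7999, the `schema_mode` line and the reuse of 1000000-2000000 for the domain are assumptions.

```ini
# Added example: idmap part of [global] on the domain member (file server).
# smb.conf has no trailing comments, so every comment is on its own line.
[global]
    workgroup = Accounting
    security = ADS
    realm = Accounting.edt.local

    # Default (*) domain: local BUILTIN accounts and groups only.
    # It needs a read-write backend, so 'tdb' here and not 'ad'.
    # Assumed range; it must not overlap the domain range below.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Option 1, 'ad' backend: IDs are read from attributes stored in AD.
    # Every user needs a uidNumber and every group used on the shares
    # (Domain Users included) a gidNumber inside this range; they are
    # not added automatically.
    # schema_mode = rfc2307 assumes the RFC 2307 attributes are in use.
    idmap config ACCOUNTING : backend = ad
    idmap config ACCOUNTING : schema_mode = rfc2307
    idmap config ACCOUNTING : range = 1000000-2000000

    # Option 2, 'rid' backend: nothing is added to AD, IDs are computed
    # from each account's RID. Use it instead of option 1, never both.
    # idmap config ACCOUNTING : backend = rid
    # idmap config ACCOUNTING : range = 1000000-2000000
```

After editing, `testparm` checks the syntax; run `net cache flush` and restart winbind so old mappings are dropped. `wbinfo -i <user>` should then report a uid and gid inside the domain range.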