I have been using Samba4 for ages and love it as a DC and a print-server. I just set up my first member-server designed solely to host file shares, and have hit an issue. Group policy is mapping it correctly for the users in the group, but those users are getting an access denied message from their Windows 7 Pro 64bit clients when accessing the share. I have configured ACLs and the box resolves users and groups. Everything works, except for the shares. Below I attached all of the information I believe to be useful. Ask if you need more, and thank you for your help!

smb.conf:
=====
[global]
netbios name = FS01
workgroup = TRUEVINE
security = ADS
realm = TRUEVINE.LAN
encrypt passwords = yes

idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 500-40000

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
auth methods = winbind

[install$]
path = /home/shared/install
comment = "Software installation files"
read only = no

[staff$]
path = /home/shared/staff
comment = "Staff file share"
read only = no

[fbc$]
path = /home/shared/fbc
comment = "Family Bible College file share"
read only = no

ACL List:
=====
root@fs01:~# getfacl /home/shared/staff/
getfacl: Removing leading '/' from absolute path names
# file: home/shared/staff/
# owner: reachfp
# group: administration
# flags: ss-
user::rwx
user:reachfp:rwx
group::rwx
group:administration:rwx
group:domain\040admins:rwx
group:70028:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:reachfp:rwx
default:group::---
default:group:administration:rwx
default:group:domain\040admins:rwx
default:group:70028:rwx
default:mask::rwx
default:other::---

root@fs01:~# getfacl /home/shared/fbc/
getfacl: Removing leading '/' from absolute path names
# file: home/shared/fbc/
# owner: reachfp
# group: fbc
# flags: ss-
user::rwx
user:reachfp:rwx
group::rwx
group:fbc:rwx
group:domain\040admins:rwx
group:70028:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:reachfp:rwx
default:group::---
default:group:fbc:rwx
default:group:domain\040admins:rwx
default:group:70028:rwx
default:mask::rwx
default:other::---

NSSwitch:
=====
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

FS Permissions:
=========
root@fs01:~# l /home/shared
total 40
drwsrwsrwx+  6 reachfp fbc            4096 Jul 23 11:31 fbc
drwsrws---+  8 reachfp domain admins  4096 Jul 23 11:14 install
drwx------   2 root    root          16384 Jul 15 10:00 lost+found
drwsrwsrwx+ 13 reachfp administration 4096 Jul 23 11:30 staff

As you can see, I even tried changing the directory permissions to 777 and still no go. The users in the "administration" group are getting the drive mapped but are being denied access to it. Same for FBC. I have worked on this for days now and cannot get anywhere. What should I try next?
Ryan,

Assuming this is a verbatim copy of your config, should not "idmap config SAMDOM" actually be "idmap config TRUEVINE"?

Dale

On 07/24/2014 10:25 AM, Ryan Ashley wrote:
> I have been using Samba4 for ages and love it as a DC and a
> print-server. I just setup my first member-server designed solely to
> host file shares, and have hit an issue. Group policy is mapping it
> correctly for the users in the group, but those users are getting an
> access denied message from their Windows 7 Pro 64bit clients when
> accessing the share. I have configured ACLs and the box resolves users
> and groups. Everything works, except for the shares. Below I attached
> all of the information I believe to be useful. Ask if you need more,
> and thank you for your help!
>
> smb.conf:
> =====
> [global]
> netbios name = FS01
> workgroup = TRUEVINE
> security = ADS
> realm = TRUEVINE.LAN
> encrypt passwords = yes
>
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 500-40000
Andrew Bartlett
2014-Aug-15 21:23 UTC
[Samba] auth methods = winbind (was: Re: Samba 4 AD share: Access denied)
On Thu, 2014-07-24 at 11:25 -0400, Ryan Ashley wrote:
> I have been using Samba4 for ages and love it as a DC and a
> print-server. I just setup my first member-server designed solely to
> host file shares, and have hit an issue. Group policy is mapping it
> correctly for the users in the group, but those users are getting an
> access denied message from their Windows 7 Pro 64bit clients when
> accessing the share. I have configured ACLs and the box resolves users
> and groups. Everything works, except for the shares. Below I attached
> all of the information I believe to be useful. Ask if you need more, and
> thank you for your help!
>
> smb.conf:
> =====
> [global]
> auth methods = winbind

Ryan,

I know you have had much advice, a lot of it not actually relevant to the problems you have at hand (I see you have been distracted down 'kerberos method' for example), and this advice is probably in the same category.

However: Please do not set 'auth methods'. It has already been set correctly by the defaults (based on security=), and the parameter only needs to be set in the most unusual of configurations.

Yes, it will probably still work (perhaps breaking anonymous access, which you probably are not using), but the man-page does say:

"This should be considered a developer option and used only in rare circumstances. In the majority (if not all) of production servers, the default setting should be adequate."

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
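The two points raised in the replies above (Dale's: the "idmap config SAMDOM" block does not match the TRUEVINE workgroup; Andrew's: "auth methods" should not be set at all) can be checked mechanically before a member server goes into service. The script below is an added example written for this thread, not Samba's own tooling and not code from anyone on the list; it parses a constructed smb.conf modelled on the one posted (placeholder values, not a copy) and reports both problems.

```python
from typing import Dict, List

# Constructed sample modelled on the smb.conf posted in this thread, not a copy of it.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = TRUEVINE
    security = ADS
    realm = TRUEVINE.LAN
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:range = 500-40000
    auth methods = winbind
[staff$]
    path = /home/shared/staff
"""

def parse_global(conf: str) -> Dict[str, str]:
    """Collect the [global] parameters; keys are lower-cased and whitespace-normalised."""
    section, params = None, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # comments and blank lines
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.split()).lower()] = value.strip()
    return params

def lint_member_server(conf: str) -> List[str]:
    """Return one finding per problem; an empty list means both checks passed."""
    params = parse_global(conf)
    findings = []
    workgroup = params.get("workgroup", "").upper()
    # Every domain that has its own 'idmap config <DOMAIN>:...' block ('*' is the default).
    domains = {k[len("idmap config "):].partition(":")[0].strip().upper()
               for k in params if k.startswith("idmap config ")}
    for domain in sorted(domains - {"*", workgroup}):
        findings.append(f"idmap config {domain}: does not match workgroup {workgroup}")
    if workgroup and workgroup not in domains:
        findings.append(f"no idmap config block for {workgroup}; it falls back to the '*' backend")
    if "auth methods" in params:
        findings.append("auth methods is set explicitly; the default chosen by 'security =' is correct")
    return findings
```

Running lint_member_server(SAMPLE_SMB_CONF) reports the SAMDOM mismatch, the missing TRUEVINE block and the explicit auth methods line; renaming the block and deleting that line yields an empty list.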