Rowland Penny
2019-May-03 13:53 UTC
[Samba] NT_STATUS_ACCESS_DENIED on a directory I have permission to access
On Fri, 3 May 2019 15:36:59 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai Paul,
>
> Look at this: user=paulg,uid=2381
> (from mount -t cifs //xxxx.xxxx.yorku.ca/homes /tmp/1 -o
> user=paulg,uid=2381,gid=1000,domain=AD.ONE.EXAMPLE.CA)
>
> Now, look at this :
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> > # - You must set a DOMAIN backend configuration
> > # idmap config for the ONEEXAMPLECA domain
> > idmap config ONEEXAMPLECA : backend = rid
> > idmap config ONEEXAMPLECA : range = 10000-999999
> What do you notice here. ( the hint is 2381:1000 ) and i would expect
> to see 10000:10000 or higher. Do you see what i mean? Your UID/GID is
> a local users one, not AD-DC users.
>
> Your ranges are out of sync now, and that your denied is completely
> correct.
>

Good catch Louis, those numbers are even outside the '*' domain, so must be a local Unix user and group and how many times do I have to say this:

You cannot have local Unix users and groups in /etc/passwd & /etc/group and expect them to work on a Samba Unix domain.

If the ID numbers are in AD, then the only reason would be if this is a classicupgraded domain (which I personally hate) and if so, the ranges in smb.conf will need altering to match.

Rowland
Paul Griffith
2019-May-06 14:33 UTC
[Samba] NT_STATUS_ACCESS_DENIED on a directory I have permission to access
On 5/3/19 9:53 AM, Rowland Penny via samba wrote:
> On Fri, 3 May 2019 15:36:59 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
>> Hai Paul,
>>
>> Look at this: user=paulg,uid=2381
>> (from mount -t cifs //xxxx.xxxx.yorku.ca/homes /tmp/1 -o
>> user=paulg,uid=2381,gid=1000,domain=AD.ONE.EXAMPLE.CA)
>>
>> Now, look at this :
>>> idmap config * : backend = tdb
>>> idmap config * : range = 3000-7999
>>> # - You must set a DOMAIN backend configuration
>>> # idmap config for the ONEEXAMPLECA domain
>>> idmap config ONEEXAMPLECA : backend = rid
>>> idmap config ONEEXAMPLECA : range = 10000-999999
>> What do you notice here. ( the hint is 2381:1000 ) and i would expect
>> to see 10000:10000 or higher. Do you see what i mean? Your UID/GID is
>> a local users one, not AD-DC users.
>>
>> Your ranges are out of sync now, and that your denied is completely
>> correct.
>>
> Good catch Louis, those numbers are even outside the '*' domain, so
> must be a local Unix user and group and how many times do I have to
> say this:
>
> You cannot have local Unix users and groups in /etc/passwd & /etc/group
> and expect them to work on a Samba Unix domain.
>
> If the ID numbers are in AD, then the only reason would be if this is
> a classicupgraded domain (which I personally hate) and if so, the
> ranges in smb.conf will need altering to match.
>
> Rowland
>
>

Louis and Rowland,

Thank you both for your suggestions. Why only the mail directory, why wouldn't I get a permission error on the other directories?

This is a classic upgraded domain. In this situation, what would be ideal..?

1) Configure the local builtin accounts?

idmap config * : range = 100-999

2) Configure the Domain accounts?

idmap config ONEEXAMPLECA : backend = rid
idmap config ONEEXAMPLECA : range = 1000-999999

Suggestions and links always welcomed :)

Paul

--
Paul Griffith | Computer Systems Coordinator
Electrical Engineering & Computer Science | Lassonde School of Engineering
York University | 4700 Keele St., Toronto ON M3J 1P3 Canada
T:416-736-2100 x70258 | F:416-736-5872
Rowland Penny
2019-May-06 15:59 UTC
[Samba] NT_STATUS_ACCESS_DENIED on a directory I have permission to access
On Mon, 6 May 2019 10:33:27 -0400
Paul Griffith <paulg at eecs.yorku.ca> wrote:

> On 5/3/19 9:53 AM, Rowland Penny via samba wrote:
> > On Fri, 3 May 2019 15:36:59 +0200
> > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> >
> >> Hai Paul,
> >>
> >> Look at this: user=paulg,uid=2381
> >> (from mount -t cifs //xxxx.xxxx.yorku.ca/homes /tmp/1 -o
> >> user=paulg,uid=2381,gid=1000,domain=AD.ONE.EXAMPLE.CA)
> >>
> >> Now, look at this :
> >>> idmap config * : backend = tdb
> >>> idmap config * : range = 3000-7999
> >>> # - You must set a DOMAIN backend configuration
> >>> # idmap config for the ONEEXAMPLECA domain
> >>> idmap config ONEEXAMPLECA : backend = rid
> >>> idmap config ONEEXAMPLECA : range = 10000-999999
> >> What do you notice here. ( the hint is 2381:1000 ) and i would
> >> expect to see 10000:10000 or higher. Do you see what i mean? Your
> >> UID/GID is a local users one, not AD-DC users.
> >>
> >> Your ranges are out of sync now, and that your denied is completely
> >> correct.
> >>
> > Good catch Louis, those numbers are even outside the '*' domain, so
> > must be a local Unix user and group and how many times do I have to
> > say this:
> >
> > You cannot have local Unix users and groups in /etc/passwd
> > & /etc/group and expect them to work on a Samba Unix domain.
> >
> > If the ID numbers are in AD, then the only reason would be if this
> > is a classicupgraded domain (which I personally hate) and if so, the
> > ranges in smb.conf will need altering to match.
> >
> > Rowland
> >
> >
>
> Louis and Rowland,
>
> Thank you both for your suggestions. Why only the mail directory, why
> wouldn't I get a permission error on the other directories?
>
> This is a classic upgraded domain. In this situation, what would be
> ideal..?
>
> 1 ) Configure the local builtin accounts?
>
> idmap config * : range = 100-999

No, set this above the 'ONEEXAMPLECA' domain

>
> 2) Configure the Domain accounts?
>
> idmap config ONEEXAMPLECA : backend = rid
> idmap config ONEEXAMPLECA : range = 1000-999999

If your lowest Unix ID in AD is 1000 and your highest is less than 999999, then yes, but use the 'ad' backend instead.

If you don't care about the IDs (in which case, why did you run the classicupgrade?), the range can be anything you like, if you use the 'rid' backend.

Rowland

>
> Suggestions and links always welcomed :)
>
> Paul
>
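The range check Louis and Rowland do by eye, as an added example (not part of any list message and not Samba code): it parses the `idmap config` lines quoted in the thread, reports which configured range, if any, contains a given Unix ID, and flags overlapping ranges. The function names are hypothetical, the RID-to-ID formula is the one documented in idmap_rid(8), and the two sample configs are constructed from the settings posted above.

```python
import re

# Matches smb.conf lines such as "idmap config ONEEXAMPLECA : range = 10000-999999".
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w[\w ]*?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    domains = {}
    for line in conf_text.splitlines():
        if not (m := IDMAP_RE.match(line)):
            continue  # commented-out and unrelated lines do not match
        domain, option, value = m.group(1), m.group(2).lower(), m.group(3)
        parsed = tuple(int(x) for x in value.split("-")) if option == "range" else value
        domains.setdefault(domain, {})[option] = parsed
    return domains

def owner_of(domains, unix_id):
    """Name of the idmap domain whose range contains unix_id, or None."""
    return next((n for n, c in domains.items()
                 if "range" in c and c["range"][0] <= unix_id <= c["range"][1]), None)

def overlaps(domains):
    """Pairs of domains whose ranges overlap (idmap ranges must not overlap)."""
    items = [(n, c["range"]) for n, c in domains.items() if "range" in c]
    return [(a, b) for i, (a, ra) in enumerate(items)
            for b, rb in items[i + 1:] if ra[0] <= rb[1] and rb[0] <= ra[1]]

def rid_to_unix_id(rid, low, base_rid=0):
    """idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID, so uidNumber in AD is ignored."""
    return rid - base_rid + low

# Constructed from the settings quoted in the thread.
POSTED = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config ONEEXAMPLECA : backend = rid
idmap config ONEEXAMPLECA : range = 10000-999999
"""
PROPOSED = """
idmap config * : range = 100-999
idmap config ONEEXAMPLECA : backend = rid
idmap config ONEEXAMPLECA : range = 1000-999999
"""

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("proposed", PROPOSED)):
        d = parse_idmap(text)
        print(label, {i: owner_of(d, i) for i in (2381, 1000)}, overlaps(d))
```

With the posted config neither 2381 nor 1000 belongs to any range. The proposed range does contain 2381, but under the 'rid' backend the ID is computed from the RID rather than read from AD, which is why the reply recommends the 'ad' backend for IDs stored in AD.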