[Samba] Samba 4 AD share: Access denied

Ryan Ashley

unread,

Jul 24, 2014, 11:50:02 AM7/24/14

to

I have been using Samba4 for ages and love it as a DC and a
print-server. I just setup my first member-server designed solely to
host file shares, and have hit an issue. Group policy is mapping it
correctly for the users in the group, but those users are getting an
access denied message from their Windows 7 Pro 64bit clients when
accessing the share. I have configured ACLs and the box resolves users
and groups. Everything works, except for the shares. Below I attached
all of the information I believe to be useful. Ask if you need more, and
thank you for your help!

smb.conf:
======
[global]
netbios name = FS01
workgroup = TRUEVINE
security = ADS
realm = TRUEVINE.LAN
encrypt passwords = yes

idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 500-40000

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
auth methods = winbind

[install$]
path = /home/shared/install
comment = "Software installation files"
read only = no

[staff$]
path = /home/shared/staff
comment = "Staff file share"
read only = no

[fbc$]
path = /home/shared/fbc
comment = "Family Bible College file share"
read only = no

ACL List:
======
root@fs01:~# getfacl /home/shared/staff/
getfacl: Removing leading '/' from absolute path names
# file: home/shared/staff/
# owner: reachfp
# group: administration
# flags: ss-
user::rwx
user:reachfp:rwx
group::rwx
group:administration:rwx
group:domain\040admins:rwx
group:70028:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:reachfp:rwx
default:group::---
default:group:administration:rwx
default:group:domain\040admins:rwx
default:group:70028:rwx
default:mask::rwx
default:other::---

root@fs01:~# getfacl /home/shared/fbc/
getfacl: Removing leading '/' from absolute path names
# file: home/shared/fbc/
# owner: reachfp
# group: fbc
# flags: ss-
user::rwx
user:reachfp:rwx
group::rwx
group:fbc:rwx
group:domain\040admins:rwx
group:70028:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:reachfp:rwx
default:group::---
default:group:fbc:rwx
default:group:domain\040admins:rwx
default:group:70028:rwx
default:mask::rwx
default:other::---

NSSwitch:
======
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind
group: compat winbind
shadow: compat

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

FS Permissions:
==========
root@fs01:~# l /home/shared
total 40
drwsrwsrwx+ 6 reachfp fbc 4096 Jul 23 11:31 fbc
drwsrws---+ 8 reachfp domain admins 4096 Jul 23 11:14 install
drwx------ 2 root root 16384 Jul 15 10:00 lost+found
drwsrwsrwx+ 13 reachfp administration 4096 Jul 23 11:30 staff

As you can see, I even tried changing the directory permissions to 777
and still no go. The users in the "administration" group are getting the
drive mapped but are being denied access to it. Same for FBC. I have
worked on this for days now and cannot get anywhere. What should I try next?
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Dale Schroeder

unread,

Jul 25, 2014, 8:10:02 AM7/25/14

to

Ryan,

Assuming this is a verbatim copy of your config, should not "idmap
config SAMDOM" actually be "idmap config TRUEVINE"?

Dale

Ryan Ashley

unread,

Jul 25, 2014, 11:30:02 AM7/25/14

to

I just realized reply sent this straight to you, Dale. Sorry about that.

I have made the changes but am not sure if it worked yet. I rebooted the
system, which happens to be a Debian Wheezy 64bit system running under
XenServer. Now I am waiting for a complaint. So far none, which is good.
I will respond again if anything fails to work.

Just for kicks, are there any TDB files I should delete now that I
changed this?

Ryan Ashley

unread,

Jul 25, 2014, 10:10:02 PM7/25/14

to

As per suggestion, I deleted the TDB files after a reboot, then brought
up nmbd, smbd, and winbindd. All TDB files were regenerated but the
problem persists. I can resolve AD groups with wbinfo, but share access
appears to only be granted to the owner. I need this fixed ASAP. I am
out of ideas now.

On 7/25/2014 5:00 PM, Dale Schroeder wrote:
> I'll reply to you offline also, as these comments are fairly
> insignificant.
>
> On 07/25/2014 7:51 AM, Ryan Ashley wrote:
>> You are correct. I forgot to change it. Chalk it up to being
>> exhausted when I did this. I will make the change now. Could this
>> cause my issues though?
> In a word, yes. It appears to be essential.
>
> To answer the question in your list email, if you should have any
> further problems, the cache tdb's may have to be regenerated. There
> are probably some SAMDOM entries in the default backend, but this may
> never be an issue since the domain doesn't exist. Beyond that, I
> can't offer any specific advice because I don't have the ability to
> use the ad backend here. We have no Samba DC's nor Windows DC's with
> SFU installed.
>
> Good luck,
> Dale

>
>>
>> On 07/24/2014 03:41 PM, Dale Schroeder wrote:

steve

unread,

Jul 26, 2014, 3:30:02 AM7/26/14

to

On Fri, 2014-07-25 at 22:07 -0400, Ryan Ashley wrote:
> As per suggestion, I deleted the TDB files after a reboot, then brought
> up nmbd, smbd, and winbindd. All TDB files were regenerated but the
> problem persists. I can resolve AD groups with wbinfo, but share access
> appears to only be granted to the owner. I need this fixed ASAP. I am
> out of ideas now.

Hi
What does 70028 map to?
https://lists.samba.org/archive/samba/2014-July/183149.html

<remove>

> >>>> vfs objects = acl_xattr
> >>>> map acl inherit = yes
> >>>> store dos attributes = yes
> >>>> auth methods = winbind

</remove>

net cache flush
remove all the acls on the share folders
reset only the group rw
restart smbd
and try again
HTH
Steve

Rowland Penny

unread,

Jul 26, 2014, 4:20:01 AM7/26/14

to

You seem to have 'flags' set on the directories, as I have never seen
this before I read the manpage and found this means that all files in
the directory will be owned by whoever owns the directory. I do not know
how you set the 'flags' but I suggest you find out how to remove them, I
think that this will cure your problem.

Rowland

steve

unread,

Jul 26, 2014, 5:10:01 AM7/26/14

to

Hi
@Rowland
chmod u-s <folder>
and
chmod g-s <folder>

I think that's OK, but I've suggested removing everything and starting
with only the sticky bit on group:
chmod g+s
in combination with the group rw acl. That is all we are using here for
our group access share. What we are not seeing here are the xacls, but
the OP is doing it on the samba side. The group rw maps fine in windows.
It also looks as though windows has had its say too as there is a
builtin acl set too.
Cheers,
Steve

Rowland Penny

unread,

Jul 26, 2014, 5:40:01 AM7/26/14

to

Hi, I actually knew that ;-) I was trying to get the OP to read up on
getfacl a bit more.

>
> I think that's OK, but I've suggested removing everything and starting
> with only the sticky bit on group:
> chmod g+s
> in combination with the group rw acl. That is all we are using here for
> our group access share. What we are not seeing here are the xacls, but
> the OP is doing it on the samba side. The group rw maps fine in windows.
> It also looks as though windows has had its say too as there is a
> builtin acl set too.
> Cheers,
> Steve
>
>
>

I would also suggest that the OP has a read here:

https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs

Rowland

Ryan Ashley

unread,

Jul 26, 2014, 5:30:01 PM7/26/14

to

Alright, I just read the responses. I have two pickup trucks and one is
older and acting up, so I have been working on it. On to the responses!
Also, I sent this once by accident to Rowland. Still not used to having
to change the reply field to the list. My apologies.

Yes I set g+s and u+s via chmod. This was great in Samba 3, but I can
undo it if needed. I believe 700028 is "SYSTEM". The directories and
files are owned by "administration", "domain admins", and "SYSTEM". Same
for the other share, except "fbc" instead of "administration". And I
used the linked article as a guide for setting up these shares, so it
has been used up. I only set the sticky bits after it wasn't working. I
was trying to get it working and wanted a standard user and group.
Either way, that was the guide I used before posting to this list.

steve

unread,

Jul 26, 2014, 6:50:01 PM7/26/14

to

On Sat, 2014-07-26 at 17:20 -0400, Ryan Ashley wrote:
> Alright, I just read the responses. I have two pickup trucks and one is
> older and acting up, so I have been working on it. On to the responses!
> Also, I sent this once by accident to Rowland. Still not used to having
> to change the reply field to the list. My apologies.
>
> Yes I set g+s and u+s via chmod. This was great in Samba 3, but I can
> undo it if needed. I believe 700028 is "SYSTEM".

Hi
But we're not interested in 700028. In any case, whatever the mapping of
the builtin group is under winbind on the file server will not be the
same as on the DC. The mapping of the builtin groups on the DC begin at
3000000 and are stored in a db called idmap. You need to know the sid to
which 70028 corresponds. wbinfo will get you there.

I've no idea why recent versions add the builtin acl but it appeared
some time after 4.1.6.

HTH
Steve

Rowland Penny

unread,

Jul 27, 2014, 5:00:01 AM7/27/14

to

OK, after a bit more thought, I decided that as everything seems to be
correct it is probably a windows problem. A quick internet search turned
this up:

http://www.eightforums.com/network-sharing/18056-w2k3-server-can-access-windows-8-windows-8-computer-cant-see-w2k-server.html#post177162

Have a look, I think that it may fix your problems.

Ryan Ashley

unread,

Jul 27, 2014, 10:20:02 AM7/27/14

to

That solution is for Windows 8. That also is not our issue. The
WIndows 7 Pro 64bit workstations see the server and shares, and they map
the shares according to group policy, but then everybody gets access
denied, despite being in the domain groups for which the shares were
created. Funny thing is that if I logon as domain admin, I get to access
the shares. Due to this, I fully believe the S4 server is ignoring or
not accounting for group membership. The "reachfp" account is the domain
admin. This is also the default owner of files on the shares. The group
"administration" contains many members and does not grant access,
despite the group being granted full control. This lead e into believing
I am still dealing with a permissions issue and not another issue. If it
was the other issue, I would assume domain admin could not see the share
or access it. Is that about right?

Rowland Penny

unread,

Jul 27, 2014, 11:00:01 AM7/27/14

to

You are missing the point, I probably could have chosen a better target
but I only spent about 30secs on the search:

windows 7 64 bit access denied samba

This returns About 116,000 results, here's another one:

http://www.sevenforums.com/network-sharing/242602-can-t-connect-samba-share-win-7-ultimate-64-bit.html

Try looking into this before dismissing it out of hand and insisting
that samba is the problem.

Ryan Ashley

unread,

Jul 27, 2014, 11:30:01 AM7/27/14

to

I understand and I should have stated more clearly that I have been
going through those results for over a week now. Nothing seems to help.
Funny thing is that creating a second virtual file-server and using
share authentication works fine. Yet another reason I am leaning towards
group issues. If the file-server is share-level the Windows 7 boxes are
happy. As soon as it goes AD and uses AD groups, they stop working. I
have not tried user-level security yet. Then again I may have user-level
and share-level confused. It has been a long week. I will keep searching
but so far nothing I have found and tried works.

Is there a way to get an actual reason for the denial? If it flat-out
told me a reason I could troubleshoot. Right now I am just shooting in
random directions hoping to hit something since all I get is "Access
Denied". Is it possible to see is S4 is denying the connection via a log
or something, or if Windows 7 is being stupid... again?

Davor Vusir

unread,

Jul 27, 2014, 3:00:02 PM7/27/14

to

-- Skickat från mobilusken! --

Den 27 jul 2014 17:28 skrev "Ryan Ashley" <ry...@reachtechfp.com>:
>
> I understand and I should have stated more clearly that I have been going
through those results for over a week now. Nothing seems to help. Funny
thing is that creating a second virtual file-server and using share
authentication works fine. Yet another reason I am leaning towards group
issues. If the file-server is share-level the Windows 7 boxes are happy. As
soon as it goes AD and uses AD groups, they stop working. I have not tried
user-level security yet. Then again I may have user-level and share-level
confused. It has been a long week. I will keep searching but so far nothing
I have found and tried works.
>
> Is there a way to get an actual reason for the denial? If it flat-out
told me a reason I could troubleshoot. Right now I am just shooting in
random directions hoping to hit something since all I get is "Access
Denied". Is it possible to see is S4 is denying the connection via a log or
something, or if Windows 7 is being stupid... again?
>

I have hade a similar problem on a combined AD DC and file server. Are the
groups in question of scope 'Domain Local'? If so, convert them to Global.
https://lists.samba.org/archive/samba/2014-March/180173.html

Regards
Davor

Ryan Ashley

unread,

Jul 27, 2014, 11:50:02 PM7/27/14

to

They were created a global security groups. I just remoted in and
checked and they are still global security groups. Any other ideas? I
have tried about everything I can think of and can find online at this
point.

Rowland Penny

unread,

Jul 28, 2014, 5:10:02 AM7/28/14

to

OK, after more thought and re-reading your posts, a thought has popped
into my head, apparmor, do you have this running on the server ?
I have been caught out by this a few times, not being allowed to do
things that I thought I should be able to do, or packages not running
correctly because they were not allowed access, in every case it was
apparmor. As I could never get apparmor to play ball with me (I thought
that I had found all rights that needed modding and then another one
would pop its head up and what is in the logs bares no resemblance to
what you need to put in the conf file), I now disable apparmor straight
after installing a new system.

Ryan Ashley

unread,

[2014/07/28 18:24:52.883991, 0]

../source3/winbindd/winbindd.c:266(winbindd_sig_term_handler)
Got sig[15] terminate (is_parent=0)

[2014/07/28 18:24:52.884011, 3]

../source3/winbindd/idmap.c:230(idmap_init_domain)
idmap backend ad not found

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

server string = Samba 4 Client %h

winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes

winbind expand groups = 4

winbind nss info = rfc2307

winbind refresh tickets = Yes
winbind offline logon = yes
winbind normalize names = Yes

idmap config * : backend = tdb

idmap config * : range = 2000-9999
idmap config EXAMPLE : backend = ad
idmap config EXAMPLE : range = 10000-999999
idmap config EXAMPLE : schema_mode = rfc2307
printcap name = cups
cups options = raw
usershare allow guests = yes
domain master = no
local master = no
preferred master = no
os level = 20
map to guest = bad user
username map = /etc/samba/smbmap
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

The laptop runs samba4 in classic mode with users and groups having
uidNumber's & gidNumber's etc stored in AD, both ranges starting at 10000.

With the above smb.conf and all samba daemons stopped, if you now run

'net ads join -U Admini...@EXAMPLE.COM'

The machine should join the domain and /etc/krb5.keytab should be created.

You can read this with ktutil

sudo ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ----
---------------------------------------------------------------------
1 5 host/thinkpad.e...@EXAMPLE.COM
2 5 host/thinkpad.e...@EXAMPLE.COM
3 5 host/thinkpad.e...@EXAMPLE.COM
4 5 host/thinkpad.e...@EXAMPLE.COM
5 5 host/thinkpad.e...@EXAMPLE.COM
6 5 host/thin...@EXAMPLE.COM
7 5 host/thin...@EXAMPLE.COM
8 5 host/thin...@EXAMPLE.COM
9 5 host/thin...@EXAMPLE.COM
10 5 host/thin...@EXAMPLE.COM
11 5 THINKPAD$@EXAMPLE.COM
12 5 THINKPAD$@EXAMPLE.COM
13 5 THINKPAD$@EXAMPLE.COM
14 5 THINKPAD$@EXAMPLE.COM
15 5 THINKPAD$@EXAMPLE.COM
ktutil: q

You should now restart the samba daemons.

Rowland

Ryan Ashley

unread,

Jul 29, 2014, 12:00:02 PM7/29/14

to

I took it a step farther. I stopped the daemons, left the domain,
deleted everything in /var/lib/samba, uninstalled S4, rebooted, pulled
the latest stuff from 4-1-stable, configured and built it, installed it,
added the options you showed me to the configuration, joined the domain,
and verified everything. IDs are the same, the keytab WAS created, but
users still get access denied. So I am still nowhere for my efforts. At
least I have the keytab though.

So what is next? I am not running iptables or anything yet, because of
the issues. Windows ACLs are there and are correct. The domain admin is
the only one who can access the shares.

Rowland Penny

unread,

Jul 29, 2014, 12:20:01 PM7/29/14

to

On 29/07/14 16:52, Ryan Ashley wrote:
> I took it a step farther. I stopped the daemons, left the domain,
> deleted everything in /var/lib/samba, uninstalled S4, rebooted, pulled
> the latest stuff from 4-1-stable, configured and built it, installed
> it, added the options you showed me to the configuration, joined the
> domain, and verified everything. IDs are the same, the keytab WAS
> created, but users still get access denied. So I am still nowhere for
> my efforts. At least I have the keytab though.
>
> So what is next? I am not running iptables or anything yet, because of
> the issues. Windows ACLs are there and are correct. The domain admin
> is the only one who can access the shares.

I take it that 'wbinfo -u' shows all domain users, 'wbinfo -g' shows all
the domain groups, 'getent passwd' shows local and domain users, 'getent
group Domain\ Users' shows the info for the Domain users group ('getent
group' will not show any domain groups unless ALL domain groups have a
gidNumber).

Rowland

unread,

Jul 30, 2014, 10:20:01 AM7/30/14

to

Sorry for the delay. I am in eastern time and have been busy with
another project. I cannot convert that ID to SID. In Windows however,
this shows as "SYSTEM". How do I know? Simple, there are only three
things listed. Those are "Domain Admins", "Administration", and
"SYSTEM". Also, what do you mean by "ntadmins" being local? I have added
no groups to the Linux systems, so if you're asking if it is a local
group on the Linux box, no it is not. I can remove the SYSTEM account
from the share if needed, but it is on all Windows shares as well and
causes no issues.

failed to call wbcUidToSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert uid 70028 to sid

Ryan Ashley

unread,

Jul 31, 2014, 12:10:04 PM7/31/14

to

I made a strange discovery this morning. If I attempt to map the drive
using the server's IP address, I get invalid password. If I attempt to
map it using the hostname, it flat out denies access.

C:\Users\reach_support>net use s: \\172.16.0.5\staff$ /persistent:no
Enter the user name for '172.16.0.5': reach_support
Enter the password for 172.16.0.5:
System error 86 has occurred.

The specified network password is not correct.

C:\Users\reach_support>net use s: \\fs01\staff$ /persistent:no
Enter the user name for 'fs01': reach_support
Enter the password for fs01:
System error 5 has occurred.

Access is denied.

C:\Users\reach_support>

This REALLY looks like an S4 bug to me. Why would it give different
errors if using a hostname versus the static IP? The hostname simply
resolves to the IP anyway. Is there anything we can do now?

unread,

Aug 4, 2014, 2:30:02 PM8/4/14

to

DC Config:
=======
# Global parameters
[global]
workgroup = TRUEVINE
realm = TRUEVINE.LAN
netbios name = DC01
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbi$
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /var/lib/samba/sysvol/truevine.lan/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

Print-Server Config:
============
[global]
netbios name = ps01
workgroup = TRUEVINE
security = ADS
realm = TRUEVINE.LAN
encrypt passwords = yes

idmap config *:backend = tdb

idmap config *:range = 70001-80000
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 500-40000

winbind nss info = rfc2307

winbind trusted domains only = no

winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

auth methods = winbind
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
spoolss: architecture = Windows x64

[printers]
path = /var/spool/samba
printable = yes
printing = CUPS

[print$]
path = /srv/samba/printer_drivers
comment = Printer drivers
writeable = yes

[Xerox7545]
path = /var/spool/samba
browseable = yes
printable = yes
printer name = Xerox_WC_7545

File-Server Config:
===========
[global]
netbios name = FS01
workgroup = TRUEVINE
security = ADS
realm = TRUEVINE.LAN
encrypt passwords = yes

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

idmap config *:backend = tdb

idmap config *:range = 70001-80000
idmap config TRUEVINE:backend = ad
idmap config TRUEVINE:schema_mode = rfc2307
idmap config TRUEVINE:range = 500-40000

winbind nss info = rfc2307

winbind trusted domains only = no

winbind use default domain = yes

winbind enum users = yes

winbind enum groups = yes

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
auth methods = winbind
log level = 3

[install$]
path = /home/shared/install
comment = "Software installation files"
read only = no
guest ok = no

[staff$]
path = /home/shared/staff
comment = "Staff file share"
read only = no
guest ok = no

[fbc$]
path = /home/shared/fbc
comment = "Family Bible College file share"
read only = no
guest ok = no

IP Information:
=========
Note that I do have a reverse-DNS zone setup in AD but it NEVER works
with S4. Works fine in 2008 R2, 2008, 2003 R2, etc. Being that I read
hundreds of posts of people never getting it working in S4, I assume it
is broken and am not worried about it yet.

root@fs01:~# host dc01
dc01.truevine.lan has address 172.16.0.1
root@fs01:~# host ps01
ps01.truevine.lan has address 172.16.0.7
root@fs01:~# host 172.16.0.1
Host 1.0.16.172.in-addr.arpa. not found: 3(NXDOMAIN)
root@fs01:~# host 172.16.0.7
Host 7.0.16.172.in-addr.arpa. not found: 3(NXDOMAIN)

Other:
====
root@fs01:~# getfacl /home/shared/staff/
getfacl: Removing leading '/' from absolute path names
# file: home/shared/staff/
# owner: reachfp
# group: administration
# flags: -s-
user::rwx
user:70014:rwx
group::rwx
group:fbc:rwx
group:70020:rwx
group:70028:rwx
mask::rwx
other::---
default:user::rwx
default:user:70014:rwx
default:group::---
default:group:fbc:rwx
default:group:70020:rwx
default:group:70028:rwx
default:mask::rwx
default:other::---

root@fs01:~# getfacl /home/shared/fbc/
getfacl: Removing leading '/' from absolute path names
# file: home/shared/fbc/
# owner: reachfp
# group: fbc
# flags: -s-
user::rwx
user:70014:rwx
group::rwx
group:70013:rwx
group:70020:rwx
group:70028:rwx
mask::rwx
other::---
default:user::rwx
default:user:70014:rwx
default:group::---
default:group:70013:rwx
default:group:70020:rwx
default:group:70028:rwx
default:mask::rwx
default:other::---

root@fs01:~# l /home/shared/
total 40
drwxrws---+ 6 reachfp fbc 4096 Jul 23 11:31 fbc
drwxrws---+ 8 reachfp domain computers 4096 Jul 23 11:14 install
drwx------ 2 root root 16384 Jul 15 10:00 lost+found
drwxrws---+ 13 reachfp administration 4096 Jul 23 11:30 staff

As you can see, getfacl is using ID numbers, but they do resolve to
groups when using ls. This is confusing as heck. This core functionality
should just work. Winbind is running, those IDs resolve to groups, but
getfacl cannot resolve them? What in the heck is missing here? I
followed the guide to the letter!

Finally, I do not know what this DN is. Domain Name? That is TRUEVINE,
FQDN is truevine.lan. As far as causing the error, everybody in the
entire domain causes it EXCEPT the domain admin. Also, what is "ute"?

Rowland Penny

unread,

Aug 4, 2014, 3:00:02 PM8/4/14

to

Funny that, the reverse-dns zone never working with S4, that is. It
works for me and has been doing for quite some time, but you never
answered how you are running the dns & dhcp, are you using the internal
dns server or bind9 ? how are you getting dhcp to update dns ?

The ID numbers that you have posted are in the 'builtin' range
'70001-80000', probably the best way out of your problem is to trace the
users & groups that these numbers match and then give them uidNumber's &
gidNumber's.

>
> Finally, I do not know what this DN is. Domain Name? That is TRUEVINE,
> FQDN is truevine.lan. As far as causing the error, everybody in the
> entire domain causes it EXCEPT the domain admin. Also, what is "ute"?
>

DN stands for distinguished name, for instance, the DN of Administrator
on your AD DC will be CN=Administrator,CN=User,DC=truevine,DC=lan

truevine.lan is NOT the FQDN, that would be DC01.truevine.lan for
instance, truevine.lan is the domain name or kerberos realm.

Haven't a clue what 'ute' is, perhaps Steve does ??

Rowland

Ryan Ashley

Aug 5, 2014, 12:40:01 AM8/5/14

to

2014-08-04 22:26 GMT+02:00 steve <st...@steve-ss.com>:
> On Mon, 2014-08-04 at 21:23 +0200, Davor Vusir wrote:
>
>> I think you get the 70xxx numbers and acces denied because you are
>> using "secrets and keytab". Change to "system keytab". See also
>> http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#KERBEROSMETHOD
>
> I doubt whether that's the reason although Kerberos freaks will tell you
> that the machine should authenticate itself via a keytab, not a
> database. As a ctdb user, we all know how we can fool secrets into
> telling all manner of statistics;)
> HTH,
> Steve
>
>

I see.

In that case it might just be a lingering init-script from a previous
installation that starts winbind with the original smb.conf using
tdb-files in another location. Or does the server need to be re-joined
to the domain?

Regards
Davor

steve

unread,

Aug 5, 2014, 4:20:01 AM8/5/14

to

On Mon, 2014-08-04 at 19:11 -0400, Ryan Ashley wrote:

> Now how are you proposing I assign ID numbers to groups? I have NEVER
> had to or actually done that in the Windows world,

Hi
It's not a case of us proposing. It's you _telling_ us:

idmap config SAMDOM:backend = ad

BTW, you still have conflicting names in your file server smb.conf

HTH,

steve

unread,

Aug 5, 2014, 4:30:01 AM8/5/14

to

On Tue, 2014-08-05 at 06:33 +0200, Davor Vusir wrote:
> 2014-08-04 22:26 GMT+02:00 steve <st...@steve-ss.com>:
> > On Mon, 2014-08-04 at 21:23 +0200, Davor Vusir wrote:
> >
> >> I think you get the 70xxx numbers and acces denied because you are
> >> using "secrets and keytab". Change to "system keytab". See also
> >> http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#KERBEROSMETHOD
> >
> > I doubt whether that's the reason although Kerberos freaks will tell you
> > that the machine should authenticate itself via a keytab, not a
> > database. As a ctdb user, we all know how we can fool secrets into
> > telling all manner of statistics;)
> > HTH,
> > Steve
> >
> >
> I see.
>
> In that case it might just be a lingering init-script from a previous
> installation that starts winbind with the original smb.conf using
> tdb-files in another location. Or does the server need to be re-joined
> to the domain?
>
> Regards
> Davor

Hi
+1 absolutely for that. Make sure there is only one version of smbd on
the file server;)

Rowland Penny

unread,

Aug 5, 2014, 4:40:01 AM8/5/14

to

Here is my working dhcpd.conf:

default-lease-time 14400;
max-lease-time 14400;
authoritative;

subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.21 192.168.0.229;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.0.255;
option time-offset 0;
option routers 192.168.0.1;
option domain-name "example.com";
option domain-name-servers 192.168.0.5;
option domain-search "example.com";
option netbios-name-servers 192.168.0.5;
option ntp-servers 192.168.0.5;
}

on commit {
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
set ClientName = pick-first-value(option host-name,
config-option-host-name, client-name);
log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: ",
ClientName));
execute("/usr/local/sbin/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID,
ClientName);
}

on release {
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
log(concat("Release: IP: ", ClientIP));
execute("/usr/local/sbin/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
}

Notice any differences ???

Are you by any chance using the un-recomended Bind9 flat file backend ?

Rowland

Ryan Ashley

unread,

Aug 5, 2014, 8:50:01 AM8/5/14

unread,

Aug 5, 2014, 1:20:02 PM8/5/14

to

The way that sounds, the "file server" guide is incomplete, because
nowhere does it mention any of what you're telling me. I also have
little trouble finding good documentation on every Linux product I use.
S4 is the one big exception, but with the guides, it eliminates some of
that need. I do not buy the whole argument of using Windows for
documentation, because 90% of their documentation is rambling crud. When
you get an error and have an ID, the docs don't have the ID you want,
you are hosed.

Again, I am running Debian Wheezy 7.5 64bit under XenServer 6.2 with the
latest updates. The stable repos have an OLD version of S4, and I do not
mind building it myself anyway.

Finally, you have told me I need this and that, but no direction is
noted. How do I assign this stuff and why does this ONE system need it
when all the others don't? I would also believe that if I MUST assign
IDs to make file-sharing work, that my other setups (dozens of them)
would be long broken by now since I have never done it in the past. I
also know that even removing and rejoining the domain results in the
exact same IDs for those directories in my shared directory. That tells
me somehow the IDs resolve the same.

My guess here, is that you're telling me I need to assign these IDs so
winbind does not have to resolve them. In other words, when a user
accesses the share, the ID is associated with the group and it sends
that along with the request, which even the Linux stuff can understand
(ie: ID 4000 can access a directory owned by ID 4000). Am I correct here?

Oh and Rowland, I have been using Linux since before 2000. This is the
only major issue I have EVER encountered where a standard setup working
in dozens of locations is failing in this one. We deploy Linux as often
as Windows here, and we have become GOOD at using and working with it.
We use Debian, naturally.

Rowland Penny

unread,

Aug 5, 2014, 2:00:02 PM8/5/14

to

On 05/08/14 18:17, Ryan Ashley wrote:
> The way that sounds, the "file server" guide is incomplete, because
> nowhere does it mention any of what you're telling me. I also have
> little trouble finding good documentation on every Linux product I
> use. S4 is the one big exception, but with the guides, it eliminates
> some of that need. I do not buy the whole argument of using Windows
> for documentation, because 90% of their documentation is rambling
> crud. When you get an error and have an ID, the docs don't have the ID
> you want, you are hosed.
>
> Again, I am running Debian Wheezy 7.5 64bit under XenServer 6.2 with
> the latest updates. The stable repos have an OLD version of S4, and I
> do not mind building it myself anyway.

OK, this is your decision, I just pointed out that you can get 4.1.9
from backports, this works, I know this because it is what I use.

>
> Finally, you have told me I need this and that, but no direction is
> noted. How do I assign this stuff and why does this ONE system need it
> when all the others don't? I would also believe that if I MUST assign
> IDs to make file-sharing work, that my other setups (dozens of them)
> would be long broken by now since I have never done it in the past. I
> also know that even removing and rejoining the domain results in the
> exact same IDs for those directories in my shared directory. That
> tells me somehow the IDs resolve the same.
>
> My guess here, is that you're telling me I need to assign these IDs so
> winbind does not have to resolve them. In other words, when a user
> accesses the share, the ID is associated with the group and it sends
> that along with the request, which even the Linux stuff can understand
> (ie: ID 4000 can access a directory owned by ID 4000). Am I correct here?

Windows uses SID's and RID's, Linux has not got a clue what these mean,
so you need to use an interpretor, this is where winbind, sssd etc come
in. You can do it two ways (at least), you either take the RID and use
this to create a users ID number or you give your users & groups RFC2307
numbers. There are pro's & con's for both, but for me, using RFC2307
attributes wins out, using these means that users & groups get correctly
identified everywhere. Using the RFC2307 attributes is actually the way
that windows wants you to connect to Linux, this is why they created
'Service for NIS'.

>
> Oh and Rowland, I have been using Linux since before 2000. This is the
> only major issue I have EVER encountered where a standard setup
> working in dozens of locations is failing in this one. We deploy Linux
> as often as Windows here, and we have become GOOD at using and working
> with it. We use Debian, naturally.
>

Well I have been using Linux since well before that, but I must be an
idiot because I can get Samba4 to work with both windows & Linux
clients, along with bind9, dhcp etc just by reading the documentation
and surfing the net!

It actually doesn't matter what OS you use, as long as it is a
maintained recent version, some people swear by Red Hat for instance,
others just swear at it ;-)

Ryan Ashley

unread,

Aug 5, 2014, 2:10:02 PM8/5/14

to

I provisioned with rfc2307 specified and it is in my domain controller's
smb.conf. I added the line about using rfc2307 to my print-server and
file-server. No change though. Is that line only for domain controllers?

Also, I have been all over ADUC looking for the "UNIX Attributes" tab
but cannot find it. Why won't it show up with an S4 DC provisioned with
rfc2307? This may be the problem, though so far every ID has been
perfect and the same across both servers.

steve

unread,

Aug 5, 2014, 2:20:03 PM8/5/14

to

On Tue, 2014-08-05 at 13:17 -0400, Ryan Ashley wrote:
> The way that sounds, the "file server" guide is incomplete, because
> nowhere does it mention any of what you're telling me. I also have
> little trouble finding good documentation on every Linux product I use.
> S4 is the one big exception, but with the guides, it eliminates some of
> that need. I do not buy the whole argument of using Windows for
> documentation, because 90% of their documentation is rambling crud. When
> you get an error and have an ID, the docs don't have the ID you want,
> you are hosed.

Unless you know what you're doing, the time it takes to get up on
user-land Linux compared with enterprise or microsoft
out-of-the-box-or-just-call-the-engineer is false economy.

>
> Again, I am running Debian Wheezy 7.5 64bit under XenServer 6.2 with the
> latest updates. The stable repos have an OLD version of S4, and I do not
> mind building it myself anyway.

Debian doesn't install samba unless you tell it?

>
> Finally, you have told me I need this and that, but no direction is
> noted.

http://bit.ly/1s8LTZc

Stuart Naylor

unread,

Aug 5, 2014, 2:30:01 PM8/5/14

to

I use the sernet binaries as they are very rapid in there releases.

http://www.enterprisesamba.com/samba/

Great to have so many distro's supported.

Backports or Archlinux is usually a day after a fresh release.

Documentation wise things are not good guys.

I have been on the samba4 trail for some time now and yeah I know where I am at now.
There is a load of confusing almost opposing documentation sometimes its hard to differentiate between versions.

The result is great when you get things going and the coding effort is just amazing.

Doc wise guys and know offence things suck.

Also it must be such a chore to keep repeating things on a mail list.
So much great knowledge just slips through time.

A forum would add much but you guys have your hands full, but sometimes the extra workload means future workload is less.

Anyway thanks for a super product even if the documentation at times is a little barren or confusing.

Stuart

-----Original message-----
> From:Rowland Penny <rowlan...@googlemail.com>
> Sent: Tuesday 5th August 2014 18:50
> To: sa...@lists.samba.org
> Subject: Re: [Samba] Samba 4 AD share: Access denied

>
> On 05/08/14 18:17, Ryan Ashley wrote:
> > The way that sounds, the "file server" guide is incomplete, because
> > nowhere does it mention any of what you're telling me. I also have
> > little trouble finding good documentation on every Linux product I
> > use. S4 is the one big exception, but with the guides, it eliminates
> > some of that need. I do not buy the whole argument of using Windows
> > for documentation, because 90% of their documentation is rambling
> > crud. When you get an error and have an ID, the docs don't have the ID
> > you want, you are hosed.
> >

> > Again, I am running Debian Wheezy 7.5 64bit under XenServer 6.2 with
> > the latest updates. The stable repos have an OLD version of S4, and I
> > do not mind building it myself anyway.
>

> OK, this is your decision, I just pointed out that you can get 4.1.9
> from backports, this works, I know this because it is what I use.
>
> >

> > Finally, you have told me I need this and that, but no direction is

Ryan Ashley

unread,

Aug 5, 2014, 2:40:01 PM8/5/14

to

Well, again, no issues until now. I never did the Kerberos keytab thing
before, and everything works. Never did the NIS thing before, and
everything works. Now I am learning these things should be done and I
have been told what to do and have done them as well as documented them
in our technical reference. However, I am now at the point where I
cannot set ID's due to not having the UNIX tab in ADUC. I did provision
with "--use-rfc2307" and it is in all of my S4 configuration files, but
no luck yet. What do I need to check to get that tab to appear? If
assigning an ID fixes this, I will HAPPILY do it on all of our domains
as we go out for maintenance.

Rowland Penny

unread,

Aug 5, 2014, 2:40:03 PM8/5/14

to

On 05/08/14 19:07, Ryan Ashley wrote:
> I provisioned with rfc2307 specified and it is in my domain
> controller's smb.conf. I added the line about using rfc2307 to my
> print-server and file-server. No change though. Is that line only for
> domain controllers?

All provisioning with RFC2307 does is add the ypServ30.ldif, it does not
do anything else, it is up to you to use it.

>
> Also, I have been all over ADUC looking for the "UNIX Attributes" tab
> but cannot find it. Why won't it show up with an S4 DC provisioned
> with rfc2307? This may be the problem, though so far every ID has been
> perfect and the same across both servers.

This is a known windows problem, search Google (other search providers
are available) for a solution.

Rowland

Gregory Sloop

unread,

Aug 5, 2014, 2:50:03 PM8/5/14

to

RA> Well, again, no issues until now. I never did the Kerberos keytab thing
RA> before, and everything works. Never did the NIS thing before, and
RA> everything works. Now I am learning these things should be done and I
RA> have been told what to do and have done them as well as documented them
RA> in our technical reference. However, I am now at the point where I
RA> cannot set ID's due to not having the UNIX tab in ADUC. I did provision
RA> with "--use-rfc2307" and it is in all of my S4 configuration files, but
RA> no luck yet. What do I need to check to get that tab to appear? If
RA> assigning an ID fixes this, I will HAPPILY do it on all of our domains
RA> as we go out for maintenance.

RA> On 08/05/2014 02:16 PM, steve wrote:
>> On Tue, 2014-08-05 at 13:17 -0400, Ryan Ashley wrote:
>>> The way that sounds, the "file server" guide is incomplete, because
>>> nowhere does it mention any of what you're telling me. I also have
>>> little trouble finding good documentation on every Linux product I use.
>>> S4 is the one big exception, but with the guides, it eliminates some of
>>> that need. I do not buy the whole argument of using Windows for
>>> documentation, because 90% of their documentation is rambling crud. When
>>> you get an error and have an ID, the docs don't have the ID you want,
>>> you are hosed.
>> Unless you know what you're doing, the time it takes to get up on
>> user-land Linux compared with enterprise or microsoft
>> out-of-the-box-or-just-call-the-engineer is false economy.
>>> Again, I am running Debian Wheezy 7.5 64bit under XenServer 6.2 with the
>>> latest updates. The stable repos have an OLD version of S4, and I do not
>>> mind building it myself anyway.
>> Debian doesn't install samba unless you tell it?
>>> Finally, you have told me I need this and that, but no direction is
>>> noted.
>> http://bit.ly/1s8LTZc

I've followed this thread since it started - and while I don't have technical help to offer, since I've not followed the technical details carefully - I'd thought I'd say this, even at the risk of being seen to "meddle" where I shouldn't.

I'll try to be gentle about it, but you've hopped all over the place. ...claimed that revereses in DNS didn't work, but then found you hadn't finished configuring DNS etc.

Just SLOW DOWN! Yeah, the docs can be skimpy, and things can be a bit confusing - but SLOW DOWN - tackle one thing at a time. Don't make a thousand changes and keep moving the goal-posts all over the field.

I know Rowland/Steve/Marc will almost certainly be able to resolve your issue. But it's going to take careful, methodical steps through each part. And, IMO, you haven't done that very well. Sometimes you'll answer a few of the underlying questions, and leave out others. [Not sure why, perhaps you missed them, but often it seems you're doing it because you're frustrated and want a solution right this second.]

If I were helping you, I'd be quite frustrated at the effort. The guys helping you are the best on the list. Short of a Samba dev person hopping in to verify a particular bug, there's not better help to be had. So, no matter if it worked three weeks ago or not, if you want help, and it's not working, and you'd like for it to work - go gentle on the help you ARE getting. Being frustrated with them won't help.

I suppose you could run a SerNet package and pay SerNet to solve your problems/do Samba consulting. But you're not paying anyone and they're spending a lot of time trying to help you...

Please try to be gentle and appreciative...

As an aside:
I'd guess you don't have a UNIX tab because the Samba AD schema doesn't have it. I'm not sure why that would be, since I don't use any of the UNIX AD extensions myself.

steve

unread,

Aug 5, 2014, 3:00:03 PM8/5/14

to

On Tue, 2014-08-05 at 14:32 -0400, Ryan Ashley wrote:
> I am now at the point where I
> cannot set ID's due to not having the UNIX tab in ADUC. I did provision
> with "--use-rfc2307" and it is in all of my S4 configuration files, but
> no luck yet.

You do not need to provision with rfc2307 nor do you need a UNIX tab to
allocate uidNumbers. You already have what you need. Please try it.

Davor Vusir

unread,

Aug 5, 2014, 4:20:03 PM8/5/14

to

2014-08-05 20:32 GMT+02:00 Ryan Ashley <ry...@reachtechfp.com>:
> Well, again, no issues until now. I never did the Kerberos keytab thing
> before, and everything works. Never did the NIS thing before, and everything
> works. Now I am learning these things should be done and I have been told
> what to do and have done them as well as documented them in our technical
> reference. However, I am now at the point where I cannot set ID's due to not
> having the UNIX tab in ADUC. I did provision with "--use-rfc2307" and it is
> in all of my S4 configuration files, but no luck yet. What do I need to
> check to get that tab to appear? If assigning an ID fixes this, I will
> HAPPILY do it on all of our domains as we go out for maintenance.
>

You have to activate advanced features in ADUC and edit the attributes
from the attribute editor tab.

It's a pity we couldn't help you sort this out. I think it's quite
strange that it doesn't work at this particular server as you say that
this is the standard way of yours to configure Samba. Why it doesn't
work, I really don't know. One thing that springs to mind is, and I
don't have knowledge enough to back it up, when using the TDB backend
you're not guaranteed consistent id mapping through the server park. I
have found nothing that states that winbind populates the
tdb-databases in a certain order (a-z, ascending SID numbering or
other mechanism). Which of course might give you different uidnumbers
(from the *:range) for different accounts. Please correct me if I'm
wrong. Is there a way to check this?

But I do think that Rowland and Steve are right to 'push' for
populating and using uid- and gidnumbers. uid- and gidnumbers with an
interpretator like winbind, sssd or other is a/the bridge between
Linux and windows. And it's a low-cost activation and maintenance. I
think you should consider their advice and rethink your setup.

Well, I'm out of ideas except that I have noticed that the activation
of vfs module acl_xattr in the global section of smb.conf does not
always/ever work on a mounted volume created from LVM. You might need
to/have to put it in the share section.

If you find out what caused this, please let us know.

Regards
Davor

Ricky Nance

unread,

Aug 6, 2014, 12:00:02 AM8/6/14

to

So IF I read the 70+ previous mails correctly, it looks like you have
tried both packages and samba source, if this is the case you could
have some seriously screwed up library files, causing various issues
(such as binaries just crashing at certain points). With that said,
there is a fair chance that your libnss_winbind.so (or so.2) is
mismatched from your current winbind causing exactly this issue.

Is there any chance you can give us a current recap of your
issue/setup? Include current configs (if you need to mask something,
make that clear). Also please provide the output of getent passwd |
grep ADUSER (replace ADUSER with an actual user) and which setup
(package or source, and which package you are using) you currently
have (as well as what you have tried there too).

Thanks,
Ricky

Ryan Ashley

unread,

Aug 6, 2014, 12:30:01 AM8/6/14

to

Plenty of replies since this afternoon! I will try to answer your
questions in order, as well as ask questions.

"All provisioning with RFC2307 does is add the ypServ30.ldif, it does
not do anything else, it is up to you to use it. "

Alright, how? Remember, all my domains are golden except this. I have
never had to use ldif files or assign ID numbers because they always
just worked.

"This is a known windows problem, search Google (other search providers
are available) for a solution."

I have been searching, and I have tried loads of results, to no avail.
Some said install libnss-ldapd, which I still don't know what it does,
others said to do various config entries, also to no avail, so I am back
here. I have reverted my changes since nothing worked.

"I'd guess you don't have a UNIX tab because the Samba AD schema doesn't
have it. I'm not sure why that would be, since I don't use any of the
UNIX AD extensions myself."

I never have either, it always JUST WORKED. This is not frustration with
the help, it is frustration in that it just refuses to work for no good
reason. That's why I am attempting to ditch Windows, because things just
don't work and nobody knows why. I actually feel that Rowland and Steve
have been great, and have made me SERIOUSLY question the highly
incomplete guides on the wiki. I mean nowhere does it mention the line
that creates the keytab for Kerberos in any guides. Nowhere does it
mention the ID's or anything else they have talked with me about. I
honestly believe the ID numbers will solve the issue, but I cannot do
that yet.

"You do not need to provision with rfc2307 nor do you need a UNIX tab to
allocate uidNumbers. You already have what you need. Please try it."

Alright, how? Again, and this is what I keep repeating, I have NEVER had
to do this before. Up to this very point in time, S4 has been
rock-solid. None of my other domains use the Kerberos keytab. None of
them use uID's or gID's. They all just work. You're telling me I have
the tools to do this, but it is like me telling you to adjust your main
jet to 1.5 turns out. Unless you're into antiques like I am, you haven't
a clue what I mean or how to do it. I am not trying to be rude, I just
literally do not have a clue how to do this.

"You have to activate advanced features in ADUC and edit the attributes
from the attribute editor tab."

Yes, I did that and saw it in there, but chose not to edit that way for
one reason. According to many posts I read on search results from
Google, the UNIX tab shows up once the system detects NIS. I believe NIS
is off for some reason, but I did the check at the link below and it
returned one result, indicating that NIS is supposedly enabled. It would
be better to simply show me a yes or no, but I guess that isn't an option.

ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b
CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=truevine,DC=lan
Referenced from:
https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC

Ricky:
I have NOT pulled any packages from any repos. I cloned the official
repo, configured and built. It turns out that by default it builds
4.2.0-pre<xyz> instead of 4-1-stable. In an attempt to rule out a 4.2
bug, I uninstalled (make uninstall) 4.2 and configured and built 4.1,
then installed it. I completely removed any leftover files and
directories by hand, with the exception of my configuration file. Here's
the info you requested.

root@fs01:~# getent passwd | grep reachfp
reachfp:*:70010:70002:reachfp:/home/TRUEVINE/reachfp:/bin/false
root@fs01:~# getent passwd | grep cynthiaj
cynthiaj:*:70016:70002:Cynthia Jones:/home/TRUEVINE/cynthiaj:/bin/false
root@fs01:~# getent passwd | grep daquanm
daquanm:*:70002:70002:DaQuan Major:/home/TRUEVINE/daquanm:/bin/false
root@fs01:~# getent passwd | grep reach_support
reach_support:*:70015:70002:Reach
Support:/home/TRUEVINE/reach_support:/bin/false

=====================
FS01 Configuration File:
=====================

[global]
netbios name = FS01
workgroup = TRUEVINE
security = ADS
realm = TRUEVINE.LAN
encrypt passwords = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

idmap config *:backend = tdb
idmap config *:range = 70001-80000

idmap config TRUEVINE:backend = ad
idmap config TRUEVINE:schema_mode = rfc2307
idmap config TRUEVINE:range = 500-40000

idmap_ldb:use rfc2307 = yes

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes

winbind enum groups = yes

vfs objects = acl_xattr
map acl inherit = yes

store dos attributes = yes
auth methods = winbind

log level = 3

[install$]
path = /home/shared/install
comment = "Software installation files"
read only = no
guest ok = no

[staff$]
path = /home/shared/staff
comment = "Staff file share"
read only = no
guest ok = no

[fbc$]
path = /home/shared/fbc
comment = "Family Bible College file share"
read only = no
guest ok = no

One thing I am unclear on is whether or not I need "idmap_ldb:use
rfc2307 = yes" in member server configs or ONLY AD DC configs. Also,
what does "idmap config TRUEVINE:range = 500-40000" specify? I was
trying to set AD users to 70001-80000 for their ID's, but maybe I
misunderstand things. Thanks for your help and input. I'm not frustrated
with you guys, just the fact that ONE server is acting up and I am
having to do all kinds of things I have never had to do before just to
share files. It isn't a bad frustration however, I enjoy building
projects from source and using Linux in general. If this was Windows I'd
have found an alternative by now.

steve

unread,

Aug 6, 2014, 3:30:02 AM8/6/14

to

On Wed, 2014-08-06 at 00:24 -0400, Ryan Ashley wrote:
> Plenty of replies since this afternoon! I will try to answer your
> questions in order, as well as ask questions.
>
> "All provisioning with RFC2307 does is add the ypServ30.ldif, it does
> not do anything else, it is up to you to use it. "
>
> Alright, how? Remember, all my domains are golden except this. I have
> never had to use ldif files or assign ID numbers because they always
> just worked.
>
> "This is a known windows problem, search Google (other search providers
> are available) for a solution."
>
> I have been searching, and I have tried loads of results, to no avail.
> Some said install libnss-ldapd, which I still don't know what it does,
> others said to do various config entries, also to no avail, so I am back
> here. I have reverted my changes since nothing worked.
>
> "I'd guess you don't have a UNIX tab because the Samba AD schema doesn't
> have it. I'm not sure why that would be, since I don't use any of the
> UNIX AD extensions myself."
>
> I never have either, it always JUST WORKED. This is not frustration with
> the help, it is frustration in that it just refuses to work for no good
> reason. That's why I am attempting to ditch Windows, because things just
> don't work and nobody knows why. I actually feel that Rowland and Steve
> have been great, and have made me SERIOUSLY question the highly
> incomplete guides on the wiki.

Please remember that here, you're at the bleeding edge of open source.
It is up to you to help us get the documentation up to your own high
standard. One thing you can do immediately is to post your method for
getting your other domains working so well. A simple blog post is all
that is required. The people here soon find them. And hit them hard.
Here is one you could try:
http://goo.gl/TnXsaj

> I mean nowhere does it mention the line
> that creates the keytab for Kerberos in any guides. Nowhere does it
> mention the ID's or anything else they have talked with me about. I
> honestly believe the ID numbers will solve the issue, but I cannot do
> that yet.
>
> "You do not need to provision with rfc2307 nor do you need a UNIX tab to
> allocate uidNumbers. You already have what you need. Please try it."
>
> Alright, how?

Please try to help us to help you. We have already sent you the link to
try to hint as to how you could get information which tells you how to
do this:
http://bit.ly/1s8LTZc

This will get you there directly:
ldbedit --url=/path/to/your/samba/private/sam.ldb cn=Domain\ Users
add the line:
gidNumber: 20513

ldbedit --url=/path/to/your/samba/private/sam.ldb cn=reachfp
add the line:
uidNumber: 501

For this, you need to know how to use vi. If you are unwilling or unable
to do so, please tell us and we'll send an alternative method.
HTH,
Steve

Rowland Penny

unread,

Aug 6, 2014, 4:40:02 AM8/6/14

to

On 06/08/14 05:24, Ryan Ashley wrote:
> Plenty of replies since this afternoon! I will try to answer your
> questions in order, as well as ask questions.
>
> "All provisioning with RFC2307 does is add the ypServ30.ldif, it does
> not do anything else, it is up to you to use it. "
>
> Alright, how? Remember, all my domains are golden except this. I have
> never had to use ldif files or assign ID numbers because they always
> just worked.
>

By adding whatever RFC2307 attributes that you will need, these are
usually uidNumber, gidNumber, loginShell and unixHomeDirectory. How you
add them is up to you, you can use samba-tool, ADUC or even write your
own scripts around ldb-tools etc.

I think that in the past you must have been using the winbind rid
backend, only problem with this is that (at the moment) you get
different id numbers on the server from any client.

> "This is a known windows problem, search Google (other search
> providers are available) for a solution."
>
> I have been searching, and I have tried loads of results, to no avail.
> Some said install libnss-ldapd, which I still don't know what it does,
> others said to do various config entries, also to no avail, so I am
> back here. I have reverted my changes since nothing worked.

You cannot have searched very hard, the search term 'no unix attributes
tab' turns up about 1,910,000 results and the top one is:

http://support.microsoft.com/kb/921913

>
> "I'd guess you don't have a UNIX tab because the Samba AD schema
> doesn't have it. I'm not sure why that would be, since I don't use any
> of the UNIX AD extensions myself."

That was a very wrong statement, even if you do not provision with
rfc2307, you still get the rfc2307 attributes and objectclasses in AD
and it is not the reason you haven't got the tab

>
> I never have either, it always JUST WORKED. This is not frustration
> with the help, it is frustration in that it just refuses to work for
> no good reason. That's why I am attempting to ditch Windows, because
> things just don't work and nobody knows why. I actually feel that
> Rowland and Steve have been great, and have made me SERIOUSLY question
> the highly incomplete guides on the wiki. I mean nowhere does it
> mention the line that creates the keytab for Kerberos in any guides.
> Nowhere does it mention the ID's or anything else they have talked
> with me about. I honestly believe the ID numbers will solve the issue,
> but I cannot do that yet.
>
> "You do not need to provision with rfc2307 nor do you need a UNIX tab
> to allocate uidNumbers. You already have what you need. Please try it."
>
> Alright, how? Again, and this is what I keep repeating, I have NEVER
> had to do this before. Up to this very point in time, S4 has been
> rock-solid. None of my other domains use the Kerberos keytab. None of
> them use uID's or gID's. They all just work. You're telling me I have
> the tools to do this, but it is like me telling you to adjust your
> main jet to 1.5 turns out. Unless you're into antiques like I am, you
> haven't a clue what I mean or how to do it. I am not trying to be
> rude, I just literally do not have a clue how to do this.
>

er, I actually do know what you are talking about when it comes to the
main jet, this would be the initial setting on the carburettor and you
would adjust the high speed running from there, what do you set the slow
run jet to ?

Just how did you setup samba prior to having these problems, did you set
it up as a PDC or a standalone or what ?

You also seem very reticent about answering questions, you never seem to
quite answer them fully, sometimes not at all.

All of those numbers are coming from the 'builtin' range (70001-80000)
and shouldn't be and wouldn't be if you gave your users and groups
uidNumber's & gidNumber's

If you do not want to do this, change this line:

idmap config TRUEVINE:backend = ad

To this:

idmap config TRUEVINE:backend = rid

Remove these:

idmap config TRUEVINE:schema_mode = rfc2307

idmap_ldb:use rfc2307 = yes # this shouldn't be on the fileserver
anyway, it's for the AD server
auth methods = winbind

Rowland

steve

unread,

Aug 6, 2014, 4:50:03 AM8/6/14

to

On Wed, 2014-08-06 at 09:29 +0100, Rowland Penny wrote:
> adjust your
> > main jet to 1.5 turns out. Unless you're into antiques like I am, you
> > haven't a clue what I mean or how to do it. I am not trying to be
> > rude, I just literally do not have a clue how to do this.
> >
>
> er, I actually do know what you are talking about when it comes to the
> main jet, this would be the initial setting on the carburettor and you
> would adjust the high speed running from there, what do you set the slow
> run jet to ?

ROFL! That's only for Strombergs before part number AC12475682. For twin
SUs, you must use 2 full turns.

Oh, and don't forget 2 shots of loginShell per gallon.

Rowland Penny

unread,

Aug 6, 2014, 2:00:02 PM8/6/14

to

On 06/08/14 18:50, Ryan Ashley wrote:
> Sorry Rowland! I accidentally sent this to you the first go around. My
> bad.
>
> I am actually surprised that a few others in the IT field know how to
> toy with carbs and such. My hobby is antique tractors and road
> vehicles. I love how easy it is to work on them. I wouldn't touch my
> 2013 F-150 with a ten-foot pole though. Too many computers and such.
> Also, the engine is covered in plastic guards, but I digress.
>
> What information have I not answered fully? If I did not understand
> what was asked, I asked about it. Like when "ute" was posted. I have
> posted my configs each time they are asked for. Nothing has been
> edited. I asked about NIS and you gave me the link at MS I read a
> while back. It says install the NIS stuff. S4 says NIS is installed.
> Now I am confused. I very obviously cannot install NIS stuff from 2008
> R2 into a Linux system with S4, and S4 says it is running NIS
> according to the test on the wiki page I linked below. Do you
> understand my confusion now?
>
> To add to that, MS says that once the NIS stuff is on the server
> (again, S4 says it is), I will see the UNIX tab on my ADUC tool. This
> is why I have been very hesitant to use the advanced feature and
> attempt to add ID's. If the tool isn't detecting NIS and I force this
> stuff, will something break? If I can get a guarantee that nothing
> will break if I force ID's via the advanced options, I'll do it right
> now. My thought process is different however. It goes something like
> "I need to get NIS working on the S4 server, then the regular tab will
> show up, and I am golden. Since it is not showing up, I probably
> shouldn't attempt to force ID's through the advanced option". Am I
> wrong here?
>
> As for questions, I asked two or three times if I needed that line in
> my member server configurations, and I was just now told that I should
> only have it on DC's. This is fine, but we all miss or forget to
> answer once in a while, so if I forgot something, kindly remind me and
> I will be happy to answer it. Oh, and what about my question for the
> line that sets a range of 500-40000?
>
> I'm not aggravated with anybody, but I need this fixed. I am a VERY
> BUSY person and I may forget things. Do not take it personally,
> please. I love the S4 project and it has worked fine up until now. I
> believe my issue here is that I must assign an ID to each group and
> each user for file shares to work correctly under Linux. My other
> clients share files from Linux-based NAS devices and that is PROBABLY
> the key difference. Now I know I can add these ID numbers without the
> UNIX tab, but is it safe to do that

Too late, I already replied ;-)

Rowland

Ryan Ashley

unread,

Aug 6, 2014, 2:00:02 PM8/6/14

to

Rowland Penny

unread,

Aug 6, 2014, 2:00:01 PM8/6/14

to

On 06/08/14 18:33, Ryan Ashley wrote:
> I am actually surprised that a few others in the IT field know how to
> toy with carbs and such. My hobby is antique tractors and road
> vehicles. I love how easy it is to work on them. I wouldn't touch my
> 2013 F-150 with a ten-foot pole though. Too many computers and such.
> Also, the engine is covered in plastic guards, but I digress.

I didn't 'toy' with carbs, I was deadly serious for over 30 years, but
like you, I digress here.

>
> What information have I not answered fully? If I did not understand
> what was asked, I asked about it. Like when "ute" was posted. I have
> posted my configs each time they are asked for. Nothing has been
> edited. I asked about NIS and you gave me the link at MS I read a
> while back. It says install the NIS stuff. S4 says NIS is installed.
> Now I am confused. I very obviously cannot install NIS stuff from 2008
> R2 into a Linux system with S4, and S4 says it is running NIS
> according to the test on the wiki page I linked below. Do you
> understand my confusion now?

The only problem I have with all that, is the fact that I found myself
in the same position as you, I did not have the UNIX-Attributes tab in
ADUC. I searched the internet and found, amongst others, the link I
posted, this helped me to get the tab to appear.

>
> To add to that, MS says that once the NIS stuff is on the server
> (again, S4 says it is), I will see the UNIX tab on my ADUC tool.

As I said earlier, this is a know windows problem, note I say windows,
it has nothing to do with S4.

> This is why I have been very hesitant to use the advanced feature and
> attempt to add ID's. If the tool isn't detecting NIS and I force this
> stuff, will something break? If I can get a guarantee that nothing
> will break if I force ID's via the advanced options, I'll do it right
> now. My thought process is different however. It goes something like
> "I need to get NIS working on the S4 server, then the regular tab will
> show up, and I am golden. Since it is not showing up, I probably
> shouldn't attempt to force ID's through the advanced option". Am I
> wrong here?

You can very easily add RFC2307 attributes with ldb-tools, or by using
ldifs, the only problem doing it this way, is that you have to keep
records of what uidNumber's & gidNumber's you have used. You will not
damage anything by adding the attributes, provided you do it correctly.
Before you say 'well there you go again, telling me to do something
without telling me how' , decide which way you want to go and we will
try to help you get there.

>
>
> As for questions, I asked two or three times if I needed that line in
> my member server configurations, and I was just now told that I should
> only have it on DC's. This is fine, but we all miss or forget to
> answer once in a while, so if I forgot something, kindly remind me and
> I will be happy to answer it. Oh, and what about my question for the
> line that sets a range of 500-40000?

I must have missed that one, what was the question ?

>
> I'm not aggravated with anybody, but I need this fixed. I am a VERY
> BUSY person and I may forget things. Do not take it personally,
> please. I love the S4 project and it has worked fine up until now. I
> believe my issue here is that I must assign an ID to each group and
> each user for file shares to work correctly under Linux. My other
> clients share files from Linux-based NAS devices and that is PROBABLY
> the key difference. Now I know I can add these ID numbers without the

> UNIX tab, but is it safe to do that?
>

Ah, sharing from a NAS, they usually are running S3 and are not part of
a domain, these will be setup differently from an S4 AD DC.

Yes it is safe to add ID numbers without using ADUC.

Rowland

> On 08/06/2014 04:29 AM, Rowland Penny wrote:

Stuart Naylor

unread,

Aug 6, 2014, 2:10:01 PM8/6/14

to

Whoa there :)

Lol All I am pointing out is an experience. Its not so bad now as I know.

I am not sure about the reference to sernet as the binaries are free and sernet support is optional.

I just don't want the probs of any noob compile errors or battling with apparmor.

I mention sernet purely to say there are a lot of choices, depending on distro it can be sernet, backports or native.

Its a about choice and I thought I would just mention they are available.

Personally you shouldn't be so tender about someones experience with the documentation whilst only they are doing is making an honest evaluation of their experience.

I must admit I don't understand a mailing list as you must get so many replications of the same.

I think a forum is often a better platform.

Again this is no dictate just saying how my experience is and giving you some feed back

Please meddle away, it was purley an opinion.

The documentation is a bit sketchy and when you do a google because of the tremendous fast development its a bit of a mare because of the tremendous fast development

There are a lot of versions and sometimes its very easy to get confused.

Also because its so fast and a moving roadmap I don't even know if a standard static wiki is maybe the right form yet.

Dunno just opinion and feedback :)

Stuart

-----Original message-----
> From:Gregory Sloop <gr...@sloop.net>
> Sent: Tuesday 5th August 2014 19:46
> To: Ryan Ashley <ry...@reachtechfp.com>
> Cc: sa...@lists.samba.org
> Subject: Re: [Samba] Samba 4 AD share: Access denied
>
>
>

> RA> Well, again, no issues until now. I never did the Kerberos keytab thing
> RA> before, and everything works. Never did the NIS thing before, and
> RA> everything works. Now I am learning these things should be done and I
> RA> have been told what to do and have done them as well as documented them
> RA> in our technical reference. However, I am now at the point where I
> RA> cannot set ID's due to not having the UNIX tab in ADUC. I did provision
> RA> with "--use-rfc2307" and it is in all of my S4 configuration files, but
> RA> no luck yet. What do I need to check to get that tab to appear? If
> RA> assigning an ID fixes this, I will HAPPILY do it on all of our domains
> RA> as we go out for maintenance.

>
> RA> On 08/05/2014 02:16 PM, steve wrote:
> >> On Tue, 2014-08-05 at 13:17 -0400, Ryan Ashley wrote:
> >>> The way that sounds, the "file server" guide is incomplete, because
> >>> nowhere does it mention any of what you're telling me. I also have
> >>> little trouble finding good documentation on every Linux product I use.
> >>> S4 is the one big exception, but with the guides, it eliminates some of
> >>> that need. I do not buy the whole argument of using Windows for
> >>> documentation, because 90% of their documentation is rambling crud. When
> >>> you get an error and have an ID, the docs don't have the ID you want,
> >>> you are hosed.
> >> Unless you know what you're doing, the time it takes to get up on
> >> user-land Linux compared with enterprise or microsoft
> >> out-of-the-box-or-just-call-the-engineer is false economy.
> >>> Again, I am running Debian Wheezy 7.5 64bit under XenServer 6.2 with the
> >>> latest updates. The stable repos have an OLD version of S4, and I do not
> >>> mind building it myself anyway.
> >> Debian doesn't install samba unless you tell it?
> >>> Finally, you have told me I need this and that, but no direction is
> >>> noted.
> >> http://bit.ly/1s8LTZc
>
>

> I've followed this thread since it started - and while I don't have technical help to offer, since I've not followed the technical details carefully - I'd thought I'd say this, even at the risk of being seen to "meddle" where I shouldn't.
>
> I'll try to be gentle about it, but you've hopped all over the place. ...claimed that revereses in DNS didn't work, but then found you hadn't finished configuring DNS etc.
>
> Just SLOW DOWN! Yeah, the docs can be skimpy, and things can be a bit confusing - but SLOW DOWN - tackle one thing at a time. Don't make a thousand changes and keep moving the goal-posts all over the field.
>
> I know Rowland/Steve/Marc will almost certainly be able to resolve your issue. But it's going to take careful, methodical steps through each part. And, IMO, you haven't done that very well. Sometimes you'll answer a few of the underlying questions, and leave out others. [Not sure why, perhaps you missed them, but often it seems you're doing it because you're frustrated and want a solution right this second.]
>
> If I were helping you, I'd be quite frustrated at the effort. The guys helping you are the best on the list. Short of a Samba dev person hopping in to verify a particular bug, there's not better help to be had. So, no matter if it worked three weeks ago or not, if you want help, and it's not working, and you'd like for it to work - go gentle on the help you ARE getting. Being frustrated with them won't help.
>
> I suppose you could run a SerNet package and pay SerNet to solve your problems/do Samba consulting. But you're not paying anyone and they're spending a lot of time trying to help you...
>
> Please try to be gentle and appreciative...
>
> As an aside:

> I'd guess you don't have a UNIX tab because the Samba AD schema doesn't have it. I'm not sure why that would be, since I don't use any of the UNIX AD extensions myself.
>
>

idmap config TRUEVINE:range = 10001-40000

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
auth methods = winbind

The line "idmap config *:range = 70001-80000" assigns a unique ID to
anybody who is not in the Truevine domain or who does not have a
uidNumber/gidNumber attribute set. Is this correct? This is where all of
my users and groups are getting ID's from.

Now, the line "idmap config TRUEVINE:range = 10001-40000" is the range
of uidNumber/gidNumber attributes to search. This is the range set aside
for domain users and groups, so I assume if I set this to something over
100k, it would never find anything. However, it is not finding the
uidNumber/gidNumber attributes in this range (which is everybody) for
some reason, and the users wind up with 70001 and above for their ID's.
So what am I doing wrong?

Rowland Penny

unread,

Aug 8, 2014, 10:30:01 AM8/8/14

to

I know I said that I wouldn't post on this thread again, but you are
doing my head in, you have taken a simple task and turned it into a farce!!!

I advised you at least once to remove this line:

auth methods = winbind

Here is why (taken from 'man smb.conf')

auth methods (G)

This option allows the administrator to chose what
authentication
methods smbd will use when authenticating a user. This option
defaults to sensible values based on security. This should be
considered a developer option and used only in rare
circumstances.
In the majority (if not all) of production servers, the default
setting should be adequate.

Default: auth methods =

This is also from 'man smb.conf' (abridged):

idmap config:OPTION (G)

ID mapping in Samba is the mapping between Windows SIDs and Unix
user and group IDs. This is performed by Winbindd with a
configurable plugin interface. Samba's ID mapping is
configured by
options starting with the idmap config prefix. An idmap option
consists of the idmap config prefix, followed by a domain
name or
the asterisk character (*), a colon, and the name of an idmap
setting for the chosen domain.

The following example illustrates how to configure the
idmap_ad(8)
backend for the CORP domain and the idmap_tdb(8) backend for all
other domains. This configuration assumes that the admin of CORP
assigns unix ids below 1000000 via the SFU extensions, and
winbind
is supposed to use the next million entries for its own mappings
from trusted domains and for local groups for example.

idmap config * : backend = tdb

idmap config * : range = 1000000-1999999

idmap config CORP : backend = ad
idmap config CORP : range = 1000-999999

YOURS:

idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config TRUEVINE:backend = ad
idmap config TRUEVINE:schema_mode = rfc2307
idmap config TRUEVINE:range = 10001-40000

What the above means is that trusted domains and local groups will get
mapped to numbers between 70001 and 80000, local groups etc being the
windows builtin ones not UNIX ones.

Your AD users will ONLY get pulled from AD if the
uidNumber's/gidNumber's are between 10001 and 40000, ARE THEY ????

Have you actually got any normal users with uidNumber's & gidNumber's,
the last time I heard, you were trying to use the renamed Administrator
account as a normal account.

I would suggest that you go and take a running jump into Glenville Lake
to cool off, then come back and re-read your posts again, you might then
realise just what a Prat you are coming over as.

This is definitely my last post on this thread