I have been attempting to fix an issue with Samba that prevents every domain user except the domain admin from accessing shares. Shares are normally configured with full access for the domain admins group and a group for users for that share. For example, a share with documents for general staff will be automatically mapped for anybody in the global security group "staff". The drives map for these people, but when they click on the drive they get "Access is denied" despite being in the "staff" group and that group having full access to the share. I received some help on the mailing list and have figured out that I left out "--with-shared-modules=idmap_ad" and have since rebuilt with that option and now get the uidNumber and gidNumber for my domain users and groups, but they are still denied access to all shares and even printers. Below is the configuration and diagnostics from my file-server. Note that ID 70006 in the shares below resolves to "SYSTEM" in Windows. All of the workstations are Windows 7 Professional 64bit. 
root@fs01:~# cat /etc/samba/smb.conf
[global]
netbios name = FS01
workgroup = TRUEVINE
security = ADS
realm = TRUEVINE.LAN
encrypt passwords = true
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config TRUEVINE:backend = ad
idmap config TRUEVINE:schema_mode = rfc2307
idmap config TRUEVINE:range = 10001-40000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
ntlm auth = no
lanman auth = no
client ntlmv2 auth = yes
domain master = no
local master = no
preferred master = no
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

[install$]
path = /home/shared/install
comment = "Software installation files"
read only = no
guest ok = no

[staff$]
path = /home/shared/staff
comment = "Staff file share"
read only = no
guest ok = no

[fbc$]
path = /home/shared/fbc
comment = "Family Bible College file share"
read only = no
guest ok = no

root@fs01:~# getfacl /home/shared/fbc/
getfacl: Removing leading '/' from absolute path names
# file: home/shared/fbc/
# owner: reachfp
# group: fbc
# flags: -s-
user::rwx
user:reachfp:rwx
group::rwx
group:fbc:rwx
group:70006:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:reachfp:rwx
default:group::---
default:group:fbc:rwx
default:group:70006:rwx
default:mask::rwx
default:other::---

root@fs01:~# getfacl /home/shared/staff/
getfacl: Removing leading '/' from absolute path names
# file: home/shared/staff/
# owner: reachfp
# group: staff
# flags: -s-
user::rwx
user:reachfp:rwx
group::rwx
group:staff:rwx
group:70006:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:reachfp:rwx
default:group::---
default:group:staff:rwx
default:group:70006:rwx
default:mask::rwx
default:other::---

root@fs01:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:     compat winbind
group:      compat winbind
shadow:     compat
hosts:      files dns
networks:   files
protocols:  db files
services:   db files
ethers:     db files
rpc:        db files
netgroup:   nis

I am not going to show a dump of "getent passwd" or "getent group". Suffice to say, they work perfectly, but I do not want to edit out the names of every domain user. If I am required to, I will do this to prove that getent and id work correctly.

Configure command: ./configure --with-ads --with-shared-modules=idmap_ad --enable-fhs --prefix=/usr --localstatedir=/var --sysconfdir=/etc

The processes nmbd, smbd, and winbindd are running. If you need anything else, please let me know. This server has been down for almost a month and nothing allows access. I do not have iptables doing anything and there is no SELinux on this system. The OS is Debian Wheezy 7.6 64bit.
In further attempts to find a culprit, I copied a working smb.conf from a working member server in another domain and used it on the troubled server. I adjusted paths as I should and verified ACLs. It did not work. I then copied the smb.conf from the troubled server to a good one in another domain, adjusted the share path, and it worked flawlessly. This tells me that the configuration is good, but something is still denying me access. Also, I have since added the PAM settings from the member server wiki page. This only resulted in killing SSH connections, but did not fix the "Access is denied" issue. I even tried from my Linux laptop. Still no go.
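When a share denies access even though getent and id resolve correctly, it helps to separate the two questions the report above raises: does the POSIX ACL on the share directory actually grant the user anything, and which idmap backend allocated the numeric IDs that appear in it (such as 70006)? The following is an added example, not code from the report or from the Samba project: it evaluates a getfacl listing for a given user and group set following POSIX.1e rules (owner, named user, owning/named groups under the mask, other), and classifies numeric IDs against the "idmap config" ranges parsed from an smb.conf. The ACL and idmap text are constructed copies of what the report quotes; the user names and the masked variant are constructed for illustration.

```python
"""Evaluate POSIX ACL access and classify numeric IDs against Samba idmap ranges."""
import re

# Constructed sample: the getfacl listing for /home/shared/fbc quoted in the report.
SAMPLE_ACL = """\
# file: home/shared/fbc/
# owner: reachfp
# group: fbc
# flags: -s-
user::rwx
user:reachfp:rwx
group::rwx
group:fbc:rwx
group:70006:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:reachfp:rwx
default:group::---
default:group:fbc:rwx
default:group:70006:rwx
default:mask::rwx
default:other::---
"""

# Constructed variant (hypothetical): a restrictive mask and no access for "other",
# to show that the mask caps every entry except the owner and "other".
MASKED_ACL = SAMPLE_ACL.replace("mask::rwx", "mask::r-x").replace("other::rwx", "other::---")

# Constructed sample: the idmap lines from the report's smb.conf.
SAMPLE_IDMAP = """\
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config TRUEVINE:backend = ad
idmap config TRUEVINE:schema_mode = rfc2307
idmap config TRUEVINE:range = 10001-40000
"""


def parse_acl(text):
    """Return (owner, owning_group, entries); entries are (tag, qualifier, perms) tuples.
    Default entries are skipped: they govern new children, not access to this object."""
    owner = group = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("default:"):
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*(owner|group):\s*(\S+)", line)
            if m and m.group(1) == "owner":
                owner = m.group(2)
            elif m:
                group = m.group(2)
            continue
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, {c for c in perms if c in "rwx"}))
    return owner, group, entries


def effective_access(acl_text, user, groups):
    """Effective permission set for `user` (member of `groups`) on the object.
    POSIX.1e order: owner, named user, then the union of matching group entries
    (owning group or named groups), then other. The mask limits all but owner/other.
    A user who matches a group entry never falls through to 'other'."""
    owner, owning_group, entries = parse_acl(acl_text)
    mask = set("rwx")
    named_users, named_groups = {}, {}
    owner_perm = group_perm = other_perm = set()
    for tag, qualifier, perms in entries:
        if tag == "user" and qualifier == "":
            owner_perm = perms
        elif tag == "user":
            named_users[qualifier] = perms
        elif tag == "group" and qualifier == "":
            group_perm = perms
        elif tag == "group":
            named_groups[qualifier] = perms
        elif tag == "mask":
            mask = perms
        elif tag == "other":
            other_perm = perms
    if user == owner:
        return owner_perm
    if user in named_users:
        return named_users[user] & mask
    matched, hit = set(), False
    if owning_group in groups:
        matched, hit = matched | group_perm, True
    for g, perms in named_groups.items():
        if g in groups:
            matched, hit = matched | perms, True
    return (matched & mask) if hit else other_perm


def parse_idmap_ranges(smbconf_text):
    """Return {domain: {"backend": str, "low": int, "high": int}} from idmap config lines."""
    ranges = {}
    for line in smbconf_text.splitlines():
        m = re.match(r"\s*idmap config\s+(\S+?)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", line)
        if not m:
            continue
        domain, key, value = m.groups()
        entry = ranges.setdefault(domain, {"backend": None, "low": None, "high": None})
        if key == "backend":
            entry["backend"] = value
        else:
            low, high = value.split("-")
            entry["low"], entry["high"] = int(low), int(high)
    return ranges


def classify_id(num, ranges):
    """Return (domain, backend) whose range contains num, or None if unallocated."""
    for domain, e in ranges.items():
        if e["low"] is not None and e["low"] <= num <= e["high"]:
            return domain, e["backend"]
    return None


if __name__ == "__main__":
    ranges = parse_idmap_ranges(SAMPLE_IDMAP)
    print("alice in fbc:", sorted(effective_access(SAMPLE_ACL, "alice", {"fbc"})))
    print("bob, no groups:", sorted(effective_access(SAMPLE_ACL, "bob", set())))
    print("alice under restrictive mask:", sorted(effective_access(MASKED_ACL, "alice", {"fbc"})))
    print("ID 70006 belongs to:", classify_id(70006, ranges))
```

Run against the quoted ACL, every principal resolves to rwx (even a user with no matching group, because other::rwx is set), so the filesystem ACL alone cannot be what produces "Access is denied"; that points the investigation at the SID-to-ID mapping or share-level checks instead. The classifier shows that 70006 falls in the "*" tdb range rather than the TRUEVINE ad range, which is consistent with it being a locally allocated ID for a well-known SID rather than an rfc2307 gidNumber from AD.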
This does not look like a bug but like a configuration issue. We can't help with configuration issues in bugzilla. You might try to get help from the mailing list or from some company offering commercial samba support, see https://www.samba.org/samba/support/