Old 12-27-2012, 02:34 PM   #1
LQ Newbie
Registered: Oct 2012
Posts: 8

Rep: Reputation: Disabled
Question Permission Problem on a Samba3 Share in a Samba4 Domain.

Hello everyone
I have reached the end of my rope and desperately need help.
I have recently installed two Samba4 Active Directory Domain Controllers which are working perfectly, and I have joined a Samba3 Server to this domain and everything went well. I can authenticate users on the Samba3 server and can see all the groups in the domain. The problem I am having is accessing the share that I have created on the Samba3 server. I can see the share from a Windows XP or Windows 7 box, but when I try to access it I get “Access Denied”. When I look at the security tab of the share from any of the Windows PCs, I can see the “Domain Admins” and the Owner listed, but the permissions are blank, and when I try to set the permissions I get “Access Denied”. Kinit and Klist work fine. The ntp is set correctly and the server and domain controller times are identical.

Here are my configuration files and the commands that I have run.

[root@Samba3 ~]# cat /etc/krb5.conf
ticket_lifetime = 24h
default_realm = DOMAIN.COMPANY.COM
# default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
# default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = true
kdc =
default_domain = DOMAIN.COMPANY.COM
profile = /etc/krb5kdc/kdc.conf
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.logog

[root@Samba3 ~]# cat /etc/hosts localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 samba3 samba-ad

[root@Samba3 ~]# cat /etc/samba/smb.conf
netbios name = Samba3
workgroup = DOMAIN
preferred master = no
server string = Samba File Server
security = ads
encrypt passwords = yes

log level = 3
log file = /var/log/samba/log.%m
max log size = 50
printcap name = cups
printing = cups

winbind enum users = yes
winbind enum groups = yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +

idmap uid = 600-20000
idmap gid = 600-20000
os level = 20

password server = *
dns proxy = no
template shell = /bin/bash
template homedir = /home/%U

comment = The Old Novel O-Drive
path = /data
browseable = yes
read only = no
inherit acls = yes
inherit permissions = yes
create mask = 700
directory mask = 700
valid users = "DOMAIN+vavanessians"
admin users = "DOMAIN+vavanessians"

passwd: compat winbind
shadow: compat
group: compat winbind

[root@Samba3 ~]# cat /etc/pam.d/system-auth
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required
auth sufficient
auth sufficient nullok try_first_pass
auth sufficient use_first_pass
auth sufficient cached_login use_first_pass
auth requisite uid >= 500 quiet
auth required

account required
account sufficient
account sufficient uid < 500 quiet
account sufficient [default=bad success=ok user_unkown=ignore]
account sufficient [default = bad success=ok user_unknown=ignore] cached_login use_first_pass
account required

password requisite try_first_pass retry=3 type=
password sufficient sha512 shadow nullok try_first_pass use_authtok
password sufficient use_authtok
password sufficient cached_login use_authtok
password required

session optional revoke
session required
session [success=1 default=ignore] service in crond quiet use_uid
session required
session optional
session required use_first_pass

Here is the result of the commands that I ran:

[root@Samba3 ~]# ls -ld /data
drwxrwxrwx+ 2 vavanessians domain admins 4096 Dec 21 11:05 /data

[root@Samba3 ~]# getfacl /data
getfacl: Removing leading '/' from absolute path names
# file: data
# owner: vavanessians
# group: domain\040admins

[root@Samba3 ~]# wbinfo -u

[root@Samba3 ~]# wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
domain admins
domain guests
schema admins
domain users

[root@localhost ~]# ssh vavanessians@samba3
vavanessians@samba3's password:
Last login: Thu Dec 27 09:58:54 2012 from 192.1681.1.145
Could not chdir to home directory /home/vavanessians: No such file or directory

[root@Samba3 ~]# wbinfo --group-info="Domain Admins"
domain admins:*:605:vavanessians,enaja,fsalam,administrator

Any help is greatly appreciated.
Old 12-27-2012, 02:43 PM   #2
Ser Olmy
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 2,463

Rep: Reputation: Disabled
Perhaps a silly question, but have you mounted the file system with ACL support enabled? This is not the default on all distributions, and getfacl/setfacl works anyway if the file system itself supports ACLs, but the ACL is not actually enforced.
Old 12-27-2012, 03:59 PM   #3
LQ Newbie
Registered: Oct 2012
Posts: 8

Original Poster
Rep: Reputation: Disabled
Permission Problem on a Samba3 Share in a Samba4 Domain.

Thank you for your quick reply. The distribution I am using is CentOS 6.3 and I have enabled acl in /etc/fstab.

[root@Samba3 ~]# mount
/dev/mapper/vg_samba3-lv_root on / type ext4 (rw,acl)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw,rootcontext="system_u:object_r:tmpfs_t:s0")
/dev/sda1 on /boot type ext4 (rw)
/dev/mapper/vg_samba3-lv_usr on /usr type ext4 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
gvfs-fuse-daemon on /root/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev)

I am puzzled as everything seems to work except permissions.
Old 12-27-2012, 04:12 PM   #4
Ser Olmy
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 2,463

Rep: Reputation: Disabled
Don't you need extended attributes (xattr) as well on a file system hosting a Samba share?
Old 12-27-2012, 05:06 PM   #5
LQ Newbie
Registered: Oct 2012
Posts: 8

Original Poster
Rep: Reputation: Disabled
Permission Problem on a Samba3 Share in a Samba4 Domain.

Once again, thanks for your quick response. I added the user_xattr to the file system, but still had the same problem. However, your suggestions led me to look at SELinux. SELinux seems to be the problem; I changed its setting from "enforcing" to "disabled" and it seems to have fixed the problem. I wonder if there is a way around this?

Thanks again for your timely help.
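
One way to investigate the SELinux question above with enforcing mode left on, as an added example that is not part of the original thread. It assumes the denial is a labelling one (the share directory not carrying the samba_share_t type), which the thread does not confirm; the audit records are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: triage SELinux denials for smbd instead of disabling SELinux.
# On a live host the input would come from:  ausearch -m avc -c smbd
# and the share's current label from:        ls -Zd /data

# Constructed sample audit records (not taken from the thread).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1356645001.101:410): avc:  denied  { read } for  pid=2345 comm="smbd" name="data" dev=dm-0 ino=131073 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1356645001.207:411): avc:  denied  { write } for  pid=2345 comm="smbd" name="data" dev=dm-0 ino=131073 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1356645002.310:412): avc:  denied  { read } for  pid=2345 comm="smbd" name="data" dev=dm-0 ino=131073 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1356645003.515:413): avc:  denied  { read } for  pid=3001 comm="httpd" name="index.html" dev=dm-0 ino=140001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
EOF
}

# Read audit records on stdin; print one de-duplicated line per smbd denial:
#   <object name> <target SELinux type> <object class> <denied permission(s)>
smbd_denials() {
  awk '
    /type=AVC/ && /denied/ && /comm="smbd"/ {
      name = type = cls = perm = "?"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^name=/)     { name = $i; gsub(/^name=|"/, "", name) }
        if ($i ~ /^tcontext=/) { split($i, c, ":"); type = c[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      # The denied permissions sit between "{ " and " }".
      if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      print name, type, cls, perm
    }' | sort -u
}

# Names smbd was denied on whose type is not the Samba share type.
mislabelled() {
  smbd_denials | awk '$2 != "samba_share_t" { print $1 }' | sort -u
}

# If the share directory is listed, relabel it persistently (run as root):
#   semanage fcontext -a -t samba_share_t "/data(/.*)?"
#   restorecon -Rv /data
sample_audit_log | mislabelled
```

Labelling only the share path is narrower than switching on the samba_export_all_rw boolean, which lets smbd read and write content of any type.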