Web lists-archives.com

Re: [Samba] NT_STATUS_ACCESS_DENIED on a directory I have permission to access




On Fri, 3 May 2019 15:36:59 +0200
"L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:

> Hai Paul, 
> 
> Look at this: user=paulg,uid=2381 
> (from mount -t cifs //xxxx.xxxx.yorku.ca/homes /tmp/1 -o
> user=paulg,uid=2381,gid=1000,domain=AD.ONE.EXAMPLE.CA)
> 
> Now, look at this : 
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> > # - You must set a DOMAIN backend configuration
> > # idmap config for the ONEEXAMPLECA domain
> > idmap config ONEEXAMPLECA : backend = rid
> > idmap config ONEEXAMPLECA : range = 10000-999999   
> 
> What do you notice here. ( the hint is 2381:1000 ) and i would expect
> to see 10000:10000 or higher. Do you see what i mean? Your UID/GID is
> a local users one, not AD-DC users. 
> 
> Your ranges are out of sync now, and that your denied is completly
> correct. 
> 

Good catch Louis, those numbers are even outside the '*' domain, so
must be a local Unix user and group and how many times do I have to
say this:

You cannot have local Unix users and groups in /etc/passwd & /etc/group
and expect them to work on a Samba Unix domain.

If the ID numbers are in AD, then the only reason would be if this is
a classicupgraded domain (which I personally hate) and if so, the
ranges in smb.conf will need altering to match.

Rowland
 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba