Re: [Samba] NT_STATUS_ACCESS_DENIED on a directory I have permission to access

On 5/3/19 9:53 AM, Rowland Penny via samba wrote:
On Fri, 3 May 2019 15:36:59 +0200
"L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:

Hai Paul,

Look at this: user=paulg,uid=2381
(from mount -t cifs //xxxx.xxxx.yorku.ca/homes /tmp/1 -o

Now, look at this :
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the ONEEXAMPLECA domain
idmap config ONEEXAMPLECA : backend = rid
idmap config ONEEXAMPLECA : range = 10000-999999
What do you notice here? (The hint is 2381:1000) and I would expect
to see 10000:10000 or higher. Do you see what I mean? Your UID/GID is
a local user's one, not an AD-DC user's.

Your ranges are out of sync now, and that your denied is completely

Good catch Louis, those numbers are even outside the '*' domain, so
must be a local Unix user and group and how many times do I have to
say this:

You cannot have local Unix users and groups in /etc/passwd & /etc/group
and expect them to work on a Samba Unix domain.

If the ID numbers are in AD, then the only reason would be if this is
a classicupgraded domain (which I personally hate) and if so, the
ranges in smb.conf will need altering to match.


Louis and Rowland,

Thank you both for your suggestions. Why only the mail directory, why wouldn't I get a permission error on the other directories?

This is a classic upgraded domain. In this situation, what would be ideal..?

1) Configure the local builtin accounts?

idmap config * : range = 100-999

2) Configure the Domain accounts?

idmap config ONEEXAMPLECA : backend = rid
idmap config ONEEXAMPLECA : range = 1000-999999

Suggestions and links always welcomed :)


Paul Griffith
Electrical Engineering & Computer Science | Lassonde School of Engineering
York University | 4700 Keele St., Toronto ON M3J 1P3 Canada
T:416-736-2100 x70258 | F:416-736-5872

