[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Fri Aug 15 07:34:48 MDT 2014


I removed the 70028 (SYSTEM) group a few days ago thinking it might be 
the issue. I will post my information one final time in an attempt to 
show you that I am doing this the correct way, now with functioning PAM 
support on the member server. If you want ANYTHING else, I will do it, 
just ask. Nothing would make me happier than to be out of your hair. I 
did not come here with the intent to upset people, I simply wanted help.

root at fs01:~# cat /etc/samba/smb.conf
[global]
   # Domain-member settings for the TRUEVINE AD realm: Kerberos/ADS security,
   # machine keytab for service tickets, winbind for user and group lookups.
   netbios name = FS01
   workgroup = TRUEVINE
   security = ADS
   realm = TRUEVINE.LAN
   encrypt passwords = true
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   # ID mapping: the default (*) tdb range takes BUILTIN and any foreign SIDs
   # (BUILTIN\users shows up as 70002 in the 'id' output below); TRUEVINE users
   # and groups get uid/gid from the AD rfc2307 attributes (10001-40000).
   # The two ranges must not overlap, and here they do not.
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config TRUEVINE:backend = ad
   idmap config TRUEVINE:schema_mode = rfc2307
   idmap config TRUEVINE:range = 10001-40000

   # Shell and home directory also come from rfc2307 (see 'getent passwd').
   # 'use default domain = yes' is why names appear without a TRUEVINE\ prefix.
   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   winbind refresh tickets = yes

   # NOTE(review): these three hardening settings are commented out, so the
   # server runs with Samba's built-in defaults for NTLM/LANMAN authentication
   # rather than the restrictions they suggest. Either re-enable them
   # deliberately once the access problem is solved, or remove them so nobody
   # assumes they are in effect.
#  ntlm auth = no
#  lanman auth = no
#  client ntlmv2 auth = yes

   # A domain member, not a DC: never a browse master of any kind.
   domain master = no
   local master = no
   preferred master = no

   # Windows ACLs are stored by acl_xattr in an extended attribute that
   # getfacl does not show; the POSIX ACLs below are the underlying check.
   # When diagnosing 'Access denied', look at both.
   # NOTE(review): 'acl group control = yes' lets members of a file's owning
   # group change its permissions, not only the owner — confirm that is
   # intended for the 'staff' and 'fbc' groups that own the shares below.
   vfs objects = acl_xattr
   map acl inherit = yes
   acl group control = yes
   store dos attributes = yes

# The trailing '$' only hides a share from browse lists; it does not restrict
# who may connect. Access is decided by the directory ACLs (getfacl output).

[install$]
   # No create/directory masks here, unlike [staff$] and [fbc$], so new files
   # take Samba's defaults. The directory is owned by 'domain admins' with
   # other::--- and no extra ACL entries, so any user who is not reachfp or a
   # domain admin is denied on this share until the ACL is widened.
   path = /home/shared/install
   comment = "Software installation files"
   read only = no

[staff$]
   # New files 0660, new directories 0770: group 'staff' shares everything,
   # nothing is world-accessible.
   path = /home/shared/staff
   comment = "Staff file share"
   read only = no
   create mask = 0660
   force create mode = 0660
   directory mask = 0770
   force directory mode = 0770

[fbc$]
   # Same layout as [staff$], for group 'fbc'.
   path = /home/shared/fbc
   comment = "Family Bible College file share"
   read only = no
   create mask = 0660
   force create mode = 0660
   directory mask = 0770
   force directory mode = 0770

root at fs01:~# getfacl /home/shared/install/
getfacl: Removing leading '/' from absolute path names
# file: home/shared/install/
# owner: reachfp
# group: domain\040admins
# flags: -s-
user::rwx
group::rwx
other::---

root at fs01:~# getfacl /home/shared/staff/
getfacl: Removing leading '/' from absolute path names
# file: home/shared/staff/
# owner: reachfp
# group: staff
# flags: -s-
user::rwx
user:reachfp:rwx
group::rwx
group:staff:rwx
mask::rwx
other::---
default:user::rwx
default:user:reachfp:rwx
default:group::---
default:group:staff:rwx
default:mask::rwx
default:other::---

root at fs01:~# getfacl /home/shared/fbc
getfacl: Removing leading '/' from absolute path names
# file: home/shared/fbc
# owner: reachfp
# group: fbc
# flags: -s-
user::rwx
user:reachfp:rwx
group::rwx
group:fbc:rwx
mask::rwx
other::---
default:user::rwx
default:user:reachfp:rwx
default:group::---
default:group:fbc:rwx
default:mask::rwx
default:other::---

root at fs01:~# id yolandab
uid=10014(yolandab) gid=20002(domain users) groups=20002(domain 
users),20041(staff),20040(newmembers),20038(audiovideo),70002(BUILTIN\users)

root at fs01:~# id reach_support
uid=10003(reach_support) gid=20002(domain users) groups=20002(domain 
users),20042(vpn 
users),20041(staff),20038(audiovideo),20039(fbc),20040(newmembers),70002(BUILTIN\users)

root at fs01:~# id daquanm
uid=10005(daquanm) gid=20002(domain users) groups=20002(domain 
users),20038(audiovideo),20041(staff),70002(BUILTIN\users)

root at fs01:~# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

root at fs01:~# cat /etc/krb5.conf
[libdefaults]
   # Minimal client config: the realm is fixed, KDCs are located through DNS
   # rather than a static [realms] section. Nothing here affects share ACLs.
   default_realm = TRUEVINE.LAN
   dns_lookup_realm = false
   dns_lookup_kdc = true

root at fs01:~# cat /etc/pam.d/common-account
# NOTE(review): pam_winbind on the last line is only reached when pam_unix
# succeeds ('success=1' skips pam_deny); any other pam_unix result falls
# through to the requisite pam_deny, which ends the stack. Whether that
# holds for winbind-resolved accounts depends on how pam_unix treats users
# with no shadow entry — verify. The Debian layout puts pam_winbind in the
# primary block, *before* pam_deny.
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite                       pam_deny.so
account required                        pam_permit.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so

root at fs01:~# cat /etc/pam.d/common-auth
# NOTE(review): with this ordering pam_winbind is only consulted after
# pam_unix has already succeeded: 'success=1' skips pam_deny, but any other
# result ('default=ignore') falls through to the requisite pam_deny, which
# fails the stack before the winbind line runs. A domain user without a
# local password entry therefore cannot authenticate through PAM here. The
# usual layout puts winbind in the primary block before pam_deny, e.g.
#   auth [success=2 default=ignore] pam_unix.so nullok_secure
#   auth [success=1 default=ignore] pam_winbind.so try_first_pass
# NOTE(review): smbd does not run this stack for share access unless
# smb.conf sets 'obey pam restrictions' (it is not set above), so the share
# 'Access denied' is not decided by these files.
# nullok_secure permits local accounts with an empty password to log in
# from the ttys listed in /etc/securetty — Debian's default, but confirm no
# such accounts exist on this server.
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth sufficient pam_winbind.so use_first_pass

root at fs01:~# cat /etc/pam.d/common-password
# NOTE(review): same ordering problem as common-auth — pam_winbind only runs
# if pam_unix's password change succeeded, so a domain user's password change
# is stopped by pam_deny before winbind sees it. Move the winbind line into
# the primary block before pam_deny if PAM password changes for domain
# accounts are wanted.
password        [success=1 default=ignore]      pam_unix.so obscure sha512
password        requisite                       pam_deny.so
password        required                        pam_permit.so
password sufficient pam_winbind.so use_authtok

root at fs01:~# cat /etc/pam.d/common-session
# No pam_winbind entry in the session stack at all. The trailing
# pam_succeed_if line ('skip the next module for crond') has nothing after
# it to skip — that usually precedes a pam_winbind line, so either the line
# is missing or the listing was cut by the mail client. The line break
# before 'quiet use_uid' below is mail wrapping; it is one line in the file.
session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session required        pam_unix.so
session [success=1 default=ignore] pam_succeed_if.so service in crond 
quiet use_uid

root at fs01:~# l /lib/security/
total 0
lrwxrwxrwx 1 root root 32 Aug 14 23:19 pam_winbind.so -> 
/usr/lib/security/pam_winbind.so

root at fs01:~# l /lib | grep winbind
lrwxrwxrwx  1 root root    28 Aug 15 09:24 libnss_winbind.so -> 
/usr/lib/libnss_winbind.so.2

root at fs01:~# getent passwd
...
shamekias:*:10012:20002:<hidden for privacy>:/home/shamekias:/bin/sh
richards:*:10011:20002:<hidden for privacy>:/home/richards:/bin/sh
yolandab:*:10014:20002:<hidden for privacy>:/home/yolandab:/bin/sh
joyces:*:10009:20002:<hidden for privacy>:/home/joyces:/bin/sh
patriceb:*:10010:20002:<hidden for privacy>:/home/patriceb:/bin/sh
cynthiaj:*:10004:20002:<hidden for privacy>:/home/cynthiaj:/bin/sh
jessicaj:*:10007:20002:<hidden for privacy>:/home/jessicaj:/bin/sh
reach_support:*:10003:20002:Reach Support:/home/reach_support:/bin/sh
daquanm:*:10005:20002:<hidden for privacy>:/home/daquanm:/bin/sh
ernestj:*:10006:20002:<hidden for privacy>:/home/ernestj:/bin/sh
jovanm:*:10008:20002:<hidden for privacy>:/home/jovanm:/bin/sh
thomasa:*:10013:20002:<hidden for privacy>:/home/thomasa:/bin/sh
reachfp:*:10001:20002:Reach Technology FP:/home/reachfp:/bin/sh
guest:*:10002:20005:Guest Domain User:/home/Guest:/bin/sh

root at fs01:~# getent group
...
allowed rodc password replication group:x:20012:
enterprise read-only domain controllers:x:20007:
denied rodc password replication group:x:20014:
read-only domain controllers:x:20010:
audiovideo:x:20038:
group policy creator owners:x:20008:
newmembers:x:20040:
vpn users:x:20042:
staff:x:20041:
fbc:x:20039:
ras and ias servers:x:20009:
domain controllers:x:20004:
enterprise admins:x:20006:
domain computers:x:20003:
cert publishers:x:20013:
dnsupdateproxy:x:20016:
domain admins:x:20001:
domain guests:x:20005:
schema admins:x:20011:
domain users:x:20002:
dnsadmins:x:20015:

Now if you can tell me where in my configuration I am wrong, I will 
gladly apologize for all of the trouble and I will not bother you again. 
I already apologized to you and Steve personally for whatever it was I 
did to get under your skin, but you told me I needed to do more 
googling. I did, and when I found out, from the Samba build parameters 
page, that PAM was not built by default and mentioned it, I was attacked 
for that also, despite me providing proof on the Samba wiki. If googling 
returns contradictory information and I am still told to search, what do I 
do? Do you see my predicament now? I come here and am told to search. I 
search, find a fix for one of my issues, and am told I am wrong. How 
do I know what to believe?

On 08/15/2014 08:48 AM, Rowland Penny wrote:
>
> OK, getting a bit fed up with this now, so I setup a share on my test 
> domain, the share is on one PC running Linux Mint 17 and I connected  
> from another, again running Linux Mint 17. The two AD DC are running 
> Debian 7.5 with samba 4.1.9 from backports, the two Mint machines are 
> both running samba 4.1.6 .
>
> These are the ACLs on the share:
>
> getfacl /home/shared/staff/
> getfacl: Removing leading '/' from absolute path names
> # file: home/shared/staff/
> # owner: emily
> # group: administration
> user::rwx
> user:emily:rwx
> group::rwx
> group:administration:rwx
> group:domain_admins:rwx
> mask::rwx
> other::rwx
> default:user::rwx
> default:user:emily:rwx
> default:group::---
> default:group:administration:rwx
> default:group:domain_admins:rwx
> default:mask::rwx
> default:other::---
>
> Virtually the same as the OP's, mostly just lacking 'group:70028:rwx'
>
> Running 'id rowland' gets me this:
>
> uid=10000(rowland) gid=10000(domain_users) 
> groups=10000(domain_users),10001(administration),2001(BUILTIN\users)
>
> As you can see, rowland is not mentioned in the share's ACLs, but is a 
> member of the group 'administration', which is.
>
> So I now try to connect from the other PC:
>
> smbclient //EmilysPC/staff
> Enter rowland's password:
> Domain=[HOME] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
> smb: \> ls
>   .                                   D        0  Fri Aug 15 12:55:50 
> 2014
>   ..                                  D        0  Fri Aug 15 12:55:50 
> 2014
>
>         55743 blocks of size 8388608. 43330 blocks available
> smb: \> quit
>
> So as far as I can see there is no problem — what do you think?
>
> Rowland


