[Samba] Samba 4 AD share: Access denied
Rowland Penny
rowlandpenny at googlemail.com
Mon Jul 28 07:40:42 MDT 2014
On 28/07/14 14:18, Ryan Ashley wrote:
> I have never even played with apparmor. I do my Debian installs using
> a net CD and doing the expert 64bit install. I disable recommended and
> suggested packages and install only exactly what I need, so I do not
> have apparmor or selinux. Good thought though. I also tried disabling
> the firewall on a test PC and still no go. This has NEVER happened
> before so I am lost.
>
> So where else should I look? The system in question is a domain member
> server, can resolve users and groups, and can set ACLs with user and
> groups from AD. It is simply denying access to group members of said
> shares.
>
> On 07/28/2014 05:02 AM, Rowland Penny wrote:
>> On 27/07/14 16:28, Ryan Ashley wrote:
>>> I understand and I should have stated more clearly that I have been
>>> going through those results for over a week now. Nothing seems to
>>> help. Funny thing is that creating a second virtual file-server and
>>> using share authentication works fine. Yet another reason I am
>>> leaning towards group issues. If the file-server is share-level the
>>> Windows 7 boxes are happy. As soon as it goes AD and uses AD groups,
>>> they stop working. I have not tried user-level security yet. Then
>>> again I may have user-level and share-level confused. It has been a
>>> long week. I will keep searching but so far nothing I have found and
>>> tried works.
>>>
>>> Is there a way to get an actual reason for the denial? If it
>>> flat-out told me a reason I could troubleshoot. Right now I am just
>>> shooting in random directions hoping to hit something since all I
>>> get is "Access Denied". Is it possible to see if S4 is denying the
>>> connection via a log or something, or if Windows 7 is being
>>> stupid... again?
>>>
>>> On 7/27/2014 10:57 AM, Rowland Penny wrote:
>>>> On 27/07/14 15:15, Ryan Ashley wrote:
>>>>> That solution is for Windows 8. That also is not our issue. The
>>>>> Windows 7 Pro 64bit workstations see the server and shares, and
>>>>> they map the shares according to group policy, but then everybody
>>>>> gets access denied, despite being in the domain groups for which
>>>>> the shares were created. Funny thing is that if I logon as domain
>>>>> admin, I get to access the shares. Due to this, I fully believe
>>>>> the S4 server is ignoring or not accounting for group membership.
>>>>> The "reachfp" account is the domain admin. This is also the
>>>>> default owner of files on the shares. The group "administration"
>>>>> contains many members and does not grant access, despite the group
>>>>> being granted full control. This led me into believing I am still
>>>>> dealing with a permissions issue and not another issue. If it was
>>>>> the other issue, I would assume domain admin could not see the
>>>>> share or access it. Is that about right?
>>>>>
>>>>> On 7/27/2014 4:56 AM, Rowland Penny wrote:
>>>>>> On 26/07/14 22:20, Ryan Ashley wrote:
>>>>>>> Alright, I just read the responses. I have two pickup trucks and
>>>>>>> one is older and acting up, so I have been working on it. On to
>>>>>>> the responses! Also, I sent this once by accident to Rowland.
>>>>>>> Still not used to having to change the reply field to the list.
>>>>>>> My apologies.
>>>>>>>
>>>>>>> Yes I set g+s and u+s via chmod. This was great in Samba 3, but
>>>>>>> I can undo it if needed. I believe 700028 is "SYSTEM". The
>>>>>>> directories and files are owned by "administration", "domain
>>>>>>> admins", and "SYSTEM". Same for the other share, except "fbc"
>>>>>>> instead of "administration". And I used the linked article as a
>>>>>>> guide for setting up these shares, so it has been used up. I
>>>>>>> only set the sticky bits after it wasn't working. I was trying
>>>>>>> to get it working and wanted a standard user and group. Either
>>>>>>> way, that was the guide I used before posting to this list.
>>>>>>>
>>>>>>> On 7/26/2014 5:36 AM, Rowland Penny wrote:
>>>>>>>> On 26/07/14 10:04, steve wrote:
>>>>>>>>> On Sat, 2014-07-26 at 09:10 +0100, Rowland Penny wrote:
>>>>>>>>>> On 26/07/14 03:07, Ryan Ashley wrote:
>>>>>>>>>>> As per suggestion, I deleted the TDB files after a reboot, then
>>>>>>>>>>> brought up nmbd, smbd, and winbindd. All TDB files were regenerated
>>>>>>>>>>> but the problem persists. I can resolve AD groups with wbinfo, but
>>>>>>>>>>> share access appears to only be granted to the owner. I need this
>>>>>>>>>>> fixed ASAP. I am out of ideas now.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 7/25/2014 5:00 PM, Dale Schroeder wrote:
>>>>>>>>>>>> I'll reply to you offline also, as these comments are fairly
>>>>>>>>>>>> insignificant.
>>>>>>>>>>>>
>>>>>>>>>>>> On 07/25/2014 7:51 AM, Ryan Ashley wrote:
>>>>>>>>>>>>> You are correct. I forgot to change it. Chalk it up to being
>>>>>>>>>>>>> exhausted when I did this. I will make the change now. Could this
>>>>>>>>>>>>> cause my issues though?
>>>>>>>>>>>> In a word, yes. It appears to be essential.
>>>>>>>>>>>>
>>>>>>>>>>>> To answer the question in your list email, if you should have any
>>>>>>>>>>>> further problems, the cache tdb's may have to be regenerated. There
>>>>>>>>>>>> are probably some SAMDOM entries in the default backend, but this may
>>>>>>>>>>>> never be an issue since the domain doesn't exist. Beyond that, I
>>>>>>>>>>>> can't offer any specific advice because I don't have the ability to
>>>>>>>>>>>> use the ad backend here. We have no Samba DC's nor Windows DC's with
>>>>>>>>>>>> SFU installed.
>>>>>>>>>>>>
>>>>>>>>>>>> Good luck,
>>>>>>>>>>>> Dale
>>>>>>>>>>>>
>>>>>>>>>>>>> On 07/24/2014 03:41 PM, Dale Schroeder wrote:
>>>>>>>>>>>>>> Ryan,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Assuming this is a verbatim copy of your config, should not "idmap
>>>>>>>>>>>>>> config SAMDOM" actually be "idmap config TRUEVINE"?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Dale
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 07/24/2014 10:25 AM, Ryan Ashley wrote:
>>>>>>>>>>>>>>> I have been using Samba4 for ages and love it as a DC and a
>>>>>>>>>>>>>>> print-server. I just set up my first member-server designed solely
>>>>>>>>>>>>>>> to host file shares, and have hit an issue. Group policy is
>>>>>>>>>>>>>>> mapping it correctly for the users in the group, but those users
>>>>>>>>>>>>>>> are getting an access denied message from their Windows 7 Pro
>>>>>>>>>>>>>>> 64bit clients when accessing the share. I have configured ACLs and
>>>>>>>>>>>>>>> the box resolves users and groups. Everything works, except for
>>>>>>>>>>>>>>> the shares. Below I attached all of the information I believe to
>>>>>>>>>>>>>>> be useful. Ask if you need more, and thank you for your help!
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> smb.conf:
>>>>>>>>>>>>>>> ======
>>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>>> netbios name = FS01
>>>>>>>>>>>>>>> workgroup = TRUEVINE
>>>>>>>>>>>>>>> security = ADS
>>>>>>>>>>>>>>> realm = TRUEVINE.LAN
>>>>>>>>>>>>>>> encrypt passwords = yes
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> idmap config *:backend = tdb
>>>>>>>>>>>>>>> idmap config *:range = 70001-80000
>>>>>>>>>>>>>>> idmap config SAMDOM:backend = ad
>>>>>>>>>>>>>>> idmap config SAMDOM:schema_mode = rfc2307
>>>>>>>>>>>>>>> idmap config SAMDOM:range = 500-40000
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> winbind nss info = rfc2307
>>>>>>>>>>>>>>> winbind trusted domains only = no
>>>>>>>>>>>>>>> winbind use default domain = yes
>>>>>>>>>>>>>>> winbind enum users = yes
>>>>>>>>>>>>>>> winbind enum groups = yes
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> vfs objects = acl_xattr
>>>>>>>>>>>>>>> map acl inherit = yes
>>>>>>>>>>>>>>> store dos attributes = yes
>>>>>>>>>>>>>>> auth methods = winbind
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [install$]
>>>>>>>>>>>>>>> path = /home/shared/install
>>>>>>>>>>>>>>> comment = "Software installation files"
>>>>>>>>>>>>>>> read only = no
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [staff$]
>>>>>>>>>>>>>>> path = /home/shared/staff
>>>>>>>>>>>>>>> comment = "Staff file share"
>>>>>>>>>>>>>>> read only = no
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [fbc$]
>>>>>>>>>>>>>>> path = /home/shared/fbc
>>>>>>>>>>>>>>> comment = "Family Bible College file share"
>>>>>>>>>>>>>>> read only = no
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ACL List:
>>>>>>>>>>>>>>> ======
>>>>>>>>>>>>>>> root at fs01:~# getfacl /home/shared/staff/
>>>>>>>>>>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>>>>>>>>>>> # file: home/shared/staff/
>>>>>>>>>>>>>>> # owner: reachfp
>>>>>>>>>>>>>>> # group: administration
>>>>>>>>>>>>>>> # flags: ss-
>>>>>>>>>>>>>>> user::rwx
>>>>>>>>>>>>>>> user:reachfp:rwx
>>>>>>>>>>>>>>> group::rwx
>>>>>>>>>>>>>>> group:administration:rwx
>>>>>>>>>>>>>>> group:domain\040admins:rwx
>>>>>>>>>>>>>>> group:70028:rwx
>>>>>>>>>>>>>>> mask::rwx
>>>>>>>>>>>>>>> other::rwx
>>>>>>>>>>>>>>> default:user::rwx
>>>>>>>>>>>>>>> default:user:reachfp:rwx
>>>>>>>>>>>>>>> default:group::---
>>>>>>>>>>>>>>> default:group:administration:rwx
>>>>>>>>>>>>>>> default:group:domain\040admins:rwx
>>>>>>>>>>>>>>> default:group:70028:rwx
>>>>>>>>>>>>>>> default:mask::rwx
>>>>>>>>>>>>>>> default:other::---
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> root at fs01:~# getfacl /home/shared/fbc/
>>>>>>>>>>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>>>>>>>>>>> # file: home/shared/fbc/
>>>>>>>>>>>>>>> # owner: reachfp
>>>>>>>>>>>>>>> # group: fbc
>>>>>>>>>>>>>>> # flags: ss-
>>>>>>>>>>>>>>> user::rwx
>>>>>>>>>>>>>>> user:reachfp:rwx
>>>>>>>>>>>>>>> group::rwx
>>>>>>>>>>>>>>> group:fbc:rwx
>>>>>>>>>>>>>>> group:domain\040admins:rwx
>>>>>>>>>>>>>>> group:70028:rwx
>>>>>>>>>>>>>>> mask::rwx
>>>>>>>>>>>>>>> other::rwx
>>>>>>>>>>>>>>> default:user::rwx
>>>>>>>>>>>>>>> default:user:reachfp:rwx
>>>>>>>>>>>>>>> default:group::---
>>>>>>>>>>>>>>> default:group:fbc:rwx
>>>>>>>>>>>>>>> default:group:domain\040admins:rwx
>>>>>>>>>>>>>>> default:group:70028:rwx
>>>>>>>>>>>>>>> default:mask::rwx
>>>>>>>>>>>>>>> default:other::---
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> NSSwitch:
>>>>>>>>>>>>>>> ======
>>>>>>>>>>>>>>> # /etc/nsswitch.conf
>>>>>>>>>>>>>>> #
>>>>>>>>>>>>>>> # Example configuration of GNU Name Service Switch functionality.
>>>>>>>>>>>>>>> # If you have the `glibc-doc-reference' and `info' packages installed, try:
>>>>>>>>>>>>>>> # `info libc "Name Service Switch"' for information about this file.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> passwd: compat winbind
>>>>>>>>>>>>>>> group: compat winbind
>>>>>>>>>>>>>>> shadow: compat
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> hosts: files dns
>>>>>>>>>>>>>>> networks: files
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> protocols: db files
>>>>>>>>>>>>>>> services: db files
>>>>>>>>>>>>>>> ethers: db files
>>>>>>>>>>>>>>> rpc: db files
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> netgroup: nis
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> FS Permissions:
>>>>>>>>>>>>>>> ==========
>>>>>>>>>>>>>>> root at fs01:~# l /home/shared
>>>>>>>>>>>>>>> total 40
>>>>>>>>>>>>>>> drwsrwsrwx+  6 reachfp fbc             4096 Jul 23 11:31 fbc
>>>>>>>>>>>>>>> drwsrws---+  8 reachfp domain admins   4096 Jul 23 11:14 install
>>>>>>>>>>>>>>> drwx------   2 root    root           16384 Jul 15 10:00 lost+found
>>>>>>>>>>>>>>> drwsrwsrwx+ 13 reachfp administration  4096 Jul 23 11:30 staff
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> As you can see, I even tried changing the directory permissions to
>>>>>>>>>>>>>>> 777 and still no go. The users in the "administration" group are
>>>>>>>>>>>>>>> getting the drive mapped but are being denied access to it. Same
>>>>>>>>>>>>>>> for FBC. I have worked on this for days now and cannot get
>>>>>>>>>>>>>>> anywhere. What should I try next?
>>>>>>>>>> You seem to have 'flags' set on the directories. As I had never seen
>>>>>>>>>> this before, I read the manpage and found that this means all files in
>>>>>>>>>> the directory will be owned by whoever owns the directory. I do not know
>>>>>>>>>> how you set the 'flags', but I suggest you find out how to remove them;
>>>>>>>>>> I think that this will cure your problem.
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>> Hi
>>>>>>>>> @Rowland
>>>>>>>>> chmod u-s <folder>
>>>>>>>>> and
>>>>>>>>> chmod g-s <folder>
>>>>>>>>
>>>>>>>> Hi, I actually knew that ;-) I was trying to get the OP to read
>>>>>>>> up on getfacl a bit more.
>>>>>>>>>
>>>>>>>>> I think that's OK, but I've suggested removing everything and starting
>>>>>>>>> with only the sticky bit on group:
>>>>>>>>> chmod g+s
>>>>>>>>> in combination with the group rw acl. That is all we are using here for
>>>>>>>>> our group access share. What we are not seeing here are the xacls, but
>>>>>>>>> the OP is doing it on the samba side. The group rw maps fine in windows.
>>>>>>>>> It also looks as though windows has had its say too as there is a
>>>>>>>>> builtin acl set too.
>>>>>>>>> Cheers,
>>>>>>>>> Steve
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>> I would also suggest that the OP has a read here:
>>>>>>>>
>>>>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>>>>>>
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>
>>>>>> OK, after a bit more thought, I decided that as everything seems
>>>>>> to be correct it is probably a windows problem. A quick internet
>>>>>> search turned this up:
>>>>>>
>>>>>> http://www.eightforums.com/network-sharing/18056-w2k3-server-can-access-windows-8-windows-8-computer-cant-see-w2k-server.html#post177162
>>>>>>
>>>>>>
>>>>>> Have a look, I think that it may fix your problems.
>>>>>>
>>>>>> Rowland
>>>>>
>>>> You are missing the point. I probably could have chosen a better
>>>> target, but I only spent about 30 secs on the search:
>>>>
>>>> windows 7 64 bit access denied samba
>>>>
>>>> This returns About 116,000 results, here's another one:
>>>>
>>>> http://www.sevenforums.com/network-sharing/242602-can-t-connect-samba-share-win-7-ultimate-64-bit.html
>>>>
>>>>
>>>> Try looking into this before dismissing it out of hand and
>>>> insisting that samba is the problem.
>>>>
>>>> Rowland
>>>
>> OK, after more thought and re-reading your posts, a thought has popped
>> into my head: apparmor. Do you have this running on the server? I have
>> been caught out by this a few times, not being allowed to do things that
>> I thought I should be able to do, or packages not running correctly
>> because they were not allowed access; in every case it was apparmor. As I
>> could never get apparmor to play ball with me (I thought that I had found
>> all rights that needed modding and then another one would pop its head up,
>> and what is in the logs bears no resemblance to what you need to put in
>> the conf file), I now disable apparmor straight after installing a new
>> system.
>>
>> Rowland
>>
>
OK, getting a bit lost here now. Have you tried raising the log level in
smb.conf and seeing if anything appears in the logs?
Rowland
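Added example, not code from the thread or from the Samba project: a small POSIX shell script that mechanises the checks the thread arrives at, so they can be re-run on any member server before turning up the log level. The first is Dale's point that "idmap config SAMDOM" has to name the real workgroup (TRUEVINE here): a domain with no idmap config entry of its own is served by the "*" backend, which in the posted smb.conf is tdb with range 70001-80000, and the unresolved gid 70028 in the posted getfacl output sits inside exactly that range, which is what you would expect when TRUEVINE SIDs are being allocated IDs by tdb rather than read from AD. The second is the setuid/setgid bits that Rowland and Steve discuss ("flags: ss-" in getfacl, "drwsrws" in ls): on Linux the setuid bit on a directory does nothing and setgid only makes new entries inherit the directory's group, so they are not the cause of a denial, but the script reports them so you can clear them as Steve suggests. It also checks that the idmap ranges do not overlap. The sample smb.conf fragment is constructed from the lines posted above; the function names and the script name member_server_checks.sh are my own, and nothing here talks to winbind or AD, so it runs offline.

```shell
#!/bin/sh
# Added example (not code from the thread or from Samba): offline checks for
# the misconfigurations discussed above on a Samba AD member server.

# Constructed sample input: the [global] idmap lines as posted in the thread.
write_conf_as_posted() {
    cat > "$1" <<'EOF'
[global]
   workgroup = TRUEVINE
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:schema_mode = rfc2307
   idmap config SAMDOM:range = 500-40000
EOF
}

# check_idmap_domains CONF: every "idmap config DOM:" must be "*" or the
# workgroup. Any other DOM is dead config; SIDs from the real domain then fall
# through to the "*" backend (tdb here) and get IDs allocated from its range
# instead of the rfc2307 uidNumber/gidNumber kept in AD. Returns 1 on mismatch.
check_idmap_domains() {
    conf=$1
    wg=$(sed -n 's/^[[:space:]]*workgroup[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | head -n 1)
    [ -n "$wg" ] || { echo "$conf: no workgroup set" >&2; return 2; }
    wg_uc=$(printf '%s' "$wg" | tr '[:lower:]' '[:upper:]')
    bad=$(sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^:[:space:]]*\)[[:space:]]*:.*/\1/p' "$conf" |
        sort -u | while IFS= read -r dom; do
            dom_uc=$(printf '%s' "$dom" | tr '[:lower:]' '[:upper:]')
            [ "$dom_uc" = '*' ] && continue
            [ "$dom_uc" = "$wg_uc" ] && continue
            echo "$conf: 'idmap config $dom:' does not match workgroup $wg (want 'idmap config $wg:')"
        done)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# check_idmap_ranges CONF: the "*" range and every domain range must not
# overlap, otherwise one ID can be handed to two different SIDs. Returns 1
# if any two ranges overlap.
check_idmap_ranges() {
    awk -F= '
    $1 ~ /^[ \t]*idmap config[ \t]*[^:]*:[ \t]*range[ \t]*$/ {
        nm = $1; sub(/^[ \t]*idmap config[ \t]*/, "", nm); sub(/[ \t]*:.*$/, "", nm)
        v = $2; gsub(/[ \t]/, "", v); split(v, r, "-")
        n++; name[n] = nm; lo[n] = r[1] + 0; hi[n] = r[2] + 0
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) for (j = i + 1; j <= n; j++)
            if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                printf "%s: range %s (%d-%d) overlaps %s (%d-%d)\n",
                    FILENAME, name[i], lo[i], hi[i], name[j], lo[j], hi[j]
                bad = 1
            }
        exit bad
    }' "$1"
}

# mode_has_setid MODE: MODE is the 10-character mode field from "ls -ld"
# ("drwsrws---" shows setuid and setgid; getfacl prints them as "flags: ss-").
# Returns 1 if either bit is set and names the chmod that clears it.
mode_has_setid() {
    found=0
    case $(printf '%s' "$1" | cut -c4) in s|S) echo "setuid bit set (chmod u-s)"; found=1 ;; esac
    case $(printf '%s' "$1" | cut -c7) in s|S) echo "setgid bit set (chmod g-s)"; found=1 ;; esac
    return $found
}

# check_share_dir DIR: the same check against a live share root.
check_share_dir() {
    mode_has_setid "$(ls -ld "$1" | cut -c1-10)"
}

# acl_numeric_ids FILE: numeric user/group entries in saved getfacl output,
# e.g. "group:70028:rwx": an ID that NSS could not map back to a name.
acl_numeric_ids() {
    sed -n 's/^\(default:\)\{0,1\}[ug][a-z]*:\([0-9][0-9]*\):.*/\2/p' "$1" | sort -u
}

# id_in_range ID LOW HIGH: true when LOW <= ID <= HIGH, e.g. to test whether
# an unresolved ID was allocated from the "*" range.
id_in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Usage: sh member_server_checks.sh /etc/samba/smb.conf /home/shared/staff acl.txt
for arg in "$@"; do
    if [ -d "$arg" ]; then check_share_dir "$arg"
    elif grep -q '^\[global\]' "$arg"; then check_idmap_domains "$arg"; check_idmap_ranges "$arg"
    else acl_numeric_ids "$arg"
    fi
done
```

Run it on the member server against the real smb.conf and share roots, or save getfacl output to a file and pass that to list the numeric IDs. It complements rather than replaces the live checks: testparm -s to see what smbd actually loaded, getent group for any numeric ID it reports, and, once the idmap entry is corrected, regenerating the winbind cache tdbs as Dale noted, because IDs already allocated by the "*" backend persist there.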