[Samba] Samba 4 AD share: Access denied
Rowland Penny
rowlandpenny at googlemail.com
Tue Jul 29 11:18:37 MDT 2014
On 29/07/14 18:01, Ryan Ashley wrote:
> Yes, I see all domain users and groups, getent works with passwd and
> with any domain group, and shows things as they should be. Every group
> has a unique gid.
OK, then on paper everything is working as it should be, I cannot think
of anything else to do, anybody else have any input ???
If nobody else has any input, it may be time to file a bug against samba.
Rowland
>
> On 07/29/2014 12:09 PM, Rowland Penny wrote:
>> On 29/07/14 16:52, Ryan Ashley wrote:
>>> I took it a step farther. I stopped the daemons, left the domain,
>>> deleted everything in /var/lib/samba, uninstalled S4, rebooted,
>>> pulled the latest stuff from 4-1-stable, configured and built it,
>>> installed it, added the options you showed me to the configuration,
>>> joined the domain, and verified everything. IDs are the same, the
>>> keytab WAS created, but users still get access denied. So I am still
>>> nowhere for my efforts. At least I have the keytab though.
>>>
>>> So what is next? I am not running iptables or anything yet, because
>>> of the issues. Windows ACLs are there and are correct. The domain
>>> admin is the only one who can access the shares.
>>
>> I take it that 'wbinfo -u' shows all domain users, 'wbinfo -g' shows
>> all the domain groups, 'getent passwd' shows local and domain users,
>> 'getent group Domain\ Users' shows the info for the Domain users
>> group ('getent group' will not show any domain groups unless ALL
>> domain groups have a gidNumber).
>>
>> Rowland
>>
>>>
>>> On 07/29/2014 11:40 AM, Rowland Penny wrote:
>>>> On 29/07/14 16:17, Ryan Ashley wrote:
>>>>> I just checked and I only have */etc/krb5.conf* in */etc*. No
>>>>> keytab. I am pasting the provision information from my history as
>>>>> root on the DC.
>>>>>
>>>>> samba-tool domain provision --use-rfc2307 --interactive
>>>>>
>>>>> I gave the domain the name "truevine.lan". I also noted that there
>>>>> is no Kerberos keytab on the DC. I followed the guides to the
>>>>> letter in both cases, and neither mention what you are telling me.
>>>>> I am not disputing you, but if this stuff is required, it needs to
>>>>> be in the guide/wiki. That is why I started asking questions. I
>>>>> understand the guides and have been a Windows admin for years, but
>>>>> doing it with Samba is still new, and I love it, though I must
>>>>> learn a standard way to do this so it will always work.
>>>>
>>>> If you require the keytab on the Samba4 AD server (if you want to
>>>> use sssd for instance) you have to export it with
>>>>
>>>> 'samba-tool domain exportkeytab /etc/krb5.keytab'
>>>>
>>>> This will put the keytab in /etc/krb5.keytab and you will then be
>>>> able to list the keytab with ktutil.
>>>>
>>>> On a client or member server, the keytab should be created when you
>>>> join the domain.
>>>>
>>>> This is the global part of the smb.conf on the laptop I am writing
>>>> this on:
>>>>
>>>> [global]
>>>> workgroup = EXAMPLE
>>>> security = ADS
>>>> realm = EXAMPLE.COM
>>>> #client signing = yes
>>>> dedicated keytab file = /etc/krb5.keytab
>>>> kerberos method = secrets and keytab
>>>> server string = Samba 4 Client %h
>>>> winbind enum users = yes
>>>> winbind enum groups = yes
>>>> winbind use default domain = yes
>>>> winbind expand groups = 4
>>>> winbind nss info = rfc2307
>>>> winbind refresh tickets = Yes
>>>> winbind offline logon = yes
>>>> winbind normalize names = Yes
>>>> idmap config * : backend = tdb
>>>> idmap config * : range = 2000-9999
>>>> idmap config EXAMPLE : backend = ad
>>>> idmap config EXAMPLE : range = 10000-999999
>>>> idmap config EXAMPLE : schema_mode = rfc2307
>>>> printcap name = cups
>>>> cups options = raw
>>>> usershare allow guests = yes
>>>> domain master = no
>>>> local master = no
>>>> preferred master = no
>>>> os level = 20
>>>> map to guest = bad user
>>>> username map = /etc/samba/smbmap
>>>> vfs objects = acl_xattr
>>>> map acl inherit = Yes
>>>> store dos attributes = Yes
>>>>
>>>> The laptop runs samba4 in classic mode with users and groups having
>>>> uidNumber's & gidNumber's etc stored in AD, both ranges starting at
>>>> 10000.
>>>>
>>>> With the above smb.conf and all samba daemons stopped, if you now run
>>>>
>>>> 'net ads join -U Administrator@EXAMPLE.COM'
>>>>
>>>> The machine should join the domain and /etc/krb5.keytab should be
>>>> created.
>>>>
>>>> You can read this with ktutil
>>>>
>>>> sudo ktutil
>>>> ktutil: rkt /etc/krb5.keytab
>>>> ktutil: l
>>>> slot KVNO Principal
>>>> ---- ----
>>>> ---------------------------------------------------------------------
>>>> 1 5 host/thinkpad.example.com@EXAMPLE.COM
>>>> 2 5 host/thinkpad.example.com@EXAMPLE.COM
>>>> 3 5 host/thinkpad.example.com@EXAMPLE.COM
>>>> 4 5 host/thinkpad.example.com@EXAMPLE.COM
>>>> 5 5 host/thinkpad.example.com@EXAMPLE.COM
>>>> 6 5 host/thinkpad@EXAMPLE.COM
>>>> 7 5 host/thinkpad@EXAMPLE.COM
>>>> 8 5 host/thinkpad@EXAMPLE.COM
>>>> 9 5 host/thinkpad@EXAMPLE.COM
>>>> 10 5 host/thinkpad@EXAMPLE.COM
>>>> 11 5 THINKPAD$@EXAMPLE.COM
>>>> 12 5 THINKPAD$@EXAMPLE.COM
>>>> 13 5 THINKPAD$@EXAMPLE.COM
>>>> 14 5 THINKPAD$@EXAMPLE.COM
>>>> 15 5 THINKPAD$@EXAMPLE.COM
>>>> ktutil: q
>>>>
>>>> You should now restart the samba daemons.
>>>>
>>>> Rowland
>>>>
>>>>>
>>>>> On 07/29/2014 10:51 AM, Rowland Penny wrote:
>>>>>> On 29/07/14 15:33, Ryan Ashley wrote:
>>>>>>> I will checkout the module later. Working is my top priority as
>>>>>>> you stated. However, you have me curious now. If this keytab is
>>>>>>> created, where the heck is it created? I am looking for it in
>>>>>>> /var/lib/samba, /etc, and other places. None of my member
>>>>>>> servers have it and they all seem to work, minus this stubborn
>>>>>>> one of course.
>>>>>>
>>>>>> If you set smb.conf up correctly and then run 'net ads join -U
>>>>>> Administrator@EXAMPLE.COM', you should find that
>>>>>> /etc/krb5.keytab is created.
>>>>>>
>>>>>>>
>>>>>>> Also, I did a test earlier and wanted to share the results. This
>>>>>>> thing keeps complaining about an idmap ad backend not being
>>>>>>> found, and I honestly believe that is the issue, not Kerberos. I
>>>>>>> am trying your suggestion because maybe this backend is stored
>>>>>>> in Kerberos, who knows. Either way, I am being flooded with
>>>>>>> errors about this "idmap backend ad" not being found.
>>>>>>
>>>>>> The 'idmap backend ad' is part of winbind, and as such, should be
>>>>>> available. If I remember correctly you are using a S4 AD DC, can
>>>>>> you remember how you provisioned it?
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Anyway, I had already added winbind to nsswitch.conf for users
>>>>>>> and groups, so I wanted to verify the same UID/GID was being
>>>>>>> pulled. I wiped the winbind idmap tdb files and rebooted. Got
>>>>>>> the same IDs after it rebooted and created the files again, so
>>>>>>> no issue there. For example, the "Domain Users" group always has
>>>>>>> an ID of 70001. That much is working. So what in the heck does
>>>>>>> the missing backend do? Something is already mapping domain
>>>>>>> users and groups to IDs, so I am scratching my head on this one.
>>>>>>
>>>>>> The 'idmap backend ad' is one that pulls all the user and group
>>>>>> info from RFC2307 attributes on the AD server.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>>
>>>>>>> On 07/29/2014 10:22 AM, Rowland Penny wrote:
>>>>>>>> On 29/07/14 15:00, Ryan Ashley wrote:
>>>>>>>>> I understand the basics of Kerberos, but the reason that I am
>>>>>>>>> asking is because I have dozens of S4 servers in production
>>>>>>>>> environments and have never had to create the keytab you
>>>>>>>>> mentioned. They all just worked.
>>>>>>>>
>>>>>>>> If, when you talk about S4 servers, you mean as an AD DC, then
>>>>>>>> yes you do not require the keytab, but on a member server (or
>>>>>>>> client) when you join the domain with the net command, the
>>>>>>>> keytab is created.
>>>>>>>>>
>>>>>>>>> Now, I do not mind modifying my pam settings as I have done on
>>>>>>>>> loads of Linux workstations which are joined to an AD domain,
>>>>>>>>> but how would I prevent the login of users? I have a home
>>>>>>>>> directory and cannot remove it, so there is technically a
>>>>>>>>> place for their home directories. In Windows I would simply
>>>>>>>>> modify group policy to deny logon, but we both know Linux
>>>>>>>>> knows nothing of a GPO. So without removing "/home", how would
>>>>>>>>> I prevent login?
>>>>>>>>>
>>>>>>>>> My plan now is to modify pam first, then if needed, do the
>>>>>>>>> keytab.
>>>>>>>>
>>>>>>>> I would do it the other way, get everything to work and then if
>>>>>>>> need be, stop user login with PAM. If you install
>>>>>>>> the packages I suggested, PAM will do all the work for you
>>>>>>>> initially. You could also investigate a PAM module called
>>>>>>>> 'pam_nologin', you should be able to guess what this does ;-)
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
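As an added example (not code from the thread or from the Samba project), the script below lints an smb.conf [global] section for the idmap points discussed above: the domain backend is `ad` with `schema_mode = rfc2307`, the `*` range and the domain range do not overlap, and an id that winbind resolved (Ryan's "Domain Users" gid 70001 is used as the sample) lies inside the domain's range rather than the `*` allocation range. The sample config is constructed from the idmap lines of Rowland's smb.conf; the parser and the checks are this example's own assumptions about what to verify.

```python
import re

# Constructed sample: the idmap lines of Rowland's [global] section from the thread.
SAMPLE_SMB_CONF = """\
[global]
workgroup = EXAMPLE
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config EXAMPLE : backend = ad
idmap config EXAMPLE : range = 10000-999999
idmap config EXAMPLE : schema_mode = rfc2307
"""

def parse_global(text):
    """Return {key: value} from the [global] section, keys lowercased."""
    conf, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':           # smb.conf comment lines
            continue
        if line.startswith('['):
            in_global = line.lower() == '[global]'
        elif in_global and '=' in line:
            key, val = line.split('=', 1)
            conf[' '.join(key.lower().split())] = val.strip()
    return conf

def lint(conf, sample_id=None):
    """Return problems found; sample_id is an id winbind resolved (e.g. a gid)."""
    dom = conf.get('workgroup', '').upper()
    d = f'idmap config {dom.lower()}'             # lookup key prefix, lowercased
    problems = []
    if conf.get(f'{d} : backend', '').lower() != 'ad':
        problems.append(f'idmap config {dom} : backend should be ad')
    if conf.get(f'{d} : schema_mode', '').lower() != 'rfc2307':
        problems.append(f'idmap config {dom} : schema_mode should be rfc2307')
    ranges = {}                                   # '*' / DOMAIN -> (low, high)
    for key, val in conf.items():
        m = re.fullmatch(r'idmap config (\S+) : range', key)
        if m:
            ranges[m.group(1).upper()] = tuple(int(x) for x in val.split('-'))
    if '*' not in ranges or dom not in ranges:
        return problems + ['both "*" and the domain need an idmap range']
    (lo1, hi1), (lo2, hi2) = ranges['*'], ranges[dom]
    if lo1 <= hi2 and lo2 <= hi1:                 # intervals intersect
        problems.append('the "*" range overlaps the domain range')
    if sample_id is not None and not lo2 <= sample_id <= hi2:
        problems.append(f'id {sample_id} is outside the {dom} range (not from AD)')
    return problems
```

An id outside the domain's `ad` range came from the `*` tdb allocator, not from an AD uidNumber/gidNumber, which is the kind of mismatch that leaves ACLs looking correct while access is still denied.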