[Samba] NT_STATUS_ACCESS_DENIED on a directory I have permission to access

Paul Griffith paulg at eecs.yorku.ca
Thu May 9 19:17:07 UTC 2019

On 5/6/19 11:59 AM, Rowland Penny via samba wrote:
> On Mon, 6 May 2019 10:33:27 -0400
> Paul Griffith <paulg at eecs.yorku.ca> wrote:
>> On 5/3/19 9:53 AM, Rowland Penny via samba wrote:
>>> On Fri, 3 May 2019 15:36:59 +0200
>>> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>>>> Hai Paul,
>>>> Look at this: user=paulg,uid=2381
>>>> (from mount -t cifs //xxxx.xxxx.yorku.ca/homes /tmp/1 -o
>>>> user=paulg,uid=2381,gid=1000,domain=AD.ONE.EXAMPLE.CA)
>>>> Now, look at this :
>>>>> idmap config * : backend = tdb
>>>>> idmap config * : range = 3000-7999
>>>>> # - You must set a DOMAIN backend configuration
>>>>> # idmap config for the ONEEXAMPLECA domain
>>>>> idmap config ONEEXAMPLECA : backend = rid
>>>>> idmap config ONEEXAMPLECA : range = 10000-999999
>>>> What do you notice here? (the hint is 2381:1000) and I would
>>>> expect to see 10000:10000 or higher. Do you see what I mean? Your
>>>> UID/GID is a local users one, not AD-DC users.
>>>> Your ranges are out of sync now, and that your denied is completely
>>>> correct.
>>> Good catch Louis, those numbers are even outside the '*' domain, so
>>> must be a local Unix user and group and how many times do I have to
>>> say this:
>>> You cannot have local Unix users and groups in /etc/passwd
>>> & /etc/group and expect them to work on a Samba Unix domain.
>>> If the ID numbers are in AD, then the only reason would be if this
>>> is a classicupgraded domain (which I personally hate) and if so, the
>>> ranges in smb.conf will need altering to match.
>>> Rowland
>> Louis and Rowland,
>> Thank you both for your suggestions. Why only the mail directory, why
>> wouldn't I get a permission error on the other directories?
>> This is a classic upgraded domain. In this situation, what would be
>> ideal..?
>> 1 ) Configure the local builtin accounts?
>> idmap config *   :  range = 100-999
> No, set this above the 'ONEEXAMPLECA' domain
>> 2) Configure the Domain accounts?
>> idmap config ONEEXAMPLECA : backend = rid
>> idmap config ONEEXAMPLECA : range = 1000-999999
> if your lowest Unix ID in AD is 1000 and your highest is less than
> 999999, then yes, but use the 'ad' backend instead.
> If you don't care about the IDs (in which case, why did you run the
> classicupgrade?), the range can be anything you like, if you use
> the 'rid' backend.
> Rowland
>> Suggestions and links always welcomed :)
>> Paul

Hello Rowland,

I went back and re-read the following links and with the changes listed
below I resolved most of my problems.

[0] - https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
[1] - https://wiki.samba.org/index.php/Libnss_winbind_Links
[2] - https://wiki.samba.org/index.php/Idmap_config_ad
[3] - 

[4] - 

But I still can't figure out why getent doesn't return anything for the
domain. If I use /etc/passwd it works as expected.

- getent domain fails
getent passwd ONEEXAMPLECA\\paulg

From strace I see it opens the winbindd pipe and talks to winbind:

lstat("/var/run/winbindd", {st_mode=S_IFDIR|0755, st_size=60, ...}) = 0
30477 lstat("/var/run/winbindd/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
30477 socket(AF_LOCAL, SOCK_STREAM, 0)  = 3
30477 fcntl(3, F_GETFL)                 = 0x2 (flags O_RDWR)
30477 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
30477 fcntl(3, F_GETFD)                 = 0
30477 fcntl(3, F_SETFD, FD_CLOEXEC)     = 0
30477 connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/winbindd/pipe"}, 110) = 0

From the log.winbindd log file, nothing is returned.

[2019/05/09 14:45:18.165098,  3, pid=14653, effective(0, 0), real(0, 0)] 
   getpwnam ONEEXAMPLECA\paulg

Any suggestions to tackle the getent domain issue?

What errors could show up if we have the same user names in the local 
/etc/passwd file as in the domain?

--- Changes made ---

  I removed SSSD and related packages.

1 - Since we compile Samba from source, I linked the compiled library
libnss_winbind.so.2 into /lib64; linking libnss_winbind.so didn't work.
I had to use strace to confirm that getent was looking for
libnss_winbind.so.2 and not libnss_winbind.so (CentOS 7.6).

2 - verify nsswitch.conf
  grep -i winbind /etc/nsswitch.conf
passwd:     files winbind
group:      files winbind

3 - verify /etc/krb5.conf

# Configuration snippets may be placed in this directory as well
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = AD.ONE.EXAMPLE.CA
  dns_lookup_realm = false
  dns_lookup_kdc = true
  forwardable = true
  proxiable = true
  ignore_k5login = true
  ticket_lifetime = 24h
  renew_lifetime = 7d

4 - Using the command  'samba-tool user edit paulg' I added the UNIX 
ID/GID to uidNumber and gidNumber in AD.

5 - Updated the file server conf as per previous e-mails and the links above.

security = ADS
workgroup = ONEEXAMPLECA
hostname lookups = yes

preferred master = no
domain master = no

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999

# idmap config for the ONEEXAMPLECA domain
# range should match UNIX ID in AD
idmap config ONEEXAMPLECA : backend = ad
idmap config ONEEXAMPLECA : schema_mode = rfc2307
idmap config ONEEXAMPLECA : range = 1000-999999
idmap config ONEEXAMPLECA : unix_nss_info = yes

# Renew the kerberos tickets
winbind refresh tickets = yes

# Enable offline logins
winbind offline logon = yes

# User uid/Gid from AD. (rfc2307)
winbind nss info = rfc2307

# With default domain, wbinfo -u, yes = username, no is SAMBADOM\username
winbind use default domain = yes

# Keep no in production, set yes when debugging, this slows down your 
winbind enum users  = no
winbind enum groups = no

# disable creating usershares; when set empty, no error log messages.
usershare path =

# For Windows ACL support on member file server, enabled globally, OBLIGATED
# For a mixed setup of rights, put this per share!
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /eecs/home/%U

Thank you,
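As an added example that is not part of this thread or of the Samba project, the script below applies the reasoning Louis and Rowland used above to a fragment of smb.conf: it parses the `idmap config` lines, checks that the `*` default domain exists, uses a writable backend and does not overlap any domain range, and reports which range (if any) a given uid or gid falls into. An ID outside every range, like the 2381:1000 seen in the mount options, can only be a local /etc/passwd account. The three config fragments are constructed from the values quoted in the thread (the original ranges, the reworked `ad` ranges, and a deliberately overlapping pair); the function names are my own, not Samba's.

```python
"""idmap range sanity check for a Samba domain member's smb.conf.

Added example for this thread, not code from Samba or the posters: it encodes
the rule that a uid/gid outside every 'idmap config' range cannot have come
from winbind, and that the '*' range must not overlap a domain range.
"""
import re

# One 'idmap config <domain> : <key> = <value>' line; whitespace is free-form.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)

# Backends that only compute or read IDs; the '*' domain needs a writable one.
READ_ONLY_BACKENDS = {"ad", "rid"}


def parse_idmap(conf: str) -> dict:
    """Return {DOMAIN: {key: value}} for every idmap config line in conf."""
    domains = {}
    for line in conf.splitlines():
        if line.strip().startswith(("#", ";")):
            continue
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
    return domains


def parse_range(spec: str):
    """'10000-999999' -> (10000, 999999); reject reversed ranges."""
    lo, hi = (int(x) for x in spec.split("-", 1))
    if lo > hi:
        raise ValueError(f"bad idmap range {spec!r}")
    return lo, hi


def check_ranges(domains: dict) -> list:
    """Return a list of problems; an empty list means the ranges are consistent."""
    problems = []
    default = domains.get("*")
    if default is None:
        problems.append("no 'idmap config *' default domain")
    elif default.get("backend", "").lower() in READ_ONLY_BACKENDS:
        problems.append("'*' domain must use a read-write backend such as tdb")
    ranges = {}
    for dom, cfg in domains.items():
        if "range" not in cfg:
            problems.append(f"{dom}: no range configured")
            continue
        ranges[dom] = parse_range(cfg["range"])
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                problems.append(f"ranges of {a} and {b} overlap")
    return problems


def classify_id(domains: dict, unix_id: int) -> str:
    """Name the idmap domain (and backend) a uid/gid belongs to.

    An ID outside every range was never allocated by winbind, which is the
    2381:1000 case in the thread: a local /etc/passwd user, not an AD one.
    """
    for dom, cfg in domains.items():
        if "range" in cfg:
            lo, hi = parse_range(cfg["range"])
            if lo <= unix_id <= hi:
                return f"{dom} ({cfg.get('backend', '?')} backend)"
    return "local (outside every idmap range)"


# Constructed from the thread: the original ranges that triggered the denial.
OLD_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config ONEEXAMPLECA : backend = rid
idmap config ONEEXAMPLECA : range = 10000-999999
"""

# Constructed from the thread: the reworked ranges that cover the AD uidNumbers.
NEW_CONF = """
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config ONEEXAMPLECA : backend = ad
idmap config ONEEXAMPLECA : schema_mode = rfc2307
idmap config ONEEXAMPLECA : range = 1000-999999
"""

# Constructed counter-example: default range sitting inside the domain range.
OVERLAP_CONF = """
idmap config * : backend = tdb
idmap config * : range = 1000-2999
idmap config ONEEXAMPLECA : backend = ad
idmap config ONEEXAMPLECA : range = 1000-999999
"""

if __name__ == "__main__":
    for name, conf in (("old", OLD_CONF), ("new", NEW_CONF), ("overlap", OVERLAP_CONF)):
        domains = parse_idmap(conf)
        print(name, "problems:", check_ranges(domains) or "none")
        print(name, "uid 2381 ->", classify_id(domains, 2381))
```

Run it against the real smb.conf by reading the file into `parse_idmap`; with the old ranges, uid 2381 is reported as local, which is exactly why the share access was denied, and with the reworked ranges it lands in the ONEEXAMPLECA `ad` backend, where winbind will look up the uidNumber that step 4 added to AD.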
