[Samba] Problems with ldap groups in share folders ACCESS_DENIED
Alberto Moreno
portsbsd at gmail.com
Fri Jun 11 19:26:33 MDT 2010
Hi, I have been working all week with Samba 3.4.7 on CentOS 5.5:
PDC(3.4.7) with LDAP backend+Centos 5.5(3.4.7) BDC with LDAP slave.
I already have 5 clients joined to the domain:
1 Windows XP
1 Windows 7 UE
1 Centos 5.5 Desktop
1 Ubuntu 9.x
1 Centos 5.5
I can browse from Windows, see my clients and access some shares. I
want to create private shares on my PDC, using:
force group
valid users
write list
I created a group named "it" with smbldap-tools and added 2 users: test1 and test2.
The CentOS PDC and the other hosts are able to resolve users and groups from LDAP:
id test1
id test1
uid=10001(test1) gid=513(Domain Users) groups=513(Domain Users),10001(it)
getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi-autoipd:x:100:102:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
exim:x:93:93::/var/spool/exim:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
pcap:x:77:77::/var/arpwatch:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
root:x:0:0:Netbios Domain Administrator:/home/root:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
rot:x:1004:513:System User:/home/rot:/sbin/nologin
smbbdc$:*:1005:515:Computer:/dev/null:/bin/false
pim-win7ue$:*:1006:515:Computer:/dev/null:/bin/false
test1:x:10001:513:Test Test Uno:/home/test1:/sbin/nologin
test2:x:10002:513:Test Test2:/home/test2:/bin/bash
smbpdc$:*:1007:515:Computer:/dev/null:/bin/false
pim-winxpa$:*:1008:515:Computer:/dev/null:/bin/false
pim-ubuntu$:*:1009:515:Computer:/dev/null:/bin/false
pim-centos1$:*:1010:515:Computer:/dev/null:/bin/false
getent group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
mail:x:12:mail,exim
news:x:13:news
uucp:x:14:uucp
man:x:15:
games:x:20:
gopher:x:30:
dip:x:40:
ftp:x:50:
lock:x:54:
nobody:x:99:
users:x:100:
nscd:x:28:
floppy:x:19:
vcsa:x:69:
utmp:x:22:
utempter:x:35:
slocate:x:21:
audio:x:63:
rpc:x:32:
ecryptfs:x:101:
sshd:x:74:
dbus:x:81:
avahi:x:70:
haldaemon:x:68:
avahi-autoipd:x:102:
exim:x:93:
ldap:x:55:
screen:x:84:
pcap:x:77:
apache:x:48:
Domain Admins:*:512:root
Domain Users:*:513:test1
Domain Guests:*:514:
Domain Computers:*:515:
Administrators:*:544:
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:
Replicators:*:552:
it:*:10001:test1,test2
ll
I can assign LDAP groups to directories on the filesystem:
total 2088
drwxrwx--- 5 root it 4096 Jun 8 19:32 it
This is my smb.conf for this share:
[sis]
path = /opt/it
available = Yes
browseable = Yes
read only = No
guest ok = No
writeable = Yes
valid users = @it
write list = @PIMPOM\it
directory mode = 0770
I have tried:
valid users: @it
valid users = \it
valid users = @PIMPOM\it
and the same variants for write list, different combinations, etc., and cannot make it work.
If I restrict access by user instead of by group, it works; for example:
valid users = test1
write list = test1
I just need this small thing to work and I'm done.
log:
[2010/06/08 19:52:04, 3] smbd/process.c:1273(switch_message)
switch message SMBtconX (pid 11075) conn 0x0
[2010/06/08 19:52:04, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/06/08 19:52:04, 5] auth/token_util.c:522(debug_nt_user_token)
NT user token: (NULL)
[2010/06/08 19:52:04, 5] auth/token_util.c:548(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2010/06/08 19:52:04, 5] smbd/uid.c:368(change_to_root_user)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2010/06/08 19:52:04, 4] smbd/reply.c:680(reply_tcon_and_X)
Client requested device type [?????] for share [SIS]
[2010/06/08 19:52:04, 5] smbd/service.c:1216(make_connection)
making a connection to 'normal' service sistemas
[2010/06/08 19:52:04, 3] lib/access.c:362(only_ipaddrs_in_list)
only_ipaddrs_in_list: list has non-ip address (127.)
[2010/06/08 19:52:04, 3] lib/access.c:396(check_access)
check_access: hostnames in host allow/deny list.
[2010/06/08 19:52:04, 2] lib/access.c:406(check_access)
Allowed connection from 172.16.5.204 (172.16.5.204)
[2010/06/08 19:52:04, 3] lib/util_sid.c:228(string_to_sid)
string_to_sid: Sid @PIMPOM\it does not start with 'S-'.
[2010/06/08 19:52:04, 5] smbd/password.c:403(user_in_netgroup)
Unable to get default yp domain, let's try without specifying it
[2010/06/08 19:52:04, 5] smbd/password.c:407(user_in_netgroup)
looking for user test1 of domain (ANY) in netgroup PIMPOM\it
[2010/06/08 19:52:04, 5] smbd/password.c:423(user_in_netgroup)
looking for user test1 of domain (ANY) in netgroup PIMPOM\it
[2010/06/08 19:52:04, 3] smbd/sec_ctx.c:210(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/06/08 19:52:04, 3] smbd/uid.c:428(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/06/08 19:52:04, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/06/08 19:52:04, 5] auth/token_util.c:522(debug_nt_user_token)
NT user token: (NULL)
[2010/06/08 19:52:04, 5] auth/token_util.c:548(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2010/06/08 19:52:04, 5] lib/smbldap.c:1295(smbldap_search_ext)
smbldap_search_ext: base => [dc=pimpom,dc=loc], filter =>
[(&(objectClass=sambaGroupMapping)(|(displayName=it)(cn=it)))], scope
=> [2]
[2010/06/08 19:52:04, 2] passdb/pdb_ldap.c:2434(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 10001
[2010/06/08 19:52:04, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/06/08 19:52:04, 2] smbd/service.c:596(create_connection_server_info)
user 'test1' (from session setup) not permitted to access this share (SIS)
[2010/06/08 19:52:04, 1] smbd/service.c:676(make_connection_snum)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2010/06/08 19:52:04, 3] smbd/error.c:60(error_packet_set)
error packet at smbd/reply.c(689) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
[2010/06/08 19:52:04, 5] lib/util.c:632(show_msg)
[2010/06/08 19:52:04, 5] lib/util.c:642(show_msg)
My smb.conf global settings are:
[global]
workgroup = PIMPOM
server string = PDC Domain
netbios name = SMBPDC
hosts allow = 172.16.0.0/16 127.
interfaces = eth0, lo
bind interfaces only = Yes
deny hosts = 0.0.0.0
# passwd backend
encrypt passwords = yes
passdb backend = ldapsam:ldap://127.0.0.1/
enable privileges = yes
pam password change= Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %nn
*ReType*new*UNIX*password* %nn *
passwd:*all*authentication*tokens*updated*successfully*
unix password sync = Yes
# Log options
log level = 5
log file = /var/log/samba/%m.%U.log
max log size = 500
syslog = 1
# Name resolution
name resolve order = wins hosts bcast lmhost
# misc
timeserver = No
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# Dos-Attribute
map hidden = No
map system = No
map archive = No
map read only = No
store dos attributes = Yes
host msdfs = No
# printers - configured to use CUPS and automatically load them
load printers = No
printcap name =
#printing =
cups options =
show add printer wizard = No
# scripts invoked by samba
add user script = /usr/sbin/smbldap-useradd -m %u
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %m
# LDAP-iConfiguration
#ldap delete dn = Yes
ldap ssl = off
ldap passwd sync = Yes
ldap suffix = dc=pimpom,dc=loc
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=pimpom,dc=loc
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
# logon options
logon script =
logon path =
logon path =
logon home =
logon drive =
# setting up as domain controller
username map = /home/samba/usermap
preferred master = Yes
wins support = Yes
domain logons = Yes
domain master = Yes
local master = Yes
os level = 64
map acl inherit = Yes
unix charset = UTF8
password level = 6
Do you see any issues with my settings?
Thanks for your time, any help will be appreciated!!!
--
Living the dream...