[Samba] Problems with ldap groups in share folders ACCESS_DENIED

Gaiseric Vandal gaiseric.vandal at gmail.com
Sat Jun 12 14:58:54 MDT 2010


On each machine I would try running
	
	net groupmap list 
	
	net user info someuser -U Administrator


That is to make sure that the group mappings for key groups (e.g. Domain
Users) are set up, and to verify that users are in the groups you think they
are.   You don't need group mappings for all your user groups (you will see
warnings in the logs about missing SIDs), but for the well-known groups and
the groups used in shares you will need mappings.


I found that when I moved to samba 3.4.x the ou=groups seemed to be
ignored, and that the entire LDAP branch for the domain was searched for
groups (I had had one ou for unix groups and one ou for group mappings).
The result was that access was broken if it required a user being in the
"domain users" group, or "domain users" being in the local users group on the
windows server.



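A way to script the check described above, added here as an example and not code from the thread or from Samba: pull every group name that the share definitions reference (valid users, invalid users, write list, read list, force group), strip the @/+/& marker and any DOMAIN\ prefix, and compare the result against the Unix-group column of `net groupmap list`. Both inputs are constructed samples: the smb.conf fragment mirrors the poster's [sis] share plus a made-up [public] share, and the groupmap output uses made-up SIDs. The script assumes `net groupmap list` prints one `NT name (SID) -> unixgroup` line per mapping and that list-valued share options are comma-separated.

```shell
#!/bin/sh
# Added example, not code from the thread. Reports Unix groups that share
# definitions reference but that `net groupmap list` has no mapping for.
# Assumptions: `net groupmap list` prints one "NT name (SID) -> unixgroup"
# line per mapping; list-valued share options are comma-separated.

# Constructed smb.conf fragment (mirrors the poster's [sis] share; [public]
# is made up to show a mapped group and a plain user entry being skipped).
SAMPLE_SMBCONF='[global]
        workgroup = PIMPOM
[sis]
        path = /opt/it
        valid users = @it
        write list = @PIMPOM\it
[public]
        path = /srv/public
        valid users = @"Domain Users", test1
        force group = it'

# Constructed `net groupmap list` output: only the well-known groups are
# mapped, "it" is not. SIDs are made up.
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1111-2222-3333-512) -> Domain Admins
Domain Users (S-1-5-21-1111-2222-3333-513) -> Domain Users
Domain Guests (S-1-5-21-1111-2222-3333-514) -> Domain Guests
Domain Computers (S-1-5-21-1111-2222-3333-515) -> Domain Computers'

# $1: smb.conf text. Prints each Unix group a share option refers to, one
# per line, deduplicated. "@", "+" and "&" markers and any DOMAIN\ part are
# stripped; bare user names on valid users / write list are ignored.
extract_share_groups() {
    printf '%s\n' "$1" | awk -F'=' '
        /^[ \t]*(valid users|invalid users|write list|read list|force group)[ \t]*=/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            n = split(val, toks, /,/)
            for (i = 1; i <= n; i++) {
                t = toks[i]
                gsub(/^[ \t]+|[ \t]+$/, "", t)          # trim whitespace
                gsub(/"/, "", t)                        # drop quoting
                if (t ~ /^[@+&]/) t = substr(t, 2)      # group/netgroup marker
                else if ($1 !~ /force group/) continue  # plain user entry, skip
                p = index(t, "\\")                      # DOMAIN\group -> group
                if (p) t = substr(t, p + 1)
                if (t != "") print t
            }
        }' | sort -u
}

# $1: `net groupmap list` output. Prints the mapped Unix group names.
extract_mapped_groups() {
    printf '%s\n' "$1" | awk -F' -> ' 'NF >= 2 { print $2 }' | sort -u
}

# $1: smb.conf text, $2: groupmap output. Prints referenced groups with no mapping.
unmapped_share_groups() {
    extract_share_groups "$1" | while IFS= read -r g; do
        extract_mapped_groups "$2" | grep -Fxq -- "$g" || printf '%s\n' "$g"
    done
}

# On a real PDC:
#   unmapped_share_groups "$(cat /etc/samba/smb.conf)" "$(net groupmap list)"
unmapped_share_groups "$SAMPLE_SMBCONF" "$SAMPLE_GROUPMAP"
```

For the sample data the script prints `it`: the only group the shares depend on that the mapping table does not know about. Groups named with spaces must be quoted in smb.conf (`@"Domain Users"`), which is why the parser strips quotes before comparing.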

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Alberto Moreno
Sent: Friday, June 11, 2010 9:27 PM
To: samba at lists.samba.org
Subject: [Samba] Problems with ldap groups in share folders ACCESS_DENIED

Hi, I have been working all week with samba 3.4.7 on Centos 5.5:
a PDC (3.4.7) with LDAP backend + a Centos 5.5 (3.4.7) BDC with LDAP slave.

I already have 5 clients joined.

1 Windows XP
1 Windows 7 UE
1 Centos 5.5 Desktop
1 Ubuntu 9.x
1 Centos 5.5

I can browse inside windows and see my clients, access some shares. I
want to create private shares inside my PDC, I use:

force group
valid users
write list

I create a group with smbldap-tools named it and add 2 users: test1, test2.

Centos PDC and others are able to get users+groups from LDAP:

id test1
uid=10001(test1) gid=513(Domain Users) groups=513(Domain Users),10001(it)

getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi-autoipd:x:100:102:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
exim:x:93:93::/var/spool/exim:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
pcap:x:77:77::/var/arpwatch:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
root:x:0:0:Netbios Domain Administrator:/home/root:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
rot:x:1004:513:System User:/home/rot:/sbin/nologin
smbbdc$:*:1005:515:Computer:/dev/null:/bin/false
pim-win7ue$:*:1006:515:Computer:/dev/null:/bin/false
test1:x:10001:513:Test Test Uno:/home/test1:/sbin/nologin
test2:x:10002:513:Test Test2:/home/test2:/bin/bash
smbpdc$:*:1007:515:Computer:/dev/null:/bin/false
pim-winxpa$:*:1008:515:Computer:/dev/null:/bin/false
pim-ubuntu$:*:1009:515:Computer:/dev/null:/bin/false
pim-centos1$:*:1010:515:Computer:/dev/null:/bin/false

getent group

root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
mail:x:12:mail,exim
news:x:13:news
uucp:x:14:uucp
man:x:15:
games:x:20:
gopher:x:30:
dip:x:40:
ftp:x:50:
lock:x:54:
nobody:x:99:
users:x:100:
nscd:x:28:
floppy:x:19:
vcsa:x:69:
utmp:x:22:
utempter:x:35:
slocate:x:21:
audio:x:63:
rpc:x:32:
ecryptfs:x:101:
sshd:x:74:
dbus:x:81:
avahi:x:70:
haldaemon:x:68:
avahi-autoipd:x:102:
exim:x:93:
ldap:x:55:
screen:x:84:
pcap:x:77:
apache:x:48:
Domain Admins:*:512:root
Domain Users:*:513:test1
Domain Guests:*:514:
Domain Computers:*:515:
Administrators:*:544:
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:
Replicators:*:552:
it:*:10001:test1,test2ll

I can add ldap groups to directories:

total 2088
drwxrwx--- 5 root     it              4096 Jun  8 19:32 it

This is my smb.conf for this share:
[sis]
        path = /opt/it
        available = Yes
        browseable = Yes
        read only = No
        guest ok = No
        writeable = Yes
        valid users = @it
        write list = @PIMPOM\it
        directory mode = 0770

I have tried:
valid users: @it
valid users = \it
valid users = @PIMPOM\it

the same for write list, combinations, etc., and cannot make this happen.

If I handle this by user it works, for example:

        valid users = test1
        write list = test1

I just need this small thing to work and done.

log:

[2010/06/08 19:52:04,  3] smbd/process.c:1273(switch_message)
  switch message SMBtconX (pid 11075) conn 0x0
[2010/06/08 19:52:04,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/06/08 19:52:04,  5] auth/token_util.c:522(debug_nt_user_token)
  NT user token: (NULL)
[2010/06/08 19:52:04,  5] auth/token_util.c:548(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2010/06/08 19:52:04,  5] smbd/uid.c:368(change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2010/06/08 19:52:04,  4] smbd/reply.c:680(reply_tcon_and_X)
  Client requested device type [?????] for share [SIS]
[2010/06/08 19:52:04,  5] smbd/service.c:1216(make_connection)
  making a connection to 'normal' service sistemas
[2010/06/08 19:52:04,  3] lib/access.c:362(only_ipaddrs_in_list)
  only_ipaddrs_in_list: list has non-ip address (127.)
[2010/06/08 19:52:04,  3] lib/access.c:396(check_access)
  check_access: hostnames in host allow/deny list.
[2010/06/08 19:52:04,  2] lib/access.c:406(check_access)
  Allowed connection from 172.16.5.204 (172.16.5.204)
[2010/06/08 19:52:04,  3] lib/util_sid.c:228(string_to_sid)
  string_to_sid: Sid @PIMPOM\it does not start with 'S-'.
[2010/06/08 19:52:04,  5] smbd/password.c:403(user_in_netgroup)
  Unable to get default yp domain, let's try without specifying it
[2010/06/08 19:52:04,  5] smbd/password.c:407(user_in_netgroup)
  looking for user test1 of domain (ANY) in netgroup PIMPOM\it
[2010/06/08 19:52:04,  5] smbd/password.c:423(user_in_netgroup)
  looking for user test1 of domain (ANY) in netgroup PIMPOM\it
[2010/06/08 19:52:04,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/06/08 19:52:04,  3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/06/08 19:52:04,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/06/08 19:52:04,  5] auth/token_util.c:522(debug_nt_user_token)
  NT user token: (NULL)
[2010/06/08 19:52:04,  5] auth/token_util.c:548(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2010/06/08 19:52:04,  5] lib/smbldap.c:1295(smbldap_search_ext)
  smbldap_search_ext: base => [dc=pimpom,dc=loc], filter =>
[(&(objectClass=sambaGroupMapping)(|(displayName=it)(cn=it)))], scope
=> [2]
[2010/06/08 19:52:04,  2] passdb/pdb_ldap.c:2434(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 10001
[2010/06/08 19:52:04,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/06/08 19:52:04,  2] smbd/service.c:596(create_connection_server_info)
  user 'test1' (from session setup) not permitted to access this share (SIS)
[2010/06/08 19:52:04,  1] smbd/service.c:676(make_connection_snum)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2010/06/08 19:52:04,  3] smbd/error.c:60(error_packet_set)
  error packet at smbd/reply.c(689) cmd=117 (SMBtconX)
NT_STATUS_ACCESS_DENIED
[2010/06/08 19:52:04,  5] lib/util.c:632(show_msg)
[2010/06/08 19:52:04,  5] lib/util.c:642(show_msg)

My smb.conf general settings are:

[global]
        workgroup = PIMPOM
        server string = PDC Domain
        netbios name = SMBPDC
        hosts allow = 172.16.0.0/16 127.
        interfaces = eth0, lo
        bind interfaces only = Yes
        deny hosts = 0.0.0.0
# passwd backend
        encrypt passwords = yes
        passdb backend = ldapsam:ldap://127.0.0.1/
        enable privileges = yes
        pam password change= Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*UNIX*password* %nn *ReType*new*UNIX*password* %nn * passwd:*all*authentication*tokens*updated*successfully*
        unix password sync = Yes

# Log options
        log level = 5
        log file = /var/log/samba/%m.%U.log
        max log size = 500
        syslog = 1

# Name resolution
        name resolve order = wins hosts bcast lmhost

# misc
        timeserver = No
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# Dos-Attribute
        map hidden = No
        map system = No
        map archive = No
        map read only = No
        store dos attributes = Yes
        host msdfs = No
# printers - configured to use CUPS and automatically load them
        load printers = No
        printcap name =
#printing =
        cups options =
        show add printer wizard = No


# scripts invoked by samba
        add user script = /usr/sbin/smbldap-useradd -m %u
        delete user script = /usr/sbin/smbldap-userdel %u
        add group script = /usr/sbin/smbldap-groupadd -p %g
        delete group script = /usr/sbin/smbldap-groupdel %g
        add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
        delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
        set primary group script = /usr/sbin/smbldap-usermod -g %g %u
        add machine script = /usr/sbin/smbldap-useradd -w %m

# LDAP-iConfiguration
#ldap delete dn = Yes
        ldap ssl = off
        ldap passwd sync = Yes
        ldap suffix = dc=pimpom,dc=loc
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=Users
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap admin dn = cn=Manager,dc=pimpom,dc=loc
        idmap backend = ldap:ldap://127.0.0.1
        idmap uid = 10000-20000
        idmap gid = 10000-20000
# logon options
        logon script =
        logon path =
        logon path =
        logon home =
        logon drive =

# setting up as domain controller
        username map = /home/samba/usermap
        preferred master = Yes
        wins support = Yes
        domain logons = Yes
        domain master = Yes
        local master = Yes
        os level = 64
        map acl inherit = Yes
        unix charset = UTF8
        password level = 6

Do you see any issues with my settings?

Thanks for your time, any help will be appreciated!!!
-- 
Living the dream...