[Samba] Problems with ldap groups in share folders ACCESS_DENIED
Alberto Moreno
portsbsd at gmail.com
Mon Jun 14 01:44:11 MDT 2010
On Sat, Jun 12, 2010 at 1:58 PM, Gaiseric Vandal
<gaiseric.vandal at gmail.com> wrote:
> On each machine I would try running
>
> net groupmap list
>
> net user info someuser -U Administrator
>
>
> That is to make sure that the group mappings for key groups (e.g. Domain
> Users) are set up, to verify that users are in the groups you think they
> are. You don't need group mappings for all your user groups (you will see
> warnings in logs about missing SIDs), but for the well-known groups and
> groups used in shares you will need mappings.
>
>
> I found that when I moved to samba 3.4.x that the ou=groups seemed to be
> ignored, and that the entire LDAP branch for the domain was searched for
> groups (I had had one ou for unix groups and one ou for group mappings.)
> The result was that access was broken if it required a user being in the
> "domain users" group, or "domain users" being in the local users groups on
> windows server.
>
>
>
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Alberto Moreno
> Sent: Friday, June 11, 2010 9:27 PM
> To: samba at lists.samba.org
> Subject: [Samba] Problems with ldap groups in share folders ACCESS_DENIED
>
> Hi I have been working all week with samba 3.4.7 in Centos 5.5
> PDC(3.4.7) with LDAP backend+Centos 5.5(3.4.7) BDC with LDAP slave.
>
> I already have 5 clients joined.
>
> 1 Windows XP
> 1 Windows 7 UE
> 1 Centos 5.5 Desktop
> 1 Ubuntu 9.x
> 1 Centos 5.5
>
> I can browse inside windows and see my clients, access some shares. I
> want to create private shares inside my PDC, I use:
>
> force group
> valid users
> write list
>
> I create a group with smbldap-tools name :it, add 2 users: test1,test2.
>
> Centos PDC and others are enabled to get users+groups from LDAP:
>
> id test1
> uid=10001(test1) gid=513(Domain Users) groups=513(Domain Users),10001(it)
>
> getent passwd
> root:x:0:0:root:/root:/bin/bash
> bin:x:1:1:bin:/bin:/sbin/nologin
> daemon:x:2:2:daemon:/sbin:/sbin/nologin
> adm:x:3:4:adm:/var/adm:/sbin/nologin
> lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
> sync:x:5:0:sync:/sbin:/bin/sync
> shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
> halt:x:7:0:halt:/sbin:/sbin/halt
> mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
> news:x:9:13:news:/etc/news:
> uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
> operator:x:11:0:operator:/root:/sbin/nologin
> games:x:12:100:games:/usr/games:/sbin/nologin
> gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
> ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
> nobody:x:99:99:Nobody:/:/sbin/nologin
> nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
> vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
> rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
> sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
> dbus:x:81:81:System message bus:/:/sbin/nologin
> avahi:x:70:70:Avahi daemon:/:/sbin/nologin
> haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
> avahi-autoipd:x:100:102:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
> exim:x:93:93::/var/spool/exim:/sbin/nologin
> ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
> pcap:x:77:77::/var/arpwatch:/sbin/nologin
> apache:x:48:48:Apache:/var/www:/sbin/nologin
> root:x:0:0:Netbios Domain Administrator:/home/root:/bin/false
> nobody:x:999:514:nobody:/dev/null:/bin/false
> rot:x:1004:513:System User:/home/rot:/sbin/nologin
> smbbdc$:*:1005:515:Computer:/dev/null:/bin/false
> pim-win7ue$:*:1006:515:Computer:/dev/null:/bin/false
> test1:x:10001:513:Test Test Uno:/home/test1:/sbin/nologin
> test2:x:10002:513:Test Test2:/home/test2:/bin/bash
> smbpdc$:*:1007:515:Computer:/dev/null:/bin/false
> pim-winxpa$:*:1008:515:Computer:/dev/null:/bin/false
> pim-ubuntu$:*:1009:515:Computer:/dev/null:/bin/false
> pim-centos1$:*:1010:515:Computer:/dev/null:/bin/false
>
> getent group
>
> root:x:0:root
> bin:x:1:root,bin,daemon
> daemon:x:2:root,bin,daemon
> sys:x:3:root,bin,adm
> adm:x:4:root,adm,daemon
> tty:x:5:
> disk:x:6:root
> lp:x:7:daemon,lp
> mem:x:8:
> kmem:x:9:
> wheel:x:10:root
> mail:x:12:mail,exim
> news:x:13:news
> uucp:x:14:uucp
> man:x:15:
> games:x:20:
> gopher:x:30:
> dip:x:40:
> ftp:x:50:
> lock:x:54:
> nobody:x:99:
> users:x:100:
> nscd:x:28:
> floppy:x:19:
> vcsa:x:69:
> utmp:x:22:
> utempter:x:35:
> slocate:x:21:
> audio:x:63:
> rpc:x:32:
> ecryptfs:x:101:
> sshd:x:74:
> dbus:x:81:
> avahi:x:70:
> haldaemon:x:68:
> avahi-autoipd:x:102:
> exim:x:93:
> ldap:x:55:
> screen:x:84:
> pcap:x:77:
> apache:x:48:
> Domain Admins:*:512:root
> Domain Users:*:513:test1
> Domain Guests:*:514:
> Domain Computers:*:515:
> Administrators:*:544:
> Account Operators:*:548:
> Print Operators:*:550:
> Backup Operators:*:551:
> Replicators:*:552:
> it:*:10001:test1,test2ll
>
> I can add ldap groups to directories:
>
> total 2088
> drwxrwx--- 5 root it 4096 Jun 8 19:32 it
>
> This is my smb.conf for this share:
> [sis]
> path = /opt/it
> available = Yes
> browseable = Yes
> read only = No
> guest ok = No
> writeable = Yes
> valid users = @it
> write list = @PIMPOM\it
> directory mode = 0770
>
> I have tried:
> valid users: @it
> valid users = \it
> valid users = @PIMPOM\it
>
> the same for write list, combinations, etc and cannot make this happen.
>
> If I handle this by user it works, example:
>
> valid users = test1
> write list = test1
>
> I just need this small thing to work and done.
>
> log:
>
> [2010/06/08 19:52:04, 3] smbd/process.c:1273(switch_message)
> switch message SMBtconX (pid 11075) conn 0x0
> [2010/06/08 19:52:04, 3] smbd/sec_ctx.c:310(set_sec_ctx)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/06/08 19:52:04, 5] auth/token_util.c:522(debug_nt_user_token)
> NT user token: (NULL)
> [2010/06/08 19:52:04, 5] auth/token_util.c:548(debug_unix_user_token)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2010/06/08 19:52:04, 5] smbd/uid.c:368(change_to_root_user)
> change_to_root_user: now uid=(0,0) gid=(0,0)
> [2010/06/08 19:52:04, 4] smbd/reply.c:680(reply_tcon_and_X)
> Client requested device type [?????] for share [SIS]
> [2010/06/08 19:52:04, 5] smbd/service.c:1216(make_connection)
> making a connection to 'normal' service sistemas
> [2010/06/08 19:52:04, 3] lib/access.c:362(only_ipaddrs_in_list)
> only_ipaddrs_in_list: list has non-ip address (127.)
> [2010/06/08 19:52:04, 3] lib/access.c:396(check_access)
> check_access: hostnames in host allow/deny list.
> [2010/06/08 19:52:04, 2] lib/access.c:406(check_access)
> Allowed connection from 172.16.5.204 (172.16.5.204)
> [2010/06/08 19:52:04, 3] lib/util_sid.c:228(string_to_sid)
> string_to_sid: Sid @PIMPOM\it does not start with 'S-'.
> [2010/06/08 19:52:04, 5] smbd/password.c:403(user_in_netgroup)
> Unable to get default yp domain, let's try without specifying it
> [2010/06/08 19:52:04, 5] smbd/password.c:407(user_in_netgroup)
> looking for user test1 of domain (ANY) in netgroup PIMPOM\it
> [2010/06/08 19:52:04, 5] smbd/password.c:423(user_in_netgroup)
> looking for user test1 of domain (ANY) in netgroup PIMPOM\it
> [2010/06/08 19:52:04, 3] smbd/sec_ctx.c:210(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2010/06/08 19:52:04, 3] smbd/uid.c:428(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2010/06/08 19:52:04, 3] smbd/sec_ctx.c:310(set_sec_ctx)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2010/06/08 19:52:04, 5] auth/token_util.c:522(debug_nt_user_token)
> NT user token: (NULL)
> [2010/06/08 19:52:04, 5] auth/token_util.c:548(debug_unix_user_token)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2010/06/08 19:52:04, 5] lib/smbldap.c:1295(smbldap_search_ext)
> smbldap_search_ext: base => [dc=pimpom,dc=loc], filter =>
> [(&(objectClass=sambaGroupMapping)(|(displayName=it)(cn=it)))], scope
> => [2]
> [2010/06/08 19:52:04, 2] passdb/pdb_ldap.c:2434(init_group_from_ldap)
> init_group_from_ldap: Entry found for group: 10001
> [2010/06/08 19:52:04, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/06/08 19:52:04, 2] smbd/service.c:596(create_connection_server_info)
> user 'test1' (from session setup) not permitted to access this share (SIS)
> [2010/06/08 19:52:04, 1] smbd/service.c:676(make_connection_snum)
> create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
> [2010/06/08 19:52:04, 3] smbd/error.c:60(error_packet_set)
> error packet at smbd/reply.c(689) cmd=117 (SMBtconX)
> NT_STATUS_ACCESS_DENIED
> [2010/06/08 19:52:04, 5] lib/util.c:632(show_msg)
> [2010/06/08 19:52:04, 5] lib/util.c:642(show_msg)
>
> My smb.conf general settings are:
>
> [global]
> workgroup = PIMPOM
> server string = PDC Domain
> netbios name = SMBPDC
> hosts allow = 172.16.0.0/16 127.
> interfaces = eth0, lo
> bind interfaces only = Yes
> deny hosts = 0.0.0.0
> # passwd backend
> encrypt passwords = yes
> passdb backend = ldapsam:ldap://127.0.0.1/
> enable privileges = yes
> pam password change= Yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *New*UNIX*password* %nn *ReType*new*UNIX*password* %nn *passwd:*all*authentication*tokens*updated*successfully*
> unix password sync = Yes
>
> # Log options
> log level = 5
> log file = /var/log/samba/%m.%U.log
> max log size = 500
> syslog = 1
>
> # Name resolution
> name resolve order = wins hosts bcast lmhost
>
> # misc
> timeserver = No
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> # Dos-Attribute
> map hidden = No
> map system = No
> map archive = No
> map read only = No
> store dos attributes = Yes
> host msdfs = No
> # printers - configured to use CUPS and automatically load them
> load printers = No
> printcap name =
> #printing =
> cups options =
> show add printer wizard = No
>
>
> # scripts invoked by samba
> add user script = /usr/sbin/smbldap-useradd -m %u
> delete user script = /usr/sbin/smbldap-userdel %u
> add group script = /usr/sbin/smbldap-groupadd -p %g
> delete group script = /usr/sbin/smbldap-groupdel %g
> add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
> delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
> set primary group script = /usr/sbin/smbldap-usermod -g %g %u
> add machine script = /usr/sbin/smbldap-useradd -w %m
>
> # LDAP-iConfiguration
> #ldap delete dn = Yes
> ldap ssl = off
> ldap passwd sync = Yes
> ldap suffix = dc=pimpom,dc=loc
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=Users
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> ldap admin dn = cn=Manager,dc=pimpom,dc=loc
> idmap backend = ldap:ldap://127.0.0.1
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> # logon options
> logon script =
> logon path =
> logon path =
> logon home =
> logon drive =
>
> # setting up as domain controller
> username map = /home/samba/usermap
> preferred master = Yes
> wins support = Yes
> domain logons = Yes
> domain master = Yes
> local master = Yes
> os level = 64
> map acl inherit = Yes
> unix charset = UTF8
> password level = 6
>
> Do you see any issues with my settings?
>
> Thanks for your time, any help will be appreciated!!!
> --
> Living the dream...
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
mmm interesting.
In this case you have something like:
ou=Group
ou=Groups
under the same domain?
How do you handle this, or could you explain it in more detail? I would
appreciate it, thanks!!!
--
Living the dream...
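Gaiseric's advice in the thread is to verify, with `net groupmap list` and the NSS group database, that every group a share refers to both resolves to a UNIX group and has a Samba group mapping, since `valid users = @group` is matched against the user's token and an unmapped group never ends up in it. The following is an added example, not code from the thread or from Samba: a Python audit that parses the share sections of smb.conf, pulls the group references out of `valid users`, `invalid users`, `read list`, `write list` and `force group` (honouring the `@`, `+`, `&` and `DOMAIN\name` spellings the poster tried), and reports any group that has no UNIX group or no mapping. The smb.conf, `net groupmap list` and `getent group` texts are constructed samples in the shape of Samba 3.x output (`<NT name> (<SID>) -> <unix group>`); on a real PDC you would feed in the live command output instead.

```python
"""Audit smb.conf group references against `net groupmap list` and `getent group`.

Added example for the thread above; not Samba's code.  All three inputs below
are constructed samples, shaped like Samba 3.x / glibc output.
"""
import re
from configparser import ConfigParser

# Constructed smb.conf fragment: [sis] mirrors the poster's share, [finance] is invented.
SMB_CONF = """
[global]
workgroup = PIMPOM
passdb backend = ldapsam:ldap://127.0.0.1/

[sis]
path = /opt/it
valid users = @it, @PIMPOM\\it
write list = +it
force group = it
read only = No

[finance]
path = /opt/finance
valid users = @finance &nisfin
write list = @accounting
read only = No
"""

# Constructed `net groupmap list` output: note that "it" has no mapping here.
NET_GROUPMAP_LIST = """\
Domain Admins (S-1-5-21-1000000001-1000000002-1000000003-512) -> Domain Admins
Domain Users (S-1-5-21-1000000001-1000000002-1000000003-513) -> Domain Users
finance (S-1-5-21-1000000001-1000000002-1000000003-3001) -> finance
"""

# Constructed `getent group` output: "accounting" is missing on purpose.
GETENT_GROUP = """\
Domain Users:*:513:test1
finance:*:10002:alice
it:*:10001:test1,test2
"""

GROUP_OPTIONS = ("valid users", "invalid users", "write list", "read list", "force group")
_MAP_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-[0-9-]+)\) -> (?P<unix>.+)$")


def parse_groupmap(text):
    """Return {unix_group_lower: (nt_name, sid)} from `net groupmap list` output."""
    mappings = {}
    for line in text.splitlines():
        m = _MAP_RE.match(line.strip())
        if m:
            mappings[m.group("unix").lower()] = (m.group("nt"), m.group("sid"))
    return mappings


def parse_getent_group(text):
    """Return {group_lower: gid} from `getent group` output."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            groups[fields[0].lower()] = int(fields[2])
    return groups


def group_tokens(value):
    """Yield (raw_token, name, mode) for each name in a share option value.

    smb.conf prefixes: '@' = NIS netgroup first, then UNIX group; '+' = UNIX
    group only; '&' = netgroup only.  A 'DOMAIN\\name' qualifier is stripped,
    because the UNIX/LDAP lookup is done on the bare name.
    """
    for raw in re.split(r"[\s,]+", value.strip()):
        if not raw:
            continue
        prefix, name = "", raw
        while name and name[0] in "@+&":
            prefix, name = prefix + name[0], name[1:]
        name = name.split("\\")[-1]
        if "&" in prefix and "+" not in prefix and "@" not in prefix:
            yield raw, name, "netgroup"
        elif prefix:
            yield raw, name, "group"
        else:
            yield raw, name, "user"


def audit_shares(smb_conf, groupmap_text, getent_text):
    """Return (share, option, token, finding) for every group reference that
    cannot resolve the way the share expects."""
    cp = ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(smb_conf)
    mappings = parse_groupmap(groupmap_text)
    unix_groups = parse_getent_group(getent_text)
    findings = []
    for share in cp.sections():
        if share.lower() == "global":
            continue
        for option in GROUP_OPTIONS:
            if not cp.has_option(share, option):
                continue
            for raw, name, mode in group_tokens(cp.get(share, option)):
                if option == "force group" and mode == "user":
                    mode = "group"  # force group takes a bare group name
                if mode != "group":
                    continue  # plain users and netgroup-only names are out of scope
                key = name.lower()
                if key not in unix_groups:
                    findings.append((share, option, raw, "no UNIX group (check nsswitch/LDAP)"))
                elif key not in mappings:
                    findings.append((share, option, raw, "no sambaGroupMapping (net groupmap add)"))
    return findings


if __name__ == "__main__":
    for share, option, token, finding in audit_shares(SMB_CONF, NET_GROUPMAP_LIST, GETENT_GROUP):
        print(f"[{share}] {option} = {token}: {finding}")
```

A `no sambaGroupMapping` line means the group needs `net groupmap add ntgroup="it" unixgroup=it type=domain` (with ldapsam and smbldap-tools, that is an LDAP group entry carrying the sambaGroupMapping objectClass, which is what the `smbldap_search_ext` filter in the posted log is looking for) before `@it` can match anything in the user's token. The `@name` form also makes smbd try a NIS netgroup first, which is where the `user_in_netgroup` lines in the log come from; `+name` restricts the lookup to the UNIX group.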