[Samba] Fwd: Problems with ldap groups in share folders ACCESS_DENIED

Alberto Moreno portsbsd at gmail.com
Mon Jun 14 10:18:53 MDT 2010


On Mon, Jun 14, 2010 at 8:41 AM, Gaiseric Vandal
<gaiseric.vandal at gmail.com> wrote:
> On 06/14/2010 03:44 AM, Alberto Moreno wrote:
>>
>> On Sat, Jun 12, 2010 at 1:58 PM, Gaiseric Vandal
>> <gaiseric.vandal at gmail.com>  wrote:
>>
>>>
>>> On each machine I would try running
>>>
>>>        net groupmap list
>>>
>>>        net user info someuser -U Administrator
>>>
>>>
>>> That is to make sure that the group mappings for key groups (e.g. Domain
>>> Users) are set up, and to verify that users are in the groups you think
>>> they are. You don't need group mappings for all your user groups (you will
>>> see warnings in logs about missing SIDs), but for the well-known groups and
>>> groups used in shares you will need mappings.
>>>
>>>
>>> I found that when I moved to samba 3.4.x the ou=groups seemed to be
>>> ignored, and that the entire LDAP branch for the domain was searched for
>>> groups (I had had one ou for unix groups and one ou for group mappings.)
>>> The result was that access was broken if it required a user being in the
>>> "domain users" group, or "domain users" being in the local users group on
>>> the Windows server.
>>>
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: samba-bounces at lists.samba.org
>>> [mailto:samba-bounces at lists.samba.org]
>>> On Behalf Of Alberto Moreno
>>> Sent: Friday, June 11, 2010 9:27 PM
>>> To: samba at lists.samba.org
>>> Subject: [Samba] Problems with ldap groups in share folders ACCESS_DENIED
>>>
>>> Hi, I have been working all week with Samba 3.4.7 on CentOS 5.5:
>>> a PDC (3.4.7) with LDAP backend, plus a CentOS 5.5 (3.4.7) BDC with an LDAP slave.
>>>
>>> I already have 5 clients joined.
>>>
>>> 1 Windows XP
>>> 1 Windows 7 UE
>>> 1 Centos 5.5 Desktop
>>> 1 Ubuntu 9.x
>>> 1 Centos 5.5
>>>
>>> I can browse inside Windows and see my clients, and access some shares. I
>>> want to create private shares on my PDC; I use:
>>>
>>> force group
>>> valid users
>>> write list
>>>
>>> I created a group named "it" with smbldap-tools and added 2 users: test1, test2.
>>>
>>> The CentOS PDC and the others are able to get users+groups from LDAP:
>>>
>>> id test1
>>> uid=10001(test1) gid=513(Domain Users) groups=513(Domain Users),10001(it)
>>>
>>> getent passwd
>>> root:x:0:0:root:/root:/bin/bash
>>> bin:x:1:1:bin:/bin:/sbin/nologin
>>> daemon:x:2:2:daemon:/sbin:/sbin/nologin
>>> adm:x:3:4:adm:/var/adm:/sbin/nologin
>>> lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
>>> sync:x:5:0:sync:/sbin:/bin/sync
>>> shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
>>> halt:x:7:0:halt:/sbin:/sbin/halt
>>> mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
>>> news:x:9:13:news:/etc/news:
>>> uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
>>> operator:x:11:0:operator:/root:/sbin/nologin
>>> games:x:12:100:games:/usr/games:/sbin/nologin
>>> gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
>>> ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
>>> nobody:x:99:99:Nobody:/:/sbin/nologin
>>> nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
>>> vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
>>> rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
>>> sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
>>> dbus:x:81:81:System message bus:/:/sbin/nologin
>>> avahi:x:70:70:Avahi daemon:/:/sbin/nologin
>>> haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
>>>
>>> avahi-autoipd:x:100:102:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
>>> exim:x:93:93::/var/spool/exim:/sbin/nologin
>>> ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
>>> pcap:x:77:77::/var/arpwatch:/sbin/nologin
>>> apache:x:48:48:Apache:/var/www:/sbin/nologin
>>> root:x:0:0:Netbios Domain Administrator:/home/root:/bin/false
>>> nobody:x:999:514:nobody:/dev/null:/bin/false
>>> rot:x:1004:513:System User:/home/rot:/sbin/nologin
>>> smbbdc$:*:1005:515:Computer:/dev/null:/bin/false
>>> pim-win7ue$:*:1006:515:Computer:/dev/null:/bin/false
>>> test1:x:10001:513:Test Test Uno:/home/test1:/sbin/nologin
>>> test2:x:10002:513:Test Test2:/home/test2:/bin/bash
>>> smbpdc$:*:1007:515:Computer:/dev/null:/bin/false
>>> pim-winxpa$:*:1008:515:Computer:/dev/null:/bin/false
>>> pim-ubuntu$:*:1009:515:Computer:/dev/null:/bin/false
>>> pim-centos1$:*:1010:515:Computer:/dev/null:/bin/false
>>>
>>> getent group
>>>
>>> root:x:0:root
>>> bin:x:1:root,bin,daemon
>>> daemon:x:2:root,bin,daemon
>>> sys:x:3:root,bin,adm
>>> adm:x:4:root,adm,daemon
>>> tty:x:5:
>>> disk:x:6:root
>>> lp:x:7:daemon,lp
>>> mem:x:8:
>>> kmem:x:9:
>>> wheel:x:10:root
>>> mail:x:12:mail,exim
>>> news:x:13:news
>>> uucp:x:14:uucp
>>> man:x:15:
>>> games:x:20:
>>> gopher:x:30:
>>> dip:x:40:
>>> ftp:x:50:
>>> lock:x:54:
>>> nobody:x:99:
>>> users:x:100:
>>> nscd:x:28:
>>> floppy:x:19:
>>> vcsa:x:69:
>>> utmp:x:22:
>>> utempter:x:35:
>>> slocate:x:21:
>>> audio:x:63:
>>> rpc:x:32:
>>> ecryptfs:x:101:
>>> sshd:x:74:
>>> dbus:x:81:
>>> avahi:x:70:
>>> haldaemon:x:68:
>>> avahi-autoipd:x:102:
>>> exim:x:93:
>>> ldap:x:55:
>>> screen:x:84:
>>> pcap:x:77:
>>> apache:x:48:
>>> Domain Admins:*:512:root
>>> Domain Users:*:513:test1
>>> Domain Guests:*:514:
>>> Domain Computers:*:515:
>>> Administrators:*:544:
>>> Account Operators:*:548:
>>> Print Operators:*:550:
>>> Backup Operators:*:551:
>>> Replicators:*:552:
>>> it:*:10001:test1,test2ll
>>>
>>> I can add LDAP groups to directories:
>>>
>>> total 2088
>>> drwxrwx--- 5 root     it              4096 Jun  8 19:32 it
>>>
>>> This is my smb.conf for this share:
>>> [sis]
>>>        path = /opt/it
>>>        available = Yes
>>>        browseable = Yes
>>>        read only = No
>>>        guest ok = No
>>>        writeable = Yes
>>>        valid users = @it
>>>        write list = @PIMPOM\it
>>>        directory mode = 0770
>>>
>>> I have tried:
>>> valid users: @it
>>> valid users = \it
>>> valid users = @PIMPOM\it
>>>
>>> and the same for write list, combinations, etc., and cannot make this happen.
>>>
>>> If I handle this by user it works, example:
>>>
>>>        valid users = test1
>>>        write list = test1
>>>
>>> I just need this small thing to work and done.
>>>
>>> log:
>>>
>>> [2010/06/08 19:52:04,  3] smbd/process.c:1273(switch_message)
>>>  switch message SMBtconX (pid 11075) conn 0x0
>>> [2010/06/08 19:52:04,  3] smbd/sec_ctx.c:310(set_sec_ctx)
>>>  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>>> [2010/06/08 19:52:04,  5] auth/token_util.c:522(debug_nt_user_token)
>>>  NT user token: (NULL)
>>> [2010/06/08 19:52:04,  5] auth/token_util.c:548(debug_unix_user_token)
>>>  UNIX token of user 0
>>>  Primary group is 0 and contains 0 supplementary groups
>>> [2010/06/08 19:52:04,  5] smbd/uid.c:368(change_to_root_user)
>>>  change_to_root_user: now uid=(0,0) gid=(0,0)
>>> [2010/06/08 19:52:04,  4] smbd/reply.c:680(reply_tcon_and_X)
>>>  Client requested device type [?????] for share [SIS]
>>> [2010/06/08 19:52:04,  5] smbd/service.c:1216(make_connection)
>>>  making a connection to 'normal' service sistemas
>>> [2010/06/08 19:52:04,  3] lib/access.c:362(only_ipaddrs_in_list)
>>>  only_ipaddrs_in_list: list has non-ip address (127.)
>>> [2010/06/08 19:52:04,  3] lib/access.c:396(check_access)
>>>  check_access: hostnames in host allow/deny list.
>>> [2010/06/08 19:52:04,  2] lib/access.c:406(check_access)
>>>  Allowed connection from 172.16.5.204 (172.16.5.204)
>>> [2010/06/08 19:52:04,  3] lib/util_sid.c:228(string_to_sid)
>>>  string_to_sid: Sid @PIMPOM\it does not start with 'S-'.
>>> [2010/06/08 19:52:04,  5] smbd/password.c:403(user_in_netgroup)
>>>  Unable to get default yp domain, let's try without specifying it
>>> [2010/06/08 19:52:04,  5] smbd/password.c:407(user_in_netgroup)
>>>  looking for user test1 of domain (ANY) in netgroup PIMPOM\it
>>> [2010/06/08 19:52:04,  5] smbd/password.c:423(user_in_netgroup)
>>>  looking for user test1 of domain (ANY) in netgroup PIMPOM\it
>>> [2010/06/08 19:52:04,  3] smbd/sec_ctx.c:210(push_sec_ctx)
>>>  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>>> [2010/06/08 19:52:04,  3] smbd/uid.c:428(push_conn_ctx)
>>>  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>>> [2010/06/08 19:52:04,  3] smbd/sec_ctx.c:310(set_sec_ctx)
>>>  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
>>> [2010/06/08 19:52:04,  5] auth/token_util.c:522(debug_nt_user_token)
>>>  NT user token: (NULL)
>>> [2010/06/08 19:52:04,  5] auth/token_util.c:548(debug_unix_user_token)
>>>  UNIX token of user 0
>>>  Primary group is 0 and contains 0 supplementary groups
>>> [2010/06/08 19:52:04,  5] lib/smbldap.c:1295(smbldap_search_ext)
>>>  smbldap_search_ext: base => [dc=pimpom,dc=loc], filter => [(&(objectClass=sambaGroupMapping)(|(displayName=it)(cn=it)))], scope => [2]
>>> [2010/06/08 19:52:04,  2] passdb/pdb_ldap.c:2434(init_group_from_ldap)
>>>  init_group_from_ldap: Entry found for group: 10001
>>> [2010/06/08 19:52:04,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
>>>  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>>> [2010/06/08 19:52:04,  2] smbd/service.c:596(create_connection_server_info)
>>>  user 'test1' (from session setup) not permitted to access this share (SIS)
>>> [2010/06/08 19:52:04,  1] smbd/service.c:676(make_connection_snum)
>>>  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
>>> [2010/06/08 19:52:04,  3] smbd/error.c:60(error_packet_set)
>>>  error packet at smbd/reply.c(689) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
>>> [2010/06/08 19:52:04,  5] lib/util.c:632(show_msg)
>>> [2010/06/08 19:52:04,  5] lib/util.c:642(show_msg)
>>>
>>> My smb.conf general settings are:
>>>
>>> [global]
>>>        workgroup = PIMPOM
>>>        server string = PDC Domain
>>>        netbios name = SMBPDC
>>>        hosts allow = 172.16.0.0/16 127.
>>>        interfaces = eth0, lo
>>>        bind interfaces only = Yes
>>>        deny hosts = 0.0.0.0
>>> # passwd backend
>>>        encrypt passwords = yes
>>>        passdb backend = ldapsam:ldap://127.0.0.1/
>>>        enable privileges = yes
>>>        pam password change= Yes
>>>        passwd program = /usr/bin/passwd %u
>>>        passwd chat = *New*UNIX*password* %nn
>>> *ReType*new*UNIX*password* %nn *
>>> passwd:*all*authentication*tokens*updated*successfully*
>>>        unix password sync = Yes
>>>
>>> # Log options
>>>        log level = 5
>>>        log file = /var/log/samba/%m.%U.log
>>>        max log size = 500
>>>        syslog = 1
>>>
>>> # Name resolution
>>>        name resolve order = wins hosts bcast lmhost
>>>
>>> # misc
>>>        timeserver = No
>>>        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>> # Dos-Attribute
>>>        map hidden = No
>>>        map system = No
>>>        map archive = No
>>>        map read only = No
>>>        store dos attributes = Yes
>>>        host msdfs = No
>>> # printers - configured to use CUPS and automatically load them
>>>        load printers = No
>>>        printcap name =
>>> #printing =
>>>        cups options =
>>>        show add printer wizard = No
>>>
>>>
>>> # scripts invoked by samba
>>>        add user script = /usr/sbin/smbldap-useradd -m %u
>>>        delete user script = /usr/sbin/smbldap-userdel %u
>>>        add group script = /usr/sbin/smbldap-groupadd -p %g
>>>        delete group script = /usr/sbin/smbldap-groupdel %g
>>>        add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
>>>        delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
>>>        set primary group script = /usr/sbin/smbldap-usermod -g %g %u
>>>        add machine script = /usr/sbin/smbldap-useradd -w %m
>>>
>>> # LDAP-iConfiguration
>>> #ldap delete dn = Yes
>>>        ldap ssl = off
>>>        ldap passwd sync = Yes
>>>        ldap suffix = dc=pimpom,dc=loc
>>>        ldap machine suffix = ou=Computers
>>>        ldap user suffix = ou=Users
>>>        ldap group suffix = ou=Groups
>>>        ldap idmap suffix = ou=Idmap
>>>        ldap admin dn = cn=Manager,dc=pimpom,dc=loc
>>>        idmap backend = ldap:ldap://127.0.0.1
>>>        idmap uid = 10000-20000
>>>        idmap gid = 10000-20000
>>> # logon options
>>>        logon script =
>>>        logon path =
>>>        logon path =
>>>        logon home =
>>>        logon drive =
>>>
>>> # setting up as domain controller
>>>        username map = /home/samba/usermap
>>>        preferred master = Yes
>>>        wins support = Yes
>>>        domain logons = Yes
>>>        domain master = Yes
>>>        local master = Yes
>>>        os level = 64
>>>        map acl inherit = Yes
>>>        unix charset = UTF8
>>>        password level = 6
>>>
>>> Do you see any issues with my settings?
>>>
>>> Thanks for your time, any help will be appreciated!!!
>>> --
>>> Living the dream...
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>
>>
>> Hmm, interesting.
>>
>> In this case you have something like:
>>
>> ou=Group
>> ou=Groups
>>
>> under the same domain?
>>
>> How do you handle this, or could you explain it in more detail? I would
>> appreciate it, thanks!!!
>>
>>
>
> You need to see what groups are in each OU. You will need to consolidate
> into one OU or the other. You may need to update smb.conf (for Samba)
> and/or /etc/ldap.conf (for Linux client LDAP authentication).
>
>
> I would consolidate everything into "ou=group" so that you don't break any
> Linux LDAP client functionality.
>
>
>      1 - export the contents of "ou=groups" to an ldif file
>      2 - delete ou=groups from ldap
>      3 - make a backup of the ldif file, then edit the ldif file to remove
>          groups already defined in "ou=group". Change text strings "ou=groups" to
>          "ou=group" and reimport the file into LDAP.
>
>

I was thinking it would be more complicated.

Hey, what distro are you using?
Do you already have this in production?

Thanks!!!

-- 
Living the dream...
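Added example, not from the thread and not Samba's own code: the "valid users" / "write list" entries discussed above, evaluated by the rules smb.conf(5) documents for the list prefixes. The "@" prefix makes smbd try a NIS netgroup first and a UNIX group second, which matches the posted log: smbd tries the entry "@PIMPOM\it" as a SID string, then as a netgroup, then searches LDAP for a sambaGroupMapping named "it". Two things worth checking against the posted getent output: "getent group" only prints explicitly listed members, so test2 missing from "Domain Users:*:513:test1" is normal when 513 is his primary gid (getgrouplist(3) does count it); and with "read only = No" every valid user already has write access, so the "write list" line in [sis] never takes effect. The passwd and group data are a constructed subset of the getent output in the thread; netgroups are represented by a plain dict since NIS is not involved, and the handling of a "DOMAIN\group" prefix (stripped for the local workgroup, left alone otherwise) is a simplification made for this example.

```python
"""Evaluate Samba name lists ('valid users', 'write list') by the rules in
smb.conf(5): '@name' = NIS netgroup first, then UNIX group; '+name' = UNIX
group only; '&name' = netgroup only; a bare 'name' is one user.  The sample
data is constructed from the getent output in the thread; this models the
documented rules and is not smbd's own code."""

WORKGROUP = "PIMPOM"  # 'workgroup =' from the posted [global] section

# Constructed subset of the posted 'getent passwd' / 'getent group' output.
# test2's primary gid is 513 although 'Domain Users:*:513:test1' does not
# list him: getgrouplist(3) counts the primary gid, 'getent group' does not.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
test1:x:10001:513:Test Test Uno:/home/test1:/sbin/nologin
test2:x:10002:513:Test Test2:/home/test2:/bin/bash
"""
GROUP = """\
Domain Admins:*:512:root
Domain Users:*:513:test1
it:*:10001:test1,test2
"""

def _fields(text):
    return [line.split(":") for line in text.splitlines() if line.strip()]

PASSWD_DB = {f[0]: int(f[3]) for f in _fields(PASSWD)}  # user -> primary gid
GROUP_DB = {f[0]: (int(f[2]), {m for m in f[3].split(",") if m})  # -> (gid, members)
            for f in _fields(GROUP)}

def unix_groups_of(user, passwd=PASSWD_DB, groups=GROUP_DB):
    """Every UNIX group of the user, like getgrouplist(3): the primary gid
    plus each group whose member list names the user."""
    if user not in passwd:
        return set()
    return {g for g, (gid, members) in groups.items()
            if gid == passwd[user] or user in members}

def parse_list(value):
    """Split an smb.conf list on whitespace/commas the way Samba's tokenizer
    does: double quotes bind characters into one token and are dropped, so
    +"Domain Users" becomes '+Domain Users'."""
    tokens, cur, quoted = [], "", False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch in " \t," and not quoted:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    return tokens + [cur] if cur else tokens

def strip_domain(name, workgroup=WORKGROUP):
    """'PIMPOM\\it' -> 'it' for the local workgroup.  Assumption of this
    example: a foreign-domain prefix is kept as-is and therefore never matches."""
    dom, sep, short = name.partition("\\")
    return short if sep and dom.upper() == workgroup.upper() else name

def user_in_list(user, entries, netgroups=None):
    """True if 'user' matches any entry under the smb.conf(5) prefix rules.
    'netgroups' stands in for the NIS netgroup map: {netgroup: {user, ...}}."""
    netgroups = netgroups or {}
    ugroups = unix_groups_of(user)
    for raw in entries:
        prefix = raw[0] if raw[:1] in ("@", "+", "&") else ""
        name = strip_domain(raw[len(prefix):])
        in_ng = user in netgroups.get(name, set())
        in_ug = name in ugroups
        if ((prefix == "@" and (in_ng or in_ug)) or (prefix == "+" and in_ug)
                or (prefix == "&" and in_ng) or (prefix == "" and name == user)):
            return True
    return False

def share_access(user, share, netgroups=None):
    """'deny', 'ro' or 'rw' for a share given as {parameter: value}.
    'read only = no' (or its inverse synonym 'writeable = yes') grants write
    access to every valid user; 'write list' only matters on a read-only share."""
    valid = parse_list(share.get("valid users", ""))
    if valid and not user_in_list(user, valid, netgroups):
        return "deny"
    writable = (share.get("read only", "yes").lower() == "no"
                or share.get("writeable", "no").lower() == "yes")
    if writable or user_in_list(user, parse_list(share.get("write list", "")), netgroups):
        return "rw"
    return "ro"

# The [sis] share as posted: 'read only = No' already makes it read-write for
# every member of 'it', so its 'write list' line never decides anything.
SIS = {"valid users": "@it", "write list": r"@PIMPOM\it", "read only": "No"}
```

share_access("test1", SIS) and share_access("test2", SIS) return "rw" and share_access("root", SIS) returns "deny"; with "read only = yes" the same share returns "ro" for test1 unless "write list" names him or a group he is in. On the server itself the equivalent checks are "getent group it", "id -Gn test1" and the "net groupmap list" that the reply recommends: if those agree with the model and smbd still denies the connection, the mismatch is in how smbd resolves the group (the SID mapping), not in the name list.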

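Added example, not from the thread: the export/edit/reimport procedure in the quoted reply, done with a small LDIF rewriter instead of a global text substitution. A blanket replace of "ou=groups" by "ou=group" is case-sensitive (the poster's smb.conf spells the suffix "ou=Groups"), would also hit any other value that merely contains that text, and says nothing about entries that already exist in the kept OU; matching the DN suffix case-insensitively on an RDN boundary and deduplicating on the RDN covers all three. The LDIF below is constructed to resemble the smbldap-tools layout in the thread (the poster's real entries are not on the page). Take the export, and a verified copy of it, before deleting anything from the directory; afterwards "ldap group suffix" in smb.conf and the group search base in the clients' /etc/ldap.conf (nss_base_group for nss_ldap) must point at the OU you kept.

```python
"""Move LDAP group entries from one OU to another as LDIF: read an export of
the branch being retired, skip entries whose RDN already exists in the kept
branch, rewrite the DN suffix and emit LDIF for re-import.  The LDIF below is
constructed to mirror the smbldap-tools layout in the thread, not real data."""

import base64
import re

OLD_OU = "ou=Groups,dc=pimpom,dc=loc"  # branch to retire
NEW_OU = "ou=Group,dc=pimpom,dc=loc"   # branch to keep

EXPORT_LDIF = """\
dn: cn=Domain Users,ou=Groups,dc=pimpom,dc=loc
objectClass: posixGroup
cn: Domain Users
gidNumber: 513
memberUid: test1

dn: cn=it,ou=Groups,dc=pimpom,dc=loc
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: it
gidNumber: 10001
description:: VGhlIElUIHRlYW0=
memberUid: test1
memberUid: test2
"""
KEEP_LDIF = """\
dn: cn=Domain Users,ou=Group,dc=pimpom,dc=loc
objectClass: posixGroup
cn: Domain Users
gidNumber: 513
memberUid: test1
"""

def parse_ldif(text):
    """Minimal LDIF reader (unfolds, decodes '::' base64, skips comments)."""
    entries, dn, attrs = [], None, []
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, []
            continue
        m = re.match(r"([^:]+)(::?) ?(.*)", line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        if attr.lower() == "dn":
            dn = value
        else:
            attrs.append((attr, value))
    return entries

def in_branch(dn, suffix):
    """Case-insensitive test that dn is suffix or lies beneath it, on an RDN
    boundary (so ou=SubGroups does not match ou=Groups)."""
    d, s = dn.lower(), suffix.lower()
    return d == s or d.endswith("," + s)

def rebase(value, old=OLD_OU, new=NEW_OU):
    """Swap a trailing old-branch suffix for the new one; other values pass through."""
    return value[:-len(old)] + new if in_branch(value, old) else value

def rdn(dn):
    """('cn', 'it') for 'cn=it,ou=...', lower-cased; escaped commas not handled."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return attr.strip().lower(), value.strip().lower()

def consolidate(export_text, keep_text, old=OLD_OU, new=NEW_OU):
    """Return (entries to import under new, DNs skipped as already present)."""
    existing = {rdn(dn) for dn, _ in parse_ldif(keep_text)}
    moved, skipped = [], []
    for dn, attrs in parse_ldif(export_text):
        if dn.lower() == old.lower() or not in_branch(dn, old):
            continue  # the OU object itself, or something outside the branch
        if rdn(dn) in existing:
            skipped.append(dn)  # already defined in the kept OU; leave that one
            continue
        # DN-valued attributes (member, owner, ...) pointing into the old branch
        # move with it; memberUid holds bare user names and is left untouched.
        moved.append((rebase(dn, old, new), [(a, rebase(v, old, new)) for a, v in attrs]))
    return moved, skipped

def ldif_line(attr, value):
    """Base64-encode values LDIF cannot carry literally (RFC 2849 SAFE-STRING, approximated)."""
    if value.isascii() and value == value.strip() and not value.startswith((":", "<")):
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))

def emit_ldif(entries):
    """Serialise entries as LDIF, one blank line after each record."""
    out = []
    for dn, attrs in entries:
        out.append(ldif_line("dn", dn))
        out.extend(ldif_line(a, v) for a, v in attrs)
        out.append("")
    return "\n".join(out)
```

consolidate(EXPORT_LDIF, KEEP_LDIF) moves only cn=it and reports cn=Domain Users as skipped; emit_ldif(moved) is what you review and then feed to ldapadd. Skipped entries are matched on the RDN alone, so compare their gidNumber and memberUid values against the kept copy by hand before deleting the old branch.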
