[Samba] Samba 4.1 DFS Share only access by administrator

Garming Sam garming at catalyst.net.nz
Thu Dec 5 21:59:33 MST 2013


On 05/12/13 20:24, Daniel Müller wrote:
> How do I start trace?
>
> Here is the output when I try to connect to the dfs on the samba localhost with smbclient.
> First administrator:
>
> [root@linux2 ~]# smbclient //localhost/dfs  -U 'administrator'
> Enter administrator's password:
> Domain=[DIFAEM] OS=[Unix] Server=[Samba 4.1.1]
> smb: \>
> smb: \> ls
>    .                                   D        0  Mon Dec  2 09:30:01 2013
>    ..                                  D        0  Wed Dec  4 13:19:59 2013
>    difaem                              D        0  Mon Dec  2 09:29:15 2013
>    leitung                             D        0  Mon Dec  2 09:29:38 2013
>    programmassistenz                   D        0  Mon Dec  2 09:30:01 2013
>
>                  58585 blocks of size 33553920. 51596 blocks available
> smb: \>
>
> smb: \> cd difaem
> smb: \difaem\> ls
>    .                                   D        0  Wed Dec  4 15:16:51 2013
>    ..                                  D        0  Wed Dec  4 13:19:59 2013
>    5_Teambesprechungen Difaem          D        0  Tue Dec  3 13:42:42 2013
>    Gapminder_HIV_presentation_v1.exe      A 21821912  Wed Jul 14 13:18:32 2010
>    Jakob                               D        0  Wed Sep 11 13:08:00 2013
>    Medien                              D        0  Wed Dec  4 08:07:17 2013
>    Sara                                D        0  Wed Dec  4 08:01:26 201
>
> AS YOU SEE NO PROBLEM AT ALL!!
>
> Now a user:
>
> [root@linux2 ~]# smbclient //localhost/dfs  -U 'harter'
> Enter harter's password:
> Domain=[DIFAEM] OS=[Unix] Server=[Samba 4.1.1]
> smb: \>
> smb: \> ls
>    .                                   D        0  Mon Dec  2 09:30:01 2013
>    ..                                  D        0  Wed Dec  4 13:19:59 2013
>    difaem                              D        0  Mon Dec  2 09:29:15 2013
>    leitung                             D        0  Mon Dec  2 09:29:38 2013
>    programmassistenz                   D        0  Mon Dec  2 09:30:01 2013
>
>                  58585 blocks of size 33553920. 51596 blocks available
> smb: \>
> smb: \> cd difaem
> cd \difaem\: NT_STATUS_UNSUCCESSFUL
> smb: \>
>
> YOU SEE CANNOT CHANGE AND ENTER?????
>
> The same User and the same share without dfs!!!
>
> [root@linux2 ~]# smbclient //localhost/difaem  -U 'harter'
> Enter harter's password:
> Domain=[DIFAEM] OS=[Unix] Server=[Samba 4.1.1]
> smb: \>
>
> smb: \> ls
>    .                                   D        0  Wed Dec  4 15:16:51 2013
>    ..                                  D        0  Wed Dec  4 13:19:59 2013
>    5_Teambesprechungen Difaem          D        0  Tue Dec  3 13:42:42 2013
>    Gapminder_HIV_presentation_v1.exe      A 21821912  Wed Jul 14 13:18:32 2010
>    Jakob                               D        0  Wed Sep 11 13:08:00 2013
>    Medien                              D        0  Wed Dec  4 08:07:17 2013
>
>
> Absolutely strange!!!
>
> This is in /var/log/messages:
> Dec  5 08:10:58 linux2 smbd[5859]:   ldb: Unable to load modules for /usr/local/samba/private/sam.ldb: Unable to open tdb '/usr/local/samba/private/sam.ldb.d/DC=DIFAEM,DC=LOC.ldb'
> Dec  5 08:10:58 linux2 smbd[5859]: [2013/12/05 08:10:58.777538,  0] ../source3/modules/vfs_dfs_samba4.c:81(dfs_samba4_connect)
> Dec  5 08:10:58 linux2 smbd[5859]:   samdb_connect failed
> Dec  5 08:10:58 linux2 smbd[5859]: [2013/12/05 08:10:58.777630,  0] ../source3/smbd/msdfs.c:338(create_conn_struct)
> Dec  5 08:10:58 linux2 smbd[5859]:   VFS connect failed!
>
>
> [root@linux2 sam.ldb.d]# ls -la
> insgesamt 37008
> drwxr-x--- 2 root named     4096 19. Nov 07:34 .
> drwxr-xr-x 7 root root      4096  5. Dez 08:12 ..
> -rw------- 1 root root  14319616  2. Dez 09:39 CN=CONFIGURATION,DC=DIFAEM,DC=LOC.ldb
> -rw------- 1 root root  10391552 19. Nov 07:34 CN=SCHEMA,CN=CONFIGURATION,DC=DIFAEM,DC=LOC.ldb
> -rw------- 1 root root   4251648  5. Dez 07:43 DC=DIFAEM,DC=LOC.ldb
> -rw-rw---- 2 root named  4251648  4. Dez 12:23 DC=DOMAINDNSZONES,DC=DIFAEM,DC=LOC.ldb
> -rw-rw---- 2 root named  4251648 19. Nov 07:34 DC=FORESTDNSZONES,DC=DIFAEM,DC=LOC.ldb
> -rw-rw---- 2 root named   421888  5. Dez 07:43 metadata.tdb
>
> Steps I did undertake to establish the dfs share:
>
> Mkdir /windows/dfs
> Ln -s msdfs inside /windows/dfs
>
> Wrote the share in /usr/local/samba/etc/smb.conf. Restarted samba. That’s all
> No further steps as I would have done with samba 3
>
> Greetings
> Daniel
>
>
>
> -----------------------------------------------
> EDV Daniel Müller
>
> Leitung EDV
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
>
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail:mueller at tropenklinik.de
> Internet:www.tropenklinik.de
> -----------------------------------------------
>
> -----Original Message-----
> From: Garming Sam [mailto:garming at catalyst.net.nz]
> Sent: Wednesday, 4 December 2013 22:39
> To: mueller at tropenklinik.de; samba at lists.samba.org
> Cc: 'Andrew Bartlett'
> Subject: Re: [Samba] Samba 4.1 DFS Share only access by administrator
>
> On 04/12/13 22:30, Daniel Müller wrote:
>> The error logs when a user tries to connect to a share linked in dfs:
>>
>> [2013/12/04 11:12:11.804551,  0]
>> ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>>     ldb: module samba_dsdb initialization failed : Operations error
>> [2013/12/04 11:12:11.804626,  0]
>> ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>>     ldb: Unable to load modules for /usr/local/samba/private/sam.ldb:
>> Unable to open tdb '/usr/local/samba/private/sam.ldb.d/DC=DIFAEM,DC=LOC.ldb'
>> [2013/12/04 11:12:11.804733,  0]
>> ../source3/modules/vfs_dfs_samba4.c:81(dfs_samba4_connect)
>>     samdb_connect failed
>> [2013/12/04 11:12:11.804817,  0]
>> ../source3/smbd/msdfs.c:338(create_conn_struct)
>>     VFS connect failed!
>> [2013/12/04 11:12:11.806657,  0]
>> ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>>     ldb: module partition initialization failed : Operations error
>> [2013/12/04 11:12:11.806748,  0]
>> ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>>     ldb: module show_deleted initialization failed : Operations error
>> [2013/12/04 11:12:11.806826,  0]
>> ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>>     ldb: module extended_dn_out_ldb initialization failed : Operations
>> error
>> [2013/12/04 11:12:11.806900,  0]
>> ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>>     ldb: module linked_attributes initialization failed : Operations
>> error
>> [2013/12/04 11:12:11.806982,  0]
>> ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>>     ldb: module repl_meta_data initialization failed : Operations error
>> [2013/12/04 11:12:11.807057,  0]
>> ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>>     ldb: module subtree_delete initialization failed : Operations error
>> [2013/12/04 11:12:11.807133,  0]
>> ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>>     ldb: module operational initialization failed : Operations error
>> [2013/12/04 11:12:11.807205,  0]
>> ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>>     ldb: module aclread initialization failed : Operations error
>> [2013/12/04 11:12:11.807298,  0]
>> ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>>     ldb: module acl initialization failed : Operations error
>> [2013/12/04 11:12:11.807377,  0]
>> ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>>     ldb: module descriptor initialization failed : Operations error
>> [2013/12/04 11:12:11.807448,  0]
>> ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>>     ldb: module objectclass initialization failed : Operations error
>> [2013/12/04 11:12:11.807518,  0]
>> ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>>     ldb: module asq initialization failed : Operations error
>> [2013/12/04 11:12:11.807588,  0]
>> ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>>     ldb: module server_sort initialization failed : Operations error
>> [2013/12/04 11:12:11.807660,  0]
>> ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>>     ldb: module paged_results initialization failed : Operations error
>> [2013/12/04 11:12:11.807730,  0]
>> ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>>     ldb: module dirsync initialization failed : Operations error
>> [2013/12/04 11:12:11.807801,  0]
>> ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>>     ldb: module schema_load initialization failed : Operations error
>> [2013/12/04 11:12:11.807871,  0]
>> ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>>     ldb: module rootdse initialization failed : Operations error
>> [2013/12/04 11:12:11.807941,  0]
>> ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>>     ldb: module samba_dsdb initialization failed : Operations error
>> [2013/12/04 11:12:11.808031,  0]
>> ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>>     ldb: Unable to load modules for /usr/local/samba/private/sam.ldb:
>> Unable to open tdb '/usr/local/samba/private/sam.ldb.d/DC=DIFAEM,DC=LOC.ldb'
>> [2013/12/04 11:12:11.808198,  0]
>> ../source3/modules/vfs_dfs_samba4.c:81(dfs_samba4_connect)
>>     samdb_connect failed
>> [2013/12/04 11:12:11.808335,  0]
>> ../source3/smbd/msdfs.c:338(create_conn_struct)
>>     VFS connect failed!
>>
>> -----------------------------------------------
>> EDV Daniel Müller
>>
>> Leitung EDV
>> Tropenklinik Paul-Lechler-Krankenhaus
>> Paul-Lechler-Str. 24
>> 72076 Tübingen
>>
>> Tel.: 07071/206-463, Fax: 07071/206-499
>> eMail:mueller at tropenklinik.de
>> Internet:www.tropenklinik.de
>> -----------------------------------------------
>>
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org
>> [mailto:samba-bounces at lists.samba.org] On behalf of Daniel Müller
>> Sent: Wednesday, 4 December 2013 10:30
>> To: samba at lists.samba.org
>> Subject: [Samba] Samba 4.1 DFS Share only access by administrator
>>
>> Dear all,
>>
>> I am testing the dfs functions with Samba4.
>> In my global section: host msdfs=yes
>> vfs objects = dfs_samba4
>> Later on setting a dfs root:
>>
>> [dfs]
>>           path = /windows/dfs
>>           read only = No
>>           msdfs root = Yes
>>
>> ls -s  the shares in this root.
>>
>> lrwxrwxrwx  1 root root   19  2. Dez 09:29 difaem -> msdfs:linux2\difaem
>> lrwxrwxrwx  1 root root   20  2. Dez 09:29 leitung -> msdfs:linux2\leitung
>> lrwxrwxrwx  1 root root   30  2. Dez 09:30 programmassistenz ->
>> msdfs:linux2\programmassistenz
>>
>>
>> [root@linux2 windows]# getfacl dfs
>> # file: dfs
>> # owner: root
>> # group: root
>> user::rwx
>> user:root:rwx
>> group::r-x
>> group:root:r-x
>> group:users:r-x
>> group:3000002:rwx
>> group:DIFAEM\134Domain\040Admins:rwx
>> mask::rwx
>> other::r-x
>> default:user::rwx
>> default:user:root:rwx
>> default:group::r-x
>> default:group:root:r-x
>> default:group:users:r-x
>> default:group:3000002:rwx
>> default:group:DIFAEM\134Domain\040Admins:rwx
>> default:mask::rwx
>> default:other::r-x
>>
>>
>> On the single shares the users can login without any issue.
>> When trying to connect over [dfs] access is denied. Only administrator
>> can login the shares!?
>>
>> What has changed since samba3?
>>
>> Greetings
>> Daniel
>>
>> -----------------------------------------------
>> EDV Daniel Müller
>>
>> Leitung EDV
>> Tropenklinik Paul-Lechler-Krankenhaus
>> Paul-Lechler-Str. 24
>> 72076 Tübingen
>>
>> Tel.: 07071/206-463, Fax: 07071/206-499
>> eMail:mueller at tropenklinik.de
>> Internet:www.tropenklinik.de
>> -----------------------------------------------
>>
>>
>>
> Hi there,
>
> I just tested the issue myself. I didn't have any luck replicating it unfortunately.
>
> Would it be possible to get a network trace of the issue? A clear list of reproducible steps would be good, just making sure that you haven't done anything additional which could be different to what I've done.
>
> We think it may have to do with code in rpc_server/srvsvc/srv_srvsvc_nt.c but it would be good to have a trace to confirm this.
>
>
>
> Cheers,
>
> Garming Sam
>
>
>

So in order to get a network trace, you'll need a program called 
Wireshark. If you're unfamiliar with the name, it's just a fairly 
standard program that we typically use for capturing network packets.

https://wiki.samba.org/index.php/Capture_Packets

Install it and start it up. To start off you'd have to point it to the 
correct network adapter/interface.

Start the trace, reproduce the issue and then stop the trace. Then you 
just need to save the file and send it in.


Thanks,

Garming Sam
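
Added example, not part of the original message and not Samba project code: the smbd log excerpts quoted in this thread repeat a single failure through a long cascade of ldb module errors. The Python below parses smbd's two-line log layout (header line, then indented message) and separates the underlying "Unable to open tdb" path from the module cascade and from the smbd call sites that report it. The sample log is constructed from lines quoted above, and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample in smbd's native two-line layout, built from messages quoted in this thread.
SAMPLE_LOG = """\
[2013/12/04 11:12:11.804551,  0] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
  ldb: module samba_dsdb initialization failed : Operations error
[2013/12/04 11:12:11.804626,  0] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
  ldb: Unable to load modules for /usr/local/samba/private/sam.ldb: Unable to open tdb '/usr/local/samba/private/sam.ldb.d/DC=DIFAEM,DC=LOC.ldb'
[2013/12/04 11:12:11.804733,  0] ../source3/modules/vfs_dfs_samba4.c:81(dfs_samba4_connect)
  samdb_connect failed
[2013/12/04 11:12:11.804817,  0] ../source3/smbd/msdfs.c:338(create_conn_struct)
  VFS connect failed!
[2013/12/04 11:12:11.806657,  0] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
  ldb: module partition initialization failed : Operations error
"""

# Header: [timestamp, level] source-file:line(function)
HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
MODULE_FAIL = re.compile(r"ldb: module (\w+) initialization failed")
TDB_FAIL = re.compile(r"Unable to open tdb '([^']+)'")

def parse_entries(text):
    """Pair each header line with the indented message lines that follow it."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif entries and raw.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def summarize(entries):
    """Separate the underlying open failure from the module cascade around it."""
    modules, tdb_paths, callers = Counter(), Counter(), []
    for e in entries:
        if (m := MODULE_FAIL.search(e["msg"])):
            modules[m.group(1)] += 1          # cascade noise, counted per module
        elif (m := TDB_FAIL.search(e["msg"])):
            tdb_paths[m.group(1)] += 1        # the file that could not be opened
        else:
            callers.append(f'{e["func"]} ({e["src"]}:{e["line"]}): {e["msg"]}')
    return {"tdb_paths": dict(tdb_paths), "modules": dict(modules), "callers": callers}

if __name__ == "__main__":
    print(summarize(parse_entries(SAMPLE_LOG)))
```

The parser expects smbd's own log file layout; lines relayed through syslog carry an extra prefix and would need it stripped first.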

