[Samba] Samba 4 AD share: Access denied

Rowland Penny rowlandpenny at googlemail.com
Wed Aug 6 11:58:35 MDT 2014


On 06/08/14 18:50, Ryan Ashley wrote:
> Sorry Rowland! I accidentally sent this to you the first go around. My 
> bad.
>
> I am actually surprised that a few others in the IT field know how to 
> toy with carbs and such. My hobby is antique tractors and road 
> vehicles. I love how easy it is to work on them. I wouldn't touch my 
> 2013 F-150 with a ten-foot pole though. Too many computers and such. 
> Also, the engine is covered in plastic guards, but I digress.
>
> What information have I not answered fully? If I did not understand 
> what was asked, I asked about it. Like when "ute" was posted. I have 
> posted my configs each time they are asked for. Nothing has been 
> edited. I asked about NIS and you gave me the link at MS I read a 
> while back. It says install the NIS stuff. S4 says NIS is installed. 
> Now I am confused. I very obviously cannot install NIS stuff from 2008 
> R2 into a Linux system with S4, and S4 says it is running NIS 
> according to the test on the wiki page I linked below. Do you 
> understand my confusion now?
>
> To add to that, MS says that once the NIS stuff is on the server 
> (again, S4 says it is), I will see the UNIX tab on my ADUC tool. This 
> is why I have been very hesitant to use the advanced feature and 
> attempt to add ID's. If the tool isn't detecting NIS and I force this 
> stuff, will something break? If I can get a guarantee that nothing 
> will break if I force ID's via the advanced options, I'll do it right 
> now. My thought process is different however. It goes something like 
> "I need to get NIS working on the S4 server, then the regular tab will 
> show up, and I am golden. Since it is not showing up, I probably 
> shouldn't attempt to force ID's through the advanced option". Am I 
> wrong here?
>
> As for questions, I asked two or three times if I needed that line in 
> my member server configurations, and I was just now told that I should 
> only have it on DC's. This is fine, but we all miss or forget to 
> answer once in a while, so if I forgot something, kindly remind me and 
> I will be happy to answer it. Oh, and what about my question for the 
> line that sets a range of 500-40000?
>
> I'm not aggravated with anybody, but I need this fixed. I am a VERY 
> BUSY person and I may forget things. Do not take it personally, 
> please. I love the S4 project and it has worked fine up until now. I 
> believe my issue here is that I must assign an ID to each group and 
> each user for file shares to work correctly under Linux. My other 
> clients share files from Linux-based NAS devices and that is PROBABLY 
> the key difference. Now I know I can add these ID numbers without the 
> UNIX tab, but is it safe to do that?
>
> On 08/06/2014 04:29 AM, Rowland Penny wrote:
>> On 06/08/14 05:24, Ryan Ashley wrote:
>>> Plenty of replies since this afternoon! I will try to answer your 
>>> questions in order, as well as ask questions.
>>>
>>> "All provisioning with RFC2307 does is add the ypServ30.ldif, it 
>>> does not do anything else, it is up to you to use it. "
>>>
>>> Alright, how? Remember, all my domains are golden except this. I 
>>> have never had to use ldif files or assign ID numbers because they 
>>> always just worked.
>>>
>>
>> By adding whatever RFC2307 attributes that you will need, these are 
>> usually uidNumber, gidNumber, loginShell and unixHomeDirectory. How 
>> you add them is up to you, you can use samba-tool, ADUC or even write 
>> your own scripts around ldb-tools etc.
>>
>> I think that in the past you must have been using the winbind rid 
>> backend, only problem with this is that (at the moment) you get 
>> different id numbers on the server from any client.
>>
>>> "This is a known windows problem, search Google (other search 
>>> providers are available) for a solution."
>>>
>>> I have been searching, and I have tried loads of results, to no 
>>> avail. Some said install libnss-ldapd, which I still don't know what 
>>> it does, others said to do various config entries, also to no avail, 
>>> so I am back here. I have reverted my changes since nothing worked.
>>
>> You cannot have searched very hard, the search term 'no unix 
>> attributes tab' turns up about 1,910,000 results and the top one is:
>>
>> http://support.microsoft.com/kb/921913
>>
>>>
>>> "I'd guess you don't have a UNIX tab because the Samba AD schema 
>>> doesn't have it. I'm not sure why that would be, since I don't use 
>>> any of the UNIX AD extensions myself."
>>
>> That was a very wrong statement, even if you do not provision with 
>> rfc2307, you still get the rfc2307 attributes and objectclasses in AD 
>> and it is not the reason you haven't got the tab
>>
>>>
>>> I never have either, it always JUST WORKED. This is not frustration 
>>> with the help, it is frustration in that it just refuses to work for 
>>> no good reason. That's why I am attempting to ditch Windows, because 
>>> things just don't work and nobody knows why. I actually feel that 
>>> Rowland and Steve have been great, and have made me SERIOUSLY 
>>> question the highly incomplete guides on the wiki. I mean nowhere 
>>> does it mention the line that creates the keytab for Kerberos in any 
>>> guides. Nowhere does it mention the ID's or anything else they have 
>>> talked with me about. I honestly believe the ID numbers will solve 
>>> the issue, but I cannot do that yet.
>>>
>>> "You do not need to provision with rfc2307 nor do you need a UNIX 
>>> tab to allocate uidNumbers. You already have what you need. Please 
>>> try it."
>>>
>>> Alright, how? Again, and this is what I keep repeating, I have NEVER 
>>> had to do this before. Up to this very point in time, S4 has been 
>>> rock-solid. None of my other domains use the Kerberos keytab. None 
>>> of them use uID's or gID's. They all just work. You're telling me I 
>>> have the tools to do this, but it is like me telling you to adjust 
>>> your main jet to 1.5 turns out. Unless you're into antiques like I 
>>> am, you haven't a clue what I mean or how to do it. I am not trying 
>>> to be rude, I just literally do not have a clue how to do this.
>>>
>>
>> er, I actually do know what you are talking about when it comes to 
>> the main jet, this would be the initial setting on the carburettor 
>> and you would adjust the high speed running from there, what do you 
>> set the slow run jet to ?
>>
>> Just how did you setup samba prior to having these problems, did you 
>> set it up as a PDC or a standalone or what ?
>>
>> You also seem very reticent about answering questions, you never seem 
>> to quite answer them fully, sometimes not at all.
>>
>>> "You have to activate advanced features in ADUC and edit the 
>>> attributes from the attribute editor tab."
>>>
>>> Yes, I did that and saw it in there, but chose not to edit that way 
>>> for one reason. According to many posts I read on search results 
>>> from Google, the UNIX tab shows up once the system detects NIS. I 
>>> believe NIS is off for some reason, but I did the check at the link 
>>> below and it returned one result, indicating that NIS is supposedly 
>>> enabled. It would be better to simply show me a yes or no, but I 
>>> guess that isn't an option.
>>>
>>> ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b 
>>> CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=truevine,DC=lan
>>> Referenced from: 
>>> https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
>>>
>>> Ricky:
>>> I have NOT pulled any packages from any repos. I cloned the official 
>>> repo, configured and built. It turns out that by default it builds 
>>> 4.2.0-pre<xyz> instead of 4-1-stable. In an attempt to rule out a 
>>> 4.2 bug, I uninstalled (make uninstall) 4.2 and configured and built 
>>> 4.1, then installed it. I completely removed any leftover files and 
>>> directories by hand, with the exception of my configuration file. 
>>> Here's the info you requested.
>>>
>>> root at fs01:~# getent passwd | grep reachfp
>>> reachfp:*:70010:70002:reachfp:/home/TRUEVINE/reachfp:/bin/false
>>> root at fs01:~# getent passwd | grep cynthiaj
>>> cynthiaj:*:70016:70002:Cynthia Jones:/home/TRUEVINE/cynthiaj:/bin/false
>>> root at fs01:~# getent passwd | grep daquanm
>>> daquanm:*:70002:70002:DaQuan Major:/home/TRUEVINE/daquanm:/bin/false
>>> root at fs01:~# getent passwd | grep reach_support
>>> reach_support:*:70015:70002:Reach 
>>> Support:/home/TRUEVINE/reach_support:/bin/false
>>>
>>
>> All of those numbers are coming from the 'builtin' range 
>> (70001-80000) and shouldn't be and wouldn't be if you gave your users 
>> and groups uidNumbers and gidNumbers.
>>
>> If you do not want to do this, change this line:
>>
>> idmap config TRUEVINE:backend = ad
>>
>> To this:
>>
>> idmap config TRUEVINE:backend = rid
>>
>> Remove these:
>>
>> idmap config TRUEVINE:schema_mode = rfc2307
>> idmap_ldb:use rfc2307 = yes # this shouldn't be on the fileserver 
>> anyway, it's for the AD server
>> auth methods = winbind
>>
>> Rowland
>>
>>> =====================
>>> FS01 Configuration File:
>>> =====================
>>> [global]
>>>   netbios name = FS01
>>>   workgroup = TRUEVINE
>>>   security = ADS
>>>   realm = TRUEVINE.LAN
>>>   encrypt passwords = yes
>>>   dedicated keytab file = /etc/krb5.keytab
>>>   kerberos method = secrets and keytab
>>>
>>>   idmap config *:backend = tdb
>>>   idmap config *:range = 70001-80000
>>>   idmap config TRUEVINE:backend = ad
>>>   idmap config TRUEVINE:schema_mode = rfc2307
>>>   idmap config TRUEVINE:range = 500-40000
>>>   idmap_ldb:use rfc2307 = yes
>>>
>>>   winbind nss info = rfc2307
>>>   winbind trusted domains only = no
>>>   winbind use default domain = yes
>>>   winbind enum users = yes
>>>   winbind enum groups = yes
>>>
>>>   vfs objects = acl_xattr
>>>   map acl inherit = yes
>>>   store dos attributes = yes
>>>   auth methods = winbind
>>>   log level = 3
>>>
>>> [install$]
>>>   path = /home/shared/install
>>>   comment = "Software installation files"
>>>   read only = no
>>>   guest ok = no
>>>
>>> [staff$]
>>>   path = /home/shared/staff
>>>   comment = "Staff file share"
>>>   read only = no
>>>   guest ok = no
>>>
>>> [fbc$]
>>>   path = /home/shared/fbc
>>>   comment = "Family Bible College file share"
>>>   read only = no
>>>   guest ok = no
>>>
>>>
>>> One thing I am unclear on is whether or not I need "idmap_ldb:use 
>>> rfc2307 = yes" in member server configs or ONLY AD DC configs. Also, 
>>> what does "idmap config TRUEVINE:range = 500-40000" specify? I was 
>>> trying to set AD users to 70001-80000 for their ID's, but maybe I 
>>> misunderstand things. Thanks for your help and input. I'm not 
>>> frustrated with you guys, just the fact that ONE server is acting up 
>>> and I am having to do all kinds of things I have never had to do 
>>> before just to share files. It isn't a bad frustration however, I 
>>> enjoy building projects from source and using Linux in general. If 
>>> this was Windows I'd have found an alternative by now.
>>>
>>> On 8/5/2014 11:57 PM, Ricky Nance wrote:
>>>> So IF I read the 70+ previous mails correctly, it looks like you have
>>>> tried both packages and samba source, if this is the case you could
>>>> have some seriously screwed up library files, causing various issues
>>>> (such as binaries just crashing at certain points). With that said,
>>>> there is a fair chance that your libnss_winbind.so (or so.2) is
>>>> mismatched from your current winbind causing exactly this issue.
>>>>
>>>> Is there any chance you can give us a current recap of your
>>>> issue/setup? Include current configs (if you need to mask something,
>>>> make that clear). Also please provide the output of getent passwd |
>>>> grep ADUSER (replace ADUSER with an actual user) and which setup
>>>> (package or source, and which package you are using) you currently
>>>> have (as well as what you have tried there too).
>>>>
>>>> Thanks,
>>>> Ricky
>>>>
>>>> On Tue, Aug 5, 2014 at 3:18 PM, Davor Vusir <davortvusir at gmail.com> 
>>>> wrote:
>>>>> 2014-08-05 20:32 GMT+02:00 Ryan Ashley <ryana at reachtechfp.com>:
>>>>>> Well, again, no issues until now. I never did the Kerberos keytab 
>>>>>> thing
>>>>>> before, and everything works. Never did the NIS thing before, and 
>>>>>> everything
>>>>>> works. Now I am learning these things should be done and I have 
>>>>>> been told
>>>>>> what to do and have done them as well as documented them in our 
>>>>>> technical
>>>>>> reference. However, I am now at the point where I cannot set ID's 
>>>>>> due to not
>>>>>> having the UNIX tab in ADUC. I did provision with "--use-rfc2307" 
>>>>>> and it is
>>>>>> in all of my S4 configuration files, but no luck yet. What do I 
>>>>>> need to
>>>>>> check to get that tab to appear? If assigning an ID fixes this, I 
>>>>>> will
>>>>>> HAPPILY do it on all of our domains as we go out for maintenance.
>>>>>>
>>>>> You have to activate advanced features in ADUC and edit the 
>>>>> attributes
>>>>> from the attribute editor tab.
>>>>>
>>>>> It's a pity we couldn't help you sort this out. I think it's quite
>>>>> strange that it doesn't work at this particular server as you say 
>>>>> that
>>>>> this is the standard way of yours to configure Samba. Why it doesn't
>>>>> work, I really don't know. One thing that springs to mind is, and I
>>>>> don't have knowledge enough to back it up, when using the TDB backend
>>>>> you're not guaranteed consistent id mapping through the server 
>>>>> park. I
>>>>> have found nothing that states that winbind populates the
>>>>> tdb-databases in a certain order (a-z, ascending SID numbering or
>>>>> other mechanism). Which of course might give you different uidnumbers
>>>>> (from the *:range) for different accounts. Please correct me if I'm
>>>>> wrong. Is there a way to check this?
>>>>>
>>>>> But I do think that Rowland and Steve are right to 'push' for
>>>>> populating and using uid- and gidnumbers. uid- and gidnumbers with an
>>>>> interpreter like winbind, sssd or other is a/the bridge between
>>>>> Linux and windows. And it's a low-cost activation and maintenance. I
>>>>> think you should consider their advice and rethink your setup.
>>>>>
>>>>> Well, I'm out of ideas except that I have noticed that the activation
>>>>> of vfs module acl_xattr in the global section of smb.conf does not
>>>>> always/ever work on a mounted volume created from LVM. You might need
>>>>> to/have to put it in the share section.
>>>>>
>>>>> If you find out what caused this, please let us know.
>>>>>
>>>>> Regards
>>>>> Davor
>>>>>
>>>>>> On 08/05/2014 02:16 PM, steve wrote:
>>>>>>> On Tue, 2014-08-05 at 13:17 -0400, Ryan Ashley wrote:
>>>>>>>> The way that sounds, the "file server" guide is incomplete, 
>>>>>>>> because
>>>>>>>> nowhere does it mention any of what you're telling me. I also have
>>>>>>>> little trouble finding good documentation on every Linux 
>>>>>>>> product I use.
>>>>>>>> S4 is the one big exception, but with the guides, it eliminates 
>>>>>>>> some of
>>>>>>>> that need. I do not buy the whole argument of using Windows for
>>>>>>>> documentation, because 90% of their documentation is rambling 
>>>>>>>> crud. When
>>>>>>>> you get an error and have an ID, the docs don't have the ID you 
>>>>>>>> want,
>>>>>>>> you are hosed.
>>>>>>> Unless you know what you're doing, the time it takes to get up on
>>>>>>> user-land Linux compared with enterprise or microsoft
>>>>>>> out-of-the-box-or-just-call-the-engineer is false economy.
>>>>>>>> Again, I am running Debian Wheezy 7.5 64bit under XenServer 6.2 
>>>>>>>> with the
>>>>>>>> latest updates. The stable repos have an OLD version of S4, and 
>>>>>>>> I do not
>>>>>>>> mind building it myself anyway.
>>>>>>> Debian doesn't install samba unless you tell it?
>>>>>>>> Finally, you have told me I need this and that, but no 
>>>>>>>> direction is
>>>>>>>> noted.
>>>>>>> http://bit.ly/1s8LTZc
>>>>>>>
>>>>>>>
>>>>>> -- 
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>>
>
Too late, I already replied ;-)

Rowland
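The getent output above is the evidence Rowland reads: every uid and gid sits inside the `idmap config *:range` (70001-80000), not inside the TRUEVINE range (500-40000), so the IDs came from the per-server tdb allocator rather than from uidNumber/gidNumber in AD. The following script is an added example, not code from this thread or from the Samba project: it parses the `idmap config` lines of an smb.conf and a set of `getent passwd` lines, then reports which accounts were mapped from the default range instead of the domain range, and also flags overlapping ranges. The smb.conf lines and the first three passwd entries are taken from the posted FS01 configuration and getent output; the `alice` entry is a constructed account whose IDs fall inside the TRUEVINE range, and the domain name passed to `audit()` is an assumed argument.

```python
"""Audit winbind idmap allocation against getent output.

Added example for this thread (not code from the thread or from Samba).
It parses the `idmap config` lines of an smb.conf and a few `getent passwd`
lines, then reports which accounts received IDs from the default '*' range
instead of the domain's configured range.  IDs from the '*' tdb allocator are
handed out per server in first-seen order, so they differ between machines;
IDs from the domain range (backend = ad) come from uidNumber/gidNumber in AD
and are the same on every member server.
"""
import re

# The [global] idmap lines posted for FS01 in the thread, used as sample input.
SMB_CONF = """\
[global]
  workgroup = TRUEVINE
  idmap config *:backend = tdb
  idmap config *:range = 70001-80000
  idmap config TRUEVINE:backend = ad
  idmap config TRUEVINE:schema_mode = rfc2307
  idmap config TRUEVINE:range = 500-40000
"""

# Three lines from the getent output in the thread plus one constructed
# account ('alice') whose IDs fall inside the TRUEVINE range.
GETENT_PASSWD = """\
reachfp:*:70010:70002:reachfp:/home/TRUEVINE/reachfp:/bin/false
cynthiaj:*:70016:70002:Cynthia Jones:/home/TRUEVINE/cynthiaj:/bin/false
daquanm:*:70002:70002:DaQuan Major:/home/TRUEVINE/daquanm:/bin/false
alice:*:10001:10000:Alice Example:/home/TRUEVINE/alice:/bin/false
"""

# Matches e.g. "idmap config TRUEVINE:range = 500-40000" -> (TRUEVINE, range, 500-40000)
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)


def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    idmap = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0]  # drop trailing comments
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.groups()
            idmap.setdefault(domain, {})[option.lower()] = value
    return idmap


def parse_range(text):
    """'70001-80000' -> (70001, 80000); raises ValueError on malformed input."""
    lo, hi = (int(part) for part in text.split("-", 1))
    if lo > hi:
        raise ValueError(f"idmap range lower bound exceeds upper bound: {text}")
    return lo, hi


def ranges(idmap):
    """Return {domain: (lo, hi)} for every idmap domain that declares a range."""
    return {d: parse_range(o["range"]) for d, o in idmap.items() if "range" in o}


def overlapping_ranges(idmap):
    """List pairs of domains whose ranges overlap (allocation becomes ambiguous)."""
    rs = ranges(idmap)
    names = sorted(rs)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if rs[a][0] <= rs[b][1] and rs[b][0] <= rs[a][1]]


def range_owner(idnum, idmap):
    """Name of the idmap domain whose range contains idnum, or None."""
    for domain, (lo, hi) in ranges(idmap).items():
        if lo <= idnum <= hi:
            return domain
    return None


def audit(conf_text, getent_text, domain):
    """For each passwd line, record which range its uid and gid were taken from.

    'ok' is True only when both IDs lie in the named domain's range, i.e. they
    were read from uidNumber/gidNumber in AD rather than allocated locally.
    """
    idmap = parse_idmap(conf_text)
    if domain not in ranges(idmap):
        raise ValueError(f"no 'idmap config {domain}:range' in smb.conf")
    findings = []
    for line in getent_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a passwd entry
        user, uid, gid = fields[0], int(fields[2]), int(fields[3])
        uid_src, gid_src = range_owner(uid, idmap), range_owner(gid, idmap)
        findings.append({"user": user, "uid": uid, "gid": gid,
                         "uid_source": uid_src, "gid_source": gid_src,
                         "ok": uid_src == domain and gid_src == domain})
    return findings


def report(conf_text, getent_text, domain):
    """Print a summary and return the names of accounts that need attention."""
    idmap = parse_idmap(conf_text)
    for a, b in overlapping_ranges(idmap):
        print(f"WARNING: idmap ranges for '{a}' and '{b}' overlap")
    bad = []
    for f in audit(conf_text, getent_text, domain):
        if f["ok"]:
            print(f"ok   {f['user']}: uid {f['uid']} / gid {f['gid']} from '{domain}' range")
        else:
            bad.append(f["user"])
            print(f"FIX  {f['user']}: uid {f['uid']} from '{f['uid_source']}' range, "
                  f"gid {f['gid']} from '{f['gid_source']}' range; set uidNumber/gidNumber "
                  f"in AD within {idmap[domain]['range']} or switch the backend to rid")
    return bad


if __name__ == "__main__":
    report(SMB_CONF, GETENT_PASSWD, "TRUEVINE")
```

Run against a real server by piping `getent passwd` into the script and reading smb.conf from disk; an account reported as FIX is one that will get a different uid on the next member server, which is exactly the situation where share ACLs written on one host stop matching on another.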
