[Samba] Samba 4 AD share: Access denied
Ryan Ashley
ryana at reachtechfp.com
Wed Aug 6 12:20:58 MDT 2014
Alright, I already gave every group a gIDNumber using the "advanced
features" option via the "Attribute Editor". Each group has a unique ID.
There are 16 built-in groups (domain admins, domain users, etc) and five
I have. My last group ended with 10021. The first group was 10001. I
then stopped S4 on my print-server, deleted "group_mapping.tdb",
"winbind_cache.tdb", and "winbind_idmap.tdb", rebooted the server, and
(S4 starts automatically) changed group ownership of a directory to
"domain admins". When listing the directory with "ls -lAn", it showed
70012, not 10001. So they all have gIDNumber set now, but it isn't
pulling through. What could cause that?
On 08/06/2014 01:58 PM, Rowland Penny wrote:
> On 06/08/14 18:50, Ryan Ashley wrote:
>> Sorry Rowland! I accidentally sent this to you the first go around.
>> My bad.
>>
>> I am actually surprised that a few others in the IT field know how to
>> toy with carbs and such. My hobby is antique tractors and road
>> vehicles. I love how easy it is to work on them. I wouldn't touch my
>> 2013 F-150 with a ten-foot pole though. Too many computers and such.
>> Also, the engine is covered in plastic guards, but I digress.
>>
>> What information have I not answered fully? If I did not understand
>> what was asked, I asked about it. Like when "ute" was posted. I have
>> posted my configs each time they are asked for. Nothing has been
>> edited. I asked about NIS and you gave me the link at MS I read a
>> while back. It says install the NIS stuff. S4 says NIS is installed.
>> Now I am confused. I very obviously cannot install NIS stuff from
>> 2008 R2 into a Linux system with S4, and S4 says it is running NIS
>> according to the test on the wiki page I linked below. Do you
>> understand my confusion now?
>>
>> To add to that, MS says that once the NIS stuff is on the server
>> (again, S4 says it is), I will see the UNIX tab on my ADUC tool. This
>> is why I have been very hesitant to use the advanced feature and
>> attempt to add ID's. If the tool isn't detecting NIS and I force this
>> stuff, will something break? If I can get a guarantee that nothing
>> will break if I force ID's via the advanced options, I'll do it right
>> now. My thought process is different however. It goes something like
>> "I need to get NIS working on the S4 server, then the regular tab
>> will show up, and I am golden. Since it is not showing up, I probably
>> shouldn't attempt to force ID's through the advanced option". Am I
>> wrong here?
>>
>> As for questions, I asked two or three times if I needed that line in
>> my member server configurations, and I was just now told that I
>> should only have it on DC's. This is fine, but we all miss or forget
>> to answer once in a while, so if I forgot something, kindly remind me
>> and I will be happy to answer it. Oh, and what about my question for
>> the line that sets a range of 500-40000?
>>
>> I'm not aggravated with anybody, but I need this fixed. I am a VERY
>> BUSY person and I may forget things. Do not take it personally,
>> please. I love the S4 project and it has worked fine up until now. I
>> believe my issue here is that I must assign an ID to each group and
>> each user for file shares to work correctly under Linux. My other
>> clients share files from Linux-based NAS devices and that is PROBABLY
>> the key difference. Now I know I can add these ID numbers without the
>> UNIX tab, but is it safe to do that?
>>
>> On 08/06/2014 04:29 AM, Rowland Penny wrote:
>>> On 06/08/14 05:24, Ryan Ashley wrote:
>>>> Plenty of replies since this afternoon! I will try to answer your
>>>> questions in order, as well as ask questions.
>>>>
>>>> "All provisioning with RFC2307 does is add the ypServ30.ldif, it
>>>> does not do anything else, it is up to you to use it. "
>>>>
>>>> Alright, how? Remember, all my domains are golden except this. I
>>>> have never had to use ldif files or assign ID numbers because they
>>>> always just worked.
>>>>
>>>
>>> By adding whatever RFC2307 attributes that you will need, these are
>>> usually uidNumber, gidNumber, loginShell and unixHomeDirectory. How
>>> you add them is up to you, you can use samba-tool, ADUC or even
>>> write your own scripts around ldb-tools etc.
>>>
>>> I think that in the past you must have been using the winbind rid
>>> backend, only problem with this is that (at the moment) you get
>>> different id numbers on the server from any client.
>>>
>>>> "This is a known windows problem, search Google (other search
>>>> providers are available) for a solution."
>>>>
>>>> I have been searching, and I have tried loads of results, to no
>>>> avail. Some said install libnss-ldapd, which I still don't know
>>>> what it does, others said to do various config entries, also to no
>>>> avail, so I am back here. I have reverted my changes since nothing
>>>> worked.
>>>
>>> You cannot have searched very hard, the search term 'no unix
>>> attributes tab' turns up about 1,910,000 results and the top one is:
>>>
>>> http://support.microsoft.com/kb/921913
>>>
>>>>
>>>> "I'd guess you don't have a UNIX tab because the Samba AD schema
>>>> doesn't have it. I'm not sure why that would be, since I don't use
>>>> any of the UNIX AD extensions myself."
>>>
>>> That was a very wrong statement, even if you do not provision with
>>> rfc2307, you still get the rfc2307 attributes and objectclasses in
>>> AD and it is not the reason you haven't got the tab
>>>
>>>>
>>>> I never have either, it always JUST WORKED. This is not frustration
>>>> with the help, it is frustration in that it just refuses to work
>>>> for no good reason. That's why I am attempting to ditch Windows,
>>>> because things just don't work and nobody knows why. I actually
>>>> feel that Rowland and Steve have been great, and have made me
>>>> SERIOUSLY question the highly incomplete guides on the wiki. I mean
>>>> nowhere does it mention the line that creates the keytab for
>>>> Kerberos in any guides. Nowhere does it mention the ID's or
>>>> anything else they have talked with me about. I honestly believe
>>>> the ID numbers will solve the issue, but I cannot do that yet.
>>>>
>>>> "You do not need to provision with rfc2307 nor do you need a UNIX
>>>> tab to allocate uidNumbers. You already have what you need. Please
>>>> try it."
>>>>
>>>> Alright, how? Again, and this is what I keep repeating, I have
>>>> NEVER had to do this before. Up to this very point in time, S4 has
>>>> been rock-solid. None of my other domains use the Kerberos keytab.
>>>> None of them use uID's or gID's. They all just work. You're telling
>>>> me I have the tools to do this, but it is like me telling you to
>>>> adjust your main jet to 1.5 turns out. Unless you're into antiques
>>>> like I am, you haven't a clue what I mean or how to do it. I am not
>>>> trying to be rude, I just literally do not have a clue how to do this.
>>>>
>>>
>>> er, I actually do know what you are talking about when it comes to
>>> the main jet, this would be the initial setting on the carburettor
>>> and you would adjust the high speed running from there, what do you
>>> set the slow run jet to ?
>>>
>>> Just how did you setup samba prior to having these problems, did you
>>> set it up as a PDC or a standalone or what ?
>>>
>>> You also seem very reticent about answering questions, you never
>>> seem to quite answer them fully, sometimes not at all.
>>>
>>>> "You have to activate advanced features in ADUC and edit the
>>>> attributes from the attribute editor tab."
>>>>
>>>> Yes, I did that and saw it in there, but chose not to edit that way
>>>> for one reason. According to many posts I read on search results
>>>> from Google, the UNIX tab shows up once the system detects NIS. I
>>>> believe NIS is off for some reason, but I did the check at the link
>>>> below and it returned one result, indicating that NIS is supposedly
>>>> enabled. It would be better to simply show me a yes or no, but I
>>>> guess that isn't an option.
>>>>
>>>> ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b
>>>> CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=truevine,DC=lan
>>>> Referenced from:
>>>> https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
>>>>
>>>> Ricky:
>>>> I have NOT pulled any packages from any repos. I cloned the
>>>> official repo, configured and built. It turns out that by default
>>>> it builds 4.2.0-pre<xyz> instead of 4-1-stable. In an attempt to
>>>> rule out a 4.2 bug, I uninstalled (make uninstall) 4.2 and
>>>> configured and built 4.1, then installed it. I completely removed
>>>> any leftover files and directories by hand, with the exception of
>>>> my configuration file. Here's the info you requested.
>>>>
>>>> root at fs01:~# getent passwd | grep reachfp
>>>> reachfp:*:70010:70002:reachfp:/home/TRUEVINE/reachfp:/bin/false
>>>> root at fs01:~# getent passwd | grep cynthiaj
>>>> cynthiaj:*:70016:70002:Cynthia Jones:/home/TRUEVINE/cynthiaj:/bin/false
>>>> root at fs01:~# getent passwd | grep daquanm
>>>> daquanm:*:70002:70002:DaQuan Major:/home/TRUEVINE/daquanm:/bin/false
>>>> root at fs01:~# getent passwd | grep reach_support
>>>> reach_support:*:70015:70002:Reach Support:/home/TRUEVINE/reach_support:/bin/false
>>>>
>>>
>>> All of those numbers are coming from the 'builtin' range
>>> (70001-80000) and shouldn't be and wouldn't be if you gave your
>>> users and groups uidNumber's & gidNumber's
>>>
>>> If you do not want to do this, change this line:
>>>
>>> idmap config TRUEVINE:backend = ad
>>>
>>> To this:
>>>
>>> idmap config TRUEVINE:backend = rid
>>>
>>> Remove these:
>>>
>>> idmap config TRUEVINE:schema_mode = rfc2307
>>> idmap_ldb:use rfc2307 = yes # this shouldn't be on the fileserver
>>> anyway, it's for the AD server
>>> auth methods = winbind
>>>
>>> Rowland
>>>
>>>> =====================
>>>> FS01 Configuration File:
>>>> =====================
>>>> [global]
>>>> netbios name = FS01
>>>> workgroup = TRUEVINE
>>>> security = ADS
>>>> realm = TRUEVINE.LAN
>>>> encrypt passwords = yes
>>>> dedicated keytab file = /etc/krb5.keytab
>>>> kerberos method = secrets and keytab
>>>>
>>>> idmap config *:backend = tdb
>>>> idmap config *:range = 70001-80000
>>>> idmap config TRUEVINE:backend = ad
>>>> idmap config TRUEVINE:schema_mode = rfc2307
>>>> idmap config TRUEVINE:range = 500-40000
>>>> idmap_ldb:use rfc2307 = yes
>>>>
>>>> winbind nss info = rfc2307
>>>> winbind trusted domains only = no
>>>> winbind use default domain = yes
>>>> winbind enum users = yes
>>>> winbind enum groups = yes
>>>>
>>>> vfs objects = acl_xattr
>>>> map acl inherit = yes
>>>> store dos attributes = yes
>>>> auth methods = winbind
>>>> log level = 3
>>>>
>>>> [install$]
>>>> path = /home/shared/install
>>>> comment = "Software installation files"
>>>> read only = no
>>>> guest ok = no
>>>>
>>>> [staff$]
>>>> path = /home/shared/staff
>>>> comment = "Staff file share"
>>>> read only = no
>>>> guest ok = no
>>>>
>>>> [fbc$]
>>>> path = /home/shared/fbc
>>>> comment = "Family Bible College file share"
>>>> read only = no
>>>> guest ok = no
>>>>
>>>>
>>>> One thing I am unclear on is whether or not I need "idmap_ldb:use
>>>> rfc2307 = yes" in member server configs or ONLY AD DC configs.
>>>> Also, what does "idmap config TRUEVINE:range = 500-40000" specify?
>>>> I was trying to set AD users to 70001-80000 for their ID's, but
>>>> maybe I misunderstand things. Thanks for your help and input. I'm
>>>> not frustrated with you guys, just the fact that ONE server is
>>>> acting up and I am having to do all kinds of things I have never
>>>> had to do before just to share files. It isn't a bad frustration
>>>> however, I enjoy building projects from source and using Linux in
>>>> general. If this was Windows I'd have found an alternative by now.
>>>>
>>>> On 8/5/2014 11:57 PM, Ricky Nance wrote:
>>>>> So IF I read the 70+ previous mails correctly, it looks like you have
>>>>> tried both packages and samba source, if this is the case you could
>>>>> have some seriously screwed up library files, causing various issues
>>>>> (such as binaries just crashing at certain points). With that said,
>>>>> there is a fair chance that your libnss_winbind.so (or so.2) is
>>>>> mismatched from your current winbind causing exactly this issue.
>>>>>
>>>>> Is there any chance you can give us a current recap of your
>>>>> issue/setup? Include current configs (if you need to mask something,
>>>>> make that clear). Also please provide the output of getent passwd |
>>>>> grep ADUSER (replace ADUSER with an actual user) and which setup
>>>>> (package or source, and which package you are using) you currently
>>>>> have (as well as what you have tried there too).
>>>>>
>>>>> Thanks,
>>>>> Ricky
>>>>>
>>>>> On Tue, Aug 5, 2014 at 3:18 PM, Davor Vusir
>>>>> <davortvusir at gmail.com> wrote:
>>>>>> 2014-08-05 20:32 GMT+02:00 Ryan Ashley <ryana at reachtechfp.com>:
>>>>>>> Well, again, no issues until now. I never did the Kerberos
>>>>>>> keytab thing
>>>>>>> before, and everything works. Never did the NIS thing before,
>>>>>>> and everything
>>>>>>> works. Now I am learning these things should be done and I have
>>>>>>> been told
>>>>>>> what to do and have done them as well as documented them in our
>>>>>>> technical
>>>>>>> reference. However, I am now at the point where I cannot set
>>>>>>> ID's due to not
>>>>>>> having the UNIX tab in ADUC. I did provision with
>>>>>>> "--use-rfc2307" and it is
>>>>>>> in all of my S4 configuration files, but no luck yet. What do I
>>>>>>> need to
>>>>>>> check to get that tab to appear? If assigning an ID fixes this,
>>>>>>> I will
>>>>>>> HAPPILY do it on all of our domains as we go out for maintenance.
>>>>>>>
>>>>>> You have to activate advanced features in ADUC and edit the
>>>>>> attributes
>>>>>> from the attribute editor tab.
>>>>>>
>>>>>> It's a pity we couldn't help you sort this out. I think it's quite
>>>>>> strange that it doesn't work at this particular server as you say
>>>>>> that
>>>>>> this is the standard way of yours to configure Samba. Why it doesn't
>>>>>> work, I really don't know. One thing that springs to mind is, and I
>>>>>> don't have knowledge enough to back it up, when using the TDB
>>>>>> backend
>>>>>> you're not guaranteed consistent id mapping through the server
>>>>>> park. I
>>>>>> have found nothing that states that winbind populates the
>>>>>> tdb-databases in a certain order (a-z, ascending SID numbering or
>>>>>> other mechanism). Which of course might give you different
>>>>>> uidnumbers
>>>>>> (from the *:range) for different accounts. Please correct me if I'm
>>>>>> wrong. Is there a way to check this?
>>>>>>
>>>>>> But I do think that Rowland and Steve are right to 'push' for
>>>>>> populating and using uid- and gidnumbers. uid- and gidnumbers
>>>>>> with an
>>>>>> interpretator like winbind, sssd or other is a/the bridge between
>>>>>> Linux and windows. And it's a low-cost activation and maintenance. I
>>>>>> think you should consider their advice and rethink your setup.
>>>>>>
>>>>>> Well, I'm out of ideas except that I have noticed that the
>>>>>> activation
>>>>>> of vfs module acl_xattr in the global section of smb.conf does not
>>>>>> always/ever work on a mounted volume created from LVM. You might
>>>>>> need
>>>>>> to/have to put it in the share section.
>>>>>>
>>>>>> If you find out what caused this, please let us know.
>>>>>>
>>>>>> Regards
>>>>>> Davor
>>>>>>
>>>>>>> On 08/05/2014 02:16 PM, steve wrote:
>>>>>>>> On Tue, 2014-08-05 at 13:17 -0400, Ryan Ashley wrote:
>>>>>>>>> The way that sounds, the "file server" guide is incomplete,
>>>>>>>>> because
>>>>>>>>> nowhere does it mention any of what you're telling me. I also
>>>>>>>>> have
>>>>>>>>> little trouble finding good documentation on every Linux
>>>>>>>>> product I use.
>>>>>>>>> S4 is the one big exception, but with the guides, it
>>>>>>>>> eliminates some of
>>>>>>>>> that need. I do not buy the whole argument of using Windows for
>>>>>>>>> documentation, because 90% of their documentation is rambling
>>>>>>>>> crud. When
>>>>>>>>> you get an error and have an ID, the docs don't have the ID
>>>>>>>>> you want,
>>>>>>>>> you are hosed.
>>>>>>>> Unless you know what you're doing, the time it takes to get up on
>>>>>>>> user-land Linux compared with enterprise or microsoft
>>>>>>>> out-of-the-box-or-just-call-the-engineer is false economy.
>>>>>>>>> Again, I am running Debian Wheezy 7.5 64bit under XenServer
>>>>>>>>> 6.2 with the
>>>>>>>>> latest updates. The stable repos have an OLD version of S4,
>>>>>>>>> and I do not
>>>>>>>>> mind building it myself anyway.
>>>>>>>> Debian doesn't install samba unless you tell it?
>>>>>>>>> Finally, you have told me I need this and that, but no
>>>>>>>>> direction is
>>>>>>>>> noted.
>>>>>>>> http://bit.ly/1s8LTZc
>>>>>>>>
>>>>>>>>
>>>>>>> --
>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>>
>>
> Too late, I already replied ;-)
>
> Rowland
>
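A small diagnostic, added here as an example and not code from the thread: it parses the idmap ranges from the smb.conf FS01 posted and classifies the uid/gid values in Ryan's getent output by which idmap domain's range they fall in, so an id in the '*' range (70001-80000) is visibly a local tdb allocation rather than a uidNumber/gidNumber read from AD, which is the point Rowland makes above. The smb.conf excerpt and getent lines are constructed from the thread; range membership is the only check it performs.

```python
import re
# Constructed from the thread: the idmap lines of FS01's smb.conf.
SMB_CONF = """
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config TRUEVINE:backend = ad
idmap config TRUEVINE:schema_mode = rfc2307
idmap config TRUEVINE:range = 500-40000
"""
# Constructed from the thread: the getent passwd lines Ryan posted.
GETENT_PASSWD = """\
reachfp:*:70010:70002:reachfp:/home/TRUEVINE/reachfp:/bin/false
cynthiaj:*:70016:70002:Cynthia Jones:/home/TRUEVINE/cynthiaj:/bin/false
daquanm:*:70002:70002:DaQuan Major:/home/TRUEVINE/daquanm:/bin/false
"""
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+([^\s:]+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)

def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue  # not an idmap backend/range line (e.g. schema_mode)
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            domains.setdefault(dom, {})["range"] = (low, high)
        else:
            domains.setdefault(dom, {})["backend"] = val
    return domains

def classify_id(domains, num):
    """Idmap domain whose range holds num ('*' = local tdb allocation, not from AD); None if unranged."""
    for dom, entry in domains.items():
        low, high = entry.get("range", (1, 0))  # (1, 0) never matches
        if low <= num <= high:
            return dom
    return None

def audit_passwd(conf, getent_output):
    """Map account -> (uid, gid, uid_source, gid_source) from getent passwd lines."""
    domains = parse_idmap(conf)
    report = {}
    for line in getent_output.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # not a passwd entry
        uid, gid = int(fields[2]), int(fields[3])
        report[fields[0]] = (uid, gid, classify_id(domains, uid), classify_id(domains, gid))
    return report
if __name__ == "__main__":
    for name, (uid, gid, usrc, gsrc) in audit_passwd(SMB_CONF, GETENT_PASSWD).items():
        print(f"{name}: uid {uid} via '{usrc}', gid {gid} via '{gsrc}'")
```

With the posted ranges, classify_id reports 10001 as inside the TRUEVINE range, so the 70012 gid seen in the top message is not a range misconfiguration.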