[Samba] Samba 4 AD share: Access denied

Rowland Penny rowlandpenny at googlemail.com
Fri Aug 8 10:51:38 MDT 2014


On 08/08/14 17:23, Ryan Ashley wrote:
> Alright, I went in and spent an hour verifying that every domain user 
> has a unique gidNumber and uidNumber, and that every group has a 
> unique gidNumber. Everybody does, and here are three users as proof.
>
> root at dc01:~# ldbsearch --url=/var/lib/samba/private/sam.ldb sAMAccountName=daquanm
> # record 1
> dn: CN=<hidden for privacy>,OU=Standard Users,OU=TVM,DC=truevine,DC=lan
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: DaQuan Major

Can I point out that there is not much point in doing something like this:

dn: CN=<hidden for privacy>

If you then do not alter this:

cn: DaQuan Major

It is very easy to come up with this:

dn: CN=DaQuan Major ;-)

Apart from that, there does not seem to be anything wrong with the users 
that you have posted, so the problem would seem to be elsewhere.

Do you have selinux or apparmor running on the server or client?
Firewall?
Is /etc/nsswitch set up correctly?
Have you removed that 'auth methods' line?
Is /etc/krb5.conf correct?

Rowland

> sn: Major
> givenName: DaQuan
> instanceType: 4
> whenCreated: 20140714195118.0Z
> displayName: DaQuan Major
> uSNCreated: 4016
> name: <hidden for privacy>
> objectGUID: 3674d02b-cb02-4f60-a681-7c5c4331b3f6
> codePage: 0
> countryCode: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-1282933182-1339137838-203774845-1117
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: daquanm
> sAMAccountType: 805306368
> userPrincipalName: daquanm at truevine.lan
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=truevine,DC=lan
> userAccountControl: 512
> pwdLastSet: 130500115540000000
> badPasswordTime: 130509892377138980
> badPwdCount: 0
> memberOf: CN=AudioVideo,OU=Standard Groups,OU=TVM,DC=truevine,DC=lan
> memberOf: CN=Staff,OU=Standard Groups,OU=TVM,DC=truevine,DC=lan
> uidNumber: 10004
> gidNumber: 10019
> whenChanged: 20140808160635.0Z
> uSNChanged: 124816
> distinguishedName: CN=<hidden for privacy>,OU=Standard Users,OU=TVM,DC=truevine,DC=lan
>
> # Referral
> ref: ldap://truevine.lan/CN=Configuration,DC=truevine,DC=lan
>
> # Referral
> ref: ldap://truevine.lan/DC=DomainDnsZones,DC=truevine,DC=lan
>
> # Referral
> ref: ldap://truevine.lan/DC=ForestDnsZones,DC=truevine,DC=lan
>
> # returned 4 records
> # 1 entries
> # 3 referrals
> root at dc01:~# ldbsearch --url=/var/lib/samba/private/sam.ldb sAMAccountName=reach_support
> # record 1
> dn: CN=Reach Support,OU=Standard Users,OU=TVM,DC=truevine,DC=lan
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Reach Support
> sn: Support
> givenName: Reach
> instanceType: 4
> whenCreated: 20140714194354.0Z
> displayName: Reach Support
> uSNCreated: 3978
> name: Reach Support
> objectGUID: ec33dabc-3cc0-4f45-82bf-2668f77330ac
> codePage: 0
> countryCode: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-1282933182-1339137838-203774845-1108
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: reach_support
> sAMAccountType: 805306368
> userPrincipalName: reach_support at truevine.lan
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=truevine,DC=lan
> userAccountControl: 66048
> lockoutTime: 0
> pwdLastSet: 130510333270000000
> badPasswordTime: 130517332316439030
> badPwdCount: 0
> memberOf: CN=VPN Users,OU=Standard Groups,OU=TVM,DC=truevine,DC=lan
> memberOf: CN=Staff,OU=Standard Groups,OU=TVM,DC=truevine,DC=lan
> memberOf: CN=AudioVideo,OU=Standard Groups,OU=TVM,DC=truevine,DC=lan
> memberOf: CN=FBC,OU=Standard Groups,OU=TVM,DC=truevine,DC=lan
> uidNumber: 10002
> gidNumber: 10017
> whenChanged: 20140808160527.0Z
> uSNChanged: 124814
> distinguishedName: CN=Reach Support,OU=Standard Users,OU=TVM,DC=truevine,DC=lan
>
> # Referral
> ref: ldap://truevine.lan/CN=Configuration,DC=truevine,DC=lan
>
> # Referral
> ref: ldap://truevine.lan/DC=DomainDnsZones,DC=truevine,DC=lan
>
> # Referral
> ref: ldap://truevine.lan/DC=ForestDnsZones,DC=truevine,DC=lan
>
> # returned 4 records
> # 1 entries
> # 3 referrals
> root at dc01:~# ldbsearch --url=/var/lib/samba/private/sam.ldb sAMAccountName=yolandab
> # record 1
> dn: CN=<hidden for privacy>,OU=Standard Users,OU=TVM,DC=truevine,DC=lan
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Yolanda Bennett
> sn: Bennett
> givenName: Yolanda
> instanceType: 4
> whenCreated: 20140714194958.0Z
> displayName: <hidden for privacy>
> uSNCreated: 4004
> name: Yolanda Bennett
> objectGUID: b65b3c8c-5b90-4ff2-b6c1-9570caea0437
> codePage: 0
> countryCode: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-1282933182-1339137838-203774845-1115
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: yolandab
> sAMAccountType: 805306368
> userPrincipalName: yolandab at truevine.lan
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=truevine,DC=lan
> userAccountControl: 512
> pwdLastSet: 130499222690000000
> badPasswordTime: 130499223708567390
> badPwdCount: 0
> memberOf: CN=Staff,OU=Standard Groups,OU=TVM,DC=truevine,DC=lan
> memberOf: CN=NewMembers,OU=Standard Groups,OU=TVM,DC=truevine,DC=lan
> memberOf: CN=AudioVideo,OU=Standard Groups,OU=TVM,DC=truevine,DC=lan
> uidNumber: 10013
> gidNumber: 10028
> whenChanged: 20140808161008.0Z
> uSNChanged: 124838
> distinguishedName: CN=<hidden for privacy>,OU=Standard Users,OU=TVM,DC=truevine,DC=lan
>
> # Referral
> ref: ldap://truevine.lan/CN=Configuration,DC=truevine,DC=lan
>
> # Referral
> ref: ldap://truevine.lan/DC=DomainDnsZones,DC=truevine,DC=lan
>
> # Referral
> ref: ldap://truevine.lan/DC=ForestDnsZones,DC=truevine,DC=lan
>
> # returned 4 records
> # 1 entries
> # 3 referrals
>
> My configuration file has not changed since I last posted it. As you 
> can see, smb.conf is configured for 10001-40000 and all of my 
> uidNumber/gidNumber attributes are well within that range. Still, it 
> is assigning 70001 and above, no matter what I do. You claim that I am 
> making this difficult, but I do not know what minor thing I am 
> missing. You had me setup reverse DNS zones, do the Kerberos keytab 
> thing, and all kinds of things I never knew about, but as you can 
> clearly see, despite your best efforts and mine, and despite the ID's 
> being in the correct range, it does not work. If it is so simple, what 
> am I overlooking? I am not trying to be rude, but I was told I am 
> making this difficult. I do not know how.
>
> On 08/08/2014 10:21 AM, Rowland Penny wrote:
>> On 08/08/14 14:45, Ryan Ashley wrote:
>>> Alright, I believe I figured something out, but may be mistaken. 
>>> Again, I don't see anything in plain English explaining, so this is 
>>> my guess. Please let me know if I am right.
>>>
>>> [global]
>>>   netbios name = FS01
>>>   workgroup = TRUEVINE
>>>   security = ADS
>>>   realm = TRUEVINE.LAN
>>>   encrypt passwords = yes
>>>   dedicated keytab file = /etc/krb5.keytab
>>>   kerberos method = secrets and keytab
>>>
>>>   idmap config *:backend = tdb
>>>   idmap config *:range = 70001-80000
>>>   idmap config TRUEVINE:backend = ad
>>>   idmap config TRUEVINE:schema_mode = rfc2307
>>>   idmap config TRUEVINE:range = 10001-40000
>>>
>>>   winbind nss info = rfc2307
>>>   winbind trusted domains only = no
>>>   winbind use default domain = yes
>>>   winbind enum users = yes
>>>   winbind enum groups = yes
>>>
>>>   vfs objects = acl_xattr
>>>   map acl inherit = yes
>>>   store dos attributes = yes
>>>   auth methods = winbind
>>>
>>> The line "idmap config *:range = 70001-80000" assigns a unique ID to 
>>> anybody who is not in the Truevine domain or who does not have a 
>>> uidNumber/gidNumber attribute set. Is this correct? This is where 
>>> all of my users and groups are getting ID's from.
>>>
>>> Now, the line "idmap config TRUEVINE:range = 10001-40000" is the 
>>> range of uidNumber/gidNumber attributes to search. This is the range 
>>> set aside for domain users and groups, so I assume if I set this to 
>>> something over 100k, it would never find anything. However, it is 
>>> not finding the uidNumber/gidNumber attributes in this range (which 
>>> is everybody) for some reason, and the users wind up with 70001 and 
>>> above for their ID's. So what am I doing wrong?
>>>
>>>
>> I know I said that I wouldn't post on this thread again, but you are 
>> doing my head in, you have taken a simple task and turned it into a 
>> farce!!!
>>
>> I advised you at least once to remove this line:
>>
>> auth methods = winbind
>>
>> Here is why (taken from 'man smb.conf')
>>
>>       auth methods (G)
>>
>>            This option allows the administrator to chose what authentication
>>            methods smbd will use when authenticating a user. This option
>>            defaults to sensible values based on security. This should be
>>            considered a developer option and used only in rare circumstances.
>>            In the majority (if not all) of production servers, the default
>>            setting should be adequate.
>>
>>            Default: auth methods =
>>
>> This is also from 'man smb.conf' (abridged):
>>
>>        idmap config:OPTION (G)
>>
>>            ID mapping in Samba is the mapping between Windows SIDs and Unix
>>            user and group IDs. This is performed by Winbindd with a
>>            configurable plugin interface. Samba's ID mapping is configured by
>>            options starting with the idmap config prefix. An idmap option
>>            consists of the idmap config prefix, followed by a domain name or
>>            the asterisk character (*), a colon, and the name of an idmap
>>            setting for the chosen domain.
>>
>>            The following example illustrates how to configure the idmap_ad(8)
>>            backend for the CORP domain and the idmap_tdb(8) backend for all
>>            other domains. This configuration assumes that the admin of CORP
>>            assigns unix ids below 1000000 via the SFU extensions, and winbind
>>            is supposed to use the next million entries for its own mappings
>>            from trusted domains and for local groups for example.
>>
>>                     idmap config * : backend = tdb
>>                     idmap config * : range = 1000000-1999999
>>
>>                     idmap config CORP : backend  = ad
>>                     idmap config CORP : range = 1000-999999
>>
>> YOURS:
>>
>>                     idmap config *:backend = tdb
>>                     idmap config *:range = 70001-80000
>>                     idmap config TRUEVINE:backend = ad
>>                     idmap config TRUEVINE:schema_mode = rfc2307
>>                     idmap config TRUEVINE:range = 10001-40000
>>
>> What the above means is that trusted domains and local groups will 
>> get mapped to numbers between 70001 and 80000, local groups etc being 
>> the windows builtin ones not UNIX ones.
>>
>> Your AD users will ONLY get pulled from AD if the 
>> uidNumbers/gidNumbers are between 10001 and 40000. ARE THEY ????
>>
>> Have you actually got any normal users with uidNumbers & 
>> gidNumbers? The last time I heard, you were trying to use the 
>> renamed Administrator account as a normal account.
>>
>> I would suggest that you go and take a running jump into Glenville 
>> Lake to cool off, then come back and re-read your posts again, you 
>> might then realise just what a Prat you are coming over as.
>>
>> This is definitely my last post on this thread
>>
>> Rowland
>>
>
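As an added illustration (not code from the thread or from the Samba project), the check below parses the `idmap config` lines of an smb.conf fragment and reports which users have a uidNumber or gidNumber missing or outside the domain's idmap range, which is the condition Rowland describes for idmap_ad pulling IDs from AD; the config fragment and LDIF records are constructed samples.

```python
import re

# Constructed smb.conf fragment modelled on the one quoted in the thread.
SMB_CONF = """
  idmap config *:backend = tdb
  idmap config *:range = 70001-80000
  idmap config TRUEVINE:backend = ad
  idmap config TRUEVINE:schema_mode = rfc2307
  idmap config TRUEVINE:range = 10001-40000
"""
# Constructed LDIF records: one user in range, one with no uidNumber, one out of range.
LDIF = """
sAMAccountName: userone
uidNumber: 10004
gidNumber: 10019

sAMAccountName: usertwo
gidNumber: 10017

sAMAccountName: userthree
uidNumber: 70005
gidNumber: 10028
"""

def parse_idmap(conf):
    """Map each idmap domain ('*' or a NetBIOS name) to its option dict."""
    cfg = {}
    for line in conf.splitlines():
        m = re.match(r"^\s*idmap config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(\S+)", line)
        if m:
            cfg.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return cfg

def parse_ldif(text):
    """Split blank-line-separated records into attribute -> value dicts."""
    return [dict(l.split(": ", 1) for l in blk.splitlines())
            for blk in text.strip().split("\n\n")]

def check_users(conf, ldif, domain):
    """Return {account: [problems]}; [] means both IDs lie inside the domain range."""
    cfg = parse_idmap(conf)
    lo, hi = (int(x) for x in cfg[domain]["range"].split("-"))
    report = {}
    for rec in parse_ldif(ldif):
        problems = []
        for attr in ("uidNumber", "gidNumber"):
            if attr not in rec:
                problems.append(f"missing {attr}")
            elif not lo <= int(rec[attr]) <= hi:
                problems.append(f"{attr}={rec[attr]} outside {lo}-{hi}")
        report[rec["sAMAccountName"]] = problems
    return report
```

Feeding it real `ldbsearch` output for each account gives a quick list of which users cannot be mapped from their rfc2307 attributes and will not get IDs from the domain range.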