[Samba] Samba 4 AD share: Access denied
Ryan Ashley
ryana at reachtechfp.com
Mon Aug 11 10:11:42 MDT 2014
Just so it can be avoided, all shares had directory permissions of 777
and file permissions of 666. Still getting access denied. I just changed
permissions to 770 and 660 for security. I can change them back if needed.
root at fs01:/home/shared# l
total 40
drwxrws---+ 6 reachfp fbc 4096 Jul 23 11:31 fbc
drwxrwsrwx 8 reachfp domain admins 4096 Jul 23 11:14 install
drwx------ 2 root root 16384 Jul 15 10:00 lost+found
drwxrws---+ 13 reachfp staff 4096 Jul 23 11:30 staff
root at fs01:/home/shared# l -n
total 40
drwxrws---+ 6 10001 10030 4096 Jul 23 11:31 fbc
drwxrwsrwx 8 10001 10002 4096 Jul 23 11:14 install
drwx------ 2 0 0 16384 Jul 15 10:00 lost+found
drwxrws---+ 13 10001 10032 4096 Jul 23 11:30 staff
root at fs01:/home/shared#
root at fs01:/home/shared# getent group
<snipped out the UNIX groups>
allowed rodc password replication group:x:10007:
enterprise read-only domain controllers:x:10013:
denied rodc password replication group:x:10009:krbtgt
read-only domain controllers:x:10015:
audiovideo:x:10029:reach_support,yolandab,daquanm,richards
group policy creator owners:x:10014:reachfp
newmembers:x:10031:cynthiaj,joyces,yolandab,jovanm,thomasa
vpn users:x:10033:reach_support
staff:x:10032:reach_support,ernestj,cynthiaj,joyces,yolandab,jovanm,daquanm,patriceb,jessicaj,shamekias,thomasa,richards
fbc:x:10030:reach_support,ernestj,cynthiaj,joyces,jessicaj
ras and ias servers:x:10015:
domain controllers:x:10005:
enterprise admins:x:10012:reachfp
domain computers:x:10004:
cert publishers:x:10008:
dnsupdateproxy:x:10011:
domain admins:x:10002:reachfp
domain guests:x:10006:
schema admins:x:10016:reachfp
domain users:x:10003:
dnsadmins:x:10010:
root at fs01:/home/shared# getent passwd
<snipped the UNIX stuff again>
shamekias:*:10011:10003:<???>:/home/TRUEVINE/shamekias:/bin/false
richards:*:10010:10003:<???>:/home/TRUEVINE/richards:/bin/false
yolandab:*:10013:10003:<???>:/home/TRUEVINE/yolandab:/bin/false
joyces:*:10008:10003:<???>:/home/TRUEVINE/joyces:/bin/false
patriceb:*:10009:10003:<???>:/home/TRUEVINE/patriceb:/bin/false
cynthiaj:*:10003:10003:<???>:/home/TRUEVINE/cynthiaj:/bin/false
jessicaj:*:10006:10003:<???>:/home/TRUEVINE/jessicaj:/bin/false
reach_support:*:10002:10003:Reach Support:/home/TRUEVINE/reach_support:/bin/false
daquanm:*:10004:10003:<???>:/home/TRUEVINE/daquanm:/bin/false
ernestj:*:10005:10003:<???>:/home/TRUEVINE/ernestj:/bin/false
jovanm:*:10007:10003:<???>:/home/TRUEVINE/jovanm:/bin/false
thomasa:*:10012:10003:<???>:/home/TRUEVINE/thomasa:/bin/false
reachfp:*:10001:10003:reachfp:/home/TRUEVINE/reachfp:/bin/false
root at fs01:/home/shared#
On 08/11/2014 11:52 AM, Ryan Ashley wrote:
> Just to let everybody know, I rebuilt S4 from scratch using
> "--with-shared-modules=idmap_ad" in the configuration parameters, and
> now I am getting the correct ID's on both member servers. Now my issue
> is that despite this, only the domain admin can browse the mapped
> drives. Permissions are correct on all shares (I redid them by hand)
> but people in those groups are NOT allowed access despite having "full
> control" over the share.
>
> At least we made some progress. Now what should I look at since the
> ID's are being pulled from AD correctly? My nsswitch.conf is set to
> use winbind and winbind is running. Everything appears to work
> correctly on both servers including same ID and such, but it still
> denies access to everybody EXCEPT the owner.
>
> On 08/11/2014 09:48 AM, Ryan Ashley wrote:
>> Thank you for that information. I just ran the command on our
>> print-server and it appears to be using the correct configuration
>> file, but there are LOADS of extra parameters I am assuming are at
>> default settings. However, I do not appear to have /var/run/samba or
>> /var/lock/samba directories. I am going to create those and see if it
>> helps, but if it does I do not know why.
>>
>> Also, I cannot seem to be able to install the S4 packages from
>> backports onto ANY Wheezy system, including my laptop. The
>> "samba4-common-bin" is configured to depend on "python-samba" but the
>> only version available is 4.0.x so it won't install. I am working
>> that issue out on the Debian forums and it may result in a bug report.
>>
>> root at ps01:~# testparm -v /etc/samba/smb.conf
>> Load smb config files from /etc/samba/smb.conf
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> Processing section "[printers]"
>> Processing section "[print$]"
>> Processing section "[Xerox7545]"
>> Loaded services file OK.
>> ERROR: lock directory /var/lock/samba does not exist
>> ERROR: pid directory /var/run/samba does not exist
>> Server role: ROLE_DOMAIN_MEMBER
>> Press enter to see a dump of your service definitions
>>
>> [global]
>> dos charset = CP850
>> unix charset = UTF-8
>> workgroup = TRUEVINE
>> realm = TRUEVINE.LAN
>> netbios name = PS01
>> netbios aliases =
>> netbios scope =
>> server string = Samba 4.1.11
>> interfaces =
>> bind interfaces only = No
>> server role = auto
>> security = ADS
>> auth methods = winbind
>> encrypt passwords = Yes
>> client schannel = Auto
>> server schannel = Auto
>> allow trusted domains = Yes
>> map to guest = Never
>> null passwords = No
>> obey pam restrictions = No
>> password server = *
>> smb passwd file = /var/lib/samba/private/smbpasswd
>> private dir = /var/lib/samba/private
>> passdb backend = tdbsam
>> algorithmic rid base = 1000
>> root directory =
>> guest account = nobody
>> enable privileges = Yes
>> pam password change = No
>> passwd program =
>> passwd chat = *new*password* %n\n *new*password* %n\n *changed*
>> passwd chat debug = No
>> passwd chat timeout = 2
>> check password script =
>> username map =
>> username level = 0
>> unix password sync = No
>> restrict anonymous = 0
>> lanman auth = No
>> ntlm auth = Yes
>> client NTLMv2 auth = Yes
>> client lanman auth = No
>> client plaintext auth = No
>> client use spnego principal = No
>> preload modules =
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> map untrusted to domain = No
>> log level = 2
>> syslog = 1
>> syslog only = No
>> log file =
>> max log size = 5000
>> debug timestamp = Yes
>> debug prefix timestamp = No
>> debug hires timestamp = Yes
>> debug pid = No
>> debug uid = No
>> debug class = No
>> enable core files = Yes
>> smb ports = 445, 139
>> large readwrite = Yes
>> server max protocol = SMB3
>> server min protocol = LANMAN1
>> client max protocol = NT1
>> client min protocol = CORE
>> unicode = Yes
>> min receivefile size = 0
>> read raw = Yes
>> write raw = Yes
>> disable netbios = No
>> reset on zero vc = No
>> log writeable files on exit = No
>> defer sharing violations = Yes
>> nt pipe support = Yes
>> nt status support = Yes
>> max mux = 50
>> max xmit = 16644
>> name resolve order = lmhosts, wins, host, bcast
>> max ttl = 259200
>> max wins ttl = 518400
>> min wins ttl = 21600
>> time server = No
>> unix extensions = Yes
>> use spnego = Yes
>> client signing = default
>> server signing = default
>> client use spnego = Yes
>> client ldap sasl wrapping = plain
>> enable asu support = No
>> svcctl list =
>> cldap port = 0
>> dgram port = 0
>> nbt port = 0
>> krb5 port = 0
>> kpasswd port = 0
>> web port = 0
>> rpc big endian = No
>> deadtime = 0
>> getwd cache = Yes
>> keepalive = 300
>> lpq cache time = 30
>> max smbd processes = 0
>> max disk size = 0
>> max open files = 16384
>> socket options = TCP_NODELAY
>> use mmap = Yes
>> use ntdb = No
>> hostname lookups = No
>> name cache timeout = 660
>> ctdbd socket =
>> cluster addresses =
>> clustering = No
>> ctdb timeout = 0
>> ctdb locktime warn threshold = 0
>> smb2 max read = 1048576
>> smb2 max write = 1048576
>> smb2 max trans = 1048576
>> smb2 max credits = 8192
>> load printers = Yes
>> printcap cache time = 750
>> printcap name =
>> cups server =
>> cups encrypt = No
>> cups connection timeout = 30
>> iprint server =
>> disable spoolss = No
>> addport command =
>> enumports command =
>> addprinter command =
>> deleteprinter command =
>> show add printer wizard = Yes
>> os2 driver map =
>> mangling method = hash2
>> mangle prefix = 1
>> max stat cache size = 256
>> stat cache = Yes
>> machine password timeout = 604800
>> add user script =
>> rename user script =
>> delete user script =
>> add group script =
>> delete group script =
>> add user to group script =
>> delete user from group script =
>> set primary group script =
>> add machine script =
>> shutdown script =
>> abort shutdown script =
>> username map script =
>> username map cache time = 0
>> logon script =
>> logon path = \\%N\%U\profile
>> logon drive =
>> logon home = \\%N\%U
>> domain logons = No
>> init logon delayed hosts =
>> init logon delay = 100
>> os level = 20
>> lm announce = Auto
>> lm interval = 60
>> preferred master = No
>> local master = Yes
>> domain master = Auto
>> browse list = Yes
>> enhanced browsing = Yes
>> dns proxy = Yes
>> wins proxy = No
>> wins server =
>> wins support = No
>> wins hook =
>> lock spin time = 200
>> oplock break wait time = 0
>> ldap admin dn =
>> ldap delete dn = No
>> ldap group suffix =
>> ldap idmap suffix =
>> ldap machine suffix =
>> ldap passwd sync = no
>> ldap replication sleep = 1000
>> ldap suffix =
>> ldap ssl = start tls
>> ldap ssl ads = No
>> ldap deref = auto
>> ldap follow referral = Auto
>> ldap timeout = 15
>> ldap connection timeout = 2
>> ldap page size = 1024
>> ldap user suffix =
>> ldap debug level = 0
>> ldap debug threshold = 10
>> eventlog list =
>> add share command =
>> change share command =
>> delete share command =
>> preload =
>> lock directory = /var/lock/samba
>> state directory = /var/lib/samba
>> cache directory = /var/cache/samba
>> pid directory = /var/run/samba
>> ntp signd socket directory =
>> utmp directory =
>> wtmp directory =
>> utmp = No
>> default service =
>> message command =
>> get quota command =
>> set quota command =
>> remote announce =
>> remote browse sync =
>> nbt client socket address = 0.0.0.0
>> nmbd bind explicit broadcast = Yes
>> homedir map = auto.home
>> afs username map =
>> afs token lifetime = 604800
>> log nt token command =
>> NIS homedir = No
>> registry shares = No
>> usershare allow guests = No
>> usershare max shares = 0
>> usershare owner only = Yes
>> usershare path = /var/lib/samba/usershares
>> usershare prefix allow list =
>> usershare prefix deny list =
>> usershare template share =
>> async smb echo handler = No
>> panic action =
>> perfcount module =
>> host msdfs = Yes
>> passdb expand explicit = No
>> idmap backend = tdb
>> idmap cache time = 604800
>> idmap negative cache time = 120
>> idmap uid =
>> idmap gid =
>> template homedir = /home/%D/%U
>> template shell = /bin/false
>> winbind separator = \
>> winbind cache time = 300
>> winbind reconnect delay = 30
>> winbind max clients = 200
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> winbind trusted domains only = No
>> winbind nested groups = Yes
>> winbind expand groups = 1
>> winbind nss info = rfc2307
>> winbind refresh tickets = No
>> winbind offline logon = No
>> winbind normalize names = No
>> winbind rpc only = No
>> create krb5 conf = Yes
>> ncalrpc dir = /var/run/samba/ncalrpc
>> winbind max domain connections = 1
>> winbindd socket directory =
>> winbindd privileged socket directory =
>> winbind sealed pipes = No
>> allow dns updates = disabled
>> dns forwarder =
>> dns update command =
>> nsupdate command =
>> rndc command =
>> multicast dns register = Yes
>> samba kcc command =
>> server services =
>> dcerpc endpoint servers =
>> spn update command =
>> share backend =
>> tls enabled = No
>> tls keyfile =
>> tls certfile =
>> tls cafile =
>> tls crlfile =
>> tls dh params file =
>> spoolss: architecture = Windows x64
>> rpc_daemon:spoolssd = fork
>> rpc_server:spoolss = external
>> idmap config TRUEVINE:range = 10000-40000
>> idmap config TRUEVINE:schema_mode = rfc2307
>> idmap config TRUEVINE:backend = ad
>> idmap config *:range = 70001-80000
>> idmap config * : backend = tdb
>> comment =
>> path =
>> username =
>> invalid users =
>> valid users =
>> admin users =
>> read list =
>> write list =
>> force user =
>> force group =
>> read only = Yes
>> acl check permissions = Yes
>> acl group control = No
>> acl map full control = Yes
>> acl allow execute always = No
>> create mask = 0744
>> force create mode = 00
>> directory mask = 0755
>> force directory mode = 00
>> force unknown acl user = No
>> inherit permissions = No
>> inherit acls = No
>> inherit owner = No
>> guest only = No
>> administrative share = No
>> guest ok = No
>> only user = No
>> hosts allow =
>> hosts deny =
>> allocation roundup size = 1048576
>> aio read size = 0
>> aio write size = 0
>> aio write behind =
>> ea support = No
>> nt acl support = Yes
>> profile acls = No
>> map acl inherit = Yes
>> afs share = No
>> smb encrypt = default
>> durable handles = Yes
>> block size = 1024
>> change notify = Yes
>> directory name cache size = 100
>> kernel change notify = Yes
>> max connections = 0
>> min print space = 0
>> strict allocate = No
>> strict sync = No
>> sync always = No
>> use sendfile = No
>> write cache size = 0
>> max reported print jobs = 0
>> max print jobs = 1000
>> printable = No
>> print notify backchannel = Yes
>> print ok = No
>> printing = cups
>> cups options =
>> print command =
>> lpq command = %p
>> lprm command =
>> lppause command =
>> lpresume command =
>> queuepause command =
>> queueresume command =
>> printer name =
>> use client driver = No
>> default devmode = Yes
>> force printername = No
>> printjob username = %U
>> default case = lower
>> case sensitive = Auto
>> preserve case = Yes
>> short preserve case = Yes
>> mangling char = ~
>> hide dot files = Yes
>> hide special files = No
>> hide unreadable = No
>> hide unwriteable files = No
>> delete veto files = No
>> veto files =
>> hide files =
>> veto oplock files =
>> map archive = Yes
>> map hidden = No
>> map system = No
>> map readonly = yes
>> mangled names = Yes
>> store dos attributes = Yes
>> dmapi support = No
>> browseable = Yes
>> access based share enum = No
>> blocking locks = Yes
>> csc policy = manual
>> fake oplocks = No
>> kernel oplocks = No
>> kernel share modes = Yes
>> locking = Yes
>> oplocks = Yes
>> level2 oplocks = Yes
>> oplock contention limit = 2
>> posix locking = Yes
>> strict locking = Auto
>> dfree cache time = 0
>> dfree command =
>> copy =
>> preexec =
>> preexec close = No
>> postexec =
>> root preexec =
>> root preexec close = No
>> root postexec =
>> available = Yes
>> volume =
>> fstype = NTFS
>> wide links = No
>> follow symlinks = Yes
>> dont descend =
>> magic script =
>> magic output =
>> delete readonly = No
>> dos filemode = No
>> dos filetimes = Yes
>> dos filetime resolution = No
>> fake directory create times = No
>> vfs objects = acl_xattr
>> msdfs root = No
>> msdfs proxy =
>> ntvfs handler =
>>
>> [printers]
>> path = /var/spool/samba
>> printable = Yes
>> print ok = Yes
>> browseable = No
>>
>> [print$]
>> comment = Printer drivers
>> path = /srv/samba/printer_drivers
>> read only = No
>>
>> [Xerox7545]
>> path = /var/spool/samba
>> printable = Yes
>> print ok = Yes
>> printer name = Xerox_WC_7545
>>
>> On 08/10/2014 02:54 AM, Davor Vusir wrote:
>>> 2014-08-09 23:41 GMT+02:00 Ryan Ashley <ryana at reachtechfp.com>:
>>>> Alright, I am calling it quits for the day unless somebody knows
>>>> what I have screwed up here. If I do "getent passwd" it shows all
>>>> local and domain users, and the domain users have the wrong ID's.
>>>> If I do "getent passwd <domain user>" I get absolutely nothing.
>>>> Obviously I have done something wrong here, but I have no clue what.
>>>> This behavior started after modifying the configuration file though.
>>>> The modifications Rowland showed me in his. That tells me that maybe
>>>> it is trying to do something right and cannot. I have one last idea
>>>> of my own, then I will be installing the backports version Monday on
>>>> a clean VM.
>>>>
>>> Hey Ryan!
>>>
>>> I noticed when I ran 'testparm -v /etc/samba/smb.conf | more' that
>>> samba is using the directories (lock directory =
>>> /usr/local/samba/var/lock) from the old selfcompiled installation.
>>> Now I'm using the Sernet package.
>>>
>>> When I run 'testparm -v | more' it reads
>>> /usr/local/samba/etc/smb.conf instead of /etc/samba/smb.conf and shows
>>> only one out of two share definitions.
>>>
>>> The file /etc/samba/smb.conf is copied from an old AD DC server config
>>> and later edited. The hidden entries like "lock directory =" above are
>>> present.
>>>
>>> Are you perhaps experiencing the same?
>>>
>>> Regards
>>> Davor
>>>
>>
>
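As an added illustration (not part of the thread, and not Samba's own code), the script below reads the kind of `ls -n`, `getent group` and `getent passwd` output quoted at the top of this message and works out, per user and per share directory, which POSIX mode triad applies (owner, group via primary or supplementary membership, or other) and whether that triad allows entering and listing the directory. The sample data is constructed from the quoted output (group member lists trimmed), so it runs offline; the `check`/`report` names are this example's own.

```python
from dataclasses import dataclass

# Sample input constructed from the thread's `ls -n` and `getent` output
# (member lists trimmed); it is not live winbind output.
LS_OUTPUT = """\
drwxrws---+ 6 10001 10030 4096 Jul 23 11:31 fbc
drwxrwsrwx 8 10001 10002 4096 Jul 23 11:14 install
drwxrws---+ 13 10001 10032 4096 Jul 23 11:30 staff
"""
GETENT_GROUP = """\
domain admins:x:10002:reachfp
domain users:x:10003:
fbc:x:10030:reach_support,ernestj,cynthiaj,joyces,jessicaj
staff:x:10032:reach_support,ernestj,cynthiaj,joyces,yolandab,jovanm
"""
GETENT_PASSWD = """\
reachfp:*:10001:10003:reachfp:/home/TRUEVINE/reachfp:/bin/false
ernestj:*:10005:10003:<???>:/home/TRUEVINE/ernestj:/bin/false
yolandab:*:10013:10003:<???>:/home/TRUEVINE/yolandab:/bin/false
reach_support:*:10002:10003:Reach Support:/home/TRUEVINE/reach_support:/bin/false
"""

@dataclass
class DirEntry:
    name: str
    mode: str       # ten-character mode string, e.g. "drwxrws---"
    uid: int
    gid: int
    has_acl: bool   # ls prints a trailing '+' when a POSIX ACL is attached

def parse_ls(text):
    """Parse `ls -ln` lines into DirEntry objects keyed by directory name."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue
        perm, _links, uid, gid, _size, _mon, _day, _time, name = parts
        entries[name] = DirEntry(name, perm.rstrip("+"), int(uid), int(gid),
                                 perm.endswith("+"))
    return entries

def parse_groups(text):
    """Map gid -> set of supplementary member names from `getent group`."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            _name, _pw, gid, members = line.split(":", 3)
            groups[int(gid)] = {m for m in members.split(",") if m}
    return groups

def parse_passwd(text):
    """Map user name -> (uid, primary gid) from `getent passwd`."""
    users = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users

def triad(mode, cls):
    """(r, w, x) for one triad; 's'/'t' in the x slot mean x is set (setgid/sticky)."""
    offset = {"owner": 1, "group": 4, "other": 7}[cls]
    r, w, x = mode[offset:offset + 3]
    return (r == "r", w == "w", x in "xst")

def access_class(entry, user, users, groups):
    """Which triad the kernel applies: owner, group (primary or supplementary) or other."""
    uid, primary_gid = users[user]
    if uid == 0:
        return "root"
    if uid == entry.uid:
        return "owner"
    supplementary = {gid for gid, members in groups.items() if user in members}
    if entry.gid == primary_gid or entry.gid in supplementary:
        return "group"
    return "other"

ENTRIES = parse_ls(LS_OUTPUT)
GROUPS = parse_groups(GETENT_GROUP)
USERS = parse_passwd(GETENT_PASSWD)

def check(share, user):
    """Return (class, can_enter, can_list): entering needs x, listing needs r."""
    entry = ENTRIES[share]
    cls = access_class(entry, user, USERS, GROUPS)
    if cls == "root":
        return cls, True, True
    r, _w, x = triad(entry.mode, cls)
    return cls, x, r

def report(share, user):
    cls, enter, listing = check(share, user)
    line = f"{user:14s} {share:8s} class={cls:5s} enter={enter!s:5s} list={listing!s:5s}"
    if ENTRIES[share].has_acl:
        # With a POSIX ACL attached, the group triad ls shows is the ACL mask, not the
        # owning group's entry, and named user/group ACEs are invisible here: run getfacl.
        line += "  (ACL present: mode bits are not the whole story)"
    return line

if __name__ == "__main__":
    for share in ENTRIES:
        for user in USERS:
            print(report(share, user))
```

Two things this makes visible: membership in the owning group (`fbc` is gid 10030, `staff` is 10032) is what grants a non-owner entry to a `770` directory, so the `getent group` membership winbind reports is the first thing to confirm for a denied user; and the trailing `+` on `fbc` and `staff` means an ACL is attached, in which case the group triad printed by `ls` is the ACL mask rather than the owning group's rights, so `getfacl` on the directory is needed before concluding the permissions are correct.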