[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Wed Aug 13 13:06:47 MDT 2014


Still no luck. I even tried adding "valid users = +"TRUEVINE\Staff"" to 
the staff share but no change. I did notice this in my logs though.

[2014/08/13 14:57:05.551413,  3] 
../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
   ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
[2014/08/13 14:57:05.551463,  3] 
../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
   ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
[2014/08/13 14:57:05.551489,  3] 
../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
   ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
[2014/08/13 14:57:05.551514,  3] 
../source3/libads/sasl.c:964(ads_sasl_spnego_bind)
   ads_sasl_spnego_bind: got server principal name = 
not_defined_in_RFC4178 at please_ignore
[2014/08/13 14:57:05.551621,  3] 
../lib/krb5_wrap/krb5_samba.c:499(ads_krb5_mk_req)
   ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
[2014/08/13 14:57:05.661384,  3] 
../lib/krb5_wrap/krb5_samba.c:266(ads_cleanup_expired_creds)
   ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] 
expiration Thu, 14 Aug 2014 00:57:05 EDT
[2014/08/13 14:57:05.727677,  3] 
../source3/winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid)
   msrpc_name_to_sid: name=TRUEVINE\STAFF
[2014/08/13 14:57:05.727730,  3] 
../source3/winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid)
   name_to_sid [rpc] TRUEVINE\STAFF for domain TRUEVINE
[2014/08/13 14:58:08.145175,  3] 
../source3/winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid)
   msrpc_name_to_sid: name=TRUEVINE\ROOT
[2014/08/13 14:58:08.145234,  3] 
../source3/winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid)
   name_to_sid [rpc] TRUEVINE\ROOT for domain TRUEVINE
[2014/08/13 15:01:29.069958,  3] 
../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains)
   [ 2059]: list trusted domains
[2014/08/13 15:01:29.070074,  3] 
../source3/winbindd/winbindd_ads.c:1419(trusted_domains)
   ads: trusted_domains

It tells me nothing but maybe somebody else here can say whether or not 
it is an issue. I Have got to get this up. At this point both myself and 
another Linux IT guy are blaming this on a bug. I mean let's look at 
this from a logical standpoint. The configuration file is correct. The 
ACLs are correct. Users and groups resolve. It just flat out denies 
access to anybody EXCEPT the domain admin.

On 08/13/2014 09:51 AM, Ryan Ashley wrote:
> I already tried removing it from the global section. I had the same 
> idea you do. Unfortunately, the only thing testparm shows as being 
> recognized is the path, comment, and read only flag. Still does not 
> work. I did open a bug report since I have now been through this LONG 
> email chain twice and tried everything as well as my variations on 
> everything several times now. It just seems to want to deny access. I 
> wish it was just denying it to 7, so I could blame 7, but it denies 
> access to all OSes including my Android phone and my Debian Wheezy 
> laptop.
>
> Thanks for your help, but I am not up yet. Maybe we'll get it sooner 
> rather than later. Also, I have set all shared directories to 777 and 
> all files in said directories to 666 until we get it working. Then I 
> can worry about locking it down.
>
> On 08/13/2014 12:30 AM, Davor Vusir wrote:
>> 2014-08-12 23:06 GMT+02:00 Ryan Ashley <ryana at reachtechfp.com>:
>>> Just so you know, those attributes only work in the global section. 
>>> I added
>>> them to my shares, but it does not use them. I was still unable to 
>>> access
>>> said shares after rebooting the member server to insure the changes 
>>> were
>>> accepted.
>>>
>> Sorry to hear that. I guess I'm out of ideas. For now...
>>
>>> root at fs01:~# testparm /etc/samba/smb.conf
>>> Load smb config files from /etc/samba/smb.conf
>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit 
>>> (16384)
>>> Processing section "[install$]"
>>> Processing section "[staff$]"
>>> Processing section "[fbc$]"
>>> Loaded services file OK.
>>> Server role: ROLE_DOMAIN_MEMBER
>>> Press enter to see a dump of your service definitions
>>>
>>> [global]
>>>          workgroup = TRUEVINE
>>>          realm = TRUEVINE.LAN
>>>          security = ADS
>>>          ntlm auth = No
>>>
>>>          dedicated keytab file = /etc/krb5.keytab
>>>          kerberos method = secrets and keytab
>>>          local master = No
>>>          domain master = No
>>>          winbind enum users = Yes
>>>          winbind enum groups = Yes
>>>          winbind use default domain = Yes
>>>          winbind nss info = rfc2307
>>>          idmap config TRUEVINE:range = 10001-40000
>>>          idmap config TRUEVINE:schema_mode = rfc2307
>>>          idmap config TRUEVINE:backend = ad
>>>          idmap config *:range = 70001-80000
>>>          idmap config * : backend = tdb
>>>          map acl inherit = Yes
>>>          store dos attributes = Yes
>>>          vfs objects = acl_xattr
>>>
>>> [install$]
>>>          comment = "Software installation files"
>>>          path = /home/shared/install
>>>          read only = No
>>>
>>> [staff$]
>>>          comment = "Staff file share"
>>>          path = /home/shared/staff
>>>          read only = No
>>>
>>> [fbc$]
>>>          comment = "Family Bible College file share"
>>>          path = /home/shared/fbc
>>>          read only = No
>>>
>>> As you can see, testparm ignores them in the share sections. I will 
>>> remove
>>> them since they do not work.
>>>
>> What happens if you remove them from the global section and only have
>> them in the share sections?
>>
>> Regards
>> Davor
>>
>>> On 8/12/2014 4:57 PM, Ryan Ashley wrote:
>>>> I do not have those attributes on my actual AD DC, only on my member
>>>> servers. I followed the guide to the letter and put them in global, 
>>>> but I
>>>> will happily try putting them in the share section as suggested. If 
>>>> it works
>>>> I will let you know. Thanks for the help. If this fixes it I will also
>>>> update my ticket and advise the guide be updated.
>>>>
>>>> On 8/12/2014 4:29 PM, Rowland Penny wrote:
>>>>> On 12/08/14 20:41, Davor Vusir wrote:
>>>>>> In my first setup, a combined (compiled) AD DC and file server I 
>>>>>> never
>>>>>> got it to work with "vfs objects = acl_xattr" in the global 
>>>>>> section. I
>>>>>> had two more shares and could not get the permissions to work 
>>>>>> until I
>>>>>> put "vfs objects = acl_xattr" in the share sections. The shares were
>>>>>> on LVM volumes mapped to directories later shared with Samba. My
>>>>>> conclusion is that "vfs objects = acl_xattr" in the global 
>>>>>> section on
>>>>>> a AD DC does not extend (or how to put it) beyond the netlogon and
>>>>>> sysvol shares. I have not tested this configuration on one (1) 
>>>>>> mounted
>>>>>> LVM volume where /usr/local and Sambashares reside.
>>>>>
>>>>> If you add "vfs objects = acl_xattr" to smb.conf on a Samba 4 AD 
>>>>> DC, you
>>>>> are turning off the 'dfs_samba4' vfs module. If you run 'testpam
>>>>> --suppress-prompt --verbose', you will find 'vfs objects = 
>>>>> dfs_samba4,
>>>>> acl_xattr'.
>>>>>
>>>>>> I have now changed the setup to a dedicated virtual AD DC and a
>>>>>> physical file server because of poor network performance. After the
>>>>>> switch I experienced the same; proper permissions denies 
>>>>>> access... The
>>>>>> setup is still the same; mounted LVM volumes later shared with 
>>>>>> samba.
>>>>>> By removing "vfs objects = acl_xattr, map acl inherit = Yes and 
>>>>>> store
>>>>>> dos attributes = Yes" from the global section, as mentioned in
>>>>>>
>>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs, 
>>>>>>
>>>>>
>>>>> You only add these line to a member server, they are not required 
>>>>> on the
>>>>> AD DC.
>>>>>
>>>>> Rowland
>>>>>
>>>>>> and instead putting "vfs objects = acl_xattr" in the share section
>>>>>> solves it. If you are using more vfs objects you may have to reorder
>>>>>> them. And I also noticed that removing Everyone from the Share tab
>>>>>> will neither let you edit nor remove ACE:s in the Security tab. So
>>>>>> first let Everyone be there, add Domain Admins, press Apply. Add
>>>>>> Domain Admins to the ACL, press Apply. Take ownership. After this
>>>>>> procedure you are able to edit ACE:s. This will not guarantee that
>>>>>> inheritence is correct. Again, "vfs objects = acl_xattr" in the 
>>>>>> global
>>>>>> section does not seem to extend beyond global section. And I'm not
>>>>>> sure why "map acl inherit = Yes and store dos attributes = Yes" 
>>>>>> are in
>>>>>> the global section (I'm using neither). Both belongs to a share
>>>>>> section according to
>>>>>> http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html.
>>>>>>
>>>>>> Hope it helps.
>>>>>>
>>>>>> Regards
>>>>>> Davor
>>>>>>
>>>>>>
>>> -- 
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>



More information about the samba mailing list