[Samba] Samba 4 AD share: Access denied
Rowland Penny
rowlandpenny at googlemail.com
Fri Aug 15 06:48:29 MDT 2014
On 15/08/14 04:54, Ryan Ashley wrote:
> I just had a thought and would like some input. I just discovered a
> major flaw in the member server guide (it doesn't build the PAM
> modules by default, the guide does not tell you to build them, and
> once you modify your PAM settings, you can no longer login to the box)
> due to a change in the way Samba builds. It no longer builds the PAM
> stuff by default nor does the guide tell you to add "--with-pam" to
> the configuration. Is it possible that something I need has also been
> turned off by default? Right now my member servers are built with
> "--with-ads --with-pam --with-shared-modules=idmap_ad". I do not add
> ANY of those to my AD DC. Do I need PAM, ADS, or anything else on my
> actual DC? Will it hurt to build ADS or PAM on the DC? Is it possible
> that something I need is not built on the DC and the DC is not
> authenticating my requests to the shares on the member server?
>
> On 8/14/2014 11:38 PM, Ryan Ashley wrote:
>> Alright, I do not know why my first reply to this still has not come
>> back, but I mentioned wanting to try this anyway. I finally did. It
>> took some time because the member server guide does not give
>> instructions for building the PAM modules, and they are not built by
>> default, so I spent hours figuring it out. Anyway, PAM now works, but
>> I still get access denied for the shares from the Windows systems.
>>
>> Now, here is my current theory as to my issue. Back in 4.0 almost
>> everything was built by default. When I did a basic build I got PAM,
>> idmap_ad, everything. Now after viewing the build parameters page on
>> the wiki, I see loads of things which are not built by default
>> anymore. I believe something I need is not being built. What it is, I
>> do not know. I do have the rfc2307 things in my configuration file on
>> the member server and winbind is pulling the correct IDs for both
>> users and groups, so it works. Both getent and id show the correct
>> information. I have also added the user to their groups both the
>> Windows AD way and the NIS group way. Still, only domain admins can
>> access the share at all. Is there a permission I need to grant to
>> domain users for viewing shares they are supposed to have access to?
>> I did grant the domain admins group the permission mentioned in the
>> member server guide, but nothing was granted to other groups.
>>
>> On 8/14/2014 3:44 PM, Sébastien Le Ray wrote:
>>> Hi,
>>>
>>> There's no need to configure PAM to get a working setup
>>>
>>> Do you have the rfc2307 stuff in your fileserver smb.conf and do all
>>> your groups have an assigned Unix GID? Did you try running winbindd
>>> in "debug" mode?
>>>
>>> Regards
>>>
>>> Le 2014-08-14 21:01, Ryan Ashley a écrit :
>>>> Well, guess I will be configuring PAM! On a side note, I finally got
>>>> my UNIX Attributes tab! I assigned all built-in groups IDs starting
>>>> at 20001 and all built-in user accounts IDs starting at 10001.
>>>> Assigned primary groups and all, and it went VERY smoothly. No change
>>>> though. I still cannot access the shares as a normal user. Yes, I did
>>>> reboot the file-server and chown the shares to the new IDs.
>>>>
>>>> Anyway, I will do the PAM configuration now. Just one question. How
>>>> can I prevent login if I do the PAM configuration? Also, why did it
>>>> work without PAM for weeks? On top of that, why do my other locations
>>>> without any PAM configuration work fine and have worked fine for up to
>>>> two years? Seems odd that this one location requires PAM.
>>>>
>>
>
OK, getting a bit fed up with this now, so I set up a share on my test
domain. The share is on one PC running Linux Mint 17 and I connected
from another, again running Linux Mint 17. The two AD DCs are running
Debian 7.5 with samba 4.1.9 from backports; the two Mint machines are
both running samba 4.1.6.
These are the ACLs from the share:
getfacl /home/shared/staff/
getfacl: Removing leading '/' from absolute path names
# file: home/shared/staff/
# owner: emily
# group: administration
user::rwx
user:emily:rwx
group::rwx
group:administration:rwx
group:domain_admins:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:emily:rwx
default:group::---
default:group:administration:rwx
default:group:domain_admins:rwx
default:mask::rwx
default:other::---
Virtually the same as the OP, mostly just lacking 'group:70028:rwx'
Running 'id rowland' gets me this:
uid=10000(rowland) gid=10000(domain_users)
groups=10000(domain_users),10001(administration),2001(BUILTIN\users)
As you can see, rowland is not mentioned in the share's ACLs, but is a
member of the group 'administration', which is.
So I now try to connect from the other PC:
smbclient //EmilysPC/staff
Enter rowland's password:
Domain=[HOME] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
smb: \> ls
. D 0 Fri Aug 15 12:55:50 2014
.. D 0 Fri Aug 15 12:55:50 2014
55743 blocks of size 8388608. 43330 blocks available
smb: \> quit
So as far as I can see there is no problem. What do you think?
Rowland