[Samba] Samba 4 AD share: Access denied
Rowland Penny
rowlandpenny at googlemail.com
Fri Aug 15 08:14:56 MDT 2014
On 15/08/14 14:34, Ryan Ashley wrote:
> I removed the 70028 (SYSTEM) group a few days ago thinking it might be
> the issue. I will post my information one final time in an attempt to
> show you that I am doing this the correct way, now with functioning
> PAM support on the member server. If you want ANYTHING else, I will do
> it, just ask. Nothing would make me happier than to be out of your
> hair. I did not come here with the intent to upset people, I simply
> wanted help.
>
> root at fs01:~# cat /etc/samba/smb.conf
> [global]
> netbios name = FS01
> workgroup = TRUEVINE
> security = ADS
> realm = TRUEVINE.LAN
> encrypt passwords = true
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config TRUEVINE:backend = ad
> idmap config TRUEVINE:schema_mode = rfc2307
> idmap config TRUEVINE:range = 10001-40000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
>
> # ntlm auth = no
> # lanman auth = no
> # client ntlmv2 auth = yes
>
> domain master = no
> local master = no
> preferred master = no
>
> vfs objects = acl_xattr
> map acl inherit = yes
> acl group control = yes
> store dos attributes = yes
>
> [install$]
> path = /home/shared/install
> comment = "Software installation files"
> read only = no
>
> [staff$]
> path = /home/shared/staff
> comment = "Staff file share"
> read only = no
> create mask = 0660
> force create mode = 0660
> directory mask = 0770
> force directory mode = 0770
>
> [fbc$]
> path = /home/shared/fbc
> comment = "Family Bible College file share"
> read only = no
> create mask = 0660
> force create mode = 0660
> directory mask = 0770
> force directory mode = 0770
>
OK, the only problem that I can see in your smb.conf is this:
create mask = 0660
force create mode = 0660
directory mask = 0770
force directory mode = 0770
As you are using Windows ACLs (vfs objects = acl_xattr), you should not
be setting these. They are applied to the POSIX mode bits of every file
and directory Samba creates, so they can leave the permissions Samba
actually sets out of step with the ACL it intended to set, and the
inherited (default:) ACLs you already have on the share directories make
them unnecessary anyway. Remove them and let the ACLs decide what gets
created.
> getfacl: Removing leading '/' from absolute path names
> # file: home/shared/install/
> # owner: reachfp
> # group: domain\040admins
> # flags: -s-
> user::rwx
> group::rwx
> other::---
>
> root at fs01:~# getfacl /home/shared/staff/
> getfacl: Removing leading '/' from absolute path names
> # file: home/shared/staff/
> # owner: reachfp
> # group: staff
> # flags: -s-
> user::rwx
> user:reachfp:rwx
> group::rwx
> group:staff:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:reachfp:rwx
> default:group::---
> default:group:staff:rwx
> default:mask::rwx
> default:other::---
>
> root at fs01:~# getfacl /home/shared/fbc
> getfacl: Removing leading '/' from absolute path names
> # file: home/shared/fbc
> # owner: reachfp
> # group: fbc
> # flags: -s-
> user::rwx
> user:reachfp:rwx
> group::rwx
> group:fbc:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:reachfp:rwx
> default:group::---
> default:group:fbc:rwx
> default:mask::rwx
> default:other::---
>
> root at fs01:~# id yolandab
> uid=10014(yolandab) gid=20002(domain users) groups=20002(domain
> users),20041(staff),20040(newmembers),20038(audiovideo),70002(BUILTIN\users)
>
> root at fs01:~# id reach_support
> uid=10003(reach_support) gid=20002(domain users) groups=20002(domain
> users),20042(vpn
> users),20041(staff),20038(audiovideo),20039(fbc),20040(newmembers),70002(BUILTIN\users)
>
> root at fs01:~# id daquanm
> uid=10005(daquanm) gid=20002(domain users) groups=20002(domain
> users),20038(audiovideo),20041(staff),70002(BUILTIN\users)
>
> root at fs01:~# iptables -S
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
>
> root at fs01:~# cat /etc/krb5.conf
> [libdefaults]
> default_realm = TRUEVINE.LAN
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> root at fs01:~# cat /etc/pam.d/common-account
> account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
> account requisite pam_deny.so
> account required pam_permit.so
> account [default=bad success=ok user_unknown=ignore] pam_winbind.so
>
> root at fs01:~# cat /etc/pam.d/common-auth
> auth [success=1 default=ignore] pam_unix.so nullok_secure
> auth requisite pam_deny.so
> auth required pam_permit.so
> auth sufficient pam_winbind.so use_first_pass
>
> root at fs01:~# cat /etc/pam.d/common-password
> password [success=1 default=ignore] pam_unix.so obscure
> sha512
> password requisite pam_deny.so
> password required pam_permit.so
> password sufficient pam_winbind.so use_authtok
>
> root at fs01:~# cat /etc/pam.d/common-session
> session [default=1] pam_permit.so
> session requisite pam_deny.so
> session required pam_permit.so
> session required pam_unix.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond
> quiet use_uid
>
These are the lines from my PAM files. Note the module order in the
account and auth stacks: pam_winbind sits before 'requisite pam_deny.so',
so a user that pam_unix does not recognise falls through to winbind. In
your files pam_winbind comes after pam_deny, so any user pam_unix rejects
is refused before winbind is ever consulted. (Whether smbd consults PAM
at all for this share depends on settings not shown here, so this is
probably not what is denying the share, but it will affect logins on the
member server.)
cat /etc/pam.d/common-account
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so
account required pam_krb5.so minimum_uid=1000
cat /etc/pam.d/common-auth
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure
try_first_pass
auth [success=1 default=ignore] pam_winbind.so krb5_auth
krb5_ccache_type=FILE cached_login try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
cat /etc/pam.d/common-password
password [success=3 default=ignore] pam_krb5.so minimum_uid=1000
password [success=2 default=ignore] pam_unix.so obscure
use_authtok try_first_pass sha512
password [success=1 default=ignore] pam_winbind.so use_authtok
try_first_pass
password requisite pam_deny.so
password required pam_permit.so
password optional pam_gnome_keyring.so
password optional pam_ecryptfs.so
cat /etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session optional pam_krb5.so minimum_uid=1000
session required pam_unix.so
session optional pam_winbind.so
session optional pam_systemd.so
session optional pam_ecryptfs.so unwrap
session optional pam_ck_connector.so nox11
Try removing the lines from smb.conf that I have indicated and see how
you go on. (Your iptables output shows every chain at policy ACCEPT with
no rules, so the firewall is not what is blocking you, though you will
want to tighten that before the server goes into service.)
I would still suggest that you stop building Samba4 yourself. I seem to
remember that you are using Debian Wheezy; if you use backports (I can
provide instructions) you will get 4.1.9, and seeing as 4.1.11 is in
Jessie it is likely that backports will be updated to that very soon.
A packaged Samba also means security fixes arrive through apt instead of
depending on you noticing a release and rebuilding. If you do go with
the Debian packages and install the required PAM packages, the PAM files
will be altered for you, giving you the module order shown above.
Rowland
> root at fs01:~# l /lib/security/
> total 0
> lrwxrwxrwx 1 root root 32 Aug 14 23:19 pam_winbind.so ->
> /usr/lib/security/pam_winbind.so
>
> root at fs01:~# l /lib | grep winbind
> lrwxrwxrwx 1 root root 28 Aug 15 09:24 libnss_winbind.so ->
> /usr/lib/libnss_winbind.so.2
>
> root at fs01:~# getent passwd
> ...
> shamekias:*:10012:20002:<hidden for privacy>:/home/shamekias:/bin/sh
> richards:*:10011:20002:<hidden for privacy>:/home/richards:/bin/sh
> yolandab:*:10014:20002:<hidden for privacy>:/home/yolandab:/bin/sh
> joyces:*:10009:20002:<hidden for privacy>:/home/joyces:/bin/sh
> patriceb:*:10010:20002:<hidden for privacy>:/home/patriceb:/bin/sh
> cynthiaj:*:10004:20002:<hidden for privacy>:/home/cynthiaj:/bin/sh
> jessicaj:*:10007:20002:<hidden for privacy>:/home/jessicaj:/bin/sh
> reach_support:*:10003:20002:Reach Support:/home/reach_support:/bin/sh
> daquanm:*:10005:20002:<hidden for privacy>:/home/daquanm:/bin/sh
> ernestj:*:10006:20002:<hidden for privacy>:/home/ernestj:/bin/sh
> jovanm:*:10008:20002:<hidden for privacy>:/home/jovanm:/bin/sh
> thomasa:*:10013:20002:<hidden for privacy>:/home/thomasa:/bin/sh
> reachfp:*:10001:20002:Reach Technology FP:/home/reachfp:/bin/sh
> guest:*:10002:20005:Guest Domain User:/home/Guest:/bin/sh
>
> root at fs01:~# getent group
> ...
> allowed rodc password replication group:x:20012:
> enterprise read-only domain controllers:x:20007:
> denied rodc password replication group:x:20014:
> read-only domain controllers:x:20010:
> audiovideo:x:20038:
> group policy creator owners:x:20008:
> newmembers:x:20040:
> vpn users:x:20042:
> staff:x:20041:
> fbc:x:20039:
> ras and ias servers:x:20009:
> domain controllers:x:20004:
> enterprise admins:x:20006:
> domain computers:x:20003:
> cert publishers:x:20013:
> dnsupdateproxy:x:20016:
> domain admins:x:20001:
> domain guests:x:20005:
> schema admins:x:20011:
> domain users:x:20002:
> dnsadmins:x:20015:
>
> Now if you can tell me where in my configuration I am wrong, I will
> gladly apologize for all of the trouble and I will not bother you
> again. I already apologized to you and Steve personally for whatever
> it was I did to get under your skin, but you told me I needed to do
> more googling. I did, and when I found out, from the Samba build
> parameters page, that PAM was not built by default and mentioned it, I
> was attacked for that also, despite me providing proof on the Samba
> wiki. If googling returns false results and you want me to search for
> results, what do I do? Do you see my predicament now? I come here and
> am told to search. I search and find a fix to one of my issues and I
> am told I am wrong. How do I know what to believe?
>
> On 08/15/2014 08:48 AM, Rowland Penny wrote:
>>
>> OK, getting a bit fed up with this now, so I setup a share on my test
>> domain, the share is on one PC running Linux Mint 17 and I connected
>> from another, again running Linux Mint 17. The two AD DC are running
>> Debian 7.5 with samba 4.1.9 from backports, the two Mint machines are
>> both running samba 4.1.6 .
>>
>> This is the ACL's from the share:
>>
>> getfacl /home/shared/staff/
>> getfacl: Removing leading '/' from absolute path names
>> # file: home/shared/staff/
>> # owner: emily
>> # group: administration
>> user::rwx
>> user:emily:rwx
>> group::rwx
>> group:administration:rwx
>> group:domain_admins:rwx
>> mask::rwx
>> other::rwx
>> default:user::rwx
>> default:user:emily:rwx
>> default:group::---
>> default:group:administration:rwx
>> default:group:domain_admins:rwx
>> default:mask::rwx
>> default:other::---
>>
>> Virtually the same as the OP, mostly just lacking 'group:70028:rwx'
>>
>> Running 'id rowland' gets me this:
>>
>> uid=10000(rowland) gid=10000(domain_users)
>> groups=10000(domain_users),10001(administration),2001(BUILTIN\users)
>>
>> As you can see, rowland is not mentioned in the shares ACL's, but is
>> a member of the group 'administration' which is.
>>
>> So I now try to connect from the other PC:
>>
>> smbclient //EmilysPC/staff
>> Enter rowland's password:
>> Domain=[HOME] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
>> smb: \> ls
>> . D 0 Fri Aug 15 12:55:50
>> 2014
>> .. D 0 Fri Aug 15 12:55:50
>> 2014
>>
>> 55743 blocks of size 8388608. 43330 blocks available
>> smb: \> quit
>>
>> So as far as I can see there is no problem, what do you think ?
>>
>> Rowland
>