[Samba] Samba 4 AD share: Access denied
Ryan Ashley
ryana at reachtechfp.com
Fri Aug 15 08:19:21 MDT 2014
I added those lines based on recommendations from another list user who
contacted me off-list. I will remove them after I send this email.
As for the backports, I did try this, but I kept getting broken
dependencies. I have an open thread on the Debian forums attempting to
work this out right now. I would be happy to hear your methodology for
installing it though.
Do I need PAM for simple file-sharing though? Somebody said I did and
somebody else said I did not. You and Steve seem to be the Samba
authority here, so I will take your word for it.
On 08/15/2014 10:14 AM, Rowland Penny wrote:
> On 15/08/14 14:34, Ryan Ashley wrote:
>> I removed the 70028 (SYSTEM) group a few days ago thinking it might
>> be the issue. I will post my information one final time in an attempt
>> to show you that I am doing this the correct way, now with
>> functioning PAM support on the member server. If you want ANYTHING
>> else, I will do it, just ask. Nothing would make me happier than to
>> be out of your hair. I did not come here with the intent to upset
>> people, I simply wanted help.
>>
>> root at fs01:~# cat /etc/samba/smb.conf
>> [global]
>> netbios name = FS01
>> workgroup = TRUEVINE
>> security = ADS
>> realm = TRUEVINE.LAN
>> encrypt passwords = true
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 70001-80000
>> idmap config TRUEVINE:backend = ad
>> idmap config TRUEVINE:schema_mode = rfc2307
>> idmap config TRUEVINE:range = 10001-40000
>>
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind refresh tickets = yes
>>
>> # ntlm auth = no
>> # lanman auth = no
>> # client ntlmv2 auth = yes
>>
>> domain master = no
>> local master = no
>> preferred master = no
>>
>> vfs objects = acl_xattr
>> map acl inherit = yes
>> acl group control = yes
>> store dos attributes = yes
>>
>> [install$]
>> path = /home/shared/install
>> comment = "Software installation files"
>> read only = no
>>
>> [staff$]
>> path = /home/shared/staff
>> comment = "Staff file share"
>> read only = no
>> create mask = 0660
>> force create mode = 0660
>> directory mask = 0770
>> force directory mode = 0770
>>
>> [fbc$]
>> path = /home/shared/fbc
>> comment = "Family Bible College file share"
>> read only = no
>> create mask = 0660
>> force create mode = 0660
>> directory mask = 0770
>> force directory mode = 0770
>>
>
> OK, only problem that I can see in your smb.conf is this:
>
> create mask = 0660
> force create mode = 0660
> directory mask = 0770
> force directory mode = 0770
>
> As you are using ACLs, you should not be using the above; ACLs
> supersede the above lines.
>
>> getfacl: Removing leading '/' from absolute path names
>> # file: home/shared/install/
>> # owner: reachfp
>> # group: domain\040admins
>> # flags: -s-
>> user::rwx
>> group::rwx
>> other::---
>>
>> root at fs01:~# getfacl /home/shared/staff/
>> getfacl: Removing leading '/' from absolute path names
>> # file: home/shared/staff/
>> # owner: reachfp
>> # group: staff
>> # flags: -s-
>> user::rwx
>> user:reachfp:rwx
>> group::rwx
>> group:staff:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:reachfp:rwx
>> default:group::---
>> default:group:staff:rwx
>> default:mask::rwx
>> default:other::---
>>
>> root at fs01:~# getfacl /home/shared/fbc
>> getfacl: Removing leading '/' from absolute path names
>> # file: home/shared/fbc
>> # owner: reachfp
>> # group: fbc
>> # flags: -s-
>> user::rwx
>> user:reachfp:rwx
>> group::rwx
>> group:fbc:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:reachfp:rwx
>> default:group::---
>> default:group:fbc:rwx
>> default:mask::rwx
>> default:other::---
>>
>> root at fs01:~# id yolandab
>> uid=10014(yolandab) gid=20002(domain users) groups=20002(domain users),20041(staff),20040(newmembers),20038(audiovideo),70002(BUILTIN\users)
>>
>>
>> root at fs01:~# id reach_support
>> uid=10003(reach_support) gid=20002(domain users) groups=20002(domain users),20042(vpn users),20041(staff),20038(audiovideo),20039(fbc),20040(newmembers),70002(BUILTIN\users)
>>
>> root at fs01:~# id daquanm
>> uid=10005(daquanm) gid=20002(domain users) groups=20002(domain users),20038(audiovideo),20041(staff),70002(BUILTIN\users)
>>
>> root at fs01:~# iptables -S
>> -P INPUT ACCEPT
>> -P FORWARD ACCEPT
>> -P OUTPUT ACCEPT
>>
>> root at fs01:~# cat /etc/krb5.conf
>> [libdefaults]
>> default_realm = TRUEVINE.LAN
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> root at fs01:~# cat /etc/pam.d/common-account
>> account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
>> account requisite pam_deny.so
>> account required pam_permit.so
>> account [default=bad success=ok user_unknown=ignore] pam_winbind.so
>>
>> root at fs01:~# cat /etc/pam.d/common-auth
>> auth [success=1 default=ignore] pam_unix.so nullok_secure
>> auth requisite pam_deny.so
>> auth required pam_permit.so
>> auth sufficient pam_winbind.so use_first_pass
>>
>> root at fs01:~# cat /etc/pam.d/common-password
>> password [success=1 default=ignore] pam_unix.so obscure sha512
>> password requisite pam_deny.so
>> password required pam_permit.so
>> password sufficient pam_winbind.so use_authtok
>>
>> root at fs01:~# cat /etc/pam.d/common-session
>> session [default=1] pam_permit.so
>> session requisite pam_deny.so
>> session required pam_permit.so
>> session required pam_unix.so
>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>>
>
> These are the lines from my PAM files:
>
> cat /etc/pam.d/common-account
> account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
> account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
> account requisite pam_deny.so
> account required pam_permit.so
> account required pam_krb5.so minimum_uid=1000
>
> cat /etc/pam.d/common-auth
> auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
> auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
> auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
> auth requisite pam_deny.so
> auth required pam_permit.so
> auth optional pam_ecryptfs.so unwrap
> auth optional pam_cap.so
>
> cat /etc/pam.d/common-password
> password [success=3 default=ignore] pam_krb5.so minimum_uid=1000
> password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
> password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
> password requisite pam_deny.so
> password required pam_permit.so
> password optional pam_gnome_keyring.so
> password optional pam_ecryptfs.so
>
> cat /etc/pam.d/common-session
> session [default=1] pam_permit.so
> session requisite pam_deny.so
> session required pam_permit.so
> session optional pam_umask.so
> session optional pam_krb5.so minimum_uid=1000
> session required pam_unix.so
> session optional pam_winbind.so
> session optional pam_systemd.so
> session optional pam_ecryptfs.so unwrap
> session optional pam_ck_connector.so nox11
>
>
> Try removing the lines from smb.conf that I have indicated and see how
> you go on.
>
> I would still suggest that you stop building Samba4 yourself; I seem
> to remember that you are using Debian Wheezy. If you use backports (I
> can provide instructions) you will get 4.1.9, but seeing as how 4.1.11
> is in Jessie it is likely that backports will be updated to this very
> soon. If you do go with the Debian packages and install the required
> PAM packages, you will get the PAM files altered for you.
>
> Rowland
>
>> root at fs01:~# l /lib/security/
>> total 0
>> lrwxrwxrwx 1 root root 32 Aug 14 23:19 pam_winbind.so -> /usr/lib/security/pam_winbind.so
>>
>> root at fs01:~# l /lib | grep winbind
>> lrwxrwxrwx 1 root root 28 Aug 15 09:24 libnss_winbind.so -> /usr/lib/libnss_winbind.so.2
>>
>> root at fs01:~# getent passwd
>> ...
>> shamekias:*:10012:20002:<hidden for privacy>:/home/shamekias:/bin/sh
>> richards:*:10011:20002:<hidden for privacy>:/home/richards:/bin/sh
>> yolandab:*:10014:20002:<hidden for privacy>:/home/yolandab:/bin/sh
>> joyces:*:10009:20002:<hidden for privacy>:/home/joyces:/bin/sh
>> patriceb:*:10010:20002:<hidden for privacy>:/home/patriceb:/bin/sh
>> cynthiaj:*:10004:20002:<hidden for privacy>:/home/cynthiaj:/bin/sh
>> jessicaj:*:10007:20002:<hidden for privacy>:/home/jessicaj:/bin/sh
>> reach_support:*:10003:20002:Reach Support:/home/reach_support:/bin/sh
>> daquanm:*:10005:20002:<hidden for privacy>:/home/daquanm:/bin/sh
>> ernestj:*:10006:20002:<hidden for privacy>:/home/ernestj:/bin/sh
>> jovanm:*:10008:20002:<hidden for privacy>:/home/jovanm:/bin/sh
>> thomasa:*:10013:20002:<hidden for privacy>:/home/thomasa:/bin/sh
>> reachfp:*:10001:20002:Reach Technology FP:/home/reachfp:/bin/sh
>> guest:*:10002:20005:Guest Domain User:/home/Guest:/bin/sh
>>
>> root at fs01:~# getent group
>> ...
>> allowed rodc password replication group:x:20012:
>> enterprise read-only domain controllers:x:20007:
>> denied rodc password replication group:x:20014:
>> read-only domain controllers:x:20010:
>> audiovideo:x:20038:
>> group policy creator owners:x:20008:
>> newmembers:x:20040:
>> vpn users:x:20042:
>> staff:x:20041:
>> fbc:x:20039:
>> ras and ias servers:x:20009:
>> domain controllers:x:20004:
>> enterprise admins:x:20006:
>> domain computers:x:20003:
>> cert publishers:x:20013:
>> dnsupdateproxy:x:20016:
>> domain admins:x:20001:
>> domain guests:x:20005:
>> schema admins:x:20011:
>> domain users:x:20002:
>> dnsadmins:x:20015:
>>
>> Now if you can tell me where in my configuration I am wrong, I will
>> gladly apologize for all of the trouble and I will not bother you
>> again. I already apologized to you and Steve personally for whatever
>> it was I did to get under your skin, but you told me I needed to do
>> more googling. I did, and when I found out, from the Samba build
>> parameters page, that PAM was not built by default and mentioned it,
>> I was attacked for that also, despite me providing proof on the Samba
>> wiki. If googling returns false results and you want me to search for
>> results, what do I do? Do you see my predicament now? I come here and
>> am told to search. I search and find a fix to one of my issues and I
>> am told I am wrong. How do I know what to believe?
>>
>> On 08/15/2014 08:48 AM, Rowland Penny wrote:
>>>
>>> OK, getting a bit fed up with this now, so I set up a share on my
>>> test domain. The share is on one PC running Linux Mint 17 and I
>>> connected from another, again running Linux Mint 17. The two AD DCs
>>> are running Debian 7.5 with Samba 4.1.9 from backports; the two Mint
>>> machines are both running Samba 4.1.6.
>>>
>>> These are the ACLs from the share:
>>>
>>> getfacl /home/shared/staff/
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: home/shared/staff/
>>> # owner: emily
>>> # group: administration
>>> user::rwx
>>> user:emily:rwx
>>> group::rwx
>>> group:administration:rwx
>>> group:domain_admins:rwx
>>> mask::rwx
>>> other::rwx
>>> default:user::rwx
>>> default:user:emily:rwx
>>> default:group::---
>>> default:group:administration:rwx
>>> default:group:domain_admins:rwx
>>> default:mask::rwx
>>> default:other::---
>>>
>>> Virtually the same as the OP, mostly just lacking 'group:70028:rwx'
>>>
>>> Running 'id rowland' gets me this:
>>>
>>> uid=10000(rowland) gid=10000(domain_users)
>>> groups=10000(domain_users),10001(administration),2001(BUILTIN\users)
>>>
>>> As you can see, rowland is not mentioned in the share's ACLs, but is
>>> a member of the group 'administration', which is.
>>>
>>> So I now try to connect from the other PC:
>>>
>>> smbclient //EmilysPC/staff
>>> Enter rowland's password:
>>> Domain=[HOME] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
>>> smb: \> ls
>>> .  D  0  Fri Aug 15 12:55:50 2014
>>> ..  D  0  Fri Aug 15 12:55:50 2014
>>>
>>> 55743 blocks of size 8388608. 43330 blocks available
>>> smb: \> quit
>>>
>>> So as far as I can see there is no problem. What do you think?
>>>
>>> Rowland
>>
>
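The thread turns on whether the filesystem ACLs quoted above actually grant the AD users access, so here is an added example (mine, not code from any poster) that evaluates the POSIX.1e access algorithm from acl(5) against getfacl(1) and id(1) output: owner first, then a named user entry, then every matching owning or named group entry, then other, with the mask applied to named users and all group entries and default entries ignored because they only shape new children. The sample strings are constructed from the thread's own output with the mail quote markers stripped; the function names parse_getfacl, parse_id, allowed and effective are my own.

```python
import re

# Constructed sample input: the getfacl(1) and id(1) output posted in the
# thread, quote markers removed. Default entries are kept so the parser has
# to skip them, as the kernel does when checking access.
GETFACL_INSTALL = """\
# file: home/shared/install/
# owner: reachfp
# group: domain\\040admins
# flags: -s-
user::rwx
group::rwx
other::---
"""

GETFACL_STAFF = """\
# file: home/shared/staff/
# owner: reachfp
# group: staff
user::rwx
user:reachfp:rwx
group::rwx
group:staff:rwx
mask::rwx
other::---
default:user::rwx
default:user:reachfp:rwx
default:group::---
default:group:staff:rwx
default:mask::rwx
default:other::---
"""

# The fbc share carries the same entries with 'fbc' in place of 'staff'.
GETFACL_FBC = GETFACL_STAFF.replace("staff", "fbc")

ID_YOLANDAB = ("uid=10014(yolandab) gid=20002(domain users) groups=20002(domain users),"
               "20041(staff),20040(newmembers),20038(audiovideo),70002(BUILTIN\\users)")
ID_REACH_SUPPORT = ("uid=10003(reach_support) gid=20002(domain users) groups=20002(domain users),"
                    "20042(vpn users),20041(staff),20038(audiovideo),20039(fbc),20040(newmembers),"
                    "70002(BUILTIN\\users)")
ID_DAQUANM = ("uid=10005(daquanm) gid=20002(domain users) groups=20002(domain users),"
              "20038(audiovideo),20041(staff),70002(BUILTIN\\users)")


def _unescape(name):
    # getfacl writes spaces and non-printables as octal escapes ('domain\040admins').
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """Return {'owner', 'group', 'entries'} with the access ACL as (tag, qualifier, perms)."""
    acl = {"owner": None, "group": None, "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*(owner|group):\s*(.+)$", line)
            if m:
                acl[m.group(1)] = _unescape(m.group(2))
            continue
        if line.startswith("default:"):
            continue  # inherited by new files only, never consulted for access
        tag, qualifier, perms = line.split(":")
        acl["entries"].append((tag, _unescape(qualifier), perms))
    return acl


def parse_id(text):
    """Return (user, set of group names incl. the primary group) from id(1) output."""
    m = re.match(r"uid=\d+\(([^)]*)\)\s+gid=\d+\(([^)]*)\)\s+groups=(.*)", text.strip())
    if not m:
        raise ValueError("unrecognised id(1) output")
    groups = set(re.findall(r"\d+\(([^)]*)\)", m.group(3)))
    groups.add(m.group(2))
    return m.group(1), groups


def _bits(perms):
    return set(perms) - {"-"}


def allowed(acl, user, groups, requested):
    """acl(5) ALGORITHM: owner, named user, matching group entries, other."""
    want = _bits(requested)
    entries = acl["entries"]
    mask = next((_bits(p) for t, q, p in entries if t == "mask"), None)

    def masked(p):  # the mask bounds named users and every group entry
        return _bits(p) if mask is None else _bits(p) & mask

    if user == acl["owner"]:
        return want <= _bits(next(p for t, q, p in entries if t == "user" and q == ""))
    for t, q, p in entries:
        if t == "user" and q == user:
            return want <= masked(p)
    matching = [masked(p) for t, q, p in entries if t == "group"
                and ((q == "" and acl["group"] in groups) or (q != "" and q in groups))]
    if matching:  # access if any one matching group entry covers the request
        return any(want <= m for m in matching)
    return want <= _bits(next(p for t, q, p in entries if t == "other"))


def effective(acl, user, groups):
    """Permission bits the ACL grants this identity, as an 'rwx'-style string."""
    return "".join(b if allowed(acl, user, groups, b) else "-" for b in "rwx")


if __name__ == "__main__":
    for share, text in (("install", GETFACL_INSTALL), ("staff", GETFACL_STAFF), ("fbc", GETFACL_FBC)):
        acl = parse_getfacl(text)
        for id_line in (ID_YOLANDAB, ID_REACH_SUPPORT, ID_DAQUANM):
            user, groups = parse_id(id_line)
            print(f"{share:8} {user:14} {effective(acl, user, groups)}")
```

Run against the posted data, yolandab and daquanm get rwx on the staff share through their 'staff' membership, reach_support gets rwx on fbc through 'fbc', and daquanm gets nothing on fbc and nobody but the owner or 'domain admins' gets anything on install. That tells you which "Access denied" results the filesystem ACL alone explains and which must come from somewhere else in the stack (idmap, winbind group resolution, or the Samba share definition).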
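Rowland's one concrete finding is the create mask / force create mode / directory mask / force directory mode block on the staff$ and fbc$ shares while vfs_acl_xattr is loaded. As an added example (my own, not from any poster) here is a small check that reads an smb.conf and lists, per share, which of those four parameters are set wherever acl_xattr is in effect, honouring Samba's rule that a share-level "vfs objects" overrides the one in [global]. The embedded smb.conf is a constructed copy of the one posted in the thread; parse_smb_conf and mode_params_under_acl_xattr are my own names.

```python
# Constructed sample: the smb.conf posted in the thread, quote markers
# stripped and one of the commented-out lines kept to exercise the parser.
SMB_CONF = """\
[global]
netbios name = FS01
workgroup = TRUEVINE
security = ADS
realm = TRUEVINE.LAN
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config TRUEVINE:backend = ad
idmap config TRUEVINE:schema_mode = rfc2307
idmap config TRUEVINE:range = 10001-40000
# ntlm auth = no
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

[install$]
path = /home/shared/install
comment = "Software installation files"
read only = no

[staff$]
path = /home/shared/staff
read only = no
create mask = 0660
force create mode = 0660
directory mask = 0770
force directory mode = 0770

[fbc$]
path = /home/shared/fbc
read only = no
create mask = 0660
force create mode = 0660
directory mask = 0770
force directory mode = 0770
"""

# The four parameters Rowland says to drop when ACLs are in use.
MODE_PARAMS = ("create mask", "force create mode", "directory mask", "force directory mode")


def parse_smb_conf(text):
    """Minimal smb.conf reader: [section] headers, 'key = value' lines, '#'/';' comments.
    Keys are lower-cased because Samba treats parameter names case-insensitively."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        key, sep, value = line.partition("=")
        if not sep or current is None:
            raise ValueError(f"unparseable smb.conf line: {raw!r}")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def mode_params_under_acl_xattr(sections):
    """{share: [params]} for each share where acl_xattr is loaded (share-level
    'vfs objects' wins over [global]) and any of MODE_PARAMS is still set."""
    global_vfs = sections.get("global", {}).get("vfs objects", "")
    findings = {}
    for name, params in sections.items():
        if name == "global":
            continue
        if "acl_xattr" not in params.get("vfs objects", global_vfs).split():
            continue
        hits = [p for p in MODE_PARAMS if p in params]
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for share, params in mode_params_under_acl_xattr(parse_smb_conf(SMB_CONF)).items():
        print(f"[{share}] sets {', '.join(params)} while acl_xattr is active")
```

On the posted configuration this reports staff$ and fbc$ with all four parameters and stays silent on install$, which is exactly the span Rowland quotes; rerun it after editing the file to confirm nothing was left behind.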