[Samba] Samba 4 AD share: Access denied
Rowland Penny
rowlandpenny at googlemail.com
Fri Aug 15 08:31:43 MDT 2014
On 15/08/14 15:19, Ryan Ashley wrote:
> I added those lines based on recommendations from another list user
> who contacted me off-list. I will remove them after I send this email.
>
> As for the backports, I did try this, but I kept getting broken
> dependencies. I have an open thread on the Debian forums attempting to
> work this out right now. I would be happy to hear your methodology for
> installing it though.
I 'think' that what happened is that you added some packages with '-t
wheezy-backports' in the apt-get line and then tried to install
something without '-t wheezy-backports'. The package that you tried to
add was available from the standard repos but conflicted with the samba
packages that you had installed from backports. The cure is to add '-t
wheezy-backports' to the apt-get line if this happens, and you should
then get the right package installed.
>
> Do I need PAM for simple file-sharing though? Somebody said I did and
> somebody else said I did not. You and Steve seem to be the Samba
> authority here, so I will take your word for it.
>
Do you need PAM? In a word, YES.
Rowland
> On 08/15/2014 10:14 AM, Rowland Penny wrote:
>> On 15/08/14 14:34, Ryan Ashley wrote:
>>> I removed the 70028 (SYSTEM) group a few days ago thinking it might
>>> be the issue. I will post my information one final time in an
>>> attempt to show you that I am doing this the correct way, now with
>>> functioning PAM support on the member server. If you want ANYTHING
>>> else, I will do it, just ask. Nothing would make me happier than to
>>> be out of your hair. I did not come here with the intent to upset
>>> people, I simply wanted help.
>>>
>>> root at fs01:~# cat /etc/samba/smb.conf
>>> [global]
>>> netbios name = FS01
>>> workgroup = TRUEVINE
>>> security = ADS
>>> realm = TRUEVINE.LAN
>>> encrypt passwords = true
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>>
>>> idmap config *:backend = tdb
>>> idmap config *:range = 70001-80000
>>> idmap config TRUEVINE:backend = ad
>>> idmap config TRUEVINE:schema_mode = rfc2307
>>> idmap config TRUEVINE:range = 10001-40000
>>>
>>> winbind nss info = rfc2307
>>> winbind trusted domains only = no
>>> winbind use default domain = yes
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind refresh tickets = yes
>>>
>>> # ntlm auth = no
>>> # lanman auth = no
>>> # client ntlmv2 auth = yes
>>>
>>> domain master = no
>>> local master = no
>>> preferred master = no
>>>
>>> vfs objects = acl_xattr
>>> map acl inherit = yes
>>> acl group control = yes
>>> store dos attributes = yes
>>>
>>> [install$]
>>> path = /home/shared/install
>>> comment = "Software installation files"
>>> read only = no
>>>
>>> [staff$]
>>> path = /home/shared/staff
>>> comment = "Staff file share"
>>> read only = no
>>> create mask = 0660
>>> force create mode = 0660
>>> directory mask = 0770
>>> force directory mode = 0770
>>>
>>> [fbc$]
>>> path = /home/shared/fbc
>>> comment = "Family Bible College file share"
>>> read only = no
>>> create mask = 0660
>>> force create mode = 0660
>>> directory mask = 0770
>>> force directory mode = 0770
>>>
>>
>> OK, the only problem that I can see in your smb.conf is this:
>>
>> create mask = 0660
>> force create mode = 0660
>> directory mask = 0770
>> force directory mode = 0770
>>
>> As you are using ACLs, you should not be using the above; ACLs
>> supersede the above lines.
>>
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: home/shared/install/
>>> # owner: reachfp
>>> # group: domain\040admins
>>> # flags: -s-
>>> user::rwx
>>> group::rwx
>>> other::---
>>>
>>> root at fs01:~# getfacl /home/shared/staff/
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: home/shared/staff/
>>> # owner: reachfp
>>> # group: staff
>>> # flags: -s-
>>> user::rwx
>>> user:reachfp:rwx
>>> group::rwx
>>> group:staff:rwx
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:reachfp:rwx
>>> default:group::---
>>> default:group:staff:rwx
>>> default:mask::rwx
>>> default:other::---
>>>
>>> root at fs01:~# getfacl /home/shared/fbc
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: home/shared/fbc
>>> # owner: reachfp
>>> # group: fbc
>>> # flags: -s-
>>> user::rwx
>>> user:reachfp:rwx
>>> group::rwx
>>> group:fbc:rwx
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:reachfp:rwx
>>> default:group::---
>>> default:group:fbc:rwx
>>> default:mask::rwx
>>> default:other::---
>>>
>>> root at fs01:~# id yolandab
>>> uid=10014(yolandab) gid=20002(domain users) groups=20002(domain users),20041(staff),20040(newmembers),20038(audiovideo),70002(BUILTIN\users)
>>>
>>>
>>> root at fs01:~# id reach_support
>>> uid=10003(reach_support) gid=20002(domain users) groups=20002(domain users),20042(vpn users),20041(staff),20038(audiovideo),20039(fbc),20040(newmembers),70002(BUILTIN\users)
>>>
>>> root at fs01:~# id daquanm
>>> uid=10005(daquanm) gid=20002(domain users) groups=20002(domain users),20038(audiovideo),20041(staff),70002(BUILTIN\users)
>>>
>>> root at fs01:~# iptables -S
>>> -P INPUT ACCEPT
>>> -P FORWARD ACCEPT
>>> -P OUTPUT ACCEPT
>>>
>>> root at fs01:~# cat /etc/krb5.conf
>>> [libdefaults]
>>> default_realm = TRUEVINE.LAN
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>>
>>> root at fs01:~# cat /etc/pam.d/common-account
>>> account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
>>> account requisite pam_deny.so
>>> account required pam_permit.so
>>> account [default=bad success=ok user_unknown=ignore] pam_winbind.so
>>>
>>> root at fs01:~# cat /etc/pam.d/common-auth
>>> auth [success=1 default=ignore] pam_unix.so nullok_secure
>>> auth requisite pam_deny.so
>>> auth required pam_permit.so
>>> auth sufficient pam_winbind.so use_first_pass
>>>
>>> root at fs01:~# cat /etc/pam.d/common-password
>>> password [success=1 default=ignore] pam_unix.so obscure sha512
>>> password requisite pam_deny.so
>>> password required pam_permit.so
>>> password sufficient pam_winbind.so use_authtok
>>>
>>> root at fs01:~# cat /etc/pam.d/common-session
>>> session [default=1] pam_permit.so
>>> session requisite pam_deny.so
>>> session required pam_permit.so
>>> session required pam_unix.so
>>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>>>
>>
>> These are the lines from my PAM files:
>>
>> cat /etc/pam.d/common-account
>> account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
>> account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
>> account requisite pam_deny.so
>> account required pam_permit.so
>> account required pam_krb5.so minimum_uid=1000
>>
>> cat /etc/pam.d/common-auth
>> auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
>> auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
>> auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
>> auth requisite pam_deny.so
>> auth required pam_permit.so
>> auth optional pam_ecryptfs.so unwrap
>> auth optional pam_cap.so
>>
>> cat /etc/pam.d/common-password
>> password [success=3 default=ignore] pam_krb5.so minimum_uid=1000
>> password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
>> password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
>> password requisite pam_deny.so
>> password required pam_permit.so
>> password optional pam_gnome_keyring.so
>> password optional pam_ecryptfs.so
>>
>> cat /etc/pam.d/common-session
>> session [default=1] pam_permit.so
>> session requisite pam_deny.so
>> session required pam_permit.so
>> session optional pam_umask.so
>> session optional pam_krb5.so minimum_uid=1000
>> session required pam_unix.so
>> session optional pam_winbind.so
>> session optional pam_systemd.so
>> session optional pam_ecryptfs.so unwrap
>> session optional pam_ck_connector.so nox11
>>
>>
>> Try removing the lines from smb.conf that I have indicated and see
>> how you go on.
>>
>> I would still suggest that you stop building Samba4 yourself. I seem
>> to remember that you are using Debian Wheezy; if you use backports (I
>> can provide instructions) you will get 4.1.9, but seeing as
>> 4.1.11 is in Jessie, it is likely that backports will be updated to
>> this very soon. If you do go with the Debian packages and install the
>> required PAM packages, you will get the PAM files altered for you.
>>
>> Rowland
>>
>>> root at fs01:~# l /lib/security/
>>> total 0
>>> lrwxrwxrwx 1 root root 32 Aug 14 23:19 pam_winbind.so -> /usr/lib/security/pam_winbind.so
>>>
>>> root at fs01:~# l /lib | grep winbind
>>> lrwxrwxrwx 1 root root 28 Aug 15 09:24 libnss_winbind.so -> /usr/lib/libnss_winbind.so.2
>>>
>>> root at fs01:~# getent passwd
>>> ...
>>> shamekias:*:10012:20002:<hidden for privacy>:/home/shamekias:/bin/sh
>>> richards:*:10011:20002:<hidden for privacy>:/home/richards:/bin/sh
>>> yolandab:*:10014:20002:<hidden for privacy>:/home/yolandab:/bin/sh
>>> joyces:*:10009:20002:<hidden for privacy>:/home/joyces:/bin/sh
>>> patriceb:*:10010:20002:<hidden for privacy>:/home/patriceb:/bin/sh
>>> cynthiaj:*:10004:20002:<hidden for privacy>:/home/cynthiaj:/bin/sh
>>> jessicaj:*:10007:20002:<hidden for privacy>:/home/jessicaj:/bin/sh
>>> reach_support:*:10003:20002:Reach Support:/home/reach_support:/bin/sh
>>> daquanm:*:10005:20002:<hidden for privacy>:/home/daquanm:/bin/sh
>>> ernestj:*:10006:20002:<hidden for privacy>:/home/ernestj:/bin/sh
>>> jovanm:*:10008:20002:<hidden for privacy>:/home/jovanm:/bin/sh
>>> thomasa:*:10013:20002:<hidden for privacy>:/home/thomasa:/bin/sh
>>> reachfp:*:10001:20002:Reach Technology FP:/home/reachfp:/bin/sh
>>> guest:*:10002:20005:Guest Domain User:/home/Guest:/bin/sh
>>>
>>> root at fs01:~# getent group
>>> ...
>>> allowed rodc password replication group:x:20012:
>>> enterprise read-only domain controllers:x:20007:
>>> denied rodc password replication group:x:20014:
>>> read-only domain controllers:x:20010:
>>> audiovideo:x:20038:
>>> group policy creator owners:x:20008:
>>> newmembers:x:20040:
>>> vpn users:x:20042:
>>> staff:x:20041:
>>> fbc:x:20039:
>>> ras and ias servers:x:20009:
>>> domain controllers:x:20004:
>>> enterprise admins:x:20006:
>>> domain computers:x:20003:
>>> cert publishers:x:20013:
>>> dnsupdateproxy:x:20016:
>>> domain admins:x:20001:
>>> domain guests:x:20005:
>>> schema admins:x:20011:
>>> domain users:x:20002:
>>> dnsadmins:x:20015:
>>>
>>> Now if you can tell me where in my configuration I am wrong, I will
>>> gladly apologize for all of the trouble and I will not bother you
>>> again. I already apologized to you and Steve personally for whatever
>>> it was I did to get under your skin, but you told me I needed to do
>>> more googling. I did, and when I found out, from the Samba build
>>> parameters page, that PAM was not built by default and mentioned it,
>>> I was attacked for that also, despite me providing proof on the
>>> Samba wiki. If googling returns false results and you want me to
>>> search for results, what do I do? Do you see my predicament now? I
>>> come here and am told to search. I search and find a fix to one of
>>> my issues and I am told I am wrong. How do I know what to believe?
>>>
>>> On 08/15/2014 08:48 AM, Rowland Penny wrote:
>>>>
>>>> OK, getting a bit fed up with this now, so I setup a share on my
>>>> test domain, the share is on one PC running Linux Mint 17 and I
>>>> connected from another, again running Linux Mint 17. The two AD DC
>>>> are running Debian 7.5 with samba 4.1.9 from backports, the two
>>>> Mint machines are both running samba 4.1.6 .
>>>>
>>>> These are the ACLs from the share:
>>>>
>>>> getfacl /home/shared/staff/
>>>> getfacl: Removing leading '/' from absolute path names
>>>> # file: home/shared/staff/
>>>> # owner: emily
>>>> # group: administration
>>>> user::rwx
>>>> user:emily:rwx
>>>> group::rwx
>>>> group:administration:rwx
>>>> group:domain_admins:rwx
>>>> mask::rwx
>>>> other::rwx
>>>> default:user::rwx
>>>> default:user:emily:rwx
>>>> default:group::---
>>>> default:group:administration:rwx
>>>> default:group:domain_admins:rwx
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>> Virtually the same as the OP's, mostly just lacking 'group:70028:rwx'.
>>>>
>>>> Running 'id rowland' gets me this:
>>>>
>>>> uid=10000(rowland) gid=10000(domain_users)
>>>> groups=10000(domain_users),10001(administration),2001(BUILTIN\users)
>>>>
>>>> As you can see, rowland is not mentioned in the share's ACLs, but
>>>> is a member of the group 'administration', which is.
>>>>
>>>> So I now try to connect from the other PC:
>>>>
>>>> smbclient //EmilysPC/staff
>>>> Enter rowland's password:
>>>> Domain=[HOME] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
>>>> smb: \> ls
>>>> .                                   D        0  Fri Aug 15 12:55:50 2014
>>>> ..                                  D        0  Fri Aug 15 12:55:50 2014
>>>>
>>>> 55743 blocks of size 8388608. 43330 blocks available
>>>> smb: \> quit
>>>>
>>>> So as far as I can see there is no problem, what do you think?
>>>>
>>>> Rowland
>>>
>>
>
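The access-denied question in this thread comes down to how a POSIX ACL is evaluated for a user who is not named in it but belongs to a group that is (rowland via 'administration' on Rowland's test share, yolandab via 'staff' on the OP's). The script below is an added example, not code from the thread or from Samba: it parses getfacl and id output and applies the POSIX ACL algorithm as the Linux kernel's posix_acl_permission() does (owner entry first, then named users, then owning group and named groups filtered through the mask, and 'other' only when no group entry matched). The getfacl and id listings embedded in it are copied from the thread; the 'guest' id line is constructed for the negative case, and the names parse_getfacl, parse_id, check_access and effective are this example's own.

```python
"""Evaluate POSIX ACLs the way the kernel does, from getfacl and id output."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

R, W, X = 4, 2, 1  # permission bits, as in one rwx triplet of a mode


def parse_perm(s: str) -> int:
    return (R if "r" in s else 0) | (W if "w" in s else 0) | (X if "x" in s else 0)


def perm_string(bits: int) -> str:
    return ("r" if bits & R else "-") + ("w" if bits & W else "-") + ("x" if bits & X else "-")


def unescape(name: str) -> str:
    # getfacl writes spaces in names as \040 (the thread shows "domain\040admins")
    return name.replace("\\040", " ")


@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: int = 0                                     # user::
    users: Dict[str, int] = field(default_factory=dict)   # user:NAME:
    group_obj: int = 0                                    # group::
    groups: Dict[str, int] = field(default_factory=dict)  # group:NAME:
    mask: Optional[int] = None                            # mask::
    other: int = 0                                        # other::


def parse_getfacl(text: str) -> Acl:
    """Parse one getfacl listing. default: entries are skipped: they only seed
    the ACL of newly created children and never govern access to this object."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            acl.owner = unescape(line.split(":", 1)[1].strip())
        elif line.startswith("# group:"):
            acl.group = unescape(line.split(":", 1)[1].strip())
        elif not line or line.startswith(("#", "getfacl:", "default:")):
            continue
        else:
            entry = line.split("#", 1)[0].strip()  # drop any "#effective:" annotation
            tag, qualifier, perm = entry.split(":", 2)
            bits, qualifier = parse_perm(perm), unescape(qualifier)
            if tag == "user" and qualifier:
                acl.users[qualifier] = bits
            elif tag == "user":
                acl.user_obj = bits
            elif tag == "group" and qualifier:
                acl.groups[qualifier] = bits
            elif tag == "group":
                acl.group_obj = bits
            elif tag == "mask":
                acl.mask = bits
            elif tag == "other":
                acl.other = bits
    return acl


def parse_id(text: str) -> Tuple[str, Set[str]]:
    """Return (user name, set of group names incl. the primary group) from id output."""
    user = re.search(r"uid=\d+\(([^)]*)\)", text).group(1)
    rest = text.split("gid=", 1)[1]
    return user, set(re.findall(r"\d+\(([^)]*)\)", rest))


def check_access(acl: Acl, user: str, groups: Set[str], want: int) -> bool:
    """One access request. The first matching class decides; named-user and all
    group entries are filtered by the mask; if a group entry matched but none of
    the matching ones contains every requested bit, deny without consulting other."""
    def masked(bits: int) -> int:
        return bits if acl.mask is None else bits & acl.mask

    if user == acl.owner:
        return (acl.user_obj & want) == want          # owner entry is not masked
    if user in acl.users:
        return (masked(acl.users[user]) & want) == want
    found = False
    if acl.group in groups:
        found = True
        if (masked(acl.group_obj) & want) == want:
            return True
    for name, bits in acl.groups.items():
        if name in groups:
            found = True
            if (masked(bits) & want) == want:
                return True
    if found:
        return False
    return (acl.other & want) == want


def effective(acl: Acl, user: str, groups: Set[str]) -> int:
    """Bits granted to single-bit requests (an ls-style summary for this user)."""
    return sum(b for b in (R, W, X) if check_access(acl, user, groups, b))


# Listings quoted from the thread (default entries trimmed; they are skipped anyway).
ROWLAND_ACL = """\
# file: home/shared/staff/
# owner: emily
# group: administration
user::rwx
user:emily:rwx
group::rwx
group:administration:rwx
group:domain_admins:rwx
mask::rwx
other::rwx
default:user::rwx
default:group::---
"""
ROWLAND_ID = r"uid=10000(rowland) gid=10000(domain_users) groups=10000(domain_users),10001(administration),2001(BUILTIN\users)"

STAFF_ACL = """\
# file: home/shared/staff/
# owner: reachfp
# group: staff
# flags: -s-
user::rwx
user:reachfp:rwx
group::rwx
group:staff:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:mask::rwx
"""
YOLANDAB_ID = r"uid=10014(yolandab) gid=20002(domain users) groups=20002(domain users),20041(staff),20040(newmembers),20038(audiovideo),70002(BUILTIN\users)"
# Constructed for the negative case: a domain guest that is in none of the share groups.
GUEST_ID = r"uid=10002(guest) gid=20005(domain guests) groups=20005(domain guests)"

if __name__ == "__main__":
    for label, acl_text, id_text in (("rowland on //EmilysPC/staff", ROWLAND_ACL, ROWLAND_ID),
                                     ("yolandab on staff$", STAFF_ACL, YOLANDAB_ID),
                                     ("guest on staff$", STAFF_ACL, GUEST_ID)):
        acl = parse_getfacl(acl_text)
        user, groups = parse_id(id_text)
        print(f"{label}: {perm_string(effective(acl, user, groups))}")
```

Two points the per-bit summary hides: the mask caps every named-user and group entry, so a share whose mask is r-x denies writes to 'staff' even though group:staff:rwx is listed; and a combined request (say read plus execute) can fail even when each bit alone is granted through a different group entry, because the kernel requires a single matching entry to contain all the requested bits.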