[Samba] Samba 4 AD share: Access denied
Ryan Ashley
ryana at reachtechfp.com
Fri Aug 15 09:07:06 MDT 2014
I did add the "-t wheezy-backports" parameter. In fact when I load Linux
desktops with Debian, I use the backports repo (Mozilla also) to get the
current version of Iceweasel. Here is the output that we are going
through on the forum. I just typed this into the server so it is fresh.
root at fs01:~# aptitude -t wheezy-backports install samba4-common-bin samba4-clients
The following NEW packages will be installed:
libasn1-8-heimdal{a} libavahi-client3{a} libavahi-common-data{a}
libavahi-common3{a} libcups2{a} libdbus-1-3{a} libdcerpc0{a}
libgensec0{a} libgssapi3-heimdal{a} libhcrypto4-heimdal{a}
libhdb9-heimdal{a} libheimbase1-heimdal{a} libheimntlm0-heimdal{a}
libhx509-5-heimdal{a} libkrb5-26-heimdal{a} libldb1{a}
libndr-standard0{a} libndr0{a} libntdb1{a} libroken18-heimdal{a}
libsamba-credentials0{a} libsamba-hostconfig0{a} libsamba-util0{a}
libsamdb0{ab} libsmbclient{a} libsmbclient-raw0{a} libtalloc2{a}
libtdb1{a} libtevent0{a} libwbclient0{a} libwind0-heimdal{a}
python-talloc{a} samba-common{a} samba-dsdb-modules{a} samba-libs{ab}
samba4-clients samba4-common-bin{b} smbclient{ab}
The following packages are RECOMMENDED but will NOT be installed:
dbus samba-common-bin
0 packages upgraded, 38 newly installed, 0 to remove and 28 not upgraded.
Need to get 13.8 MB of archives. After unpacking 40.0 MB will be used.
The following packages have unmet dependencies:
smbclient : Conflicts: samba4-clients (< 4.0.5) but
4.0.0~beta2+dfsg1-3.2+deb7u2 is to be installed.
libsamdb0 : Depends: libldb1 (< 1:1.1.7~) but 1:1.1.16-1~bpo70+1 is to
be installed.
samba4-common-bin : Depends: python-samba (=
4.0.0~beta2+dfsg1-3.2+deb7u2) but it is not going to be installed.
samba-libs : Breaks: libdcerpc0 (< 2:4.0.9) but
4.0.0~beta2+dfsg1-3.2+deb7u2 is to be installed.
Breaks: libgensec0 (< 2:4.0.9) but
4.0.0~beta2+dfsg1-3.2+deb7u2 is to be installed.
Breaks: libndr-standard0 (< 2:4.0.9) but
4.0.0~beta2+dfsg1-3.2+deb7u2 is to be installed.
Breaks: libndr0 (< 2:4.0.9) but
4.0.0~beta2+dfsg1-3.2+deb7u2 is to be installed.
Breaks: libsamba-credentials0 (< 2:4.0.9) but
4.0.0~beta2+dfsg1-3.2+deb7u2 is to be installed.
Breaks: libsamba-hostconfig0 (< 2:4.0.9) but
4.0.0~beta2+dfsg1-3.2+deb7u2 is to be installed.
Breaks: libsamba-util0 (< 2:4.0.9) but
4.0.0~beta2+dfsg1-3.2+deb7u2 is to be installed.
Breaks: libsamdb0 (< 2:4.0.9) but
4.0.0~beta2+dfsg1-3.2+deb7u2 is to be installed.
Breaks: libsmbclient-raw0 (< 2:4.0.9) but
4.0.0~beta2+dfsg1-3.2+deb7u2 is to be installed.
The following actions will resolve these dependencies:
Keep the following packages at their current version:
1) libdcerpc0 [Not Installed]
2) libgensec0 [Not Installed]
3) libndr-standard0 [Not Installed]
4) libndr0 [Not Installed]
5) libsamba-credentials0 [Not Installed]
6) libsamba-hostconfig0 [Not Installed]
7) libsamba-util0 [Not Installed]
8) libsamdb0 [Not Installed]
9) libsmbclient-raw0 [Not Installed]
10) samba4-clients [Not Installed]
11) samba4-common-bin [Not Installed]
root at fs01:~# aptitude search smbclient
p   libfilesys-smbclient-perl   - perl interface to access Samba filesystem
p   libsmbclient                - shared library for communication with SMB/
p   libsmbclient-dev            - development files for libsmbclient
p   libsmbclient-raw-dev        - SMB client library - development files
c   libsmbclient-raw0           - SMB client library
p   smbclient                   - command-line SMB/CIFS clients for Unix
root at fs01:~#
As you can see, smbclient is not installed and I am guessing the first
error spawns from "libsmbclient-raw0". I will not ask for help with this
here since this is an OS issue and not a Samba issue. I get pretty good
help at the Debian forum and expect an answer soon.
I will keep the PAM stuff in-place as you have suggested. Thank you for
the info.
On 08/15/2014 10:31 AM, Rowland Penny wrote:
> On 15/08/14 15:19, Ryan Ashley wrote:
>> I added those lines based on recommendations from another list user
>> who contacted me off-list. I will remove them after I send this email.
>>
>> As for the backports, I did try this, but I kept getting broken
>> dependencies. I have an open thread on the Debian forums attempting
>> to work this out right now. I would be happy to hear your methodology
>> for installing it though.
>
> I 'think' that what happened is you added some packages with '-t
> wheezy-backports' in the apt-get line and then tried to install
> something without '-t wheezy-backports'. The package that you tried
> to add was available from the standard repos but conflicted with the
> samba packages that you had installed from backports. The cure is to
> add '-t wheezy-backports' to the apt-get line if this happens and you
> should then get the right package installed.
>
>>
>> Do I need PAM for simple file-sharing though? Somebody said I did and
>> somebody else said I did not. You and Steve seem to be the Samba
>> authority here, so I will take your word for it.
>>
>
> Do you need PAM? In a word, YES.
>
> Rowland
>
>> On 08/15/2014 10:14 AM, Rowland Penny wrote:
>>> On 15/08/14 14:34, Ryan Ashley wrote:
>>>> I removed the 70028 (SYSTEM) group a few days ago thinking it might
>>>> be the issue. I will post my information one final time in an
>>>> attempt to show you that I am doing this the correct way, now with
>>>> functioning PAM support on the member server. If you want ANYTHING
>>>> else, I will do it, just ask. Nothing would make me happier than to
>>>> be out of your hair. I did not come here with the intent to upset
>>>> people, I simply wanted help.
>>>>
>>>> root at fs01:~# cat /etc/samba/smb.conf
>>>> [global]
>>>> netbios name = FS01
>>>> workgroup = TRUEVINE
>>>> security = ADS
>>>> realm = TRUEVINE.LAN
>>>> encrypt passwords = true
>>>> dedicated keytab file = /etc/krb5.keytab
>>>> kerberos method = secrets and keytab
>>>>
>>>> idmap config *:backend = tdb
>>>> idmap config *:range = 70001-80000
>>>> idmap config TRUEVINE:backend = ad
>>>> idmap config TRUEVINE:schema_mode = rfc2307
>>>> idmap config TRUEVINE:range = 10001-40000
>>>>
>>>> winbind nss info = rfc2307
>>>> winbind trusted domains only = no
>>>> winbind use default domain = yes
>>>> winbind enum users = yes
>>>> winbind enum groups = yes
>>>> winbind refresh tickets = yes
>>>>
>>>> # ntlm auth = no
>>>> # lanman auth = no
>>>> # client ntlmv2 auth = yes
>>>>
>>>> domain master = no
>>>> local master = no
>>>> preferred master = no
>>>>
>>>> vfs objects = acl_xattr
>>>> map acl inherit = yes
>>>> acl group control = yes
>>>> store dos attributes = yes
>>>>
>>>> [install$]
>>>> path = /home/shared/install
>>>> comment = "Software installation files"
>>>> read only = no
>>>>
>>>> [staff$]
>>>> path = /home/shared/staff
>>>> comment = "Staff file share"
>>>> read only = no
>>>> create mask = 0660
>>>> force create mode = 0660
>>>> directory mask = 0770
>>>> force directory mode = 0770
>>>>
>>>> [fbc$]
>>>> path = /home/shared/fbc
>>>> comment = "Family Bible College file share"
>>>> read only = no
>>>> create mask = 0660
>>>> force create mode = 0660
>>>> directory mask = 0770
>>>> force directory mode = 0770
>>>>
>>>
>>> OK, only problem that I can see in your smb.conf is this:
>>>
>>> create mask = 0660
>>> force create mode = 0660
>>> directory mask = 0770
>>> force directory mode = 0770
>>>
>>> As you are using ACLs, you should not be using the above; ACLs
>>> supersede the above lines.
>>>
>>>> getfacl: Removing leading '/' from absolute path names
>>>> # file: home/shared/install/
>>>> # owner: reachfp
>>>> # group: domain\040admins
>>>> # flags: -s-
>>>> user::rwx
>>>> group::rwx
>>>> other::---
>>>>
>>>> root at fs01:~# getfacl /home/shared/staff/
>>>> getfacl: Removing leading '/' from absolute path names
>>>> # file: home/shared/staff/
>>>> # owner: reachfp
>>>> # group: staff
>>>> # flags: -s-
>>>> user::rwx
>>>> user:reachfp:rwx
>>>> group::rwx
>>>> group:staff:rwx
>>>> mask::rwx
>>>> other::---
>>>> default:user::rwx
>>>> default:user:reachfp:rwx
>>>> default:group::---
>>>> default:group:staff:rwx
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>> root at fs01:~# getfacl /home/shared/fbc
>>>> getfacl: Removing leading '/' from absolute path names
>>>> # file: home/shared/fbc
>>>> # owner: reachfp
>>>> # group: fbc
>>>> # flags: -s-
>>>> user::rwx
>>>> user:reachfp:rwx
>>>> group::rwx
>>>> group:fbc:rwx
>>>> mask::rwx
>>>> other::---
>>>> default:user::rwx
>>>> default:user:reachfp:rwx
>>>> default:group::---
>>>> default:group:fbc:rwx
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>> root at fs01:~# id yolandab
>>>> uid=10014(yolandab) gid=20002(domain users) groups=20002(domain users),20041(staff),20040(newmembers),20038(audiovideo),70002(BUILTIN\users)
>>>>
>>>>
>>>> root at fs01:~# id reach_support
>>>> uid=10003(reach_support) gid=20002(domain users) groups=20002(domain users),20042(vpn users),20041(staff),20038(audiovideo),20039(fbc),20040(newmembers),70002(BUILTIN\users)
>>>>
>>>> root at fs01:~# id daquanm
>>>> uid=10005(daquanm) gid=20002(domain users) groups=20002(domain users),20038(audiovideo),20041(staff),70002(BUILTIN\users)
>>>>
>>>> root at fs01:~# iptables -S
>>>> -P INPUT ACCEPT
>>>> -P FORWARD ACCEPT
>>>> -P OUTPUT ACCEPT
>>>>
>>>> root at fs01:~# cat /etc/krb5.conf
>>>> [libdefaults]
>>>> default_realm = TRUEVINE.LAN
>>>> dns_lookup_realm = false
>>>> dns_lookup_kdc = true
>>>>
>>>> root at fs01:~# cat /etc/pam.d/common-account
>>>> account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
>>>> account requisite pam_deny.so
>>>> account required pam_permit.so
>>>> account [default=bad success=ok user_unknown=ignore] pam_winbind.so
>>>>
>>>> root at fs01:~# cat /etc/pam.d/common-auth
>>>> auth [success=1 default=ignore] pam_unix.so nullok_secure
>>>> auth requisite pam_deny.so
>>>> auth required pam_permit.so
>>>> auth sufficient pam_winbind.so use_first_pass
>>>>
>>>> root at fs01:~# cat /etc/pam.d/common-password
>>>> password [success=1 default=ignore] pam_unix.so obscure sha512
>>>> password requisite pam_deny.so
>>>> password required pam_permit.so
>>>> password sufficient pam_winbind.so use_authtok
>>>>
>>>> root at fs01:~# cat /etc/pam.d/common-session
>>>> session [default=1] pam_permit.so
>>>> session requisite pam_deny.so
>>>> session required pam_permit.so
>>>> session required pam_unix.so
>>>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>>>>
>>>
>>> These are the lines from my PAM files:
>>>
>>> cat /etc/pam.d/common-account
>>> account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
>>> account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
>>> account requisite pam_deny.so
>>> account required pam_permit.so
>>> account required pam_krb5.so minimum_uid=1000
>>>
>>> cat /etc/pam.d/common-auth
>>> auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
>>> auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
>>> auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
>>> auth requisite pam_deny.so
>>> auth required pam_permit.so
>>> auth optional pam_ecryptfs.so unwrap
>>> auth optional pam_cap.so
>>>
>>> cat /etc/pam.d/common-password
>>> password [success=3 default=ignore] pam_krb5.so minimum_uid=1000
>>> password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
>>> password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
>>> password requisite pam_deny.so
>>> password required pam_permit.so
>>> password optional pam_gnome_keyring.so
>>> password optional pam_ecryptfs.so
>>>
>>> cat /etc/pam.d/common-session
>>> session [default=1] pam_permit.so
>>> session requisite pam_deny.so
>>> session required pam_permit.so
>>> session optional pam_umask.so
>>> session optional pam_krb5.so minimum_uid=1000
>>> session required pam_unix.so
>>> session optional pam_winbind.so
>>> session optional pam_systemd.so
>>> session optional pam_ecryptfs.so unwrap
>>> session optional pam_ck_connector.so nox11
>>>
>>>
>>> Try removing the lines from smb.conf that I have indicated and see
>>> how you go on.
>>>
>>> I would still suggest that you stop building Samba4 yourself. I seem
>>> to remember that you are using Debian Wheezy; if you use backports
>>> (I can provide instructions) you will get 4.1.9, but seeing as how
>>> 4.1.11 is in Jessie it is likely that backports will be updated to
>>> this very soon. If you do go with the Debian packages and install
>>> the required PAM packages, you will get the PAM files altered for you.
>>>
>>> Rowland
>>>
>>>> root at fs01:~# l /lib/security/
>>>> total 0
>>>> lrwxrwxrwx 1 root root 32 Aug 14 23:19 pam_winbind.so -> /usr/lib/security/pam_winbind.so
>>>>
>>>> root at fs01:~# l /lib | grep winbind
>>>> lrwxrwxrwx 1 root root 28 Aug 15 09:24 libnss_winbind.so -> /usr/lib/libnss_winbind.so.2
>>>>
>>>> root at fs01:~# getent passwd
>>>> ...
>>>> shamekias:*:10012:20002:<hidden for privacy>:/home/shamekias:/bin/sh
>>>> richards:*:10011:20002:<hidden for privacy>:/home/richards:/bin/sh
>>>> yolandab:*:10014:20002:<hidden for privacy>:/home/yolandab:/bin/sh
>>>> joyces:*:10009:20002:<hidden for privacy>:/home/joyces:/bin/sh
>>>> patriceb:*:10010:20002:<hidden for privacy>:/home/patriceb:/bin/sh
>>>> cynthiaj:*:10004:20002:<hidden for privacy>:/home/cynthiaj:/bin/sh
>>>> jessicaj:*:10007:20002:<hidden for privacy>:/home/jessicaj:/bin/sh
>>>> reach_support:*:10003:20002:Reach Support:/home/reach_support:/bin/sh
>>>> daquanm:*:10005:20002:<hidden for privacy>:/home/daquanm:/bin/sh
>>>> ernestj:*:10006:20002:<hidden for privacy>:/home/ernestj:/bin/sh
>>>> jovanm:*:10008:20002:<hidden for privacy>:/home/jovanm:/bin/sh
>>>> thomasa:*:10013:20002:<hidden for privacy>:/home/thomasa:/bin/sh
>>>> reachfp:*:10001:20002:Reach Technology FP:/home/reachfp:/bin/sh
>>>> guest:*:10002:20005:Guest Domain User:/home/Guest:/bin/sh
>>>>
>>>> root at fs01:~# getent group
>>>> ...
>>>> allowed rodc password replication group:x:20012:
>>>> enterprise read-only domain controllers:x:20007:
>>>> denied rodc password replication group:x:20014:
>>>> read-only domain controllers:x:20010:
>>>> audiovideo:x:20038:
>>>> group policy creator owners:x:20008:
>>>> newmembers:x:20040:
>>>> vpn users:x:20042:
>>>> staff:x:20041:
>>>> fbc:x:20039:
>>>> ras and ias servers:x:20009:
>>>> domain controllers:x:20004:
>>>> enterprise admins:x:20006:
>>>> domain computers:x:20003:
>>>> cert publishers:x:20013:
>>>> dnsupdateproxy:x:20016:
>>>> domain admins:x:20001:
>>>> domain guests:x:20005:
>>>> schema admins:x:20011:
>>>> domain users:x:20002:
>>>> dnsadmins:x:20015:
>>>>
>>>> Now if you can tell me where in my configuration I am wrong, I will
>>>> gladly apologize for all of the trouble and I will not bother you
>>>> again. I already apologized to you and Steve personally for
>>>> whatever it was I did to get under your skin, but you told me I
>>>> needed to do more googling. I did, and when I found out, from the
>>>> Samba build parameters page, that PAM was not built by default and
>>>> mentioned it, I was attacked for that also, despite me providing
>>>> proof on the Samba wiki. If googling returns false results and you
>>>> want me to search for results, what do I do? Do you see my
>>>> predicament now? I come here and am told to search. I search and
>>>> find a fix to one of my issues and I am told I am wrong. How do I
>>>> know what to believe?
>>>>
>>>> On 08/15/2014 08:48 AM, Rowland Penny wrote:
>>>>>
>>>>> OK, getting a bit fed up with this now, so I set up a share on my
>>>>> test domain. The share is on one PC running Linux Mint 17 and I
>>>>> connected from another, again running Linux Mint 17. The two AD
>>>>> DCs are running Debian 7.5 with samba 4.1.9 from backports; the two
>>>>> Mint machines are both running samba 4.1.6.
>>>>>
>>>>> These are the ACLs from the share:
>>>>>
>>>>> getfacl /home/shared/staff/
>>>>> getfacl: Removing leading '/' from absolute path names
>>>>> # file: home/shared/staff/
>>>>> # owner: emily
>>>>> # group: administration
>>>>> user::rwx
>>>>> user:emily:rwx
>>>>> group::rwx
>>>>> group:administration:rwx
>>>>> group:domain_admins:rwx
>>>>> mask::rwx
>>>>> other::rwx
>>>>> default:user::rwx
>>>>> default:user:emily:rwx
>>>>> default:group::---
>>>>> default:group:administration:rwx
>>>>> default:group:domain_admins:rwx
>>>>> default:mask::rwx
>>>>> default:other::---
>>>>>
>>>>> Virtually the same as the OP, mostly just lacking 'group:70028:rwx'
>>>>>
>>>>> Running 'id rowland' gets me this:
>>>>>
>>>>> uid=10000(rowland) gid=10000(domain_users)
>>>>> groups=10000(domain_users),10001(administration),2001(BUILTIN\users)
>>>>>
>>>>> As you can see, rowland is not mentioned in the share's ACLs, but
>>>>> is a member of the group 'administration', which is.
>>>>>
>>>>> So I now try to connect from the other PC:
>>>>>
>>>>> smbclient //EmilysPC/staff
>>>>> Enter rowland's password:
>>>>> Domain=[HOME] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
>>>>> smb: \> ls
>>>>>   .                                   D        0  Fri Aug 15 12:55:50 2014
>>>>>   ..                                  D        0  Fri Aug 15 12:55:50 2014
>>>>>
>>>>> 55743 blocks of size 8388608. 43330 blocks available
>>>>> smb: \> quit
>>>>>
>>>>> So as far as I can see there is no problem, what do you think ?
>>>>>
>>>>> Rowland
>>>>
>>>
>>
>
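Added example, not code from the thread or from Samba: it takes the kind of getfacl and id output Rowland walks through above and applies the POSIX.1e access-check order (owner, named user, owning and named groups through the mask, then other) to show why the same user gets in on one share and "Access denied" on another. The sample ACLs and id line are constructed from the ones quoted in the thread; the function names are mine.

```python
import re

# Constructed samples from the thread's getfacl/id output (raw strings keep the \040 escape).
STAFF_ACL = r"""# owner: reachfp
# group: staff
user::rwx
user:reachfp:rwx
group::rwx
group:staff:rwx
mask::rwx
other::---
"""
INSTALL_ACL = r"""# owner: reachfp
# group: domain\040admins
user::rwx
group::rwx
other::---
"""
ID_YOLANDAB = ("uid=10014(yolandab) gid=20002(domain users) groups=20002(domain users),"
               "20041(staff),20040(newmembers),20038(audiovideo),70002(BUILTIN\\users)")

def unescape(name):
    """getfacl writes spaces and odd bytes as \\NNN octal escapes (e.g. domain\\040admins)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Return (owner, owning group, {(tag, qualifier): perm set}); default: entries ignored."""
    owner = group = None
    acl = {}
    for line in text.splitlines():
        if line.startswith("# owner: "):
            owner = unescape(line[9:])
        elif line.startswith("# group: "):
            group = unescape(line[9:])
        elif line and line[0] != "#" and not line.startswith("default:"):
            tag, qualifier, perms = line.split(":")
            acl[(tag, unescape(qualifier))] = set(perms) - {"-"}
    return owner, group, acl

def parse_id_groups(id_output):
    """Group names from an id(1) line: every NNN(name) after 'groups='."""
    return re.findall(r"\d+\(([^)]+)\)", id_output.split("groups=", 1)[1])

def effective_access(acl_text, user, groups):
    """POSIX.1e order: owner, named user, owning/named groups (union, then mask), else other."""
    owner, owning_group, acl = parse_getfacl(acl_text)
    mask = acl.get(("mask", ""), {"r", "w", "x"})  # no mask entry: nothing is masked
    if user == owner:
        return acl[("user", "")]
    if ("user", user) in acl:
        return acl[("user", user)] & mask
    matching = [acl[("group", "")]] if owning_group in groups else []
    matching += [acl[("group", g)] for g in groups if ("group", g) in acl]
    if matching:
        return set().union(*matching) & mask
    return acl[("other", "")]
```

With vfs objects = acl_xattr, Samba additionally evaluates the NT ACL it stores in the security.NTACL extended attribute, so passing this POSIX-level check is necessary but not sufficient for share access.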