[Samba] Samba 4 AD share: Access denied

Rowland Penny rowlandpenny at googlemail.com
Fri Aug 15 09:15:16 MDT 2014


On 15/08/14 16:07, Ryan Ashley wrote:
> I did add the "-t wheezy-backports" parameter. In fact when I load 
> Linux desktops with Debian, I use the backports repo (Mozilla also) to 
> get the current version of Iceweasel. Here is the output that we are 
> going through on the forum. I just typed this into the server so it is 
> fresh.
>
> root at fs01:~# aptitude -t wheezy-backports install samba4-common-bin 
> samba4-clients

The problem there is that you are trying to install the wrong packages LOL

try:

apt-get -t wheezy-backports install samba attr krb5-config krb5-user 
dnsutils winbind libpam-winbind libpam-krb5 libnss-winbind libsmbclient 
smbclient

Rowland

> The following NEW packages will be installed:
>   libasn1-8-heimdal{a} libavahi-client3{a} libavahi-common-data{a}
>   libavahi-common3{a} libcups2{a} libdbus-1-3{a} libdcerpc0{a}
>   libgensec0{a} libgssapi3-heimdal{a} libhcrypto4-heimdal{a}
>   libhdb9-heimdal{a} libheimbase1-heimdal{a} libheimntlm0-heimdal{a}
>   libhx509-5-heimdal{a} libkrb5-26-heimdal{a} libldb1{a}
>   libndr-standard0{a} libndr0{a} libntdb1{a} libroken18-heimdal{a}
>   libsamba-credentials0{a} libsamba-hostconfig0{a} libsamba-util0{a}
>   libsamdb0{ab} libsmbclient{a} libsmbclient-raw0{a} libtalloc2{a}
>   libtdb1{a} libtevent0{a} libwbclient0{a} libwind0-heimdal{a}
>   python-talloc{a} samba-common{a} samba-dsdb-modules{a} samba-libs{ab}
>   samba4-clients samba4-common-bin{b} smbclient{ab}
> The following packages are RECOMMENDED but will NOT be installed:
>   dbus samba-common-bin
> 0 packages upgraded, 38 newly installed, 0 to remove and 28 not upgraded.
> Need to get 13.8 MB of archives. After unpacking 40.0 MB will be used.
> The following packages have unmet dependencies:
>  smbclient : Conflicts: samba4-clients (< 4.0.5) but 
> 4.0.0~beta2+dfsg1-3.2+deb7u2 is to be installed.
>  libsamdb0 : Depends: libldb1 (< 1:1.1.7~) but 1:1.1.16-1~bpo70+1 is 
> to be installed.
>  samba4-common-bin : Depends: python-samba (= 
> 4.0.0~beta2+dfsg1-3.2+deb7u2) but it is not going to be installed.
>  samba-libs : Breaks: libdcerpc0 (< 2:4.0.9) but 
> 4.0.0~beta2+dfsg1-3.2+deb7u2 is to be installed.
>               Breaks: libgensec0 (< 2:4.0.9) but 
> 4.0.0~beta2+dfsg1-3.2+deb7u2 is to be installed.
>               Breaks: libndr-standard0 (< 2:4.0.9) but 
> 4.0.0~beta2+dfsg1-3.2+deb7u2 is to be installed.
>               Breaks: libndr0 (< 2:4.0.9) but 
> 4.0.0~beta2+dfsg1-3.2+deb7u2 is to be installed.
>               Breaks: libsamba-credentials0 (< 2:4.0.9) but 
> 4.0.0~beta2+dfsg1-3.2+deb7u2 is to be installed.
>               Breaks: libsamba-hostconfig0 (< 2:4.0.9) but 
> 4.0.0~beta2+dfsg1-3.2+deb7u2 is to be installed.
>               Breaks: libsamba-util0 (< 2:4.0.9) but 
> 4.0.0~beta2+dfsg1-3.2+deb7u2 is to be installed.
>               Breaks: libsamdb0 (< 2:4.0.9) but 
> 4.0.0~beta2+dfsg1-3.2+deb7u2 is to be installed.
>               Breaks: libsmbclient-raw0 (< 2:4.0.9) but 
> 4.0.0~beta2+dfsg1-3.2+deb7u2 is to be installed.
> The following actions will resolve these dependencies:
>
>       Keep the following packages at their current version:
> 1)      libdcerpc0 [Not Installed]
> 2)      libgensec0 [Not Installed]
> 3)      libndr-standard0 [Not Installed]
> 4)      libndr0 [Not Installed]
> 5)      libsamba-credentials0 [Not Installed]
> 6)      libsamba-hostconfig0 [Not Installed]
> 7)      libsamba-util0 [Not Installed]
> 8)      libsamdb0 [Not Installed]
> 9)      libsmbclient-raw0 [Not Installed]
> 10)     samba4-clients [Not Installed]
> 11)     samba4-common-bin [Not Installed]
>
> root at fs01:~# aptitude search smbclient
> p   libfilesys-smbclient-perl       - perl interface to access Samba 
> filesystem
> p   libsmbclient                    - shared library for communication 
> with SMB/
> p   libsmbclient-dev                - development files for libsmbclient
> p   libsmbclient-raw-dev            - SMB client library - development 
> files
> c   libsmbclient-raw0               - SMB client library
> p   smbclient                       - command-line SMB/CIFS clients 
> for Unix
> root at fs01:~#
>
> As you can see, smbclient is not installed and I am guessing the first 
> error spawns from "libsmbclient-raw0". I will not ask for help with 
> this here since this is an OS issue and not a Samba issue. I get 
> pretty good help at the Debian forum and expect an answer soon.
>
> I will keep the PAM stuff in-place as you have suggested. Thank you 
> for the info.
>
> On 08/15/2014 10:31 AM, Rowland Penny wrote:
>> On 15/08/14 15:19, Ryan Ashley wrote:
>>> I added those lines based on recommendations from another list user 
>>> who contacted me off-list. I will remove them after I send this email.
>>>
>>> As for the backports, I did try this, but I kept getting broken 
>>> dependencies. I have an open thread on the Debian forums attempting 
>>> to work this out right now. I would be happy to hear your 
>>> methodology for installing it though.
>>
>> I 'think' that what happened is you added some packages with '-t 
>> wheezy-backports' in the apt-get line and then tried to install 
>> something without '-t wheezy-backports'. The package that you tried 
>> to add was available from the standard repos but conflicted with the 
>> samba packages that you had installed from backports. The cure is to 
>> add '-t wheezy-backports' to the apt-get line if this happens and 
>> you should then get the right package installed.
>>
>>>
>>> Do I need PAM for simple file-sharing though? Somebody said I did 
>>> and somebody else said I did not. You and Steve seem to be the Samba 
>>> authority here, so I will take your word for it.
>>>
>>
>> Do you need PAM? In a word, YES.
>>
>> Rowland
>>
>>> On 08/15/2014 10:14 AM, Rowland Penny wrote:
>>>> On 15/08/14 14:34, Ryan Ashley wrote:
>>>>> I removed the 70028 (SYSTEM) group a few days ago thinking it 
>>>>> might be the issue. I will post my information one final time in 
>>>>> an attempt to show you that I am doing this the correct way, now 
>>>>> with functioning PAM support on the member server. If you want 
>>>>> ANYTHING else, I will do it, just ask. Nothing would make me 
>>>>> happier than to be out of your hair. I did not come here with the 
>>>>> intent to upset people, I simply wanted help.
>>>>>
>>>>> root at fs01:~# cat /etc/samba/smb.conf
>>>>> [global]
>>>>>   netbios name = FS01
>>>>>   workgroup = TRUEVINE
>>>>>   security = ADS
>>>>>   realm = TRUEVINE.LAN
>>>>>   encrypt passwords = true
>>>>>   dedicated keytab file = /etc/krb5.keytab
>>>>>   kerberos method = secrets and keytab
>>>>>
>>>>>   idmap config *:backend = tdb
>>>>>   idmap config *:range = 70001-80000
>>>>>   idmap config TRUEVINE:backend = ad
>>>>>   idmap config TRUEVINE:schema_mode = rfc2307
>>>>>   idmap config TRUEVINE:range = 10001-40000
>>>>>
>>>>>   winbind nss info = rfc2307
>>>>>   winbind trusted domains only = no
>>>>>   winbind use default domain = yes
>>>>>   winbind enum users = yes
>>>>>   winbind enum groups = yes
>>>>>   winbind refresh tickets = yes
>>>>>
>>>>> #  ntlm auth = no
>>>>> #  lanman auth = no
>>>>> #  client ntlmv2 auth = yes
>>>>>
>>>>>   domain master = no
>>>>>   local master = no
>>>>>   preferred master = no
>>>>>
>>>>>   vfs objects = acl_xattr
>>>>>   map acl inherit = yes
>>>>>   acl group control = yes
>>>>>   store dos attributes = yes
>>>>>
>>>>> [install$]
>>>>>   path = /home/shared/install
>>>>>   comment = "Software installation files"
>>>>>   read only = no
>>>>>
>>>>> [staff$]
>>>>>   path = /home/shared/staff
>>>>>   comment = "Staff file share"
>>>>>   read only = no
>>>>>   create mask = 0660
>>>>>   force create mode = 0660
>>>>>   directory mask = 0770
>>>>>   force directory mode = 0770
>>>>>
>>>>> [fbc$]
>>>>>   path = /home/shared/fbc
>>>>>   comment = "Family Bible College file share"
>>>>>   read only = no
>>>>>   create mask = 0660
>>>>>   force create mode = 0660
>>>>>   directory mask = 0770
>>>>>   force directory mode = 0770
>>>>>
>>>>
>>>> OK, only problem that I can see in your smb.conf is this:
>>>>
>>>>   create mask = 0660
>>>>   force create mode = 0660
>>>>   directory mask = 0770
>>>>   force directory mode = 0770
>>>>
>>>> As you are using ACLs, you should not be using the above; ACLs 
>>>> supersede the above lines.
>>>>
>>>>> getfacl: Removing leading '/' from absolute path names
>>>>> # file: home/shared/install/
>>>>> # owner: reachfp
>>>>> # group: domain\040admins
>>>>> # flags: -s-
>>>>> user::rwx
>>>>> group::rwx
>>>>> other::---
>>>>>
>>>>> root at fs01:~# getfacl /home/shared/staff/
>>>>> getfacl: Removing leading '/' from absolute path names
>>>>> # file: home/shared/staff/
>>>>> # owner: reachfp
>>>>> # group: staff
>>>>> # flags: -s-
>>>>> user::rwx
>>>>> user:reachfp:rwx
>>>>> group::rwx
>>>>> group:staff:rwx
>>>>> mask::rwx
>>>>> other::---
>>>>> default:user::rwx
>>>>> default:user:reachfp:rwx
>>>>> default:group::---
>>>>> default:group:staff:rwx
>>>>> default:mask::rwx
>>>>> default:other::---
>>>>>
>>>>> root at fs01:~# getfacl /home/shared/fbc
>>>>> getfacl: Removing leading '/' from absolute path names
>>>>> # file: home/shared/fbc
>>>>> # owner: reachfp
>>>>> # group: fbc
>>>>> # flags: -s-
>>>>> user::rwx
>>>>> user:reachfp:rwx
>>>>> group::rwx
>>>>> group:fbc:rwx
>>>>> mask::rwx
>>>>> other::---
>>>>> default:user::rwx
>>>>> default:user:reachfp:rwx
>>>>> default:group::---
>>>>> default:group:fbc:rwx
>>>>> default:mask::rwx
>>>>> default:other::---
>>>>>
>>>>> root at fs01:~# id yolandab
>>>>> uid=10014(yolandab) gid=20002(domain users) groups=20002(domain 
>>>>> users),20041(staff),20040(newmembers),20038(audiovideo),70002(BUILTIN\users) 
>>>>>
>>>>>
>>>>> root at fs01:~# id reach_support
>>>>> uid=10003(reach_support) gid=20002(domain users) 
>>>>> groups=20002(domain users),20042(vpn 
>>>>> users),20041(staff),20038(audiovideo),20039(fbc),20040(newmembers),70002(BUILTIN\users)
>>>>>
>>>>> root at fs01:~# id daquanm
>>>>> uid=10005(daquanm) gid=20002(domain users) groups=20002(domain 
>>>>> users),20038(audiovideo),20041(staff),70002(BUILTIN\users)
>>>>>
>>>>> root at fs01:~# iptables -S
>>>>> -P INPUT ACCEPT
>>>>> -P FORWARD ACCEPT
>>>>> -P OUTPUT ACCEPT
>>>>>
>>>>> root at fs01:~# cat /etc/krb5.conf
>>>>> [libdefaults]
>>>>>   default_realm = TRUEVINE.LAN
>>>>>   dns_lookup_realm = false
>>>>>   dns_lookup_kdc = true
>>>>>
>>>>> root at fs01:~# cat /etc/pam.d/common-account
>>>>> account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
>>>>> account requisite                       pam_deny.so
>>>>> account required                        pam_permit.so
>>>>> account [default=bad success=ok user_unknown=ignore] pam_winbind.so
>>>>>
>>>>> root at fs01:~# cat /etc/pam.d/common-auth
>>>>> auth    [success=1 default=ignore]      pam_unix.so nullok_secure
>>>>> auth    requisite                       pam_deny.so
>>>>> auth    required                        pam_permit.so
>>>>> auth sufficient pam_winbind.so use_first_pass
>>>>>
>>>>> root at fs01:~# cat /etc/pam.d/common-password
>>>>> password        [success=1 default=ignore] pam_unix.so obscure sha512
>>>>> password        requisite pam_deny.so
>>>>> password        required pam_permit.so
>>>>> password sufficient pam_winbind.so use_authtok
>>>>>
>>>>> root at fs01:~# cat /etc/pam.d/common-session
>>>>> session [default=1]                     pam_permit.so
>>>>> session requisite                       pam_deny.so
>>>>> session required                        pam_permit.so
>>>>> session required        pam_unix.so
>>>>> session [success=1 default=ignore] pam_succeed_if.so service in 
>>>>> crond quiet use_uid
>>>>>
>>>>
>>>> These are the lines from my PAM files:
>>>>
>>>> cat /etc/pam.d/common-account
>>>> account    [success=2 new_authtok_reqd=done default=ignore] 
>>>> pam_unix.so
>>>> account    [success=1 new_authtok_reqd=done default=ignore] 
>>>> pam_winbind.so
>>>> account    requisite            pam_deny.so
>>>> account    required            pam_permit.so
>>>> account    required            pam_krb5.so minimum_uid=1000
>>>>
>>>> cat /etc/pam.d/common-auth
>>>> auth    [success=3 default=ignore]    pam_krb5.so minimum_uid=1000
>>>> auth    [success=2 default=ignore]    pam_unix.so nullok_secure 
>>>> try_first_pass
>>>> auth    [success=1 default=ignore]    pam_winbind.so krb5_auth 
>>>> krb5_ccache_type=FILE cached_login try_first_pass
>>>> auth    requisite            pam_deny.so
>>>> auth    required            pam_permit.so
>>>> auth    optional    pam_ecryptfs.so unwrap
>>>> auth    optional            pam_cap.so
>>>>
>>>> cat /etc/pam.d/common-password
>>>> password    [success=3 default=ignore]    pam_krb5.so minimum_uid=1000
>>>> password    [success=2 default=ignore]    pam_unix.so obscure 
>>>> use_authtok try_first_pass sha512
>>>> password    [success=1 default=ignore]    pam_winbind.so 
>>>> use_authtok try_first_pass
>>>> password    requisite            pam_deny.so
>>>> password    required            pam_permit.so
>>>> password    optional    pam_gnome_keyring.so
>>>> password    optional    pam_ecryptfs.so
>>>>
>>>> cat /etc/pam.d/common-session
>>>> session    [default=1]            pam_permit.so
>>>> session    requisite            pam_deny.so
>>>> session    required            pam_permit.so
>>>> session optional            pam_umask.so
>>>> session    optional            pam_krb5.so minimum_uid=1000
>>>> session    required    pam_unix.so
>>>> session    optional            pam_winbind.so
>>>> session    optional    pam_systemd.so
>>>> session    optional    pam_ecryptfs.so unwrap
>>>> session    optional            pam_ck_connector.so nox11
>>>>
>>>>
>>>> Try removing the lines from smb.conf that I have indicated and see 
>>>> how you go on.
>>>>
>>>> I would still suggest that you stop building Samba4 yourself. I 
>>>> seem to remember that you are using Debian Wheezy; if you use 
>>>> backports (I can provide instructions) you will get 4.1.9, but 
>>>> seeing as how 4.1.11 is in Jessie it is likely that backports will 
>>>> be updated to this very soon. If you do go with the Debian packages 
>>>> and install the required PAM packages, you will get the PAM files 
>>>> altered for you.
>>>>
>>>> Rowland
>>>>
>>>>> root at fs01:~# l /lib/security/
>>>>> total 0
>>>>> lrwxrwxrwx 1 root root 32 Aug 14 23:19 pam_winbind.so -> 
>>>>> /usr/lib/security/pam_winbind.so
>>>>>
>>>>> root at fs01:~# l /lib | grep winbind
>>>>> lrwxrwxrwx  1 root root    28 Aug 15 09:24 libnss_winbind.so -> 
>>>>> /usr/lib/libnss_winbind.so.2
>>>>>
>>>>> root at fs01:~# getent passwd
>>>>> ...
>>>>> shamekias:*:10012:20002:<hidden for privacy>:/home/shamekias:/bin/sh
>>>>> richards:*:10011:20002:<hidden for privacy>:/home/richards:/bin/sh
>>>>> yolandab:*:10014:20002:<hidden for privacy>:/home/yolandab:/bin/sh
>>>>> joyces:*:10009:20002:<hidden for privacy>:/home/joyces:/bin/sh
>>>>> patriceb:*:10010:20002:<hidden for privacy>:/home/patriceb:/bin/sh
>>>>> cynthiaj:*:10004:20002:<hidden for privacy>:/home/cynthiaj:/bin/sh
>>>>> jessicaj:*:10007:20002:<hidden for privacy>:/home/jessicaj:/bin/sh
>>>>> reach_support:*:10003:20002:Reach Support:/home/reach_support:/bin/sh
>>>>> daquanm:*:10005:20002:<hidden for privacy>:/home/daquanm:/bin/sh
>>>>> ernestj:*:10006:20002:<hidden for privacy>:/home/ernestj:/bin/sh
>>>>> jovanm:*:10008:20002:<hidden for privacy>:/home/jovanm:/bin/sh
>>>>> thomasa:*:10013:20002:<hidden for privacy>:/home/thomasa:/bin/sh
>>>>> reachfp:*:10001:20002:Reach Technology FP:/home/reachfp:/bin/sh
>>>>> guest:*:10002:20005:Guest Domain User:/home/Guest:/bin/sh
>>>>>
>>>>> root at fs01:~# getent group
>>>>> ...
>>>>> allowed rodc password replication group:x:20012:
>>>>> enterprise read-only domain controllers:x:20007:
>>>>> denied rodc password replication group:x:20014:
>>>>> read-only domain controllers:x:20010:
>>>>> audiovideo:x:20038:
>>>>> group policy creator owners:x:20008:
>>>>> newmembers:x:20040:
>>>>> vpn users:x:20042:
>>>>> staff:x:20041:
>>>>> fbc:x:20039:
>>>>> ras and ias servers:x:20009:
>>>>> domain controllers:x:20004:
>>>>> enterprise admins:x:20006:
>>>>> domain computers:x:20003:
>>>>> cert publishers:x:20013:
>>>>> dnsupdateproxy:x:20016:
>>>>> domain admins:x:20001:
>>>>> domain guests:x:20005:
>>>>> schema admins:x:20011:
>>>>> domain users:x:20002:
>>>>> dnsadmins:x:20015:
>>>>>
>>>>> Now if you can tell me where in my configuration I am wrong, I 
>>>>> will gladly apologize for all of the trouble and I will not bother 
>>>>> you again. I already apologized to you and Steve personally for 
>>>>> whatever it was I did to get under your skin, but you told me I 
>>>>> needed to do more googling. I did, and when I found out, from the 
>>>>> Samba build parameters page, that PAM was not built by default and 
>>>>> mentioned it, I was attacked for that also, despite me providing 
>>>>> proof on the Samba wiki. If googling returns false results and you 
>>>>> want me to search for results, what do I do? Do you see my 
>>>>> predicament now? I come here and am told to search. I search and 
>>>>> find a fix to one of my issues and I am told I am wrong. How do I 
>>>>> know what to believe?
>>>>>
>>>>> On 08/15/2014 08:48 AM, Rowland Penny wrote:
>>>>>>
>>>>>> OK, getting a bit fed up with this now, so I set up a share on my 
>>>>>> test domain. The share is on one PC running Linux Mint 17 and I 
>>>>>> connected from another, again running Linux Mint 17. The two AD 
>>>>>> DCs are running Debian 7.5 with samba 4.1.9 from backports; the 
>>>>>> two Mint machines are both running samba 4.1.6.
>>>>>>
>>>>>> These are the ACLs from the share:
>>>>>>
>>>>>> getfacl /home/shared/staff/
>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>> # file: home/shared/staff/
>>>>>> # owner: emily
>>>>>> # group: administration
>>>>>> user::rwx
>>>>>> user:emily:rwx
>>>>>> group::rwx
>>>>>> group:administration:rwx
>>>>>> group:domain_admins:rwx
>>>>>> mask::rwx
>>>>>> other::rwx
>>>>>> default:user::rwx
>>>>>> default:user:emily:rwx
>>>>>> default:group::---
>>>>>> default:group:administration:rwx
>>>>>> default:group:domain_admins:rwx
>>>>>> default:mask::rwx
>>>>>> default:other::---
>>>>>>
>>>>>> Virtually the same as the OP's, mostly just lacking 'group:70028:rwx'.
>>>>>>
>>>>>> Running 'id rowland' gets me this:
>>>>>>
>>>>>> uid=10000(rowland) gid=10000(domain_users) 
>>>>>> groups=10000(domain_users),10001(administration),2001(BUILTIN\users)
>>>>>>
>>>>>> As you can see, rowland is not mentioned in the share's ACLs, but 
>>>>>> is a member of the group 'administration', which is.
>>>>>>
>>>>>> So I now try to connect from the other PC:
>>>>>>
>>>>>> smbclient //EmilysPC/staff
>>>>>> Enter rowland's password:
>>>>>> Domain=[HOME] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
>>>>>> smb: \> ls
>>>>>>   .                                   D        0  Fri Aug 15 
>>>>>> 12:55:50 2014
>>>>>>   ..                                  D        0  Fri Aug 15 
>>>>>> 12:55:50 2014
>>>>>>
>>>>>>         55743 blocks of size 8388608. 43330 blocks available
>>>>>> smb: \> quit
>>>>>>
>>>>>> So as far as I can see there is no problem. What do you think?
>>>>>>
>>>>>> Rowland
>>>>>
>>>>
>>>
>>
>
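Rowland's check above (a user absent from the share's ACL still gets in through a group entry, or is kept out when no entry matches) can be reproduced offline from getfacl and id output. This is an added example, not code from the thread or from Samba; it implements the POSIX acl(5) access-check order in Python, and the sample input is constructed from the fbc share ACL and the `id` lines quoted in the thread.

```python
import re
# Constructed sample input, copied in shape from the thread: the fbc share ACL
# as printed by getfacl, and the `id` output for two domain users.
GETFACL_FBC = """\
# file: home/shared/fbc
# owner: reachfp
# group: fbc
user::rwx
user:reachfp:rwx
group::rwx
group:fbc:rwx
mask::rwx
other::---
default:user::rwx
"""
ID_YOLANDAB = ("uid=10014(yolandab) gid=20002(domain users) groups=20002(domain users),"
               "20041(staff),20040(newmembers),20038(audiovideo),70002(BUILTIN\\users)")
ID_REACH_SUPPORT = ("uid=10003(reach_support) gid=20002(domain users) groups=20002(domain users),"
                    "20042(vpn users),20041(staff),20038(audiovideo),20039(fbc),20040(newmembers),70002(BUILTIN\\users)")

def parse_getfacl(text):
    """Return (owner, owning group, [(tag, qualifier, perms)]) for the access ACL."""
    owner = group = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):  # default: only governs new children
            tag, qual, perms = line.split(":")
            entries.append((tag, qual, set(perms) - {"-"}))
    return owner, group, entries

def parse_id(text):
    # user name plus every group name (primary and supplementary) from `id` output
    user = re.search(r"uid=\d+\(([^)]*)\)", text).group(1)
    groups = set(re.findall(r"\d+\(([^)]*)\)", text.split("groups=", 1)[1]))
    groups.add(re.search(r"gid=\d+\(([^)]*)\)", text).group(1))
    return user, groups

def acl_allows(getfacl_text, id_text, want):
    """Apply the acl(5) access-check algorithm; return (granted, entry that decided it)."""
    owner, owning_group, entries = parse_getfacl(getfacl_text)
    user, groups = parse_id(id_text)
    want = set(want)
    mask = next((p for t, q, p in entries if t == "mask"), {"r", "w", "x"})  # no mask: minimal ACL
    if user == owner:  # 1. the owner is judged by user:: alone; the mask never applies to it
        return want <= next(p for t, q, p in entries if t == "user" and q == ""), "user::"
    for t, q, p in entries:  # 2. a named user entry is used exclusively, after masking
        if t == "user" and q == user:
            return want <= p & mask, f"user:{q}:"
    # 3. owning group plus every named group the user is in; a single entry must hold all bits
    matched = [(q, p) for t, q, p in entries if t == "group" and ((q == "" and owning_group in groups) or (q and q in groups))]
    for q, p in matched:
        if want <= p & mask:
            return True, f"group:{q}:"
    if matched:
        return False, "no matching group entry grants " + "".join(sorted(want))
    return want <= next(p for t, q, p in entries if t == "other"), "other::"  # 4. everyone else
```

Run it against the staff share ACL and an `id` line for each user who reports "Access denied"; a result of `other::` means neither the owning group nor any named group entry matched that user's groups, and a "no matching group entry grants" result points at the mask.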