[Samba] Samba 4 AD share: Access denied

steve steve at steve-ss.com
Sat Jul 26 03:04:18 MDT 2014


On Sat, 2014-07-26 at 09:10 +0100, Rowland Penny wrote:
> On 26/07/14 03:07, Ryan Ashley wrote:
> > As per suggestion, I deleted the TDB files after a reboot, then 
> > brought up nmbd, smbd, and winbindd. All TDB files were regenerated 
> > but the problem persists. I can resolve AD groups with wbinfo, but 
> > share access appears to only be granted to the owner. I need this 
> > fixed ASAP. I am out of ideas now.
> >
> >
> > On 7/25/2014 5:00 PM, Dale Schroeder wrote:
> >> I'll reply to you offline also, as these comments are fairly 
> >> insignificant.
> >>
> >> On 07/25/2014 7:51 AM, Ryan Ashley wrote:
> >>> You are correct. I forgot to change it. Chalk it up to being 
> >>> exhausted when I did this. I will make the change now. Could this 
> >>> cause my issues though?
> >> In a word, yes.  It appears to be essential.
> >>
> >> To answer the question in your list email, if you should have any 
> >> further problems, the cache tdb's may have to be regenerated. There 
> >> are probably some SAMDOM entries in the default backend, but this may 
> >> never be an issue since the domain doesn't exist.  Beyond that, I 
> >> can't offer any specific advice because I don't have the ability to 
> >> use the ad backend here.  We have no Samba DC's nor Windows DC's with 
> >> SFU installed.
> >>
> >> Good luck,
> >> Dale
> >>
> >>>
> >>> On 07/24/2014 03:41 PM, Dale Schroeder wrote:
> >>>> Ryan,
> >>>>
> >>>> Assuming this is a verbatim copy of your config, should not "idmap 
> >>>> config SAMDOM" actually be "idmap config TRUEVINE"?
> >>>>
> >>>> Dale
> >>>>
> >>>> On 07/24/2014 10:25 AM, Ryan Ashley wrote:
> >>>>> I have been using Samba4 for ages and love it as a DC and a 
> >>>>> print-server. I just setup my first member-server designed solely 
> >>>>> to host file shares, and have hit an issue. Group policy is 
> >>>>> mapping it correctly for the users in the group, but those users 
> >>>>> are getting an access denied message from their Windows 7 Pro 
> >>>>> 64bit clients when accessing the share. I have configured ACLs and 
> >>>>> the box resolves users and groups. Everything works, except for 
> >>>>> the shares. Below I attached all of the information I believe to 
> >>>>> be useful. Ask if you need more, and thank you for your help!
> >>>>>
> >>>>> smb.conf:
> >>>>> ======
> >>>>> [global]
> >>>>>   netbios name = FS01
> >>>>>   workgroup = TRUEVINE
> >>>>>   security = ADS
> >>>>>   realm = TRUEVINE.LAN
> >>>>>   encrypt passwords = yes
> >>>>>
> >>>>>   idmap config *:backend = tdb
> >>>>>   idmap config *:range = 70001-80000
> >>>>>   idmap config SAMDOM:backend = ad
> >>>>>   idmap config SAMDOM:schema_mode = rfc2307
> >>>>>   idmap config SAMDOM:range = 500-40000
> >>>>>
> >>>>>   winbind nss info = rfc2307
> >>>>>   winbind trusted domains only = no
> >>>>>   winbind use default domain = yes
> >>>>>   winbind enum users = yes
> >>>>>   winbind enum groups = yes
> >>>>>
> >>>>>   vfs objects = acl_xattr
> >>>>>   map acl inherit = yes
> >>>>>   store dos attributes = yes
> >>>>>   auth methods = winbind
> >>>>>
> >>>>> [install$]
> >>>>>   path = /home/shared/install
> >>>>>   comment = "Software installation files"
> >>>>>   read only = no
> >>>>>
> >>>>> [staff$]
> >>>>>   path = /home/shared/staff
> >>>>>   comment = "Staff file share"
> >>>>>   read only = no
> >>>>>
> >>>>> [fbc$]
> >>>>>   path = /home/shared/fbc
> >>>>>   comment = "Family Bible College file share"
> >>>>>   read only = no
> >>>>>
> >>>>>
> >>>>>
> >>>>> ACL List:
> >>>>> ======
> >>>>> root@fs01:~# getfacl /home/shared/staff/
> >>>>> getfacl: Removing leading '/' from absolute path names
> >>>>> # file: home/shared/staff/
> >>>>> # owner: reachfp
> >>>>> # group: administration
> >>>>> # flags: ss-
> >>>>> user::rwx
> >>>>> user:reachfp:rwx
> >>>>> group::rwx
> >>>>> group:administration:rwx
> >>>>> group:domain\040admins:rwx
> >>>>> group:70028:rwx
> >>>>> mask::rwx
> >>>>> other::rwx
> >>>>> default:user::rwx
> >>>>> default:user:reachfp:rwx
> >>>>> default:group::---
> >>>>> default:group:administration:rwx
> >>>>> default:group:domain\040admins:rwx
> >>>>> default:group:70028:rwx
> >>>>> default:mask::rwx
> >>>>> default:other::---
> >>>>>
> >>>>> root@fs01:~# getfacl /home/shared/fbc/
> >>>>> getfacl: Removing leading '/' from absolute path names
> >>>>> # file: home/shared/fbc/
> >>>>> # owner: reachfp
> >>>>> # group: fbc
> >>>>> # flags: ss-
> >>>>> user::rwx
> >>>>> user:reachfp:rwx
> >>>>> group::rwx
> >>>>> group:fbc:rwx
> >>>>> group:domain\040admins:rwx
> >>>>> group:70028:rwx
> >>>>> mask::rwx
> >>>>> other::rwx
> >>>>> default:user::rwx
> >>>>> default:user:reachfp:rwx
> >>>>> default:group::---
> >>>>> default:group:fbc:rwx
> >>>>> default:group:domain\040admins:rwx
> >>>>> default:group:70028:rwx
> >>>>> default:mask::rwx
> >>>>> default:other::---
> >>>>>
> >>>>>
> >>>>>
> >>>>> NSSwitch:
> >>>>> ======
> >>>>> # /etc/nsswitch.conf
> >>>>> #
> >>>>> # Example configuration of GNU Name Service Switch functionality.
> >>>>> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> >>>>> # `info libc "Name Service Switch"' for information about this file.
> >>>>>
> >>>>> passwd:         compat winbind
> >>>>> group:          compat winbind
> >>>>> shadow:         compat
> >>>>>
> >>>>> hosts:          files dns
> >>>>> networks:       files
> >>>>>
> >>>>> protocols:      db files
> >>>>> services:       db files
> >>>>> ethers:         db files
> >>>>> rpc:            db files
> >>>>>
> >>>>> netgroup:       nis
> >>>>>
> >>>>>
> >>>>>
> >>>>> FS Permissions:
> >>>>> ==========
> >>>>> root@fs01:~# l /home/shared
> >>>>> total 40
> >>>>> drwsrwsrwx+  6 reachfp fbc             4096 Jul 23 11:31 fbc
> >>>>> drwsrws---+  8 reachfp domain admins   4096 Jul 23 11:14 install
> >>>>> drwx------   2 root    root           16384 Jul 15 10:00 lost+found
> >>>>> drwsrwsrwx+ 13 reachfp administration  4096 Jul 23 11:30 staff
> >>>>>
> >>>>>
> >>>>>
> >>>>> As you can see, I even tried changing the directory permissions to 
> >>>>> 777 and still no go. The users in the "administration" group are 
> >>>>> getting the drive mapped but are being denied access to it. Same 
> >>>>> for FBC. I have worked on this for days now and cannot get 
> >>>>> anywhere. What should I try next?
> >
> You seem to have 'flags' set on the directories, as I have never seen 
> this before I read the manpage and found this means that all files in 
> the directory will be owned by whoever owns the directory. I do not know 
> how you set the 'flags' but I suggest you find out how to remove them, I 
> think that this will cure your problem.
> 
> Rowland
> 
Hi
@Rowland
chmod u-s <folder>
and
chmod g-s <folder>

I think that's OK, but I've suggested removing everything and starting
with only the sticky bit on group:
chmod g+s
in combination with the group rw acl. That is all we are using here for
our group access share. What we are not seeing here are the xacls, but
the OP is doing it on the samba side. The group rw maps fine in windows.
It also looks as though windows has had its say too as there is a
builtin acl set too.
Cheers,
Steve
