[Samba] Samba 4 AD share: Access denied
Rowland Penny
rowlandpenny at googlemail.com
Sat Jul 26 03:36:07 MDT 2014
On 26/07/14 10:04, steve wrote:
> On Sat, 2014-07-26 at 09:10 +0100, Rowland Penny wrote:
>> On 26/07/14 03:07, Ryan Ashley wrote:
>>> As per suggestion, I deleted the TDB files after a reboot, then
>>> brought up nmbd, smbd, and winbindd. All TDB files were regenerated
>>> but the problem persists. I can resolve AD groups with wbinfo, but
>>> share access appears to only be granted to the owner. I need this
>>> fixed ASAP. I am out of ideas now.
>>>
>>>
>>> On 7/25/2014 5:00 PM, Dale Schroeder wrote:
>>>> I'll reply to you offline also, as these comments are fairly
>>>> insignificant.
>>>>
>>>> On 07/25/2014 7:51 AM, Ryan Ashley wrote:
>>>>> You are correct. I forgot to change it. Chalk it up to being
>>>>> exhausted when I did this. I will make the change now. Could this
>>>>> cause my issues though?
>>>> In a word, yes. It appears to be essential.
>>>>
>>>> To answer the question in your list email, if you should have any
>>>> further problems, the cache tdb's may have to be regenerated. There
>>>> are probably some SAMDOM entries in the default backend, but this may
>>>> never be an issue since the domain doesn't exist. Beyond that, I
>>>> can't offer any specific advice because I don't have the ability to
>>>> use the ad backend here. We have no Samba DC's nor Windows DC's with
>>>> SFU installed.
>>>>
>>>> Good luck,
>>>> Dale
>>>>
>>>>> On 07/24/2014 03:41 PM, Dale Schroeder wrote:
>>>>>> Ryan,
>>>>>>
>>>>>> Assuming this is a verbatim copy of your config, should not "idmap
>>>>>> config SAMDOM" actually be "idmap config TRUEVINE"?
>>>>>>
>>>>>> Dale
>>>>>>
>>>>>> On 07/24/2014 10:25 AM, Ryan Ashley wrote:
>>>>>>> I have been using Samba4 for ages and love it as a DC and a
>>>>>>> print-server. I just setup my first member-server designed solely
>>>>>>> to host file shares, and have hit an issue. Group policy is
>>>>>>> mapping it correctly for the users in the group, but those users
>>>>>>> are getting an access denied message from their Windows 7 Pro
>>>>>>> 64bit clients when accessing the share. I have configured ACLs and
>>>>>>> the box resolves users and groups. Everything works, except for
>>>>>>> the shares. Below I attached all of the information I believe to
>>>>>>> be useful. Ask if you need more, and thank you for your help!
>>>>>>>
>>>>>>> smb.conf:
>>>>>>> ======
>>>>>>> [global]
>>>>>>> netbios name = FS01
>>>>>>> workgroup = TRUEVINE
>>>>>>> security = ADS
>>>>>>> realm = TRUEVINE.LAN
>>>>>>> encrypt passwords = yes
>>>>>>>
>>>>>>> idmap config *:backend = tdb
>>>>>>> idmap config *:range = 70001-80000
>>>>>>> idmap config SAMDOM:backend = ad
>>>>>>> idmap config SAMDOM:schema_mode = rfc2307
>>>>>>> idmap config SAMDOM:range = 500-40000
>>>>>>>
>>>>>>> winbind nss info = rfc2307
>>>>>>> winbind trusted domains only = no
>>>>>>> winbind use default domain = yes
>>>>>>> winbind enum users = yes
>>>>>>> winbind enum groups = yes
>>>>>>>
>>>>>>> vfs objects = acl_xattr
>>>>>>> map acl inherit = yes
>>>>>>> store dos attributes = yes
>>>>>>> auth methods = winbind
>>>>>>>
>>>>>>> [install$]
>>>>>>> path = /home/shared/install
>>>>>>> comment = "Software installation files"
>>>>>>> read only = no
>>>>>>>
>>>>>>> [staff$]
>>>>>>> path = /home/shared/staff
>>>>>>> comment = "Staff file share"
>>>>>>> read only = no
>>>>>>>
>>>>>>> [fbc$]
>>>>>>> path = /home/shared/fbc
>>>>>>> comment = "Family Bible College file share"
>>>>>>> read only = no
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ACL List:
>>>>>>> ======
>>>>>>> root at fs01:~# getfacl /home/shared/staff/
>>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>>> # file: home/shared/staff/
>>>>>>> # owner: reachfp
>>>>>>> # group: administration
>>>>>>> # flags: ss-
>>>>>>> user::rwx
>>>>>>> user:reachfp:rwx
>>>>>>> group::rwx
>>>>>>> group:administration:rwx
>>>>>>> group:domain\040admins:rwx
>>>>>>> group:70028:rwx
>>>>>>> mask::rwx
>>>>>>> other::rwx
>>>>>>> default:user::rwx
>>>>>>> default:user:reachfp:rwx
>>>>>>> default:group::---
>>>>>>> default:group:administration:rwx
>>>>>>> default:group:domain\040admins:rwx
>>>>>>> default:group:70028:rwx
>>>>>>> default:mask::rwx
>>>>>>> default:other::---
>>>>>>>
>>>>>>> root at fs01:~# getfacl /home/shared/fbc/
>>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>>> # file: home/shared/fbc/
>>>>>>> # owner: reachfp
>>>>>>> # group: fbc
>>>>>>> # flags: ss-
>>>>>>> user::rwx
>>>>>>> user:reachfp:rwx
>>>>>>> group::rwx
>>>>>>> group:fbc:rwx
>>>>>>> group:domain\040admins:rwx
>>>>>>> group:70028:rwx
>>>>>>> mask::rwx
>>>>>>> other::rwx
>>>>>>> default:user::rwx
>>>>>>> default:user:reachfp:rwx
>>>>>>> default:group::---
>>>>>>> default:group:fbc:rwx
>>>>>>> default:group:domain\040admins:rwx
>>>>>>> default:group:70028:rwx
>>>>>>> default:mask::rwx
>>>>>>> default:other::---
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> NSSwitch:
>>>>>>> ======
>>>>>>> # /etc/nsswitch.conf
>>>>>>> #
>>>>>>> # Example configuration of GNU Name Service Switch functionality.
>>>>>>> # If you have the `glibc-doc-reference' and `info' packages
>>>>>>> installed, try:
>>>>>>> # `info libc "Name Service Switch"' for information about this file.
>>>>>>>
>>>>>>> passwd: compat winbind
>>>>>>> group: compat winbind
>>>>>>> shadow: compat
>>>>>>>
>>>>>>> hosts: files dns
>>>>>>> networks: files
>>>>>>>
>>>>>>> protocols: db files
>>>>>>> services: db files
>>>>>>> ethers: db files
>>>>>>> rpc: db files
>>>>>>>
>>>>>>> netgroup: nis
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> FS Permissions:
>>>>>>> ==========
>>>>>>> root at fs01:~# l /home/shared
>>>>>>> total 40
>>>>>>> drwsrwsrwx+ 6 reachfp fbc 4096 Jul 23 11:31 fbc
>>>>>>> drwsrws---+ 8 reachfp domain admins 4096 Jul 23 11:14 install
>>>>>>> drwx------ 2 root root 16384 Jul 15 10:00 lost+found
>>>>>>> drwsrwsrwx+ 13 reachfp administration 4096 Jul 23 11:30 staff
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> As you can see, I even tried changing the directory permissions to
>>>>>>> 777 and still no go. The users in the "administration" group are
>>>>>>> getting the drive mapped but are being denied access to it. Same
>>>>>>> for FBC. I have worked on this for days now and cannot get
>>>>>>> anywhere. What should I try next?
>> You seem to have 'flags' set on the directories, as I have never seen
>> this before I read the manpage and found this means that all files in
>> the directory will be owned by whoever owns the directory. I do not know
>> how you set the 'flags' but I suggest you find out how to remove them, I
>> think that this will cure your problem.
>>
>> Rowland
>>
> Hi
> @Rowland
> chmod u-s <folder>
> and
> chmod g-s <folder>
Hi, I actually knew that ;-) I was trying to get the OP to read up on
getfacl a bit more.
>
> I think that's OK, but I've suggested removing everything and starting
> with only the sticky bit on group:
> chmod g+s
> in combination with the group rw acl. That is all we are using here for
> our group access share. What we are not seeing here are the xacls, but
> the OP is doing it on the samba side. The group rw maps fine in windows.
> It also looks as though windows has had its say too as there is a
> builtin acl set too.
> Cheers,
> Steve
>
>
>
I would also suggest that the OP has a read here:
https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
Rowland
More information about the samba
mailing list