[Samba] Samba 4 AD share: Access denied

Rowland Penny rowlandpenny at googlemail.com
Sat Jul 26 03:36:07 MDT 2014


On 26/07/14 10:04, steve wrote:
> On Sat, 2014-07-26 at 09:10 +0100, Rowland Penny wrote:
>> On 26/07/14 03:07, Ryan Ashley wrote:
>>> As per suggestion, I deleted the TDB files after a reboot, then
>>> brought up nmbd, smbd, and winbindd. All TDB files were regenerated
>>> but the problem persists. I can resolve AD groups with wbinfo, but
>>> share access appears to only be granted to the owner. I need this
>>> fixed ASAP. I am out of ideas now.
>>>
>>>
>>> On 7/25/2014 5:00 PM, Dale Schroeder wrote:
>>>> I'll reply to you offline also, as these comments are fairly
>>>> insignificant.
>>>>
>>>> On 07/25/2014 7:51 AM, Ryan Ashley wrote:
>>>>> You are correct. I forgot to change it. Chalk it up to being
>>>>> exhausted when I did this. I will make the change now. Could this
>>>>> cause my issues though?
>>>> In a word, yes.  It appears to be essential.
>>>>
>>>> To answer the question in your list email, if you should have any
>>>> further problems, the cache tdb's may have to be regenerated. There
>>>> are probably some SAMDOM entries in the default backend, but this may
>>>> never be an issue since the domain doesn't exist.  Beyond that, I
>>>> can't offer any specific advice because I don't have the ability to
>>>> use the ad backend here.  We have no Samba DC's nor Windows DC's with
>>>> SFU installed.
>>>>
>>>> Good luck,
>>>> Dale
>>>>
>>>>> On 07/24/2014 03:41 PM, Dale Schroeder wrote:
>>>>>> Ryan,
>>>>>>
>>>>>> Assuming this is a verbatim copy of your config, should not "idmap
>>>>>> config SAMDOM" actually be "idmap config TRUEVINE"?
>>>>>>
>>>>>> Dale
>>>>>>
>>>>>> On 07/24/2014 10:25 AM, Ryan Ashley wrote:
>>>>>>> I have been using Samba4 for ages and love it as a DC and a
>>>>>>> print-server. I just set up my first member-server designed solely
>>>>>>> to host file shares, and have hit an issue. Group policy is
>>>>>>> mapping it correctly for the users in the group, but those users
>>>>>>> are getting an access denied message from their Windows 7 Pro
>>>>>>> 64bit clients when accessing the share. I have configured ACLs and
>>>>>>> the box resolves users and groups. Everything works, except for
>>>>>>> the shares. Below I attached all of the information I believe to
>>>>>>> be useful. Ask if you need more, and thank you for your help!
>>>>>>>
>>>>>>> smb.conf:
>>>>>>> ======
>>>>>>> [global]
>>>>>>>    netbios name = FS01
>>>>>>>    workgroup = TRUEVINE
>>>>>>>    security = ADS
>>>>>>>    realm = TRUEVINE.LAN
>>>>>>>    encrypt passwords = yes
>>>>>>>
>>>>>>>    idmap config *:backend = tdb
>>>>>>>    idmap config *:range = 70001-80000
>>>>>>>    idmap config SAMDOM:backend = ad
>>>>>>>    idmap config SAMDOM:schema_mode = rfc2307
>>>>>>>    idmap config SAMDOM:range = 500-40000
>>>>>>>
>>>>>>>    winbind nss info = rfc2307
>>>>>>>    winbind trusted domains only = no
>>>>>>>    winbind use default domain = yes
>>>>>>>    winbind enum users = yes
>>>>>>>    winbind enum groups = yes
>>>>>>>
>>>>>>>    vfs objects = acl_xattr
>>>>>>>    map acl inherit = yes
>>>>>>>    store dos attributes = yes
>>>>>>>    auth methods = winbind
>>>>>>>
>>>>>>> [install$]
>>>>>>>    path = /home/shared/install
>>>>>>>    comment = "Software installation files"
>>>>>>>    read only = no
>>>>>>>
>>>>>>> [staff$]
>>>>>>>    path = /home/shared/staff
>>>>>>>    comment = "Staff file share"
>>>>>>>    read only = no
>>>>>>>
>>>>>>> [fbc$]
>>>>>>>    path = /home/shared/fbc
>>>>>>>    comment = "Family Bible College file share"
>>>>>>>    read only = no
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ACL List:
>>>>>>> ======
>>>>>>> root at fs01:~# getfacl /home/shared/staff/
>>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>>> # file: home/shared/staff/
>>>>>>> # owner: reachfp
>>>>>>> # group: administration
>>>>>>> # flags: ss-
>>>>>>> user::rwx
>>>>>>> user:reachfp:rwx
>>>>>>> group::rwx
>>>>>>> group:administration:rwx
>>>>>>> group:domain\040admins:rwx
>>>>>>> group:70028:rwx
>>>>>>> mask::rwx
>>>>>>> other::rwx
>>>>>>> default:user::rwx
>>>>>>> default:user:reachfp:rwx
>>>>>>> default:group::---
>>>>>>> default:group:administration:rwx
>>>>>>> default:group:domain\040admins:rwx
>>>>>>> default:group:70028:rwx
>>>>>>> default:mask::rwx
>>>>>>> default:other::---
>>>>>>>
>>>>>>> root at fs01:~# getfacl /home/shared/fbc/
>>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>>> # file: home/shared/fbc/
>>>>>>> # owner: reachfp
>>>>>>> # group: fbc
>>>>>>> # flags: ss-
>>>>>>> user::rwx
>>>>>>> user:reachfp:rwx
>>>>>>> group::rwx
>>>>>>> group:fbc:rwx
>>>>>>> group:domain\040admins:rwx
>>>>>>> group:70028:rwx
>>>>>>> mask::rwx
>>>>>>> other::rwx
>>>>>>> default:user::rwx
>>>>>>> default:user:reachfp:rwx
>>>>>>> default:group::---
>>>>>>> default:group:fbc:rwx
>>>>>>> default:group:domain\040admins:rwx
>>>>>>> default:group:70028:rwx
>>>>>>> default:mask::rwx
>>>>>>> default:other::---
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> NSSwitch:
>>>>>>> ======
>>>>>>> # /etc/nsswitch.conf
>>>>>>> #
>>>>>>> # Example configuration of GNU Name Service Switch functionality.
>>>>>>> # If you have the `glibc-doc-reference' and `info' packages
>>>>>>> installed, try:
>>>>>>> # `info libc "Name Service Switch"' for information about this file.
>>>>>>>
>>>>>>> passwd:         compat winbind
>>>>>>> group:          compat winbind
>>>>>>> shadow:         compat
>>>>>>>
>>>>>>> hosts:          files dns
>>>>>>> networks:       files
>>>>>>>
>>>>>>> protocols:      db files
>>>>>>> services:       db files
>>>>>>> ethers:         db files
>>>>>>> rpc:            db files
>>>>>>>
>>>>>>> netgroup:       nis
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> FS Permissions:
>>>>>>> ==========
>>>>>>> root at fs01:~# l /home/shared
>>>>>>> total 40
>>>>>>> drwsrwsrwx+  6 reachfp fbc             4096 Jul 23 11:31 fbc
>>>>>>> drwsrws---+  8 reachfp domain admins   4096 Jul 23 11:14 install
>>>>>>> drwx------   2 root    root           16384 Jul 15 10:00 lost+found
>>>>>>> drwsrwsrwx+ 13 reachfp administration  4096 Jul 23 11:30 staff
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> As you can see, I even tried changing the directory permissions to
>>>>>>> 777 and still no go. The users in the "administration" group are
>>>>>>> getting the drive mapped but are being denied access to it. Same
>>>>>>> for FBC. I have worked on this for days now and cannot get
>>>>>>> anywhere. What should I try next?
>> You seem to have 'flags' set on the directories. As I have never seen
>> this before, I read the manpage and found this means that all files in
>> the directory will be owned by whoever owns the directory. I do not know
>> how you set the 'flags', but I suggest you find out how to remove them; I
>> think that this will cure your problem.
>>
>> Rowland
>>
> Hi
> @Rowland
> chmod u-s <folder>
> and
> chmod g-s <folder>

Hi, I actually knew that ;-) I was trying to get the OP to read up on
getfacl a bit more.
>
> I think that's OK, but I've suggested removing everything and starting
> with only the sticky bit on group:
> chmod g+s
> in combination with the group rw acl. That is all we are using here for
> our group access share. What we are not seeing here are the xacls, but
> the OP is doing it on the samba side. The group rw maps fine in windows.
> It also looks as though windows has had its say too as there is a
> builtin acl set too.
> Cheers,
> Steve
>
>
>
I would also suggest that the OP has a read here:

https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs

Rowland
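The mismatch Dale spotted in the OP's config (idmap config SAMDOM while the joined domain is TRUEVINE) is easy to check mechanically. The following is an added example, not code from this thread or from the Samba project: it parses a constructed smb.conf modelled on the OP's [global] section and flags idmap config domains that are neither '*' nor the workgroup, as well as per-domain ranges that overlap the default '*' range.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the OP's [global]: the idmap entries name
# SAMDOM while the domain the server actually joined (workgroup) is TRUEVINE.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = TRUEVINE
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:range = 500-40000
"""

def parse_global(conf: str) -> Dict[str, str]:
    """Return the [global] parameters (keys lower-cased, whitespace collapsed)."""
    params: Dict[str, str] = {}
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
        elif section == "global" and "=" in line:
            key, _, val = line.partition("=")
            params[" ".join(key.lower().split())] = val.strip()
    return params

def check_idmap(conf: str) -> List[str]:
    """Flag idmap domains other than '*'/workgroup and ranges overlapping '*'."""
    params = parse_global(conf)
    workgroup = params.get("workgroup", "").upper()
    ranges: Dict[str, Optional[Tuple[int, int]]] = {}   # domain -> (lo, hi)
    for key, val in params.items():
        m = re.match(r"idmap config (\S+):(\w+)$", key)
        if m:
            dom, opt = m.group(1).upper(), m.group(2)
            ranges.setdefault(dom, None)
            if opt == "range":
                lo, hi = (int(x) for x in val.split("-"))
                ranges[dom] = (lo, hi)
    problems, default = [], ranges.get("*")
    for dom, rng in sorted(ranges.items()):
        if dom not in ("*", workgroup):
            problems.append(f"idmap config {dom} does not match workgroup {workgroup}; ids for the joined domain fall back to the '*' backend")
        if dom != "*" and rng and default and rng[0] <= default[1] and default[0] <= rng[1]:
            problems.append(f"idmap config {dom} range overlaps the default range")
    return problems
```

Run it against the real /etc/samba/smb.conf before joining; an entry for a trusted domain is reported too, so judge each finding against the domains the server is actually meant to serve.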


