[Samba] Samba 4 AD share: Access denied
Ryan Ashley
ryana at reachtechfp.com
Sat Jul 26 15:20:10 MDT 2014
Alright, I just read the responses. I have two pickup trucks and one is
older and acting up, so I have been working on it. On to the responses!
Also, I sent this once by accident to Rowland. Still not used to having
to change the reply field to the list. My apologies.
Yes, I set g+s and u+s via chmod. This was great in Samba 3, but I can
undo it if needed. I believe 700028 is "SYSTEM". The directories and
files are owned by "administration", "domain admins", and "SYSTEM". Same
for the other share, except "fbc" instead of "administration". And I
used the linked article as a guide for setting up these shares, so it
has been used up. I only set the sticky bits after it wasn't working. I
was trying to get it working and wanted a standard user and group.
Either way, that was the guide I used before posting to this list.
On 7/26/2014 5:36 AM, Rowland Penny wrote:
> On 26/07/14 10:04, steve wrote:
>> On Sat, 2014-07-26 at 09:10 +0100, Rowland Penny wrote:
>>> On 26/07/14 03:07, Ryan Ashley wrote:
>>>> As per suggestion, I deleted the TDB files after a reboot, then
>>>> brought up nmbd, smbd, and winbindd. All TDB files were regenerated
>>>> but the problem persists. I can resolve AD groups with wbinfo, but
>>>> share access appears to only be granted to the owner. I need this
>>>> fixed ASAP. I am out of ideas now.
>>>>
>>>>
>>>> On 7/25/2014 5:00 PM, Dale Schroeder wrote:
>>>>> I'll reply to you offline also, as these comments are fairly
>>>>> insignificant.
>>>>>
>>>>> On 07/25/2014 7:51 AM, Ryan Ashley wrote:
>>>>>> You are correct. I forgot to change it. Chalk it up to being
>>>>>> exhausted when I did this. I will make the change now. Could this
>>>>>> cause my issues though?
>>>>> In a word, yes. It appears to be essential.
>>>>>
>>>>> To answer the question in your list email, if you should have any
>>>>> further problems, the cache tdb's may have to be regenerated. There
>>>>> are probably some SAMDOM entries in the default backend, but this may
>>>>> never be an issue since the domain doesn't exist. Beyond that, I
>>>>> can't offer any specific advice because I don't have the ability to
>>>>> use the ad backend here. We have no Samba DC's nor Windows DC's with
>>>>> SFU installed.
>>>>>
>>>>> Good luck,
>>>>> Dale
>>>>>
>>>>>> On 07/24/2014 03:41 PM, Dale Schroeder wrote:
>>>>>>> Ryan,
>>>>>>>
>>>>>>> Assuming this is a verbatim copy of your config, should not "idmap
>>>>>>> config SAMDOM" actually be "idmap config TRUEVINE"?
>>>>>>>
>>>>>>> Dale
>>>>>>>
>>>>>>> On 07/24/2014 10:25 AM, Ryan Ashley wrote:
>>>>>>>> I have been using Samba4 for ages and love it as a DC and a
>>>>>>>> print-server. I just set up my first member-server designed solely
>>>>>>>> to host file shares, and have hit an issue. Group policy is
>>>>>>>> mapping it correctly for the users in the group, but those users
>>>>>>>> are getting an access denied message from their Windows 7 Pro
>>>>>>>> 64bit clients when accessing the share. I have configured ACLs and
>>>>>>>> the box resolves users and groups. Everything works, except for
>>>>>>>> the shares. Below I attached all of the information I believe to
>>>>>>>> be useful. Ask if you need more, and thank you for your help!
>>>>>>>>
>>>>>>>> smb.conf:
>>>>>>>> ======
>>>>>>>> [global]
>>>>>>>> netbios name = FS01
>>>>>>>> workgroup = TRUEVINE
>>>>>>>> security = ADS
>>>>>>>> realm = TRUEVINE.LAN
>>>>>>>> encrypt passwords = yes
>>>>>>>>
>>>>>>>> idmap config *:backend = tdb
>>>>>>>> idmap config *:range = 70001-80000
>>>>>>>> idmap config SAMDOM:backend = ad
>>>>>>>> idmap config SAMDOM:schema_mode = rfc2307
>>>>>>>> idmap config SAMDOM:range = 500-40000
>>>>>>>>
>>>>>>>> winbind nss info = rfc2307
>>>>>>>> winbind trusted domains only = no
>>>>>>>> winbind use default domain = yes
>>>>>>>> winbind enum users = yes
>>>>>>>> winbind enum groups = yes
>>>>>>>>
>>>>>>>> vfs objects = acl_xattr
>>>>>>>> map acl inherit = yes
>>>>>>>> store dos attributes = yes
>>>>>>>> auth methods = winbind
>>>>>>>>
>>>>>>>> [install$]
>>>>>>>> path = /home/shared/install
>>>>>>>> comment = "Software installation files"
>>>>>>>> read only = no
>>>>>>>>
>>>>>>>> [staff$]
>>>>>>>> path = /home/shared/staff
>>>>>>>> comment = "Staff file share"
>>>>>>>> read only = no
>>>>>>>>
>>>>>>>> [fbc$]
>>>>>>>> path = /home/shared/fbc
>>>>>>>> comment = "Family Bible College file share"
>>>>>>>> read only = no
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> ACL List:
>>>>>>>> ======
>>>>>>>> root@fs01:~# getfacl /home/shared/staff/
>>>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>>>> # file: home/shared/staff/
>>>>>>>> # owner: reachfp
>>>>>>>> # group: administration
>>>>>>>> # flags: ss-
>>>>>>>> user::rwx
>>>>>>>> user:reachfp:rwx
>>>>>>>> group::rwx
>>>>>>>> group:administration:rwx
>>>>>>>> group:domain\040admins:rwx
>>>>>>>> group:70028:rwx
>>>>>>>> mask::rwx
>>>>>>>> other::rwx
>>>>>>>> default:user::rwx
>>>>>>>> default:user:reachfp:rwx
>>>>>>>> default:group::---
>>>>>>>> default:group:administration:rwx
>>>>>>>> default:group:domain\040admins:rwx
>>>>>>>> default:group:70028:rwx
>>>>>>>> default:mask::rwx
>>>>>>>> default:other::---
>>>>>>>>
>>>>>>>> root@fs01:~# getfacl /home/shared/fbc/
>>>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>>>> # file: home/shared/fbc/
>>>>>>>> # owner: reachfp
>>>>>>>> # group: fbc
>>>>>>>> # flags: ss-
>>>>>>>> user::rwx
>>>>>>>> user:reachfp:rwx
>>>>>>>> group::rwx
>>>>>>>> group:fbc:rwx
>>>>>>>> group:domain\040admins:rwx
>>>>>>>> group:70028:rwx
>>>>>>>> mask::rwx
>>>>>>>> other::rwx
>>>>>>>> default:user::rwx
>>>>>>>> default:user:reachfp:rwx
>>>>>>>> default:group::---
>>>>>>>> default:group:fbc:rwx
>>>>>>>> default:group:domain\040admins:rwx
>>>>>>>> default:group:70028:rwx
>>>>>>>> default:mask::rwx
>>>>>>>> default:other::---
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> NSSwitch:
>>>>>>>> ======
>>>>>>>> # /etc/nsswitch.conf
>>>>>>>> #
>>>>>>>> # Example configuration of GNU Name Service Switch functionality.
>>>>>>>> # If you have the `glibc-doc-reference' and `info' packages installed, try:
>>>>>>>> # `info libc "Name Service Switch"' for information about this file.
>>>>>>>>
>>>>>>>> passwd: compat winbind
>>>>>>>> group: compat winbind
>>>>>>>> shadow: compat
>>>>>>>>
>>>>>>>> hosts: files dns
>>>>>>>> networks: files
>>>>>>>>
>>>>>>>> protocols: db files
>>>>>>>> services: db files
>>>>>>>> ethers: db files
>>>>>>>> rpc: db files
>>>>>>>>
>>>>>>>> netgroup: nis
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> FS Permissions:
>>>>>>>> ==========
>>>>>>>> root@fs01:~# l /home/shared
>>>>>>>> total 40
>>>>>>>> drwsrwsrwx+ 6 reachfp fbc 4096 Jul 23 11:31 fbc
>>>>>>>> drwsrws---+ 8 reachfp domain admins 4096 Jul 23 11:14 install
>>>>>>>> drwx------ 2 root root 16384 Jul 15 10:00 lost+found
>>>>>>>> drwsrwsrwx+ 13 reachfp administration 4096 Jul 23 11:30 staff
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> As you can see, I even tried changing the directory permissions to
>>>>>>>> 777 and still no go. The users in the "administration" group are
>>>>>>>> getting the drive mapped but are being denied access to it. Same
>>>>>>>> for FBC. I have worked on this for days now and cannot get
>>>>>>>> anywhere. What should I try next?
>>> You seem to have 'flags' set on the directories. As I have never seen
>>> this before, I read the manpage and found this means that all files in
>>> the directory will be owned by whoever owns the directory. I do not
>>> know how you set the 'flags', but I suggest you find out how to remove
>>> them; I think that this will cure your problem.
>>>
>>> Rowland
>>>
>> Hi
>> @Rowland
>> chmod u-s <folder>
>> and
>> chmod g-s <folder>
>
> Hi, I actually knew that ;-) I was trying to get the OP to read up on
> getfacl a bit more.
>>
>> I think that's OK, but I've suggested removing everything and starting
>> with only the sticky bit on group:
>> chmod g+s
>> in combination with the group rw acl. That is all we are using here for
>> our group access share. What we are not seeing here are the xacls, but
>> the OP is doing it on the samba side. The group rw maps fine in windows.
>> It also looks as though windows has had its say too as there is a
>> builtin acl set too.
>> Cheers,
>> Steve
>>
>>
>>
> I would also suggest that the OP has a read here:
>
> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>
>
> Rowland
>
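The thread's root cause, as Dale spotted, is an "idmap config SAMDOM" block on a member server whose workgroup is TRUEVINE: winbind never uses the ad backend for the real domain, so every domain SID is allocated an ID from the "*" tdb range instead of the rfc2307 values group access was configured against. The lint below is an added example (not code from the thread or from the Samba project) that parses the [global] section of an smb.conf and reports exactly that mismatch, plus the other common idmap mistakes: a missing default backend, a missing range, ranges that overlap each other, and a range that starts below the first local UID/GID. SMB_CONF is constructed from the configuration quoted above; LOCAL_ID_FLOOR = 1000 is an assumption about where local accounts start on this host.

```python
"""Lint the idmap configuration of an smb.conf for a Samba AD member server.

Added example, not from the mailing-list thread and not Samba's own code.
"""
import re
from collections import defaultdict

# Constructed sample: the [global] idmap lines of the smb.conf quoted in the thread.
SMB_CONF = """\
[global]
netbios name = FS01
workgroup = TRUEVINE
security = ADS
realm = TRUEVINE.LAN

idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 500-40000
"""

# Assumption: first UID/GID handed to local accounts on this host (Debian default).
LOCAL_ID_FLOOR = 1000

IDMAP_RE = re.compile(r"^idmap config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.+)$", re.I)


def parse_global(text):
    """Return (settings, idmap): plain [global] keys, and per-domain idmap options."""
    settings, idmap, section = {}, defaultdict(dict), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global":
            continue
        m = IDMAP_RE.match(line)
        if m:
            idmap[m.group(1).upper()][m.group(2).lower()] = m.group(3).strip()
        elif "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings, idmap


def parse_range(value):
    lo, hi = (int(x) for x in value.split("-", 1))
    return lo, hi


def lint_idmap(text):
    """Return a list of problems with the idmap configuration; [] means it looks sane."""
    problems = []
    settings, idmap = parse_global(text)
    workgroup = settings.get("workgroup", "").upper()
    if "*" not in idmap:
        problems.append("no 'idmap config *' block: winbind has no default backend")
    if workgroup and workgroup not in idmap:
        problems.append("no 'idmap config %s' block: users of the joined domain fall back "
                        "to the '*' backend and its range" % workgroup)
    ranges = {}
    for dom, opts in idmap.items():
        if dom not in ("*", workgroup):
            problems.append("'idmap config %s' names a domain that is not the workgroup "
                            "(%s): typo or an unedited example?" % (dom, workgroup))
        if "range" not in opts:
            problems.append("'idmap config %s' has no range" % dom)
            continue
        ranges[dom] = parse_range(opts["range"])
        if ranges[dom][0] < LOCAL_ID_FLOOR:
            problems.append("range of %s starts at %d, below local accounts (%d)"
                            % (dom, ranges[dom][0], LOCAL_ID_FLOOR))
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append("ranges of %s (%d-%d) and %s (%d-%d) overlap"
                                % (a, alo, ahi, b, blo, bhi))
    return problems


if __name__ == "__main__":
    for name, conf in (("as posted", SMB_CONF),
                       ("SAMDOM -> TRUEVINE", SMB_CONF.replace("SAMDOM", "TRUEVINE"))):
        print("%s:" % name)
        for p in lint_idmap(conf) or ["ok"]:
            print("  -", p)
```

Run against the posted config it reports the missing TRUEVINE block, the stray SAMDOM block and the 500-40000 range dipping into local IDs; after renaming SAMDOM to TRUEVINE only the range warning remains, and moving the range above 1000 clears it. Range overlap is checked pairwise because winbind cannot tell two domains apart once their ID spaces collide.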
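The "# flags: ss-" line in the getfacl output above is the setuid, setgid and sticky bit of each share directory, which the OP set with chmod u+s/g+s. Rowland suggests removing them and steve suggests keeping only g+s so new files inherit the directory's group. The script below is an added example (not from the thread, not Samba's code) that walks a share root, reports every entry carrying one of those bits in getfacl's notation, and strips them, optionally keeping setgid on directories. The sample tree is constructed in a temporary directory shaped like the OP's /home/shared/staff.

```python
"""Find and clear setuid/setgid/sticky bits on a share tree.

Added example, not from the mailing-list thread and not Samba's own code.
"""
import os
import shutil
import stat
import tempfile

SPECIAL = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX


def flags(mode):
    """Render the special bits the way getfacl's '# flags:' line does, e.g. 'ss-'."""
    return ("s" if mode & stat.S_ISUID else "-") + \
           ("s" if mode & stat.S_ISGID else "-") + \
           ("t" if mode & stat.S_ISVTX else "-")


def audit(root):
    """Map path -> flags for every entry under root (root included) with a special bit set."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            mode = os.lstat(path).st_mode        # lstat: never follow symlinks
            if mode & SPECIAL:
                found[path] = flags(mode)
    return found


def strip_special(root, keep_setgid_dirs=False):
    """Clear setuid/setgid/sticky under root; returns how many entries were changed.
    With keep_setgid_dirs=True the setgid bit stays on directories, so new files
    inherit the directory's group (steve's 'chmod g+s' variant)."""
    changed = 0
    for path in audit(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue                              # symlink modes are not chmod-able on Linux
        clear = SPECIAL
        if keep_setgid_dirs and stat.S_ISDIR(st.st_mode):
            clear &= ~stat.S_ISGID
        new_mode = stat.S_IMODE(st.st_mode) & ~clear
        if new_mode != stat.S_IMODE(st.st_mode):
            os.chmod(path, new_mode)
            changed += 1
    return changed


def demo():
    """Constructed tree: a 'staff' dir with mode 6777 (drwsrwsrwx), as in the OP's listing."""
    root = tempfile.mkdtemp(prefix="shared-")
    try:
        staff = os.path.join(root, "staff")
        os.mkdir(staff)
        os.chmod(staff, 0o6777)
        before = audit(root).get(staff)                         # 'ss-'
        changed_keep = strip_special(root, keep_setgid_dirs=True)
        after_keep = flags(os.lstat(staff).st_mode)             # '-s-'
        changed_all = strip_special(root)
        after_all = audit(root)                                 # {}
    finally:
        shutil.rmtree(root)
    return {"before": before, "changed_keep": changed_keep, "after_keep": after_keep,
            "changed_all": changed_all, "after_all": after_all}


if __name__ == "__main__":
    print(demo())
```

Run it against a real share root (for example audit("/home/shared")) before changing anything; it uses lstat so a symlink into another tree is reported but never chmod'ed.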