[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Mon Jul 28 07:18:14 MDT 2014


I have never even played with apparmor. I do my Debian installs using a 
net CD and doing the expert 64bit install. I disable recommended and 
suggested packages and install only exactly what I need, so I do not 
have apparmor or selinux. Good thought though. I also tried disabling 
the firewall on a test PC and still no go. This has NEVER happened 
before so I am lost.

So where else should I look? The system in question is a domain member 
server, can resolve users and groups, and can set ACLs with user and 
groups from AD. It is simply denying access to group members of said shares.

On 07/28/2014 05:02 AM, Rowland Penny wrote:
> On 27/07/14 16:28, Ryan Ashley wrote:
>> I understand and I should have stated more clearly that I have been 
>> going through those results for over a week now. Nothing seems to 
>> help. Funny thing is that creating a second virtual file-server and 
>> using share authentication works fine. Yet another reason I am 
>> leaning towards group issues. If the file-server is share-level the 
>> Windows 7 boxes are happy. As soon as it goes AD and uses AD groups, 
>> they stop working. I have not tried user-level security yet. Then 
>> again I may have user-level and share-level confused. It has been a 
>> long week. I will keep searching but so far nothing I have found and 
>> tried works.
>>
>> Is there a way to get an actual reason for the denial? If it flat-out 
>> told me a reason I could troubleshoot. Right now I am just shooting 
>> in random directions hoping to hit something since all I get is 
>> "Access Denied". Is it possible to see if S4 is denying the 
>> connection via a log or something, or if Windows 7 is being 
>> stupid...   again?
>>
>> On 7/27/2014 10:57 AM, Rowland Penny wrote:
>>> On 27/07/14 15:15, Ryan Ashley wrote:
>>>> That solution is for Windows 8. That also is not our issue. The 
>>>> Windows 7 Pro 64bit workstations see the server and shares, and 
>>>> they map the shares according to group policy, but then everybody 
>>>> gets access denied, despite being in the domain groups for which 
>>>> the shares were created. Funny thing is that if I logon as domain 
>>>> admin, I get to access the shares. Due to this, I fully believe the 
>>>> S4 server is ignoring or not accounting for group membership. The 
>>>> "reachfp" account is the domain admin. This is also the default 
>>>> owner of files on the shares. The group "administration" contains 
>>>> many members and does not grant access, despite the group being 
>>>> granted full control. This led me into believing I am still dealing 
>>>> with a permissions issue and not another issue. If it was the other 
>>>> issue, I would assume domain admin could not see the share or 
>>>> access it. Is that about right?
>>>>
>>>> On 7/27/2014 4:56 AM, Rowland Penny wrote:
>>>>> On 26/07/14 22:20, Ryan Ashley wrote:
>>>>>> Alright, I just read the responses. I have two pickup trucks and 
>>>>>> one is older and acting up, so I have been working on it. On to 
>>>>>> the responses! Also, I sent this once by accident to Rowland. 
>>>>>> Still not used to having to change the reply field to the list. 
>>>>>> My apologies.
>>>>>>
>>>>>> Yes I set g+s and u+s via chmod. This was great in Samba 3, but I 
>>>>>> can undo it if needed. I believe 700028 is "SYSTEM". The 
>>>>>> directories and files are owned by "administration", "domain 
>>>>>> admins", and "SYSTEM". Same for the other share, except "fbc" 
>>>>>> instead of "administration". And I used the linked article as a 
>>>>>> guide for setting up these shares, so it has been used up. I only 
>>>>>> set the sticky bits after it wasn't working. I was trying to get 
>>>>>> it working and wanted a standard user and group. Either way, that 
>>>>>> was the guide I used before posting to this list.
>>>>>>
>>>>>> On 7/26/2014 5:36 AM, Rowland Penny wrote:
>>>>>>> On 26/07/14 10:04, steve wrote:
>>>>>>>> On Sat, 2014-07-26 at 09:10 +0100, Rowland Penny wrote:
>>>>>>>>> On 26/07/14 03:07, Ryan Ashley wrote:
>>>>>>>>>> As per suggestion, I deleted the TDB files after a reboot, then 
>>>>>>>>>> brought up nmbd, smbd, and winbindd. All TDB files were regenerated 
>>>>>>>>>> but the problem persists. I can resolve AD groups with wbinfo, but 
>>>>>>>>>> share access appears to only be granted to the owner. I need this 
>>>>>>>>>> fixed ASAP. I am out of ideas now.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 7/25/2014 5:00 PM, Dale Schroeder wrote:
>>>>>>>>>>> I'll reply to you offline also, as these comments are fairly
>>>>>>>>>>> insignificant.
>>>>>>>>>>>
>>>>>>>>>>> On 07/25/2014 7:51 AM, Ryan Ashley wrote:
>>>>>>>>>>>> You are correct. I forgot to change it. Chalk it up to being 
>>>>>>>>>>>> exhausted when I did this. I will make the change now. Could this 
>>>>>>>>>>>> cause my issues though?
>>>>>>>>>>> In a word, yes.  It appears to be essential.
>>>>>>>>>>>
>>>>>>>>>>> To answer the question in your list email, if you should have any 
>>>>>>>>>>> further problems, the cache tdb's may have to be regenerated. There 
>>>>>>>>>>> are probably some SAMDOM entries in the default backend, but this may 
>>>>>>>>>>> never be an issue since the domain doesn't exist. Beyond that, I 
>>>>>>>>>>> can't offer any specific advice because I don't have the ability to 
>>>>>>>>>>> use the ad backend here. We have no Samba DC's nor Windows DC's with 
>>>>>>>>>>> SFU installed.
>>>>>>>>>>>
>>>>>>>>>>> Good luck,
>>>>>>>>>>> Dale
>>>>>>>>>>>
>>>>>>>>>>>> On 07/24/2014 03:41 PM, Dale Schroeder wrote:
>>>>>>>>>>>>> Ryan,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Assuming this is a verbatim copy of your config, should not "idmap 
>>>>>>>>>>>>> config SAMDOM" actually be "idmap config TRUEVINE"?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Dale
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 07/24/2014 10:25 AM, Ryan Ashley wrote:
>>>>>>>>>>>>>> I have been using Samba4 for ages and love it as a DC and a 
>>>>>>>>>>>>>> print-server. I just setup my first member-server designed solely 
>>>>>>>>>>>>>> to host file shares, and have hit an issue. Group policy is 
>>>>>>>>>>>>>> mapping it correctly for the users in the group, but those users 
>>>>>>>>>>>>>> are getting an access denied message from their Windows 7 Pro 
>>>>>>>>>>>>>> 64bit clients when accessing the share. I have configured ACLs and 
>>>>>>>>>>>>>> the box resolves users and groups. Everything works, except for 
>>>>>>>>>>>>>> the shares. Below I attached all of the information I believe to 
>>>>>>>>>>>>>> be useful. Ask if you need more, and thank you for your help!
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> smb.conf:
>>>>>>>>>>>>>> ======
>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>>    netbios name = FS01
>>>>>>>>>>>>>>    workgroup = TRUEVINE
>>>>>>>>>>>>>>    security = ADS
>>>>>>>>>>>>>>    realm = TRUEVINE.LAN
>>>>>>>>>>>>>>    encrypt passwords = yes
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>    idmap config *:backend = tdb
>>>>>>>>>>>>>>    idmap config *:range = 70001-80000
>>>>>>>>>>>>>>    idmap config SAMDOM:backend = ad
>>>>>>>>>>>>>>    idmap config SAMDOM:schema_mode = rfc2307
>>>>>>>>>>>>>>    idmap config SAMDOM:range = 500-40000
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>    winbind nss info = rfc2307
>>>>>>>>>>>>>>    winbind trusted domains only = no
>>>>>>>>>>>>>>    winbind use default domain = yes
>>>>>>>>>>>>>>    winbind enum users = yes
>>>>>>>>>>>>>>    winbind enum groups = yes
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>    vfs objects = acl_xattr
>>>>>>>>>>>>>>    map acl inherit = yes
>>>>>>>>>>>>>>    store dos attributes = yes
>>>>>>>>>>>>>>    auth methods = winbind
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [install$]
>>>>>>>>>>>>>>    path = /home/shared/install
>>>>>>>>>>>>>>    comment = "Software installation files"
>>>>>>>>>>>>>>    read only = no
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [staff$]
>>>>>>>>>>>>>>    path = /home/shared/staff
>>>>>>>>>>>>>>    comment = "Staff file share"
>>>>>>>>>>>>>>    read only = no
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [fbc$]
>>>>>>>>>>>>>>    path = /home/shared/fbc
>>>>>>>>>>>>>>    comment = "Family Bible College file share"
>>>>>>>>>>>>>>    read only = no
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ACL List:
>>>>>>>>>>>>>> ======
>>>>>>>>>>>>>> root at fs01:~# getfacl /home/shared/staff/
>>>>>>>>>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>>>>>>>>>> # file: home/shared/staff/
>>>>>>>>>>>>>> # owner: reachfp
>>>>>>>>>>>>>> # group: administration
>>>>>>>>>>>>>> # flags: ss-
>>>>>>>>>>>>>> user::rwx
>>>>>>>>>>>>>> user:reachfp:rwx
>>>>>>>>>>>>>> group::rwx
>>>>>>>>>>>>>> group:administration:rwx
>>>>>>>>>>>>>> group:domain\040admins:rwx
>>>>>>>>>>>>>> group:70028:rwx
>>>>>>>>>>>>>> mask::rwx
>>>>>>>>>>>>>> other::rwx
>>>>>>>>>>>>>> default:user::rwx
>>>>>>>>>>>>>> default:user:reachfp:rwx
>>>>>>>>>>>>>> default:group::---
>>>>>>>>>>>>>> default:group:administration:rwx
>>>>>>>>>>>>>> default:group:domain\040admins:rwx
>>>>>>>>>>>>>> default:group:70028:rwx
>>>>>>>>>>>>>> default:mask::rwx
>>>>>>>>>>>>>> default:other::---
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> root at fs01:~# getfacl /home/shared/fbc/
>>>>>>>>>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>>>>>>>>>> # file: home/shared/fbc/
>>>>>>>>>>>>>> # owner: reachfp
>>>>>>>>>>>>>> # group: fbc
>>>>>>>>>>>>>> # flags: ss-
>>>>>>>>>>>>>> user::rwx
>>>>>>>>>>>>>> user:reachfp:rwx
>>>>>>>>>>>>>> group::rwx
>>>>>>>>>>>>>> group:fbc:rwx
>>>>>>>>>>>>>> group:domain\040admins:rwx
>>>>>>>>>>>>>> group:70028:rwx
>>>>>>>>>>>>>> mask::rwx
>>>>>>>>>>>>>> other::rwx
>>>>>>>>>>>>>> default:user::rwx
>>>>>>>>>>>>>> default:user:reachfp:rwx
>>>>>>>>>>>>>> default:group::---
>>>>>>>>>>>>>> default:group:fbc:rwx
>>>>>>>>>>>>>> default:group:domain\040admins:rwx
>>>>>>>>>>>>>> default:group:70028:rwx
>>>>>>>>>>>>>> default:mask::rwx
>>>>>>>>>>>>>> default:other::---
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> NSSwitch:
>>>>>>>>>>>>>> ======
>>>>>>>>>>>>>> # /etc/nsswitch.conf
>>>>>>>>>>>>>> #
>>>>>>>>>>>>>> # Example configuration of GNU Name Service Switch functionality.
>>>>>>>>>>>>>> # If you have the `glibc-doc-reference' and `info' packages installed, try:
>>>>>>>>>>>>>> # `info libc "Name Service Switch"' for information about this file.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> passwd:         compat winbind
>>>>>>>>>>>>>> group:          compat winbind
>>>>>>>>>>>>>> shadow:         compat
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> hosts:          files dns
>>>>>>>>>>>>>> networks:       files
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> protocols:      db files
>>>>>>>>>>>>>> services:       db files
>>>>>>>>>>>>>> ethers:         db files
>>>>>>>>>>>>>> rpc:            db files
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> netgroup:       nis
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> FS Permissions:
>>>>>>>>>>>>>> ==========
>>>>>>>>>>>>>> root at fs01:~# l /home/shared
>>>>>>>>>>>>>> total 40
>>>>>>>>>>>>>> drwsrwsrwx+  6 reachfp fbc 4096 Jul 23 11:31 fbc
>>>>>>>>>>>>>> drwsrws---+  8 reachfp domain admins 4096 Jul 23 11:14 install
>>>>>>>>>>>>>> drwx------   2 root    root 16384 Jul 15 10:00 lost+found
>>>>>>>>>>>>>> drwsrwsrwx+ 13 reachfp administration 4096 Jul 23 11:30 staff
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> As you can see, I even tried changing the directory permissions to 
>>>>>>>>>>>>>> 777 and still no go. The users in the "administration" group are 
>>>>>>>>>>>>>> getting the drive mapped but are being denied access to it. Same 
>>>>>>>>>>>>>> for FBC. I have worked on this for days now and cannot get 
>>>>>>>>>>>>>> anywhere. What should I try next?
>>>>>>>>> You seem to have 'flags' set on the directories, as I have never seen 
>>>>>>>>> this before I read the manpage and found this means that all files in 
>>>>>>>>> the directory will be owned by whoever owns the directory. I do not know 
>>>>>>>>> how you set the 'flags' but I suggest you find out how to remove them, I 
>>>>>>>>> think that this will cure your problem.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>> Hi
>>>>>>>> @Rowland
>>>>>>>> chmod u-s <folder>
>>>>>>>> and
>>>>>>>> chmod g-s <folder>
>>>>>>>
>>>>>>> Hi, I actually knew that ;-) I was trying to get the OP to read 
>>>>>>> up on getfacl a bit more.
>>>>>>>>
>>>>>>>> I think that's OK, but I've suggested removing everything and starting 
>>>>>>>> with only the sticky bit on group:
>>>>>>>> chmod g+s
>>>>>>>> in combination with the group rw acl. That is all we are using here for 
>>>>>>>> our group access share. What we are not seeing here are the xacls, but 
>>>>>>>> the OP is doing it on the samba side. The group rw maps fine in windows. 
>>>>>>>> It also looks as though windows has had its say too as there is a 
>>>>>>>> builtin acl set too.
>>>>>>>> Cheers,
>>>>>>>> Steve
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> I would also suggest that the OP has a read here:
>>>>>>>
>>>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs 
>>>>>>>
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>
>>>>> OK, after a bit more thought, I decided that as everything seems 
>>>>> to be correct it is probably a windows problem. A quick internet 
>>>>> search turned this up:
>>>>>
>>>>>  http://www.eightforums.com/network-sharing/18056-w2k3-server-can-access-windows-8-windows-8-computer-cant-see-w2k-server.html#post177162 
>>>>>
>>>>>
>>>>> Have a look, I think that it may fix your problems.
>>>>>
>>>>> Rowland
>>>>
>>> You are missing the point, I probably could have chosen a better 
>>> target but I only spent about 30secs on the search:
>>>
>>> windows 7 64 bit access denied samba
>>>
>>> This returns About 116,000 results, here's another one:
>>>
>>> http://www.sevenforums.com/network-sharing/242602-can-t-connect-samba-share-win-7-ultimate-64-bit.html 
>>>
>>>
>>> Try looking into this before dismissing it out of hand and insisting 
>>> that samba is the problem.
>>>
>>> Rowland
>>
> OK, after more thought and re-reading your posts, a thought has popped 
> into my head, apparmor, do you have this running on the server ?
> I have been caught out by this a few times, not being allowed to do 
> things that I thought I should be able to do, or packages not running 
> correctly because they were not allowed access, in every case it was 
> apparmor. As I could never get apparmor to play ball with me (I 
> thought that I had found all rights that needed modding and then 
> another one would pop its head up and what is in the logs bears no 
> resemblance to what you need to put in the conf file), I now disable 
> apparmor straight after installing a new system.
>
> Rowland
>
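A small diagnostic for the two configuration clues in this thread, written as an added example and not code posted by anyone on the list: Dale's observation that the `idmap config SAMDOM` block does not name the actual domain (TRUEVINE), and the numeric `group:70028` ACL entry, which lies inside the `*` backend's range 70001-80000 and so was allocated by the default tdb backend rather than read from AD. The smb.conf and getfacl text below is constructed from the excerpts in the original post; the function names are my own.

```python
import re

# Constructed from the smb.conf and getfacl excerpts in the original post.
SMB_CONF = """\
[global]
   workgroup = TRUEVINE
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:schema_mode = rfc2307
   idmap config SAMDOM:range = 500-40000
"""
GETFACL = """\
user:reachfp:rwx
group:administration:rwx
group:70028:rwx
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return ({DOMAIN: {key: value}}, WORKGROUP) from an smb.conf text."""
    idmap, workgroup = {}, None
    for line in conf.splitlines():
        if m := IDMAP_RE.match(line):
            dom, key, val = m.groups()
            idmap.setdefault(dom.upper(), {})[key.lower()] = val
        elif m := re.match(r"^\s*workgroup\s*=\s*(\S+)", line, re.I):
            workgroup = m.group(1).upper()
    return idmap, workgroup

def check_idmap_domains(conf):
    """Findings for idmap blocks that do not name the workgroup: an unlisted domain's SIDs fall through to '*' (tdb)."""
    idmap, wg = parse_idmap(conf)
    findings = [f"'idmap config {d}' does not match workgroup {wg}"
                for d in idmap if d not in ("*", wg)]
    if wg not in idmap:
        findings.append(f"no 'idmap config {wg}' block: {wg} SIDs are mapped by '*'")
    return findings

def ids_in_default_range(conf, facl):
    """Numeric ACL entries inside the '*' range: allocated by tdb, not read from AD."""
    idmap, _ = parse_idmap(conf)
    lo, hi = (int(x) for x in idmap["*"]["range"].split("-"))
    out = []
    for line in facl.splitlines():
        m = re.match(r"^(?:default:)?(user|group):(\d+):", line)
        if m and lo <= int(m.group(2)) <= hi:
            out.append((m.group(1), int(m.group(2))))
    return out
```

On a live member server, feed it the real smb.conf and the output of `getfacl` on the share root; once the idmap block names the workgroup and the cache tdb files are regenerated, the numeric entries should resolve to AD names instead.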
