[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Tue Jul 29 11:01:55 MDT 2014


Yes, I see all domain users and groups, getent works with passwd and 
with any domain group, and shows things as they should be. Every group 
has a unique gid.

On 07/29/2014 12:09 PM, Rowland Penny wrote:
> On 29/07/14 16:52, Ryan Ashley wrote:
>> I took it a step farther. I stopped the daemons, left the domain, 
>> deleted everything in /var/lib/samba, uninstalled S4, rebooted, 
>> pulled the latest stuff from 4-1-stable, configured and built it, 
>> installed it, added the options you showed me to the configuration, 
>> joined the domain, and verified everything. IDs are the same, the 
>> keytab WAS created, but users still get access denied. So I am still 
>> nowhere for my efforts. At least I have the keytab though.
>>
>> So what is next? I am not running iptables or anything yet, because 
>> of the issues. Windows ACLs are there and are correct. The domain 
>> admin is the only one who can access the shares.
>
> I take it that 'wbinfo -u' shows all domain users, 'wbinfo -g' shows 
> all the domain groups, 'getent passwd' shows local and domain users, 
> 'getent group Domain\ Users' shows the info for the Domain users group 
> ('getent group' will not show any domain groups unless ALL domain 
> groups have a gidNumber).
>
> Rowland
>
>>
>> On 07/29/2014 11:40 AM, Rowland Penny wrote:
>>> On 29/07/14 16:17, Ryan Ashley wrote:
>>>> I just checked and I only have */etc/krb5.conf* in */etc*. No 
>>>> keytab. I am pasting the provision information from my history as 
>>>> root on the DC.
>>>>
>>>> samba-tool domain provision --use-rfc2307 --interactive
>>>>
>>>> I gave the domain the name "truevine.lan". I also noted that there 
>>>> is no Kerberos keytab on the DC. I followed the guides to the 
>>>> letter in both cases, and neither mention what you are telling me. 
>>>> I am not disputing you, but if this stuff is required, it needs to 
>>>> be in the guide/wiki. That is why I started asking questions. I 
>>>> understand the guides and have been a Windows admin for years, but 
>>>> doing it with Samba is still new, and I love it, though I must 
>>>> learn a standard way to do this so it will always work.
>>>
>>> If you require the keytab on the Samba4 AD server (if you want to 
>>> use sssd for instance) you have to export it with
>>>
>>> 'samba-tool domain exportkeytab /etc/krb5.keytab'
>>>
>>> This will put the keytab in /etc/krb5.keytab and you will then be 
>>> able to list the keytab with ktutil.
>>>
>>> On a client or member server, the keytab should be created when you 
>>> join the domain.
>>>
>>> This is the global part of the smb.conf on the laptop I am writing 
>>> this on:
>>>
>>> [global]
>>>         workgroup = EXAMPLE
>>>         security = ADS
>>>         realm = EXAMPLE.COM
>>>         #client signing = yes
>>>         dedicated keytab file = /etc/krb5.keytab
>>>         kerberos method = secrets and keytab
>>>         server string = Samba 4 Client %h
>>>         winbind enum users = yes
>>>         winbind enum groups = yes
>>>         winbind use default domain = yes
>>>         winbind expand groups = 4
>>>         winbind nss info = rfc2307
>>>         winbind refresh tickets = Yes
>>>         winbind offline logon = yes
>>>         winbind normalize names = Yes
>>>         idmap config * : backend = tdb
>>>         idmap config * : range = 2000-9999
>>>         idmap config EXAMPLE : backend  = ad
>>>         idmap config EXAMPLE : range = 10000-999999
>>>         idmap config EXAMPLE : schema_mode = rfc2307
>>>         printcap name = cups
>>>         cups options = raw
>>>         usershare allow guests = yes
>>>         domain master = no
>>>         local master = no
>>>         preferred master = no
>>>         os level = 20
>>>         map to guest = bad user
>>>         username map = /etc/samba/smbmap
>>>         vfs objects = acl_xattr
>>>         map acl inherit = Yes
>>>         store dos attributes = Yes
>>>
>>> The laptop runs samba4 in classic mode with users and groups having 
>>> uidNumber's & gidNumber's etc stored in AD, both ranges starting at 
>>> 10000.
>>>
>>> With the above smb.conf and all samba daemons stopped, if you now run
>>>
>>> 'net ads join -U Administrator@EXAMPLE.COM'
>>>
>>> The machine should join the domain and /etc/krb5.keytab should be 
>>> created.
>>>
>>> You can read this with ktutil
>>>
>>> sudo ktutil
>>> ktutil:  rkt /etc/krb5.keytab
>>> ktutil:  l
>>> slot KVNO Principal
>>> ---- ---- ---------------------------------------------------------------------
>>>    1    5          host/thinkpad.example.com@EXAMPLE.COM
>>>    2    5          host/thinkpad.example.com@EXAMPLE.COM
>>>    3    5          host/thinkpad.example.com@EXAMPLE.COM
>>>    4    5          host/thinkpad.example.com@EXAMPLE.COM
>>>    5    5          host/thinkpad.example.com@EXAMPLE.COM
>>>    6    5                       host/thinkpad@EXAMPLE.COM
>>>    7    5                       host/thinkpad@EXAMPLE.COM
>>>    8    5                       host/thinkpad@EXAMPLE.COM
>>>    9    5                       host/thinkpad@EXAMPLE.COM
>>>   10    5                       host/thinkpad@EXAMPLE.COM
>>>   11    5                           THINKPAD$@EXAMPLE.COM
>>>   12    5                           THINKPAD$@EXAMPLE.COM
>>>   13    5                           THINKPAD$@EXAMPLE.COM
>>>   14    5                           THINKPAD$@EXAMPLE.COM
>>>   15    5                           THINKPAD$@EXAMPLE.COM
>>> ktutil: q
>>>
>>> You should now restart the samba daemons.
>>>
>>> Rowland
>>>
>>>>
>>>> On 07/29/2014 10:51 AM, Rowland Penny wrote:
>>>>> On 29/07/14 15:33, Ryan Ashley wrote:
>>>>>> I will checkout the module later. Working is my top priority as 
>>>>>> you stated. However, you have me curious now. If this keytab is 
>>>>>> created, where the heck is it created? I am looking for it in 
>>>>>> /var/lib/samba, /etc, and other places. None of my member servers 
>>>>>> have it and they all seem to work, minus this stubborn one of 
>>>>>> course.
>>>>>
>>>>> If you set smb.conf up correctly and then run 'net ads join -U 
>>>>> Administrator@EXAMPLE.COM', you should find that /etc/krb5.keytab 
>>>>> is created.
>>>>>
>>>>>>
>>>>>> Also, I did a test earlier and wanted to share the results. This 
>>>>>> thing keeps complaining about an idmap ad backend not being 
>>>>>> found, and I honestly believe that is the issue, not Kerberos. I 
>>>>>> am trying your suggestion because maybe this backend is stored in 
>>>>>> Kerberos, who knows. Either way, I am being flooded with errors 
>>>>>> about this "idmap backend ad" not being found.
>>>>>
>>>>> The 'idmap backend ad' is part of winbind, and as such, should be 
>>>>> available. If I remember correctly you are using a S4 AD DC, can 
>>>>> you remember how you provisioned it?
>>>>>
>>>>>>
>>>>>>
>>>>>> Anyway, I had already added winbind to nsswitch.conf for users 
>>>>>> and groups, so I wanted to verify the same UID/GID was being 
>>>>>> pulled. I wiped the winbind idmap tdb files and rebooted. Got the 
>>>>>> same IDs after it rebooted and created the files again, so no 
>>>>>> issue there. For example, the "Domain Users" group always has an 
>>>>>> ID of 70001. That much is working. So what in the heck does the 
>>>>>> missing backend do? Something is already mapping domain users and 
>>>>>> groups to IDs, so I am scratching my head on this one.
>>>>>
>>>>> The 'idmap backend ad' is one that pulls all the user and group 
>>>>> info from RFC2307 attributes on the AD server.
>>>>>
>>>>> Rowland
>>>>>
>>>>>>
>>>>>> On 07/29/2014 10:22 AM, Rowland Penny wrote:
>>>>>>> On 29/07/14 15:00, Ryan Ashley wrote:
>>>>>>>> I understand the basics of Kerberos, but the reason that I am 
>>>>>>>> asking is because I have dozens of S4 servers in production 
>>>>>>>> environments and have never had to create the keytab you 
>>>>>>>> mentioned. They all just worked.
>>>>>>>
>>>>>>> If, when you talk about S4 servers, you mean as an AD DC, then 
>>>>>>> yes you do not require the keytab, but on a member server (or 
>>>>>>> client) when you join the domain with the net command, the 
>>>>>>> keytab is created.
>>>>>>>>
>>>>>>>> Now, I do not mind modifying my pam settings as I have done on 
>>>>>>>> loads of Linux workstations which are joined to an AD domain, 
>>>>>>>> but how would I prevent the login of users? I have a home 
>>>>>>>> directory and cannot remove it, so there is technically a place 
>>>>>>>> for their home directories. In Windows I would simply modify 
>>>>>>>> group policy to deny logon, but we both know Linux knows 
>>>>>>>> nothing of a GPO. So without removing "/home", how would I 
>>>>>>>> prevent login?
>>>>>>>>
>>>>>>>> My plan now is to modify pam first, then if needed, do the keytab.
>>>>>>>
>>>>>>> I would do it the other way, get everything to work and then if 
>>>>>>> need be, stop user login with PAM. If you install
>>>>>>> the packages I suggested, PAM will do all the work for you 
>>>>>>> initially. You could also investigate a PAM module called 
>>>>>>> 'pam_nologin'; you should be able to guess what this does ;-)
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
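Added example, not from this thread and not Samba project code: a small Python lint for the two things Rowland asks Ryan to verify, the idmap configuration in smb.conf (an 'ad' backend for the domain with a range that does not collide with the '*' range) and the principals that 'net ads join' writes into /etc/krb5.keytab. It runs offline on constructed copies of the [global] section and the ktutil listing quoted above; the workgroup, realm, hostname and ranges come from the thread, while the overlapping-range counter-example and the extra KVNO 4 keytab entry are made up here to show what a finding looks like.

```python
import re

# Constructed sample (not from the thread): the idmap and Kerberos lines of the
# [global] section Rowland posted, which let winbind use the uidNumber/gidNumber
# values stored in AD instead of allocating ids locally.
GOOD_SMB_CONF = """
[global]
        workgroup = EXAMPLE
        security = ADS
        realm = EXAMPLE.COM
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config EXAMPLE : backend  = ad
        idmap config EXAMPLE : range = 10000-999999
        idmap config EXAMPLE : schema_mode = rfc2307
"""

# Constructed counter-example: no 'ad' backend for the domain and a domain range
# that overlaps the '*' range. getent still shows ids (allocated from tdb), but
# they are not the ones stored in AD and will differ from machine to machine.
BAD_SMB_CONF = """
[global]
        workgroup = EXAMPLE
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config EXAMPLE : range = 5000-999999
"""

# Constructed 'ktutil: l' output modelled on the listing in the thread, plus one
# made-up KVNO 4 entry to show how a leftover key is reported.
KTUTIL_LISTING = """
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    5          host/thinkpad.example.com@EXAMPLE.COM
   6    5                   host/thinkpad@EXAMPLE.COM
  11    5                       THINKPAD$@EXAMPLE.COM
  16    4                       THINKPAD$@EXAMPLE.COM
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s*$")   # slot, kvno, principal
ALLOCATING_BACKENDS = ("tdb", "tdb2", "autorid")          # acceptable for '*'


def parse_idmap(conf):
    """Map each idmap domain ('*' or a workgroup name) to its option/value pairs."""
    idmap = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0]   # strip smb.conf comments
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.groups()
            idmap.setdefault(domain, {})[option.lower()] = value
    return idmap


def parse_range(value):
    lo, hi = value.split("-")
    return int(lo), int(hi)


def lint_idmap(conf, workgroup):
    """Return findings about the idmap setup; an empty list means it looks sane."""
    idmap = parse_idmap(conf)
    default, dom = idmap.get("*", {}), idmap.get(workgroup, {})
    findings = []
    if default.get("backend") not in ALLOCATING_BACKENDS:
        findings.append("'idmap config * : backend' must be an allocating backend such as tdb")
    if dom.get("backend") != "ad":
        findings.append(f"'idmap config {workgroup} : backend = ad' missing; AD uidNumber/gidNumber are not used")
    elif dom.get("schema_mode", "rfc2307").lower() != "rfc2307":
        findings.append(f"'idmap config {workgroup} : schema_mode' should be rfc2307")
    for name, section in (("*", default), (workgroup, dom)):
        if "range" not in section:
            findings.append(f"'idmap config {name} : range' missing")
    if "range" in default and "range" in dom:
        dlo, dhi = parse_range(default["range"])
        wlo, whi = parse_range(dom["range"])
        if dlo <= whi and wlo <= dhi:   # closed intervals intersect
            findings.append(f"idmap ranges overlap: * {dlo}-{dhi} vs {workgroup} {wlo}-{whi}")
    return findings


def lint_keytab(listing, short_host, realm):
    """Check a ktutil listing for the principals 'net ads join' writes and for mixed KVNOs."""
    entries = []
    for line in listing.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            entries.append((int(m.group(2)), m.group(3)))   # (kvno, principal)
    principals = {p for _, p in entries}
    findings = []
    for want in (f"host/{short_host}@{realm}", f"{short_host.upper()}$@{realm}"):
        if want not in principals:
            findings.append(f"missing principal {want}")
    kvnos = sorted({k for k, _ in entries})
    if len(kvnos) > 1:
        findings.append(f"more than one KVNO present {kvnos}: keys from an earlier join or machine password change remain in the keytab")
    return findings


if __name__ == "__main__":
    for label, conf in (("good", GOOD_SMB_CONF), ("bad", BAD_SMB_CONF)):
        print(label, lint_idmap(conf, "EXAMPLE") or ["ok"])
    print("keytab", lint_keytab(KTUTIL_LISTING, "thinkpad", "EXAMPLE.COM"))
```

On a real member server you would feed lint_idmap the contents of /etc/samba/smb.conf and lint_keytab the output of 'ktutil' (rkt /etc/krb5.keytab, then l) or 'klist -k'. Passing both checks does not prove that access will work, but it rules out the two configuration mistakes the thread keeps circling back to: winbind falling back to local id allocation because the 'ad' backend is not configured, and a keytab that was never written or that still carries keys from a previous join.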
