[Samba] Samba 4 AD share: Access denied

Rowland Penny rowlandpenny at googlemail.com
Tue Jul 29 11:18:37 MDT 2014


On 29/07/14 18:01, Ryan Ashley wrote:
> Yes, I see all domain users and groups, getent works with passwd and 
> with any domain group, and shows things as they should be. Every group 
> has a unique gid.

OK, then on paper everything is working as it should be. I cannot think 
of anything else to do; anybody else have any input?

If nobody else has any input, it may be time to file a bug against samba.

Rowland

>
> On 07/29/2014 12:09 PM, Rowland Penny wrote:
>> On 29/07/14 16:52, Ryan Ashley wrote:
>>> I took it a step farther. I stopped the daemons, left the domain, 
>>> deleted everything in /var/lib/samba, uninstalled S4, rebooted, 
>>> pulled the latest stuff from 4-1-stable, configured and built it, 
>>> installed it, added the options you showed me to the configuration, 
>>> joined the domain, and verified everything. IDs are the same, the 
>>> keytab WAS created, but users still get access denied. So I am still 
>>> nowhere for my efforts. At least I have the keytab though.
>>>
>>> So what is next? I am not running iptables or anything yet, because 
>>> of the issues. Windows ACLs are there and are correct. The domain 
>>> admin is the only one who can access the shares.
>>
>> I take it that 'wbinfo -u' shows all domain users, 'wbinfo -g' shows 
>> all the domain groups, 'getent passwd' shows local and domain users, 
>> 'getent group Domain\ Users' shows the info for the Domain users 
>> group ('getent group' will not show any domain groups unless ALL 
>> domain groups have a gidNumber).
>>
>> Rowland
>>
>>>
>>> On 07/29/2014 11:40 AM, Rowland Penny wrote:
>>>> On 29/07/14 16:17, Ryan Ashley wrote:
>>>>> I just checked and I only have */etc/krb5.conf* in */etc*. No 
>>>>> keytab. I am pasting the provision information from my history as 
>>>>> root on the DC.
>>>>>
>>>>> samba-tool domain provision --use-rfc2307 --interactive
>>>>>
>>>>> I gave the domain the name "truevine.lan". I also noted that there 
>>>>> is no Kerberos keytab on the DC. I followed the guides to the 
>>>>> letter in both cases, and neither mention what you are telling me. 
>>>>> I am not disputing you, but if this stuff is required, it needs to 
>>>>> be in the guide/wiki. That is why I started asking questions. I 
>>>>> understand the guides and have been a Windows admin for years, but 
>>>>> doing it with Samba is still new, and I love it, though I must 
>>>>> learn a standard way to do this so it will always work.
>>>>
>>>> If you require the keytab on the Samba4 AD server (if you want to 
>>>> use sssd for instance) you have to export it with
>>>>
>>>> 'samba-tool domain exportkeytab /etc/krb5.keytab'
>>>>
>>>> This will put the keytab in /etc/krb5.keytab and you will then be 
>>>> able to list the keytab with ktutil.
>>>>
>>>> On a client or member server, the keytab should be created when you 
>>>> join the domain.
>>>>
>>>> This is the global part of the smb.conf on the laptop I am writing 
>>>> this on:
>>>>
>>>> [global]
>>>>         workgroup = EXAMPLE
>>>>         security = ADS
>>>>         realm = EXAMPLE.COM
>>>>         #client signing = yes
>>>>         dedicated keytab file = /etc/krb5.keytab
>>>>         kerberos method = secrets and keytab
>>>>         server string = Samba 4 Client %h
>>>>         winbind enum users = yes
>>>>         winbind enum groups = yes
>>>>         winbind use default domain = yes
>>>>         winbind expand groups = 4
>>>>         winbind nss info = rfc2307
>>>>         winbind refresh tickets = Yes
>>>>         winbind offline logon = yes
>>>>         winbind normalize names = Yes
>>>>         idmap config * : backend = tdb
>>>>         idmap config * : range = 2000-9999
>>>>         idmap config EXAMPLE : backend  = ad
>>>>         idmap config EXAMPLE : range = 10000-999999
>>>>         idmap config EXAMPLE : schema_mode = rfc2307
>>>>         printcap name = cups
>>>>         cups options = raw
>>>>         usershare allow guests = yes
>>>>         domain master = no
>>>>         local master = no
>>>>         preferred master = no
>>>>         os level = 20
>>>>         map to guest = bad user
>>>>         username map = /etc/samba/smbmap
>>>>         vfs objects = acl_xattr
>>>>         map acl inherit = Yes
>>>>         store dos attributes = Yes
>>>>
>>>> The laptop runs samba4 in classic mode with users and groups having 
>>>> uidNumbers & gidNumbers etc. stored in AD, both ranges starting at 
>>>> 10000.
>>>>
>>>> With the above smb.conf and all samba daemons stopped, if you now run
>>>>
>>>> 'net ads join -U Administrator@EXAMPLE.COM'
>>>>
>>>> The machine should join the domain and /etc/krb5.keytab should be 
>>>> created.
>>>>
>>>> You can read this with ktutil
>>>>
>>>> sudo ktutil
>>>> ktutil:  rkt /etc/krb5.keytab
>>>> ktutil:  l
>>>> slot KVNO Principal
>>>> ---- ---- ---------------------------------------------------------------------
>>>>    1    5          host/thinkpad.example.com@EXAMPLE.COM
>>>>    2    5          host/thinkpad.example.com@EXAMPLE.COM
>>>>    3    5          host/thinkpad.example.com@EXAMPLE.COM
>>>>    4    5          host/thinkpad.example.com@EXAMPLE.COM
>>>>    5    5          host/thinkpad.example.com@EXAMPLE.COM
>>>>    6    5                   host/thinkpad@EXAMPLE.COM
>>>>    7    5                   host/thinkpad@EXAMPLE.COM
>>>>    8    5                   host/thinkpad@EXAMPLE.COM
>>>>    9    5                   host/thinkpad@EXAMPLE.COM
>>>>  10    5                   host/thinkpad@EXAMPLE.COM
>>>>  11    5                       THINKPAD$@EXAMPLE.COM
>>>>  12    5                       THINKPAD$@EXAMPLE.COM
>>>>  13    5                       THINKPAD$@EXAMPLE.COM
>>>>  14    5                       THINKPAD$@EXAMPLE.COM
>>>>  15    5                       THINKPAD$@EXAMPLE.COM
>>>> ktutil: q
>>>>
>>>> You should now restart the samba daemons.
>>>>
>>>> Rowland
>>>>
>>>>>
>>>>> On 07/29/2014 10:51 AM, Rowland Penny wrote:
>>>>>> On 29/07/14 15:33, Ryan Ashley wrote:
>>>>>>> I will checkout the module later. Working is my top priority as 
>>>>>>> you stated. However, you have me curious now. If this keytab is 
>>>>>>> created, where the heck is it created? I am looking for it in 
>>>>>>> /var/lib/samba, /etc, and other places. None of my member 
>>>>>>> servers have it and they all seem to work, minus this stubborn 
>>>>>>> one of course.
>>>>>>
>>>>>> If you set smb.conf up correctly and then run 'net ads join -U 
>>>>>> Administrator@EXAMPLE.COM', you should find that 
>>>>>> /etc/krb5.keytab is created.
>>>>>>
>>>>>>>
>>>>>>> Also, I did a test earlier and wanted to share the results. This 
>>>>>>> thing keeps complaining about an idmap ad backend not being 
>>>>>>> found, and I honestly believe that is the issue, not Kerberos. I 
>>>>>>> am trying your suggestion because maybe this backend is stored 
>>>>>>> in Kerberos, who knows. Either way, I am being flooded with 
>>>>>>> errors about this "idmap backend ad" not being found.
>>>>>>
>>>>>> The 'idmap backend ad' is part of winbind, and as such, should be 
>>>>>> available. If I remember correctly you are using a S4 AD DC, can 
>>>>>> you remember how you provisioned it ?
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Anyway, I had already added winbind to nsswitch.conf for users 
>>>>>>> and groups, so I wanted to verify the same UID/GID was being 
>>>>>>> pulled. I wiped the winbind idmap tdb files and rebooted. Got 
>>>>>>> the same IDs after it rebooted and created the files again, so 
>>>>>>> no issue there. For example, the "Domain Users" group always has 
>>>>>>> an ID of 70001. That much is working. So what in the heck does 
>>>>>>> the missing backend do? Something is already mapping domain 
>>>>>>> users and groups to IDs, so I am scratching my head on this one.
>>>>>>
>>>>>> The 'idmap backend ad' is one that pulls all the user and group 
>>>>>> info from RFC2307 attributes on the AD server.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>>
>>>>>>> On 07/29/2014 10:22 AM, Rowland Penny wrote:
>>>>>>>> On 29/07/14 15:00, Ryan Ashley wrote:
>>>>>>>>> I understand the basics of Kerberos, but the reason that I am 
>>>>>>>>> asking is because I have dozens of S4 servers in production 
>>>>>>>>> environments and have never had to create the keytab you 
>>>>>>>>> mentioned. They all just worked.
>>>>>>>>
>>>>>>>> If, when you talk about S4 servers, you mean as an AD DC, then 
>>>>>>>> yes, you do not require the keytab, but on a member server (or 
>>>>>>>> client) when you join the domain with the net command, the 
>>>>>>>> keytab is created.
>>>>>>>>>
>>>>>>>>> Now, I do not mind modifying my pam settings as I have done on 
>>>>>>>>> loads of Linux workstations which are joined to an AD domain, 
>>>>>>>>> but how would I prevent the login of users? I have a home 
>>>>>>>>> directory and cannot remove it, so there is technically a 
>>>>>>>>> place for their home directories. In Windows I would simply 
>>>>>>>>> modify group policy to deny logon, but we both know Linux 
>>>>>>>>> knows nothing of a GPO. So without removing "/home", how would 
>>>>>>>>> I prevent login?
>>>>>>>>>
>>>>>>>>> My plan now is to modify pam first, then if needed, do the 
>>>>>>>>> keytab.
>>>>>>>>
>>>>>>>> I would do it the other way: get everything to work and then, if 
>>>>>>>> need be, stop user login with PAM. If you install
>>>>>>>> the packages I suggested, PAM will do all the work for you 
>>>>>>>> initially. You could also investigate a PAM module called 
>>>>>>>> 'pam_nologin', you should be able to guess what this does ;-)
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
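As an added example (not part of the thread, and not Samba's own tooling), a small Python 3 checker for the member-server settings the [global] section above relies on: security = ADS, a dedicated keytab with a keytab-aware kerberos method, an "idmap config DOMAIN : backend = ad" entry, and non-overlapping idmap ranges for "*" and the domain. The sample config is constructed from the posted one; the function names are this example's own.

```python
import re

# Constructed sample modelled on the [global] section posted in the thread.
SAMPLE_SMB_CONF = """
[global]
        workgroup = EXAMPLE
        security = ADS
        realm = EXAMPLE.COM
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config EXAMPLE : backend  = ad
        idmap config EXAMPLE : range = 10000-999999
        idmap config EXAMPLE : schema_mode = rfc2307
"""

def parse_global(text):
    """Map parameter -> value for [global]; keys lower-cased, whitespace collapsed."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def id_range(params, name):
    # 'idmap config NAME : range = LOW-HIGH' -> (low, high), or None if absent
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", params.get(f"idmap config {name} : range", ""))
    return (int(m.group(1)), int(m.group(2))) if m else None

def check_member_config(text):
    """Return a list of problems; an empty list means every check passed."""
    p, problems = parse_global(text), []
    dom = p.get("workgroup", "").lower()
    if p.get("security", "").upper() != "ADS":
        problems.append("security must be ADS on a domain member")
    if not p.get("dedicated keytab file") or p.get("kerberos method", "default") in ("default", "secrets only"):
        problems.append("keytab not managed: set 'dedicated keytab file' and 'kerberos method = secrets and keytab'")
    if p.get(f"idmap config {dom} : backend") != "ad":
        problems.append(f"idmap config {dom.upper()} : backend = ad is missing")
    default, domain = id_range(p, "*"), id_range(p, dom)
    if default is None or domain is None:
        problems.append("both '*' and domain idmap ranges must be set as LOW-HIGH")
    elif default[0] <= domain[1] and domain[0] <= default[1]:  # ranges overlap
        problems.append(f"idmap ranges overlap: * {default} vs {dom.upper()} {domain}")
    return problems
```

Run `check_member_config(open("/etc/samba/smb.conf").read())` on a member server; a non-empty result points at the setting to fix before looking further for an access-denied cause.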
