[Samba] Permission Denied

Rowland penny rpenny at samba.org
Tue Dec 8 16:15:15 UTC 2015


On 08/12/15 16:02, mathias dufresne wrote:
> On any Linux system where you want to be able to use AD users as system
> users you need to configure PAM. This is because it is PAM which talks to
> the tool you have chosen to retrieve user information from AD and then
> builds system users from that information.

It may be better if you stop calling local Unix users 'system users'; 
system users are something else, i.e. 'root' is a system user, as is 
'www-data'.

>
> I think you also need to configure PAM for file servers connected to some
> domain (AD or NT4), so that the underlying system knows which user (system
> user, i.e. uid, gid, groups...) accesses some shared file, in order to grant or
> refuse this access.

Yes, if you need to connect to a Unix machine, the Unix OS needs to know 
who is trying to connect.

> The short way to put it would be: to configure your system, configure PAM;
> without PAM configured only applications are configured: kinit could work,
> the net command too, wbinfo also... but not getent, and so all applications
> relying on the system side won't work (example from your first post: the "id"
> command relies on getent/PAM/nss/don't ask precisely, and so won't work).
>
> This can't be completely true, as the frontier between system and application is
> more than fine (PAM is an app after all, and a system could do what you want
> it to do without PAM configured -> a Samba DC without PAM configured can be
> fully managed, just the ACLs would lack beauty, I expect).

PAM is just part of the system, in fact some systems don't use PAM, but 
the majority of Unix systems use it because it makes life easier.

Rowland

> 2015-12-08 16:20 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>
>> You are right! I haven't configured PAM for winbind on the DCs, probably
>> because I don't need this.
>>
>> Any reasons why I should, if I manage my domain from Windows ADUC and
>> don't log on to the DCs as Administrator locally?
>>
>> Ole
>>
>>
>>
>> On 08.12.2015 at 14:39, mathias dufresne wrote:
>>
>>> Ole,
>>>
>>> Did you configure PAM to use AD as a user source? You need to have
>>> Winbind or SSSD or nslcd configured to access your AD + configure PAM +
>>> configure nsswitch.conf. Then you will have system users from AD (i.e. "getent
>>> passwd my-ad-account" would work).
>>>
>>> Cheers,
>>>
>>> mathias
>>>
>>> 2015-12-07 20:54 GMT+01:00 Rowland penny <rpenny at samba.org>:
>>>
>>>> On 07/12/15 19:42, Ole Traupe wrote:
>>>>>>> If I do this (rely on the user map file containing "!root =
>>>>>>> BPN\Administrator BPN\administrator"), should I expect "id Administrator"
>>>>>>> to give anything?
>>>>>>>
>>>>>>> Ole
>>>>>>>
>>>>>>>
>>>>>> Only a Samba AD DC, you will not get anything from 'getent
>>>>>> Administrator' on a Unix domain member, but remember, with the user map
>>>>>> 'Administrator' becomes 'root' :-)
>>>>>>
>>>>> Yes, and I can manage share permissions via ADUC due to the user
>>>>> mapping.
>>>>>
>>>>> But on the DCs I still get "No such user" (although I don't have any
>>>>> apparent problem).
>>>>>
>>>>> Ole
>>>>>
>>>>>
>>>>>
>>>>>
>>>> Have you changed anything on the DCs? Are the winbind nss links in place?
>>>> (not sure if this makes any difference, but I always create them)
>>>>
>>>> if I run 'id Administrator', I get:
>>>>
>>>> uid=0(root) gid=100(users) groups=0(root),100(users),3000004(SAMdom\Group
>>>> Policy Creator Owners),3000006(SAMDOM\Enterprise
>>>> Admins),3000008(SAMDOM\Domain Admins),3000007(SAMDOM\Schema Admins)
>>>>
>>>> 'getent passwd Administrator' returns:
>>>>
>>>> SAMDOM\Administrator:*:0:100::/home/Administrator:/bin/bash
>>>>
>>>> Rowland
>>>>
>>>>
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>>
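The checks this thread keeps circling back to (does nsswitch.conf route passwd and group through winbind, is the winbind NSS module in place, does the username map turn the domain Administrator into root), as an added shell example that is not code from the thread or from the Samba project. The Debian-style library directories, the /etc paths and the simplified reading of the username-map format are assumptions of this example, not facts stated in the thread. Run it with --live on a domain member or DC to exercise the real getent/wbinfo path, or source it and call the functions against your own files.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project.
# Checks the plumbing the thread argues about: nsswitch.conf must list
# winbind for passwd/group, the libnss_winbind module must be installed,
# and a Samba 'username map' entry such as "!root = BPN\Administrator"
# turns the domain Administrator into Unix root.  Paths and the library
# name are assumptions (Debian-style layout), not facts from the thread.

# nss_has_winbind FILE DB : succeed if nsswitch FILE routes database DB
# (passwd or group) through winbind, ignoring comments.
nss_has_winbind() {
    sed 's/#.*//' "$1" |
        grep -Eq "^[[:space:]]*$2:.*[[:space:]]winbind"'([[:space:]]|$)'
}

# nss_lib_present LIBDIR : succeed if the winbind NSS module (what Rowland
# calls the "winbind nss link") exists in LIBDIR.
nss_lib_present() {
    [ -e "$1/libnss_winbind.so.2" ]
}

# map_lookup MAPFILE NAME : print the Unix user a Samba username map sends
# NAME to, or NAME unchanged when no line matches.  Simplified reading of
# the format: "[!]unixname = name1 name2 ...", first matching line wins,
# exact names only (wildcards are not modelled; a leading '!' is stripped).
map_lookup() {
    found=$(
        set -f                                  # no globbing of map words
        sed 's/#.*//' "$1" | while IFS= read -r line; do
            case $line in *=*) ;; *) continue ;; esac
            unixname=$(printf '%s' "${line%%=*}" |
                sed 's/^[[:space:]]*!*//; s/[[:space:]]*$//')
            for cand in ${line#*=}; do
                if [ "$cand" = "$2" ]; then
                    printf '%s\n' "$unixname"
                    exit 0
                fi
            done
        done
    )
    printf '%s\n' "${found:-$2}"
}

# Live run:  sh check-ad-users.sh --live [USER]   (USER defaults to Administrator)
if [ "${1:-}" = --live ]; then
    user=${2:-Administrator}
    for db in passwd group; do
        if nss_has_winbind /etc/nsswitch.conf "$db"; then
            echo "ok   nsswitch.conf: $db uses winbind"
        else
            echo "FAIL nsswitch.conf: $db does not list winbind"
        fi
    done
    if nss_lib_present /usr/lib/x86_64-linux-gnu || nss_lib_present /lib/x86_64-linux-gnu ||
       nss_lib_present /usr/lib64 || nss_lib_present /lib; then
        echo "ok   libnss_winbind.so.2 installed"
    else
        echo "FAIL libnss_winbind.so.2 not found in the assumed library dirs"
    fi
    # wbinfo asks winbindd directly and bypasses NSS, so comparing it with
    # getent separates "winbind cannot see AD" from "NSS is not wired up".
    if command -v wbinfo >/dev/null 2>&1 && wbinfo -n "$user" >/dev/null 2>&1; then
        echo "ok   wbinfo -n $user"
    else
        echo "FAIL wbinfo -n $user (winbindd does not resolve it, or wbinfo missing)"
    fi
    if entry=$(getent passwd "$user" 2>/dev/null); then
        echo "ok   getent passwd $user -> $entry"
    else
        echo "FAIL getent passwd $user: No such user"
    fi
fi
```

The split between wbinfo and getent is the useful part: wbinfo talking to winbindd while getent says "No such user" points at nsswitch.conf or the missing NSS module, not at the domain join. Remember Rowland's point that on a domain member the user map hides Administrator from getent entirely, so test with an ordinary AD account there.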



