[Samba] Access to shares is denied after upgrading from 3.6.3 (openSUSE 12.1) to 4.1.17 (openSUSE 13.2)

Reinhard Nißl reinhard.nissl at fee.de
Fri Mar 20 07:35:50 MDT 2015

Hi Rowland,

On 20.03.2015 at 12:45, Rowland Penny wrote:

> Try replacing the global part of your smb.conf with this:
> [global]
>       netbios name = PLATON
>       workgroup = FEE
>       security = ADS
>       realm = FEE.DE
>       dedicated keytab file = /etc/krb5.keytab
>       kerberos method = secrets and keytab
>       server string = Web- und Internet-Mail-Server
>       interfaces =
>       bind interfaces only = Yes
>       username map = /etc/samba/smbusers
>       name resolve order = wins hosts
>       os level = 0
>       local master = No
>       wins server =
>       guest ok = Yes
>       hide dot files = No
>       idmap config *:backend = tdb
>       idmap config *:range = 2000-9999
>       idmap config FEE:backend = rid
>       idmap config FEE:range = 10000-20000
>       winbind cache time = 10
>       template shell = /bin/false
>       template homedir = /tmp
>       winbind use default domain = yes
>       winbind enum users = yes
>       winbind enum groups = yes
>       winbind expand groups = 1
>       winbind trusted domains only = no
>       winbind refresh tickets = Yes
>       deadtime = 1
>       load printers = no
>       printing = bsd
> Remove all the 'valid users' etc. from the shares and use ACLs instead,
> either from Windows or with setfacl on the member server, see:
> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs

ACLs -- actually, I was about to add   nt acl support = no   to get back 
the behaviour of the gone *security* config entries (at least I was told 
on #samba that this setting would prevent changing the "rights" of 
existing files, as the former *security* entries did).

Maybe I need to explain the purpose of the samba installation on this 
server. It's not meant to be a sophisticated windows file server, it 
acts as mail and web server.

winbind is used to authenticate and authorize mail and web users via 
PAM, and the file server is only used to upload webpages (web share) or 
access some files regarding mail, e.g. via the spamlog share.

There are only a couple of users which are allowed to do that and as you 
can see for the web share, certain rights and groups must be enforced to 
suit the webserver.

Sure, if ACLs had been used and properly configured for the whole 
filesystem, then I would accept your suggestion immediately, but for 
now, I still hesitate to go that way.

I see the problem in this line of smbd's log, as mentioned in the 
initial email:

> SID S-1-5-21-2807186310-4085009417-2666197100-1000 -> getpwuid(10938) failed

> platon:~ # wbinfo -s S-1-5-21-2807186310-4085009417-2666197100-1000
> PLATON\root 1

This only happens when smbusers contains the mapping to root.

In my opinion, it should use the SID for unix user root. Let's see:

> platon:~ # wbinfo -n root
> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup name root

> platon:~ # wbinfo -U 0
> S-1-5-21-4224351836-719640785-1152632845-1000

> platon:~ # wbinfo -s S-1-5-21-4224351836-719640785-1152632845-1000
> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup sid S-1-5-21-4224351836-719640785-1152632845-1000

I cannot tell whether it is expected that two of the three commands fail.

So for now, I'd like to make as few changes as possible to get that user 
mapping working again.

It seems I haven't mentioned yet that if I disable that mapping in 
smbusers, I can access the shares as long as they grant access to an 
unmapped domain user (for example share FactWork, as I (fee\reinhard.ni) 
am a member of group fee\g_tb3).

Reinhard Nißl, TB3, -198
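The exchange above turns on two things: which idmap backend winbind will use for a given SID under the suggested [global] section, and whether the username map hands a domain account the unix user root. The following script is an added example written for this thread; it is not code from the poster, from Rowland, or from the Samba project. It parses the idmap lines of the quoted configuration, predicts the unix ID the rid backend would produce (unix ID = range low + RID, as documented for idmap_rid), flags SIDs whose domain falls through to the '*' tdb range or outside the configured range, and lists username-map entries that resolve to root. The PLATON SID prefix is the one wbinfo -s resolved to PLATON\root in the thread; the FEE domain SID and the smbusers contents are constructed placeholders, since the thread shows neither.

```python
"""Predict winbind ID mapping from smb.conf idmap lines and audit a username map."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Subset of the [global] section quoted in the thread; only the idmap lines matter here.
SMB_CONF_GLOBAL = """
[global]
      workgroup = FEE
      security = ADS
      idmap config *:backend = tdb
      idmap config *:range = 2000-9999
      idmap config FEE:backend = rid
      idmap config FEE:range = 10000-20000
"""

# Constructed username map in smbusers format ("unixname = smbname [smbname ...]").
# Not the poster's real file.
SMBUSERS = """
# constructed example
root = FEE\\admin
nobody = guest pcguest
www = FEE\\webmaster @FEE\\g_web
"""

# Domain SID prefixes. PLATON's prefix is the one wbinfo -s resolved to PLATON\root
# in the thread; the FEE prefix is a constructed placeholder.
DOMAIN_SIDS = {
    "PLATON": "S-1-5-21-2807186310-4085009417-2666197100",
    "FEE": "S-1-5-21-111111111-222222222-333333333",
}


@dataclass
class IdmapDomain:
    backend: str
    low: int
    high: int


IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(backend|range)\s*=\s*(\S+)\s*$")


def parse_idmap_config(conf: str) -> Dict[str, IdmapDomain]:
    """Collect 'idmap config DOMAIN:backend/range' lines into one entry per domain."""
    raw: Dict[str, dict] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2), m.group(3)
        entry = raw.setdefault(dom, {})
        if key == "backend":
            entry["backend"] = val
        else:
            low, high = (int(x) for x in val.split("-", 1))
            entry["low"], entry["high"] = low, high
    return {d: IdmapDomain(e["backend"], e["low"], e["high"]) for d, e in raw.items()}


def expected_unix_id(sid: str, domains: Dict[str, IdmapDomain],
                     domain_sids: Dict[str, str]) -> Tuple[str, str, Optional[int], str]:
    """Return (domain, backend, unix_id or None, note) for a SID.

    The rid backend is deterministic (unix id = range low + RID); the tdb backend
    allocates ids on first use, so their value cannot be predicted from the config.
    """
    prefix, rid_text = sid.rsplit("-", 1)
    rid = int(rid_text)
    domain = next((n for n, p in domain_sids.items() if p == prefix), "unknown")
    cfg, via = domains.get(domain), domain
    if cfg is None:                      # no per-domain entry: fall back to '*'
        cfg, via = domains.get("*"), "*"
    if cfg is None:
        return (domain, "none", None, "no idmap backend covers this SID")
    if cfg.backend == "rid":
        unix_id = cfg.low + rid
        if unix_id > cfg.high:
            return (domain, "rid", None,
                    f"RID {rid} -> {unix_id} lies outside {cfg.low}-{cfg.high}")
        return (domain, "rid", unix_id, "deterministic")
    return (domain, cfg.backend, None,
            f"allocated on demand from the '{via}' range {cfg.low}-{cfg.high}")


def parse_username_map(text: str) -> Dict[str, List[str]]:
    """Parse smbusers lines; '#' and ';' start comments, names are whitespace separated."""
    mapping: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix_name, _, names = line.partition("=")
        mapping.setdefault(unix_name.strip(), []).extend(names.split())
    return mapping


def names_mapped_to_root(text: str) -> List[str]:
    """Username-map entries that give a domain account uid 0; these deserve review."""
    return parse_username_map(text).get("root", [])


if __name__ == "__main__":
    domains = parse_idmap_config(SMB_CONF_GLOBAL)
    for sid in (DOMAIN_SIDS["FEE"] + "-1104", DOMAIN_SIDS["PLATON"] + "-1000"):
        print(sid, "->", expected_unix_id(sid, domains, DOMAIN_SIDS))
    print("mapped to root:", names_mapped_to_root(SMBUSERS))
```

Run against a real smb.conf and smbusers, the rid prediction can be compared with `wbinfo -S` for a domain SID, and any SID whose result says "allocated on demand" or "outside" the range is one to look at before trusting a share's access check.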
