[Samba] Domain Member Server: Domain Users cannot access shares

Jason Secord it at plymouthhistory.org
Tue Sep 20 20:30:36 UTC 2016


Hello to the Samba devs and mailing list subscribers,

I've run into a bit of trouble getting a new domain member server set up.

I've got three Ubuntu 14.04 64 bit VMs running the latest stable build of
Samba built from source acting as Domain Controllers.  I've got a fourth
physical machine running Ubuntu 16.04 64 bit running the canonical
distribution samba (Version 4.3.9-Ubuntu) that I've configured as a Domain
Member Server providing file sharing for the domain.  Shared directories
are stored on a RAID 1 array formatted ext4.  Currently I can see and
access all shares using any account that is a member of the Domain Admins
group, and can alter Share Permissions and ACLs via the Security tab via
the Computer Management snap-in running on a Windows 7 workstation that is
joined to the domain.  I've reset all ACLs and executed chmod g=rwx /mnt
and chgrp "DOMAIN\Domain Admins" /mnt (not recursive: the directory listing
further down still shows group "itwerks" on every share directory) and
granted "Everyone" and "Domain Users" Full Access in both the Share
Permissions and Security tabs.  Any attempt to view shares on the domain
member server when logged in as a user who is a member of the "Domain
Users" group fails: I am prompted to enter credentials, I do so, and they
are rejected (so the failure presents as an authentication failure rather
than an "access denied" on an already-connected share).  Domain Admins can
both view all shares and access their contents without a problem.

My smb.conf:

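# Global parameters

[global]
        workgroup = PHM
        realm = PHM.PLYMOUTHHISTORY.ORG
        netbios name = phmsrv01
        # Domain member: logons are validated against the PHM domain
        # controllers (Kerberos, NTLM fallback), not against local accounts.
        security = ads
        printing = CUPS
        # Empty printcap: this host publishes no printers.
        printcap name = /dev/null
        # Already the default in Samba 4; kept only for readability.
        encrypt passwords = yes
        # Listen on loopback and the LAN interface only.
        bind interfaces only = yes
        interfaces = lo eno2

        log file = /var/log/samba/samba.%m.log
        # NOTE(review): while chasing the rejected logons, temporarily raise the
        # auth and winbind debug classes (e.g. "log level = 1 auth:3 winbind:3")
        # and read the per-client log for the failing user; drop it back afterwards.
        log level = 2

        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        winbind refresh tickets = yes
        winbind trusted domains only = no
        # Domain accounts are exposed without the "PHM\" prefix (e.g. "ekerstens").
        # NOTE(review): this host has BOTH a local account "itwerks" (uid 1000) and
        # a domain account "itwerks" (uid 10000). With "passwd: compat winbind" in
        # nsswitch.conf the bare name resolves to the local account first, so
        # chown/chgrp "itwerks" and the ls output refer to the local user, not the
        # domain one. Use the qualified name ("PHM\itwerks") or rename one of them.
        winbind use default domain = yes
        # Enumeration is what makes "getent passwd/group" list domain accounts.
        # smbd's own lookups are by name/SID and generally do not need it; the
        # manual warns it is expensive on large domains.
        winbind enum users  = yes
        winbind enum groups = yes
        allow trusted domains = yes

        # Default idmap config used for BUILTIN and local accounts/groups
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999

        # idmap config for domain PHM. With the "ad" backend every user and group
        # must carry a uidNumber/gidNumber in AD that falls inside this range;
        # an account without one cannot be mapped and therefore cannot be
        # authorised on a share. (The getent output shows 10000-10017 for the
        # accounts that are mapped.)
        idmap config PHM:backend = ad
        idmap config PHM:schema_mode = rfc2307
        idmap config PHM:range = 10000-9999999

        # Use settings from AD for login shell and home directory
        winbind nss info = rfc2307

        # Enable extended ACL support, see
        # https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
        # (In the posted file this URL was a bare, uncommented, mail-wrapped line;
        # smb.conf should discard such a line with a "badly formed line" warning,
        # which "testparm -s" will show. It is now a comment.)
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes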


# Share definitions.
#
# NOTE(review): every share below except [test2] lists Domain Admins in
# "admin users". Per the smb.conf manual, members of that list perform ALL
# file operations on the share as root, irrespective of file permissions or
# ACLs. Two consequences worth keeping in mind:
#   - "Domain Admins can access everything" does not demonstrate that the
#     on-disk ACLs are correct; it would be true even if the ACLs were wrong.
#   - any domain admin's workstation malware gets root on this file tree.
# The Samba wiki's "Shares with Windows ACLs" setup manages access with
# Windows ACLs alone and does not need "admin users" at all.
#
# Only [Accounts] restricts who may connect ("valid users"); every other
# share admits any authenticated domain account and relies solely on the
# filesystem ACLs, which the post says were opened to "Everyone" Full Access.

# NOTE(review): this is "[home]", not the special "[homes]" section, so it is
# one ordinary share of the whole tree with no per-user substitution.
[home]
path = /mnt/md0/samba_shares/home
read only = no
admin users = @"PHM\Domain Admins"

[Profiles]
path = /mnt/md0/samba_shares/Profiles
read only = no
admin users = @"PHM\Domain Admins"

# The only share with a connect-time restriction.
[Accounts]
comment = PHM Accounts
path = /mnt/md0/samba_shares/Accounts
        admin users = @"PHM\Domain Admins"
        read only = no
valid users = @"PHM\Domain Users"

[Director-sec]
comment = Director-Sec Share
path = /mnt/md0/samba_shares/Director_sec
admin users = @"PHM\Domain Admins"
read only = no

[Director-ek]
comment = Director-ek Share
path = /mnt/md0/samba_shares/Director-ek
admin users = @"PHM\Domain Admins"
read only = no

[Edu_data]
comment = Edu-data Share
path = /mnt/md0/samba_shares/Edu_data
admin users = @"PHM\Domain Admins"
read only = no

[PlymouthData]
comment = PlymouthData Share
path = /mnt/md0/samba_shares/PlymouthData
admin users = @"PHM\Domain Admins"
read only = no

[PP4]
comment = PP4 Share
path = /mnt/md0/samba_shares/pp4
admin users = @"PHM\Domain Admins"
read only = no

[PP5]
comment = PP5 Share
path = /mnt/md0/samba_shares/PP5
admin users = @"PHM\Domain Admins"
read only = no

[Primary]
comment = Primary Share
path = /mnt/md0/samba_shares/Primary
admin users = @"PHM\Domain Admins"
read only = no

[secdata]
comment = secdata share
path = /mnt/md0/samba_shares/secdata
admin users = @"PHM\Domain Admins"
read only = no

[STORE]
comment = Store Share
path = /mnt/md0/samba_shares/STORE
admin users = @"PHM\Domain Admins"
read only = no

[Vol_data]
comment = Vol_data Share
path = /mnt/md0/samba_shares/Vol_data
admin users = @"PHM\Domain Admins"
read only = no

# NOTE(review): if this holds AD DC backups (samba_backup tarballs include
# sam.ldb, i.e. every domain password hash and the krbtgt key), it must not
# be readable by ordinary domain users. Its directory is mode 777 with an ACL
# in the listing below and this share has no "valid users", so once the
# logon problem is fixed any domain account could read it. Add
# "valid users = @"PHM\Domain Admins"" and tighten the directory ACL.
[samba_backups]
comment = PHM Samba AD Backups
path = /mnt/md0/samba_shares/samba_backups
admin users = @"PHM\Domain Admins"
read only = no

[ITWERKS]
comment = ITWERKS Admin Share
path = /mnt/md0/samba_shares/ITWERKS
admin users = @"PHM\Domain Admins"
read only = no

[test]
path = /mnt/md0/samba_shares/test
read only = no
        admin users = @"PHM\Domain Admins"

# NOTE(review): writable share inside the local admin user's home directory,
# no "valid users" and no "admin users"; presumably a temporary test share —
# remove it once the problem is solved.
[test2]
path = /home/itwerks/testshare
read only = no


My /etc/krb5.conf:

[libdefaults]
        default_realm = PHM.PLYMOUTHHISTORY.ORG
        dns_lookup_realm = false
        dns_lookup_kdc = true

My /etc/nsswitch.conf:

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


Results of getent group:

root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,itwerks
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:itwerks
floppy:x:25:
tape:x:26:
sudo:x:27:itwerks
audio:x:29:pulse
dip:x:30:itwerks
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:itwerks
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
systemd-journal:x:101:
systemd-timesync:x:102:
systemd-network:x:103:
systemd-resolve:x:104:
systemd-bus-proxy:x:105:
input:x:106:
crontab:x:107:
syslog:x:108:
netdev:x:109:
messagebus:x:110:
uuidd:x:111:
ssl-cert:x:112:
lpadmin:x:113:itwerks
lightdm:x:114:
nopasswdlogin:x:115:
whoopsie:x:116:
mlocate:x:117:
ssh:x:118:
avahi-autoipd:x:119:
avahi:x:120:
bluetooth:x:121:
scanner:x:122:saned
colord:x:123:
pulse:x:124:
pulse-access:x:125:
rtkit:x:126:
saned:x:127:
itwerks:x:1000:
sambashare:x:128:itwerks
vboxusers:x:129:itwerks
gdm:x:130:
geoclue:x:131:
ntp:x:132:
winbindd_priv:x:133:
postfix:x:134:
postdrop:x:135:
group policy creator owners:x:10004:
enterprise admins:x:10002:
domain admins:x:10000:
schema admins:x:10005:
domain users:x:10001:
dnsadmins:x:10003:

Results of getent passwd:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System
(admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time
Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network
Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd
Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:116::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip
daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management
daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech
Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
itwerks:x:1000:1000:itwerks,,,:/home/itwerks:/bin/bash
gdm:x:121:130:Gnome Display Manager:/var/lib/gdm3:/bin/false
geoclue:x:122:131::/var/lib/geoclue:/bin/false
sshd:x:123:65534::/var/run/sshd:/usr/sbin/nologin
ntp:x:124:132::/home/ntp:/bin/false
postfix:x:125:134::/var/spool/postfix:/bin/false
ekerstens:*:10002:10001:Elizabeth Kerstens:/home/ekerstens:/bin/sh
mbeddoes:*:10010:10001:Madelyne Beddoes:/home/mbeddoes:/bin/sh
sbrindley:*:10006:10001:Sherrie Brindley:/home/sbrindley:/bin/sh
mthackston:*:10008:10001:Mary Thackston:/home/mthackston:/bin/sh
swilson:*:10009:10001:Shannon Wilson:/home/swilson:/bin/sh
administrator:*:10001:10001:Administrator:/home/Administrator:/bin/sh
hnielsen:*:10007:10001:Heidi Nielsen:/home/hnielsen:/bin/sh
jburroughs:*:10017:10001:Jim Burroughs:/home/jburroughs:/bin/sh
mmccann:*:10003:10001:Melody McCann:/home/mmccann:/bin/sh
lryder:*:10005:10001:Leslie Ryder:/home/lryder:/bin/sh
jburns:*:10004:10001:Janet Burns:/home/jburns:/bin/sh
research1:*:10014:10001:Research 1:/home/research1:/bin/sh
store:*:10015:10001:Store User:/home/store:/bin/sh
phmadmin:*:10016:10001:PHM Admin:/home/phmadmin:/bin/sh
intern1:*:10011:10001:Intern 1:/home/intern1:/bin/sh
intern2:*:10012:10001:Intern 2:/home/intern2:/bin/sh
intern3:*:10013:10001:Intern 3:/home/intern3:/bin/sh
itwerks:*:10000:10001:it werks:/home/itwerks:/bin/sh

Status of the smbd, nmbd, and winbind daemons:

● smbd.service - LSB: start Samba SMB/CIFS daemon (smbd)
   Loaded: loaded (/etc/init.d/smbd; bad; vendor preset: enabled)
   Active: active (running) since Tue 2016-09-20 11:27:07 EDT; 4h 58min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 16736 ExecStop=/etc/init.d/smbd stop (code=exited,
status=0/SUCCESS
  Process: 16891 ExecStart=/etc/init.d/smbd start (code=exited,
status=0/SUCCE
   CGroup: /system.slice/smbd.service
           ├─16908 /usr/sbin/smbd -D
           ├─16909 /usr/sbin/smbd -D
           ├─16911 /usr/sbin/smbd -D
           └─17092 /usr/sbin/smbd -D

Sep 20 11:27:07 phmsrv01 systemd[1]: Starting LSB: start Samba SMB/CIFS
daemon
Sep 20 11:27:07 phmsrv01 smbd[16891]:  * Starting SMB/CIFS daemon smbd
Sep 20 11:27:07 phmsrv01 smbd[16891]:    ...done.
Sep 20 11:27:07 phmsrv01 systemd[1]: Started LSB: start Samba SMB/CIFS
daemon
Sep 20 11:27:07 phmsrv01 smbd[16908]: [2016/09/20 11:27:07.830678,  0]
../lib/
Sep 20 11:27:07 phmsrv01 smbd[16908]:   STATUS=daemon 'smbd' finished
starting


● nmbd.service - LSB: start Samba NetBIOS nameserver (nmbd)
   Loaded: loaded (/etc/init.d/nmbd; bad; vendor preset: enabled)
   Active: active (running) since Tue 2016-09-20 11:27:21 EDT; 4h 58min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 16785 ExecStop=/etc/init.d/nmbd stop (code=exited,
status=0/SUCCESS
  Process: 16944 ExecStart=/etc/init.d/nmbd start (code=exited,
status=0/SUCCE
   CGroup: /system.slice/nmbd.service
           └─16963 /usr/sbin/nmbd -D

Sep 20 11:27:21 phmsrv01 nmbd[16944]:    ...done.
Sep 20 11:27:21 phmsrv01 systemd[1]: Started LSB: start Samba NetBIOS
nameserv
Sep 20 11:27:21 phmsrv01 nmbd[16963]: [2016/09/20 11:27:21.069255,  0]
../lib/
Sep 20 11:27:21 phmsrv01 nmbd[16963]:   STATUS=daemon 'nmbd' finished
starting
Sep 20 11:27:44 phmsrv01 nmbd[16963]: [2016/09/20 11:27:44.518048,  0]
../sour
Sep 20 11:27:44 phmsrv01 nmbd[16963]:   *****
Sep 20 11:27:44 phmsrv01 nmbd[16963]:
Sep 20 11:27:44 phmsrv01 nmbd[16963]:   Samba name server PHMSRV01 is now a
lo
Sep 20 11:27:44 phmsrv01 nmbd[16963]:
Sep 20 11:27:44 phmsrv01 nmbd[16963]:   *****


● winbind.service - LSB: start Winbind daemon
   Loaded: loaded (/etc/init.d/winbind; bad; vendor preset: enabled)
   Active: active (running) since Tue 2016-09-20 11:27:29 EDT; 4h 58min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 16840 ExecStop=/etc/init.d/winbind stop (code=exited,
status=0/SUCC
  Process: 17024 ExecStart=/etc/init.d/winbind start (code=exited,
status=0/SU
   CGroup: /system.slice/winbind.service
           ├─17043 /usr/sbin/winbindd
           ├─17044 /usr/sbin/winbindd
           ├─17054 /usr/sbin/winbindd
           ├─17093 /usr/sbin/winbindd
           └─17218 /usr/sbin/winbindd

Sep 20 11:27:29 phmsrv01 systemd[1]: Starting LSB: start Winbind daemon...
Sep 20 11:27:29 phmsrv01 winbind[17024]:  * Starting the Winbind daemon
winbin
Sep 20 11:27:29 phmsrv01 winbind[17024]:    ...done.
Sep 20 11:27:29 phmsrv01 systemd[1]: Started LSB: start Winbind daemon.
Sep 20 11:27:29 phmsrv01 winbindd[17043]: [2016/09/20 11:27:29.606830,  0]
../
Sep 20 11:27:29 phmsrv01 winbindd[17043]:   initialize_winbindd_cache:
clearin
Sep 20 11:27:29 phmsrv01 winbindd[17043]: [2016/09/20 11:27:29.645601,  0]
../
Sep 20 11:27:29 phmsrv01 winbindd[17043]:   STATUS=daemon 'winbindd'
finished


ls -la of my main share directory:

ls -la /mnt/md0/samba_shares/
total 172
drwxrwxrwx+ 19 itwerks itwerks  4096 Sep 19 21:31 .
drwxrwx---  11 itwerks itwerks  4096 Sep 18 14:14 ..
drwxrwxrwx+  3 itwerks itwerks 36864 Sep 18 13:11 Accounts
drwxrwxrwx+ 30 itwerks itwerks  4096 Sep 18 13:14 Director-ek
drwxrwxrwx+ 47 itwerks itwerks  4096 Sep 18 13:14 Director_sec
drwxrwxrwx+  2 itwerks itwerks  4096 Oct 29  2010 Edu_data
drwxrwxrwx+ 21 itwerks itwerks  4096 Sep 18 18:37 home
drwxrwxrwx+ 11 itwerks itwerks  4096 Sep 18 20:45 ITWERKS
drwxrwxrwx+ 62 itwerks itwerks  4096 Sep 18 13:39 PlymouthData
drwxrwxrwx+  2 itwerks itwerks  4096 Sep 18 14:16 pp4
drwxrwxrwx+  3 itwerks itwerks  4096 Sep 18 13:58 PP5
drwxrwxrwx+  5 itwerks itwerks  4096 Oct 29  2010 Primary
drwxrwxrwx+  7 itwerks itwerks  4096 Sep 18 16:39 Profiles
drwxrwxrwx+  2 itwerks itwerks  4096 Sep 18 02:19 samba_backups
drwxrwxrwx+ 51 itwerks itwerks  4096 Sep 18 14:16 secdata
drwxrwxrwx+ 17 itwerks itwerks  4096 Jul 29  2013 server01
drwxrwxrwx+  3 itwerks itwerks  4096 Sep 18 14:17 STORE
drwxrwxrwx+  2 itwerks itwerks  4096 Sep 19 22:21 test
drwxrwxrwx+  3 itwerks itwerks  4096 Nov 29  2013 Vol_data


I am at a loss as to what I'm doing wrong here, please advise.  If further
information is needed I'm happy to provide it.  Thanks in advance for any
help, it is greatly appreciated.

Kind Regards,

JS

