[Samba] Domain Member Server: Domain Users cannot access shares

Jason Secord it at plymouthhistory.org
Wed Sep 21 03:38:19 UTC 2016


So it seems that I have identified the source of all of my permissions
issues, though I'm unclear as to exactly why these problems have occurred
and would love an explanation if anyone can offer one.

I was using mdadm to create a RAID 1 array, formatting it ext4 and storing
all of the data that samba was serving on /dev/md0.  The two drives that
make up the array are hosted by an LSI MegaRaid controller, though they are
not configured within its interface.  After carefully troubleshooting
every step in the process of setting share permissions and ACLs I decided
to create a test share on the system drive. I copied one of the problematic
directories from the raid array to my home folder and was immediately able
to access it as a Domain User... So something about the RAID array is
causing the failure.  I've since moved all of the shared data to the system
drive and am moving on to other tasks but I'd really like to get it moved
back to the array.

What is going on here?  The system drive is hosted by the same
controller... I've successfully used RAID arrays and mdadm to host shares
at other locations.  I'd really love to understand what's going awry in
this setup.

Kind regards,

JS

On Sep 20, 2016 4:30 PM, "Jason Secord" <it at plymouthhistory.org> wrote:

> Hello to the Samba devs and mailing list subscribers,
>
> I've run into a bit of trouble getting a new domain member server set up.
>
> I've got three Ubuntu 14.04 64 bit VMs running the latest stable build of
> Samba built from source acting as Domain Controllers.  I've got a fourth
> physical machine running Ubuntu 16.04 64 bit running the canonical
> distribution samba (Version 4.3.9-Ubuntu) that I've configured as a Domain
> Member Server providing file sharing for the domain.  Shared directories
> are stored on a RAID 1 array formatted ext4.  Currently I can see and
> access all shares using any account that is a member of the Domain Admins
> group, and can alter Share Permissions and ACLs via the Security tab via
> the Computer Management snap-in running on a Windows 7 workstation that is
> joined to the domain.  I've reset all ACLs and executed chmod g=rwx /mnt
> and chgrp "DOMAIN\Domain Admins" /mnt and granted "Everyone" and "Domain
> Users" Full Access in both the Share Permissions and Security tabs.  Any
> attempt to view shares on the domain member server when logged in as a user
> who is a member of the "Domain Users" group fails, I am prompted to enter
> credentials, I do so and they are rejected.  Domain Admins can both view all
> shares and access their contents without a problem.
>
> My smb.conf:
>
> # Global parameters
>
> [global]
>         workgroup = PHM
>         realm = PHM.PLYMOUTHHISTORY.ORG
>         netbios name = phmsrv01
>         security = ads
>         printing = CUPS
>         printcap name = /dev/null
>         encrypt passwords = yes
>         bind interfaces only = yes
>         interfaces = lo eno2
>
>         log file = /var/log/samba/samba.%m.log
>         log level = 2
>
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>         winbind refresh tickets = yes
>         winbind trusted domains only = no
>         winbind use default domain = yes
>         winbind enum users = yes
>         winbind enum groups = yes
>         allow trusted domains = yes
>
>         # Default idmap config used for BUILTIN and local accounts/groups
>         idmap config *:backend = tdb
>         idmap config *:range = 2000-9999
>
>         # idmap config for domain PHM
>         idmap config PHM:backend = ad
>         idmap config PHM:schema_mode = rfc2307
>         idmap config PHM:range = 10000-9999999
>
>         # Use settings from AD for login shell and home directory
>         winbind nss info = rfc2307
>
>         # Enable extended ACL support https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
>
> [home]
>         path = /mnt/md0/samba_shares/home
>         read only = no
>         admin users = @"PHM\Domain Admins"
>
> [Profiles]
>         path = /mnt/md0/samba_shares/Profiles
>         read only = no
>         admin users = @"PHM\Domain Admins"
>
> [Accounts]
>         comment = PHM Accounts
>         path = /mnt/md0/samba_shares/Accounts
>         admin users = @"PHM\Domain Admins"
>         read only = no
>         valid users = @"PHM\Domain Users"
>
> [Director-sec]
>         comment = Director-Sec Share
>         path = /mnt/md0/samba_shares/Director_sec
>         admin users = @"PHM\Domain Admins"
>         read only = no
>
> [Director-ek]
>         comment = Director-ek Share
>         path = /mnt/md0/samba_shares/Director-ek
>         admin users = @"PHM\Domain Admins"
>         read only = no
>
> [Edu_data]
>         comment = Edu-data Share
>         path = /mnt/md0/samba_shares/Edu_data
>         admin users = @"PHM\Domain Admins"
>         read only = no
>
> [PlymouthData]
>         comment = PlymouthData Share
>         path = /mnt/md0/samba_shares/PlymouthData
>         admin users = @"PHM\Domain Admins"
>         read only = no
>
> [PP4]
>         comment = PP4 Share
>         path = /mnt/md0/samba_shares/pp4
>         admin users = @"PHM\Domain Admins"
>         read only = no
>
> [PP5]
>         comment = PP5 Share
>         path = /mnt/md0/samba_shares/PP5
>         admin users = @"PHM\Domain Admins"
>         read only = no
>
> [Primary]
>         comment = Primary Share
>         path = /mnt/md0/samba_shares/Primary
>         admin users = @"PHM\Domain Admins"
>         read only = no
>
> [secdata]
>         comment = secdata share
>         path = /mnt/md0/samba_shares/secdata
>         admin users = @"PHM\Domain Admins"
>         read only = no
>
> [STORE]
>         comment = Store Share
>         path = /mnt/md0/samba_shares/STORE
>         admin users = @"PHM\Domain Admins"
>         read only = no
>
> [Vol_data]
>         comment = Vol_data Share
>         path = /mnt/md0/samba_shares/Vol_data
>         admin users = @"PHM\Domain Admins"
>         read only = no
>
> [samba_backups]
>         comment = PHM Samba AD Backups
>         path = /mnt/md0/samba_shares/samba_backups
>         admin users = @"PHM\Domain Admins"
>         read only = no
>
> [ITWERKS]
>         comment = ITWERKS Admin Share
>         path = /mnt/md0/samba_shares/ITWERKS
>         admin users = @"PHM\Domain Admins"
>         read only = no
>
> [test]
>         path = /mnt/md0/samba_shares/test
>         read only = no
>         admin users = @"PHM\Domain Admins"
>
> [test2]
>         path = /home/itwerks/testshare
>         read only = no
>
>
> My /etc/krb5.conf:
>
> [libdefaults]
>         default_realm = PHM.PLYMOUTHHISTORY.ORG
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
> My /etc/nsswitch.conf:
>
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
> gshadow:        files
>
> hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
>
> Results of getent group:
>
> root:x:0:
> daemon:x:1:
> bin:x:2:
> sys:x:3:
> adm:x:4:syslog,itwerks
> tty:x:5:
> disk:x:6:
> lp:x:7:
> mail:x:8:
> news:x:9:
> uucp:x:10:
> man:x:12:
> proxy:x:13:
> kmem:x:15:
> dialout:x:20:
> fax:x:21:
> voice:x:22:
> cdrom:x:24:itwerks
> floppy:x:25:
> tape:x:26:
> sudo:x:27:itwerks
> audio:x:29:pulse
> dip:x:30:itwerks
> www-data:x:33:
> backup:x:34:
> operator:x:37:
> list:x:38:
> irc:x:39:
> src:x:40:
> gnats:x:41:
> shadow:x:42:
> utmp:x:43:
> video:x:44:
> sasl:x:45:
> plugdev:x:46:itwerks
> staff:x:50:
> games:x:60:
> users:x:100:
> nogroup:x:65534:
> systemd-journal:x:101:
> systemd-timesync:x:102:
> systemd-network:x:103:
> systemd-resolve:x:104:
> systemd-bus-proxy:x:105:
> input:x:106:
> crontab:x:107:
> syslog:x:108:
> netdev:x:109:
> messagebus:x:110:
> uuidd:x:111:
> ssl-cert:x:112:
> lpadmin:x:113:itwerks
> lightdm:x:114:
> nopasswdlogin:x:115:
> whoopsie:x:116:
> mlocate:x:117:
> ssh:x:118:
> avahi-autoipd:x:119:
> avahi:x:120:
> bluetooth:x:121:
> scanner:x:122:saned
> colord:x:123:
> pulse:x:124:
> pulse-access:x:125:
> rtkit:x:126:
> saned:x:127:
> itwerks:x:1000:
> sambashare:x:128:itwerks
> vboxusers:x:129:itwerks
> gdm:x:130:
> geoclue:x:131:
> ntp:x:132:
> winbindd_priv:x:133:
> postfix:x:134:
> postdrop:x:135:
> group policy creator owners:x:10004:
> enterprise admins:x:10002:
> domain admins:x:10000:
> schema admins:x:10005:
> domain users:x:10001:
> dnsadmins:x:10003:
>
> Results of getent passwd:
>
> root:x:0:0:root:/root:/bin/bash
> daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
> bin:x:2:2:bin:/bin:/usr/sbin/nologin
> sys:x:3:3:sys:/dev:/usr/sbin/nologin
> sync:x:4:65534:sync:/bin:/bin/sync
> games:x:5:60:games:/usr/games:/usr/sbin/nologin
> man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
> lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
> mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
> news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
> uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
> proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
> www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
> backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
> list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
> irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
> gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
> systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
> systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
> systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
> systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
> syslog:x:104:108::/home/syslog:/bin/false
> _apt:x:105:65534::/nonexistent:/bin/false
> messagebus:x:106:110::/var/run/dbus:/bin/false
> uuidd:x:107:111::/run/uuidd:/bin/false
> lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
> whoopsie:x:109:116::/nonexistent:/bin/false
> avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
> avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
> dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
> colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
> speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
> hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
> kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
> pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
> rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
> saned:x:119:127::/var/lib/saned:/bin/false
> usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
> itwerks:x:1000:1000:itwerks,,,:/home/itwerks:/bin/bash
> gdm:x:121:130:Gnome Display Manager:/var/lib/gdm3:/bin/false
> geoclue:x:122:131::/var/lib/geoclue:/bin/false
> sshd:x:123:65534::/var/run/sshd:/usr/sbin/nologin
> ntp:x:124:132::/home/ntp:/bin/false
> postfix:x:125:134::/var/spool/postfix:/bin/false
> ekerstens:*:10002:10001:Elizabeth Kerstens:/home/ekerstens:/bin/sh
> mbeddoes:*:10010:10001:Madelyne Beddoes:/home/mbeddoes:/bin/sh
> sbrindley:*:10006:10001:Sherrie Brindley:/home/sbrindley:/bin/sh
> mthackston:*:10008:10001:Mary Thackston:/home/mthackston:/bin/sh
> swilson:*:10009:10001:Shannon Wilson:/home/swilson:/bin/sh
> administrator:*:10001:10001:Administrator:/home/Administrator:/bin/sh
> hnielsen:*:10007:10001:Heidi Nielsen:/home/hnielsen:/bin/sh
> jburroughs:*:10017:10001:Jim Burroughs:/home/jburroughs:/bin/sh
> mmccann:*:10003:10001:Melody McCann:/home/mmccann:/bin/sh
> lryder:*:10005:10001:Leslie Ryder:/home/lryder:/bin/sh
> jburns:*:10004:10001:Janet Burns:/home/jburns:/bin/sh
> research1:*:10014:10001:Research 1:/home/research1:/bin/sh
> store:*:10015:10001:Store User:/home/store:/bin/sh
> phmadmin:*:10016:10001:PHM Admin:/home/phmadmin:/bin/sh
> intern1:*:10011:10001:Intern 1:/home/intern1:/bin/sh
> intern2:*:10012:10001:Intern 2:/home/intern2:/bin/sh
> intern3:*:10013:10001:Intern 3:/home/intern3:/bin/sh
> itwerks:*:10000:10001:it werks:/home/itwerks:/bin/sh
>
> Status of the smbd, nmbd, and winbind daemons:
>
> ● smbd.service - LSB: start Samba SMB/CIFS daemon (smbd)
>    Loaded: loaded (/etc/init.d/smbd; bad; vendor preset: enabled)
>    Active: active (running) since Tue 2016-09-20 11:27:07 EDT; 4h 58min ago
>      Docs: man:systemd-sysv-generator(8)
>   Process: 16736 ExecStop=/etc/init.d/smbd stop (code=exited, status=0/SUCCESS
>   Process: 16891 ExecStart=/etc/init.d/smbd start (code=exited, status=0/SUCCE
>    CGroup: /system.slice/smbd.service
>            ├─16908 /usr/sbin/smbd -D
>            ├─16909 /usr/sbin/smbd -D
>            ├─16911 /usr/sbin/smbd -D
>            └─17092 /usr/sbin/smbd -D
>
> Sep 20 11:27:07 phmsrv01 systemd[1]: Starting LSB: start Samba SMB/CIFS daemon
> Sep 20 11:27:07 phmsrv01 smbd[16891]:  * Starting SMB/CIFS daemon smbd
> Sep 20 11:27:07 phmsrv01 smbd[16891]:    ...done.
> Sep 20 11:27:07 phmsrv01 systemd[1]: Started LSB: start Samba SMB/CIFS daemon
> Sep 20 11:27:07 phmsrv01 smbd[16908]: [2016/09/20 11:27:07.830678,  0] ../lib/
> Sep 20 11:27:07 phmsrv01 smbd[16908]:   STATUS=daemon 'smbd' finished starting
>
>
> ● nmbd.service - LSB: start Samba NetBIOS nameserver (nmbd)
>    Loaded: loaded (/etc/init.d/nmbd; bad; vendor preset: enabled)
>    Active: active (running) since Tue 2016-09-20 11:27:21 EDT; 4h 58min ago
>      Docs: man:systemd-sysv-generator(8)
>   Process: 16785 ExecStop=/etc/init.d/nmbd stop (code=exited, status=0/SUCCESS
>   Process: 16944 ExecStart=/etc/init.d/nmbd start (code=exited, status=0/SUCCE
>    CGroup: /system.slice/nmbd.service
>            └─16963 /usr/sbin/nmbd -D
>
> Sep 20 11:27:21 phmsrv01 nmbd[16944]:    ...done.
> Sep 20 11:27:21 phmsrv01 systemd[1]: Started LSB: start Samba NetBIOS nameserv
> Sep 20 11:27:21 phmsrv01 nmbd[16963]: [2016/09/20 11:27:21.069255,  0] ../lib/
> Sep 20 11:27:21 phmsrv01 nmbd[16963]:   STATUS=daemon 'nmbd' finished starting
> Sep 20 11:27:44 phmsrv01 nmbd[16963]: [2016/09/20 11:27:44.518048,  0] ../sour
> Sep 20 11:27:44 phmsrv01 nmbd[16963]:   *****
> Sep 20 11:27:44 phmsrv01 nmbd[16963]:
> Sep 20 11:27:44 phmsrv01 nmbd[16963]:   Samba name server PHMSRV01 is now a lo
> Sep 20 11:27:44 phmsrv01 nmbd[16963]:
> Sep 20 11:27:44 phmsrv01 nmbd[16963]:   *****
>
>
> ● winbind.service - LSB: start Winbind daemon
>    Loaded: loaded (/etc/init.d/winbind; bad; vendor preset: enabled)
>    Active: active (running) since Tue 2016-09-20 11:27:29 EDT; 4h 58min ago
>      Docs: man:systemd-sysv-generator(8)
>   Process: 16840 ExecStop=/etc/init.d/winbind stop (code=exited, status=0/SUCC
>   Process: 17024 ExecStart=/etc/init.d/winbind start (code=exited, status=0/SU
>    CGroup: /system.slice/winbind.service
>            ├─17043 /usr/sbin/winbindd
>            ├─17044 /usr/sbin/winbindd
>            ├─17054 /usr/sbin/winbindd
>            ├─17093 /usr/sbin/winbindd
>            └─17218 /usr/sbin/winbindd
>
> Sep 20 11:27:29 phmsrv01 systemd[1]: Starting LSB: start Winbind daemon...
> Sep 20 11:27:29 phmsrv01 winbind[17024]:  * Starting the Winbind daemon winbin
> Sep 20 11:27:29 phmsrv01 winbind[17024]:    ...done.
> Sep 20 11:27:29 phmsrv01 systemd[1]: Started LSB: start Winbind daemon.
> Sep 20 11:27:29 phmsrv01 winbindd[17043]: [2016/09/20 11:27:29.606830,  0] ../
> Sep 20 11:27:29 phmsrv01 winbindd[17043]:   initialize_winbindd_cache: clearin
> Sep 20 11:27:29 phmsrv01 winbindd[17043]: [2016/09/20 11:27:29.645601,  0] ../
> Sep 20 11:27:29 phmsrv01 winbindd[17043]:   STATUS=daemon 'winbindd' finished
>
>
> ls -la of my main share directory:
>
> ls -la /mnt/md0/samba_shares/
> total 172
> drwxrwxrwx+ 19 itwerks itwerks  4096 Sep 19 21:31 .
> drwxrwx---  11 itwerks itwerks  4096 Sep 18 14:14 ..
> drwxrwxrwx+  3 itwerks itwerks 36864 Sep 18 13:11 Accounts
> drwxrwxrwx+ 30 itwerks itwerks  4096 Sep 18 13:14 Director-ek
> drwxrwxrwx+ 47 itwerks itwerks  4096 Sep 18 13:14 Director_sec
> drwxrwxrwx+  2 itwerks itwerks  4096 Oct 29  2010 Edu_data
> drwxrwxrwx+ 21 itwerks itwerks  4096 Sep 18 18:37 home
> drwxrwxrwx+ 11 itwerks itwerks  4096 Sep 18 20:45 ITWERKS
> drwxrwxrwx+ 62 itwerks itwerks  4096 Sep 18 13:39 PlymouthData
> drwxrwxrwx+  2 itwerks itwerks  4096 Sep 18 14:16 pp4
> drwxrwxrwx+  3 itwerks itwerks  4096 Sep 18 13:58 PP5
> drwxrwxrwx+  5 itwerks itwerks  4096 Oct 29  2010 Primary
> drwxrwxrwx+  7 itwerks itwerks  4096 Sep 18 16:39 Profiles
> drwxrwxrwx+  2 itwerks itwerks  4096 Sep 18 02:19 samba_backups
> drwxrwxrwx+ 51 itwerks itwerks  4096 Sep 18 14:16 secdata
> drwxrwxrwx+ 17 itwerks itwerks  4096 Jul 29  2013 server01
> drwxrwxrwx+  3 itwerks itwerks  4096 Sep 18 14:17 STORE
> drwxrwxrwx+  2 itwerks itwerks  4096 Sep 19 22:21 test
> drwxrwxrwx+  3 itwerks itwerks  4096 Nov 29  2013 Vol_data
>
>
> I am at a loss as to what I'm doing wrong here, please advise.  If further
> information is needed I'm happy to provide it.  Thanks in advance for any
> help, it is greatly appreciated.
>
> Kind Regards,
>
> JS
>

