[Samba] Domain Member Server: Domain Users cannot access shares

Jason Secord it at plymouthhistory.org
Thu Sep 22 23:23:05 UTC 2016


*Another reply that was accidentally sent to the wrong address...*

I ran another test of a share on the raid array after making the changes
you suggested Rowland.  I reset the ACLs on /mnt/md0/samba_shares/test as
outlined in the wiki and set the default group to domain admins.  I
executed setfacl commands g=rwx and chgrp domain admins, then added the
directory to my smb.conf and ran "smbcontrol all reload-config".  I then
logged in to a Windows box as administrator and set ACLs for my test domain
user account, allowing full control in both share permissions and the
security tabs, applied settings and closed the snap-in.

I then logged in to another machine as my test user and tried to access the
new share and still received access denied.

I'd be oh so happy if this thread ends and the raid controller isn't the
root cause of this issue, but my gut says it must be, as shares that I
copied from the array to the system drive retained the ACLs I had set
previously and were accessible without modification.  I just wish I could
find some indication that this is a known issue; my Google-fu fails to
reveal any evidence supporting the theory.


Kind Regards,

JS

On Thu, Sep 22, 2016 at 7:21 PM, Jason Secord <it at plymouthhistory.org>
wrote:

> Hi Rowland,
>
>
> *Apparently I accidentally replied directly to you instead of the list,
> this is from a couple days ago...*
>
> First off, thanks again for your help, your insight is invaluable.
>
> I have completed the changes you suggested:
>
> I've used ADUC to remove the NIS Domain and UID/GID number from the
> following Users/Groups:
>
>    - group policy creator owners
>    - enterprise admins
>    - schema admins
>    - dnsadmins
>    - Administrator
>
> I've added "username map = /etc/samba/user.map" to my smb.conf
>
> I've created /etc/samba/user.map
>
> ls -la /etc/samba/user.map
> -rw-r--r-- 1 root root 73 Sep 21 20:53 /etc/samba/user.map
>
> cat /etc/samba/user.map
> !root = PHM\Administrator PHM\administrator Administrator administrator
>
> Here is the output of the getfacl command you requested I run:
>
> sudo getfacl /mnt/md0/samba_shares/Accounts
> getfacl: Removing leading '/' from absolute path names
> # file: mnt/md0/samba_shares/Accounts
> # owner: itwerks
> # group: domain\040admins
> user::rwx
> group::rwx
> other::rwx
> default:user::rwx
> default:group::rwx
> default:group:domain\040admins:rwx
> default:mask::rwx
> default:other::rwx
>
> Regards,
>
> JS
>
> On Thu, Sep 22, 2016 at 1:35 AM, Jason Secord <it at plymouthhistory.org>
> wrote:
>
>> I ran another test of a share on the raid array after making the changes
>> you suggested Rowland.  I reset the ACLs on /mnt/md0/samba_shares/test as
>> outlined in the wiki and set the default group to domain admins.  I
>> executed setfacl commands g=rwx and chgrp domain admins, then added the
>> directory to my smb.conf and ran "smbcontrol all reload-config".  I then
>> logged in to a Windows box as administrator and set ACLs for my test domain
>> user account, allowing full control in both share permissions and the
>> security tabs, applied settings and closed the snap-in.
>>
>> I then logged in to another machine as my test user and tried to access
>> the new share and still received access denied.
>>
>> I'd be oh so happy if this thread ends and the raid controller isn't the
>> root cause of this issue, but my gut says it must be, as shares that I
>> copied from the array to the system drive retained the ACLs I had set
>> previously and were accessible without modification.  I just wish I could
>> find some indication that this is a known issue; my Google-fu fails to
>> reveal any evidence supporting the theory.
>>
>> JS
>>
>> On Sep 21, 2016 9:02 PM, "Jason Secord" <it at plymouthhistory.org> wrote:
>>
>>> Hi Rowland,
>>>
>>> First off, thanks again for your help, your insight is invaluable.
>>>
>>> I have completed the changes you suggested:
>>>
>>> I've used ADUC to remove the NIS Domain and UID/GID number from the
>>> following Users/Groups:
>>>
>>>    - group policy creator owners
>>>    - enterprise admins
>>>    - schema admins
>>>    - dnsadmins
>>>    - Administrator
>>>
>>> I've added "username map = /etc/samba/user.map" to my smb.conf
>>>
>>> I've created /etc/samba/user.map
>>>
>>> ls -la /etc/samba/user.map
>>> -rw-r--r-- 1 root root 73 Sep 21 20:53 /etc/samba/user.map
>>>
>>> cat /etc/samba/user.map
>>> !root = PHM\Administrator PHM\administrator Administrator administrator
>>>
>>> Here is the output of the getfacl command you requested I run:
>>>
>>> sudo getfacl /mnt/md0/samba_shares/Accounts
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: mnt/md0/samba_shares/Accounts
>>> # owner: itwerks
>>> # group: domain\040admins
>>> user::rwx
>>> group::rwx
>>> other::rwx
>>> default:user::rwx
>>> default:group::rwx
>>> default:group:domain\040admins:rwx
>>> default:mask::rwx
>>> default:other::rwx
>>>
>>> Regards,
>>>
>>> JS
>>>
>>>
>>> On Wed, Sep 21, 2016 at 12:06 PM, Rowland Penny via samba <
>>> samba at lists.samba.org> wrote:
>>>
>>>> On Wed, 21 Sep 2016 11:09:15 -0400
>>>> Jason Secord <it at plymouthhistory.org> wrote:
>>>>
>>>> > Hi Rowland,
>>>> >
>>>> > I've already removed all "admin users" and "valid users" entries from
>>>> > my smb.conf, they ended up there after hours of confusion trying to
>>>> > drill down to the root of the problem.
>>>> >
>>>> > To remove the aforementioned UID/GIDs, I can do that via the tab in
>>>> > ADUC, correct?  Is there a document best practices when applying UNIX
>>>> > attributes to accounts?
>>>>
>>>> You can do it with ADUC, or you can use ldb or ldap tools or ADSI edit.
>>>>
>>>> >
>>>> > I haven't encountered any mention of creating a user.map in the
>>>> > documentation, nor have I ever created one in the past.  Is this
>>>> > something that is considered a best practice as well?  Can you point
>>>> > me to any documentation on user.maps?
>>>>
>>>> Not too sure about the documentation; there is some in 'man smb.conf',
>>>> but it is easier to describe it to you.
>>>>
>>>> On a Samba AD DC, Administrator gets mapped to root automatically, but
>>>> on a domain member it isn't. There are two schools of thought here,
>>>> one is to give Administrator a uidNumber, but I don't recommend this.
>>>> If you do give Administrator a uidNumber, it becomes just another
>>>> Unix user with just the same permissions as any other user and it
>>>> breaks the DC. The other option is to use a 'username map', this will
>>>> do what the DC does and maps Administrator to the root user.
>>>>
>>>> > I will make these adjustments
>>>> > tonight and update you along with the results of that getfacl command
>>>> > you requested.
>>>> >
>>>> > I have applied ACLs to all shares already.
>>>> >
>>>>
>>>>
>>>
>>>
>
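The 'username map' mechanism Rowland describes above, as an added example that is not code from the thread or from the Samba project: a small POSIX shell script that walks a map file with the syntax documented in smb.conf(5) ("unixname = winname [winname ...]", a leading "!" stops processing after that line matches, "#"/";" comments, "*" wildcard, case-insensitive names) and reports which Unix account a Windows name resolves to, so the Administrator -> root mapping can be checked before smbd is reloaded. It also checks that the map file is not group- or world-writable, since a writable map lets a local user map their own name to root. The sample map is constructed here (same content as the one posted in the thread plus a guest rule); "@group" entries and quoted names with spaces are assumed out of scope and are not handled.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project.
# Emulates how a domain member resolves a Windows account name through a
# Samba 'username map' file so the mapping Rowland describes (Administrator
# -> root) can be checked before smbd is reloaded.
# Assumed syntax, taken from smb.conf(5): "unixname = winname [winname ...]",
# a leading "!" stops processing after that line matches, "#"/";" start
# comments, "*" matches any name, and matching is case-insensitive. "@group"
# entries and quoted names with spaces are not handled here.

# map_username MAPFILE WINNAME
#   Prints the Unix name WINNAME ends up as after walking MAPFILE top to bottom.
map_username() {
    # The name is passed through the environment rather than awk -v so that
    # the backslash in "PHM\Administrator" is not treated as an escape sequence.
    WANT="$2" awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    BEGIN { out = ENVIRON["WANT"]; cur = tolower(out) }
    /^[ \t]*([#;]|$)/ { next }                    # skip comments and blank lines
    {
        eq = index($0, "=")
        if (eq == 0) next                         # not a mapping line
        unixname = trim(substr($0, 1, eq - 1))
        winnames = trim(substr($0, eq + 1))
        stop = 0
        if (substr(unixname, 1, 1) == "!") {      # "!": stop once this line matches
            stop = 1
            unixname = trim(substr(unixname, 2))
        }
        n = split(winnames, w, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            if (w[i] == "*" || tolower(w[i]) == cur) {
                out = unixname                    # later lines see the mapped name
                cur = tolower(unixname)
                if (stop) exit
                break
            }
        }
    }
    END { print out }
    ' "$1"
}

# map_file_is_safe FILE
#   Returns 0 when FILE is writable by neither group nor others. Because the
#   map can turn any listed name into root, a writable map would let a local
#   user grant themselves root on every share.
map_file_is_safe() {
    perms=$(ls -ld "$1" | awk '{ print $1 }')     # e.g. -rw-r--r--
    case "$perms" in
        ?????w*|????????w*) return 1 ;;           # group-write or other-write bit set
    esac
    return 0
}

# make_sample_map
#   Writes a constructed map file (same content as the one posted in the
#   thread, plus a guest rule) to a temp file and prints its path.
make_sample_map() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample map
!root = PHM\Administrator PHM\administrator Administrator administrator
nobody = guest
EOF
    chmod 644 "$f"
    printf '%s\n' "$f"
}

map=$(make_sample_map)
map_file_is_safe "$map" && echo "map file permissions ok"
for name in 'PHM\Administrator' 'administrator' 'guest' 'PHM\jsecord'; do
    printf '%-20s -> %s\n' "$name" "$(map_username "$map" "$name")"
done
rm -f "$map"
```

To check a live system instead of the constructed sample, call `map_username /etc/samba/user.map 'PHM\Administrator'` and `map_file_is_safe /etc/samba/user.map`; the first should print `root`, matching the `-rw-r--r-- root root` listing shown earlier in the thread.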