[Samba] Domain Member Server: Domain Users cannot access shares
Jason Secord
it at plymouthhistory.org
Sun Sep 25 04:49:25 UTC 2016
Hi Rowland,
>From the top down, I'm going to try and cover every step involved in the
wiki and give you as much info as I can in the hope that we can get this
issue resolved, or at least determine that there is nothing wrong with my
config and that the underlying array has to be the weak point, even if none
of us know why.
*Step 1: Filesystem support*
We need the filesystem to support "user and system xattr name spaces" and
have ACL and XATTR support. Per the wiki ext4 "uses all the required
options by default" so editing the entry in fstab is not required. My
kernel must also have "CONFIG_EXT4_FS_SECURITY=y" and
"CONFIG_EXT4_FS_POSIX_ACL=y" enabled.
*The RAID array's filesystem:*
/dev/md0: UUID="593d0107-cea3-42f5-a451-8b548a1df6f0" TYPE="*ext4*"
*The RAID array's fstab entry:*
/dev/md0 /mnt/md0 ext4 defaults 0 0
*My kernel config:*
~$ cat "/boot/config-`uname -r`" | grep CONFIG_EXT4_FS_SECURITY
*CONFIG_EXT4_FS_SECURITY=y*
~$ cat "/boot/config-`uname -r`" | grep CONFIG_EXT4_FS_POSIX_ACL
*CONFIG_EXT4_FS_POSIX_ACL=y*
*Step 2: Test the filesystem*
*Make sure the package "attr" is installed:*
attr is already the newest version (1:2.4.47-2).
*Test xattr support **(all commands executed on the /dev/md0 filesystem)**:*
*Run the following commands as root to test xattr support:*
root at phmsrv01:/mnt/md0# touch test.txt
root at phmsrv01:/mnt/md0# setfattr -n user.test -v test test.txt
root at phmsrv01:/mnt/md0# setfattr -n security.test -v test2 test.txt
*The commands returned the correct output:*
root at phmsrv01:/mnt/md0# getfattr -d test.txt
# file: test.txt
user.test="test"
root at phmsrv01:/mnt/md0# getfattr -n security.test -d test.txt
# file: test.txt
security.test="test2"
*Run the following commands as root to test extended ACL support:*
root at phmsrv01:/mnt/md0# touch test.txt
root at phmsrv01:/mnt/md0# setfacl -m g:adm:rwx test.txt
*The commands returned the correct output:*
root at phmsrv01:/mnt/md0# getfacl test.txt
# file: test.txt
# owner: root
# group: root
user::rw-
group::r--
group:adm:rwx
mask::rwx
other::r--
*Step 3: Check Samba ACL Support:*
smbd -b | grep HAVE_LIBACL
*HAVE_LIBACL*
*Step 4: As this is a Domain Member Server, check that extended ACL support
exists in the smb.conf:*
itwerks at phmsrv01:~$ cat /etc/samba/smb.conf | grep acl_xattr
vfs objects = acl_xattr
itwerks at phmsrv01:~$ cat /etc/samba/smb.conf | grep "map acl inherit"
map acl inherit = yes
itwerks at phmsrv01:~$ cat /etc/samba/smb.conf | grep "store dos attributes"
store dos attributes = yes
itwerks at phmsrv01:~$
*Step 4: Ensure admin accounts have SeDiskOperatorPrivilege assigned:*
itwerks at phmsrv01:~$ net rpc rights list accounts -U'PHM\administrator' -I
phmadc01.phm.plymouthhistory.org
PHM\Administrator
SeDiskOperatorPrivilege
PHM\itwerks
SeDiskOperatorPrivilege
PHM\Domain Admins
SeDiskOperatorPrivilege
Since I've already gone through the process of creating directories and we
know that Domain Admins have Full Control I'm skipping those steps from the
wiki.
Step 5: Create a Share:
I added the "Accounts" directory to my smb.conf again:
[RAID-Accounts]
comment = PHM Accounts Directory on RAID ARRAY
path = /mnt/md0/samba_shares/Accounts
read only = no
and the executed *sudo smbcontrol all reload-config*
*Step 6: Setup share permissions:*
I logged in to a Windows 7 workstation that is joined to the domain as user
"itwerks", a member of the Domain Admins group with the
SeDiskOperatorPrivilege set. I opened the Computer Management snap-in and
connected to PHMSRV01.
(NOTE: I've always experienced this, and it hasn't ever seemed to cause any
harm so I've ignored it, but the first time I expand the "System Tools"
tree, or any tree for that matter, when connected to a Samba machine using
this snap-in, I receive an error that the RPC service is unavailable.
After clearing the notification the snap-in proceeds to connect to the
Samba machine and I am able to proceed without issue. I have no idea why
this happens.
I viewed the shares on PHMSRV01, right-clicked "RAID-Accounts", chose
"Properties" and set Share Permissions. "Everyone" is visible already and
has Full Control (I have left that setting untouched). I generally require
only a couple individual users to be able to access a given share, and in a
few exceptions all Domain Users are authorized to do so, but in this case
for testing I have added "testuser" and given them Full Control. I then
saved the changes by clicking OK.
*Step 7: Set ACLs on the root of a share:*
I opened the "RAID-Accounts" Properties again, chose the "Security" tab,
and added "testuser" with Full Control. hit OK, OK again to save changes.
I am fairly certain I executed the aforementioned steps properly, and that
I followed the wiki meticulously while doing so. If I am mistaken please
do let me know where I went astray.
*TESTING 123:*
getfacl shows the updated ACLs and 'testuser' has rwx permissions for the
share.
itwerks at phmsrv01:~$ sudo getfacl /mnt/md0/samba_shares/Accounts
[sudo] password for itwerks:
getfacl: Removing leading '/' from absolute path names
# file: mnt/md0/samba_shares/Accounts
# owner: itwerks
# group: domain\040admins
user::rwx
user:itwerks:rwx
user:testuser:rwx
group::rwx
group:domain\040admins:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:itwerks:rwx
default:user:testuser:rwx
default:group::rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::rwx
So, time to test from another workstation as 'testuser'...
I logged in to another workstation as 'testuser', a member of the Domain
Users group. In Windows Explorer I navigated to \\PHMSRV01 and all shares
are visible. I double-click "RAID_Accounts", the share I've been working
with above, and receive the following error:
*Windows cannot access \\phmsrv01\RAID-Accounts*
*You do not have permission to access \\phmsrv01\RAID-Accounts. Please
contact your network administrator blah blah blah.*
If I copy this directory from the RAID array to the system drive, change
the path in my smb.conf, and reload samba it will immediately be accessible.
Unless there's something obvious I'm overlooking, which I readily admit is
entirely possible, or there's some hidden nuance only a true greybeard
would immediately recognise, I'm at a complete loss as to what is causing
this behaviour.
Please advise.
Kind and Gracious Regards,
JS
On Fri, Sep 23, 2016 at 4:03 AM, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Fri, 23 Sep 2016 03:30:10 -0400
> Jason Secord via samba <samba at lists.samba.org> wrote:
>
> > Mediawiki is throwing an error at this moment but I followed that
> > page when I set up the shares and triple checked everything when I
> > last reset ACLs.
> >
> > JS
>
> I have asked somebody to look into the wiki problem, wait until it
> comes back again and then have another look.
> The problem from my perpective is that I don't fully understand just
> who is supposed to have access to the share. At the moment, only
> 'itwerks' and 'Domain Admins' are shown by getfacl, I would expect some
> other user or group to be mentioned.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
More information about the samba
mailing list