[Samba] Domain Member Server: Domain Users cannot access shares

Rowland Penny rpenny at samba.org
Sun Sep 25 08:50:38 UTC 2016


On Sun, 25 Sep 2016 00:49:25 -0400
Jason Secord via samba <samba at lists.samba.org> wrote:

> Hi Rowland,
> 
> From the top down, I'm going to try and cover every step involved in
> the wiki and give you as much info as I can in the hope that we can
> get this issue resolved, or at least determine that there is nothing
> wrong with my config and that the underlying array has to be the weak
> point, even if none of us know why.
> 
> *Step 1: Filesystem support*
> 
> We need the filesystem to support "user and system xattr name spaces"
> and have ACL and XATTR support.  Per the wiki ext4 "uses all the
> required options by default" so editing the entry in fstab is not
> required.  My kernel must also have "CONFIG_EXT4_FS_SECURITY=y" and
> "CONFIG_EXT4_FS_POSIX_ACL=y" enabled.
> 
> *The RAID array's filesystem:*
> /dev/md0: UUID="593d0107-cea3-42f5-a451-8b548a1df6f0" TYPE="ext4"
> 
> *The RAID array's fstab entry:*
> /dev/md0 /mnt/md0 ext4 defaults 0 0
> 
> *My kernel config:*
> ~$ cat "/boot/config-`uname -r`" | grep CONFIG_EXT4_FS_SECURITY
> CONFIG_EXT4_FS_SECURITY=y
> ~$ cat "/boot/config-`uname -r`" | grep CONFIG_EXT4_FS_POSIX_ACL
> CONFIG_EXT4_FS_POSIX_ACL=y
> 
> *Step 2: Test the filesystem*
> 
> *Make sure the package "attr" is installed:*
> attr is already the newest version (1:2.4.47-2).
> 
> *Test xattr support (all commands executed on the /dev/md0 filesystem):*
> 
> *Run the following commands as root to test xattr support:*
> 
> root@phmsrv01:/mnt/md0# touch test.txt
> root@phmsrv01:/mnt/md0# setfattr -n user.test -v test test.txt
> root@phmsrv01:/mnt/md0# setfattr -n security.test -v test2 test.txt
> 
> *The commands returned the correct output:*
> 
> root@phmsrv01:/mnt/md0# getfattr -d test.txt
> # file: test.txt
> user.test="test"
> 
> root@phmsrv01:/mnt/md0# getfattr -n security.test -d test.txt
> # file: test.txt
> security.test="test2"
> 
> *Run the following commands as root to test extended ACL support:*
> 
> root@phmsrv01:/mnt/md0# touch test.txt
> root@phmsrv01:/mnt/md0# setfacl -m g:adm:rwx test.txt
> 
> *The commands returned the correct output:*
> 
> root@phmsrv01:/mnt/md0# getfacl test.txt
> # file: test.txt
> # owner: root
> # group: root
> user::rw-
> group::r--
> group:adm:rwx
> mask::rwx
> other::r--
> 
> 
> *Step 3: Check Samba ACL Support:*
> 
> smbd -b | grep HAVE_LIBACL
>    HAVE_LIBACL
> 
> *Step 4: As this is a Domain Member Server, check that extended ACL
> support exists in the smb.conf:*
> 
> itwerks@phmsrv01:~$ cat /etc/samba/smb.conf | grep acl_xattr
>         vfs objects = acl_xattr
> itwerks@phmsrv01:~$ cat /etc/samba/smb.conf | grep "map acl inherit"
>         map acl inherit = yes
> itwerks@phmsrv01:~$ cat /etc/samba/smb.conf | grep "store dos attributes"
>         store dos attributes = yes
> itwerks@phmsrv01:~$
> 
> *Step 4: Ensure admin accounts have SeDiskOperatorPrivilege assigned:*
> 
> itwerks@phmsrv01:~$ net rpc rights list accounts -U'PHM\administrator' -I phmadc01.phm.plymouthhistory.org
> 
> PHM\Administrator
> SeDiskOperatorPrivilege
> 
> PHM\itwerks
> SeDiskOperatorPrivilege
> 
> PHM\Domain Admins
> SeDiskOperatorPrivilege
> 
> 
> 
> Since I've already gone through the process of creating directories
> and we know that Domain Admins have Full Control I'm skipping those
> steps from the wiki.
> 
> Step 5: Create a Share:
> 
> I added the "Accounts" directory to my smb.conf again:
> 
> [RAID-Accounts]
>         comment = PHM Accounts Directory on RAID ARRAY
>         path = /mnt/md0/samba_shares/Accounts
>         read only = no
> 
> and then executed *sudo smbcontrol all reload-config*
> 
> *Step 6: Setup share permissions:*
> 
> I logged in to a Windows 7 workstation that is joined to the domain
> as user "itwerks", a member of the Domain Admins group with the
> SeDiskOperatorPrivilege set.  I opened the Computer Management
> snap-in and connected to PHMSRV01.
> 
> (NOTE: I've always experienced this, and it hasn't ever seemed to
> cause any harm so I've ignored it, but the first time I expand the
> "System Tools" tree, or any tree for that matter, when connected to a
> Samba machine using this snap-in, I receive an error that the RPC
> service is unavailable. After clearing the notification the snap-in
> proceeds to connect to the Samba machine and I am able to proceed
> without issue.  I have no idea why this happens.)
> 
> I viewed the shares on PHMSRV01, right-clicked "RAID-Accounts", chose
> "Properties" and set Share Permissions.  "Everyone" is visible
> already and has Full Control (I have left that setting untouched).  I
> generally require only a couple individual users to be able to access
> a given share, and in a few exceptions all Domain Users are
> authorized to do so, but in this case for testing I have added
> "testuser" and given them Full Control.  I then saved the changes by
> clicking OK.
> 
> *Step 7: Set ACLs on the root of a share:*
> 
> I opened the "RAID-Accounts" Properties again, chose the "Security"
> tab, and added "testuser" with Full Control.  Hit OK, then OK again to
> save changes.
> 
> 
> I am fairly certain I executed the aforementioned steps properly, and
> that I followed the wiki meticulously while doing so.  If I am
> mistaken please do let me know where I went astray.
> 
> *TESTING 123:*
> 
> getfacl shows the updated ACLs and 'testuser' has rwx permissions for
> the share.
> 
> itwerks@phmsrv01:~$ sudo getfacl /mnt/md0/samba_shares/Accounts
> [sudo] password for itwerks:
> getfacl: Removing leading '/' from absolute path names
> # file: mnt/md0/samba_shares/Accounts
> # owner: itwerks
> # group: domain\040admins
> user::rwx
> user:itwerks:rwx
> user:testuser:rwx
> group::rwx
> group:domain\040admins:rwx
> mask::rwx
> other::rwx
> default:user::rwx
> default:user:itwerks:rwx
> default:user:testuser:rwx
> default:group::rwx
> default:group:domain\040admins:rwx
> default:mask::rwx
> default:other::rwx
> 
> So, time to test from another workstation as 'testuser'...
> 
> I logged in to another workstation as 'testuser', a member of the
> Domain Users group.  In Windows Explorer I navigated to \\PHMSRV01
> and all shares are visible.  I double-click "RAID_Accounts", the
> share I've been working with above, and receive the following error:
> 
> *Windows cannot access \\phmsrv01\RAID-Accounts*
> 
> *You do not have permission to access \\phmsrv01\RAID-Accounts.
> Please contact your network administrator blah blah blah.*
> 
> If I copy this directory from the RAID array to the system drive,
> change the path in my smb.conf, and reload samba it will immediately
> be accessible.
> 
> Unless there's something obvious I'm overlooking, which I readily
> admit is entirely possible, or there's some hidden nuance only a true
> greybeard would immediately recognise, I'm at a complete loss as to
> what is causing this behaviour.
> 
> Please advise.
> 
> Kind and Gracious Regards,
> 
> JS
> 

This is very strange: getfacl is now showing testuser with rwx
permissions, so the user should be able to connect to the share.

I have been doing some work with ZFS, and this has the facility to pass
ACLs through the RAID to the underlying filesystem; I wonder if you
need something similar?

Rowland
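
Added example, not from the thread or from the Samba project: a small Python checker that parses getfacl output like the listing quoted above, decodes the octal escapes getfacl uses in names such as domain\040admins, and evaluates what a user is actually granted in the order acl(5) prescribes, including the cap the mask entry places on named users and groups. The samples are constructed (one mirrors the thread's listing, one adds a restrictive mask), and the caller supplies the user's group membership because getfacl has no knowledge of it.

```python
import re
# Constructed samples: the thread's getfacl listing, and one with a restrictive mask.
ACL_FROM_THREAD = r"""
# owner: itwerks
# group: domain\040admins
user::rwx
user:testuser:rwx
group::rwx
mask::rwx
other::rwx
default:user:testuser:rwx
"""
ACL_MASKED = r"""
# owner: root
user::rwx
user:testuser:rwx    #effective:r-x
mask::r-x
other::---
"""

def parse_getfacl(text):
    """Return (owner, owning group, access entries); 'default:' entries only seed new files."""
    # getfacl writes awkward bytes as \ooo octal escapes, e.g. "domain\040admins"
    text = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), text)
    head = dict(re.findall(r"^# (owner|group): (.+)$", text, re.M))
    entries = []
    for line in (ln.strip() for ln in text.splitlines()):
        if line and not line.startswith(("#", "default:")):
            tag, qual, perms = line.split("#")[0].strip().split(":")
            entries.append((tag, qual, perms))
    return head.get("owner", ""), head.get("group", ""), entries

def _masked(perms, mask):
    # named users and every group entry are capped by the mask entry
    return "".join(c if c in perms and c in mask else "-" for c in "rwx")

def effective_perms(text, user, groups=()):
    """Evaluate in acl(5) order: owner, named user, group class, other."""
    owner, owning_group, entries = parse_getfacl(text)
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    if user == owner:
        return next(p for t, q, p in entries if t == "user" and q == "")
    for t, q, p in entries:
        if t == "user" and q == user:
            return _masked(p, mask)
    granted = [_masked(p, mask) for t, q, p in entries
               if t == "group" and (owning_group if q == "" else q) in groups]
    if granted:  # in the group class: union of every matching entry
        return "".join(c if any(c in g for g in granted) else "-" for c in "rwx")
    return next(p for t, _, p in entries if t == "other")
```

For the thread's listing this returns rwx for testuser, which confirms that the POSIX ACL on that directory is not what denies the Windows client.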


