[Samba] Can not change the share permissions

Rommel Rodriguez Toirac rommelrt at nauta.cu
Thu Apr 6 13:47:37 UTC 2017

Hello all;
In my network I have a server with samba4 as AD DC and two domain members as file servers with samba4. One of them works properly, but the other does not.
My samba4 AD DC is compiled from sources:

[root at gtmad ~]# samba -V
Version 4.5.5

The samba4 domain member (file server) is installed from the .rpm packages of CentOS7.

[root at gtmpve /]# uname --all
Linux gtmpve.gtm.onat.gob.cu 3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3 00:04:05 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

[root at gtmpve /]# smbd -V
Version 4.4.4

[root at gtmpve /]# nmbd -V
Version 4.4.4

[root at gtmpve /]# winbindd -V
Version 4.4.4

The problem is that I can not share a directory using Windows or POSIX ACLs.
Trying with Windows ACLs: I use the Windows 7 RSAT. I use Computer Management and the Shared Folders option. There I change the folder permissions using the Share Permissions tab with no problem, but when I try with the Security tab it never lets me, because of "No access, permission denied". From the network I can see the share, but I can not access it or its content.

Locally (in the CentOS7 PC with samba4) I can change the owner and permission of the directory:

chmod -R 770 /samba/bibliografia/
chown -R 'ATGTM00\Administrator':'ATGTM00\Domain Admins' /samba/bibliografia/

I test and I guess it is OK:

[root at gtmpve /]# getfacl --access /samba/bibliografia
getfacl: Eliminando '/' inicial en nombres de ruta absolutos
# file: samba/bibliografia
# owner: ATGTM00\134administrator
# group: ATGTM00\134domain\040admins

I check if everything is in place for winbind and if it is working fine: 

[root at gtmpve /]# smbd -b | grep LIBDIR
LIBDIR: /usr/lib64 

[root at gtmpve /]# find / -type f -name pam_winbind.so

[root at gtmpve /]# ln -s /usr/lib64/security/pam_winbind.so /lib64/security/
ln: fallo al crear el enlace simbólico «/lib64/security/pam_winbind.so»: El fichero ya existe (File already exists)

[root at gtmpve /]# ln -s /usr/lib64/libnss_winbind.so.2 /lib64/
ln: fallo al crear el enlace simbólico «/lib64/libnss_winbind.so.2»: El fichero ya existe

[root at gtmpve /]# ln -s /lib64/libnss_winbind.so.2 /lib64/libnss_winbind.so
ln: fallo al crear el enlace simbólico «/lib64/libnss_winbind.so»: El fichero ya existe

[root at gtmpve lib64]# ldconfig --print-cache 
339 bibliotecas se encontraron en la caché `/etc/ld.so.cache'
libnss_winbind.so.2 (libc6,x86-64) => /lib64/libnss_winbind.so.2
libnss_winbind.so (libc6,x86-64) => /lib64/libnss_winbind.so

[root at gtmpve /]# wbinfo --ping-dc
checking the NETLOGON for domain[ATGTM00] dc connection to "gtmad.gtm.onat.gob.cu" succeeded

[root at gtmpve /]# wbinfo -u (Not the complete list, to reduce the email)

[root at gtmpve /]# wbinfo -g
ATGTM00\domain controllers
ATGTM00\domain admins
ATGTM00\domain users

I make a lot of tests and checks. Here are the results:

[root at gtmpve /]# net ads info
LDAP server:
LDAP server name: gtmad.gtm.onat.gob.cu
Bind Path: dc=GTM,dc=ONAT,dc=GOB,dc=CU
LDAP port: 389
Server time: vie, 31 mar 2017 11:04:12 CDT
KDC server:
Server time offset: 0
Last machine account password change: lun, 27 mar 2017 17:09:04 CDT

[root at gtmpve /]# getent passwd (Not the complete list, to reduce the length of the email)
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin
ATGTM00\rommel:*:21144:20513:Rommel Rodriguez Toirac:/home/rommel:/bin/bash

[root at gtmpve /]# getent group
ATGTM00\domain admins:x:20512:
ATGTM00\domain users:x:20513:

[root at gtmpve /]# getent passwd 'ATGTM00\administrator'

[root at gtmpve /]# getent passwd 'ATGTM00\rommel'
ATGTM00\rommel:*:21144:20513:Rommel Rodriguez Toirac:/home/rommel:/bin/bash

[root at gtmpve /]# id 'ATGTM00\rommel'
uid=21144(ATGTM00\rommel) gid=20513(ATGTM00\domain users) grupos=20513(ATGTM00\domain users),21144(ATGTM00\rommel),21142(ATGTM00\informatica),90000002(BUILTIN\users)

[root at gtmpve /]# id 'ATGTM00\Administrator'
uid=20500(ATGTM00\administrator) gid=20513(ATGTM00\domain users) grupos=20513(ATGTM00\domain users),20500(ATGTM00\administrator),20520(ATGTM00\group policy creator owners),20572(ATGTM00\denied rodc password replication group),20519(ATGTM00\enterprise admins),20518(ATGTM00\schema admins),20512(ATGTM00\domain admins),90000002(BUILTIN\users),90000001(BUILTIN\administrators)

Here is where I see some problem. "Could not connect to server": I suppose that it must be the IP address of the samba4 AD DC.

[root at gtmpve ~]# net rpc rights list privileges SeDiskOperatorPrivilege -U 'ATGM00\administrator'
Enter ATGM00\administrator's password:
Bad SMB2 signature for message
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0000] 85 28 83 F4 26 78 EB 45 1C DE 05 C1 EE E1 C3 84 .(..&x.E ........
Could not connect to server
Connection failed: NT_STATUS_ACCESS_DENIED

[root at gtmpve ~]# net rpc rights grant "ATGTM00\Domain Admins" SeDiskOperatorPrivilege -U "ATGM00\administrator"
Enter ATGM00\administrator's password:
Bad SMB2 signature for message
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0000] 2C 58 E4 F2 35 60 CC 3B A7 D6 D5 60 C4 C7 BF 27 ,X..5`.; ...`...'
Could not connect to server
Connection failed: NT_STATUS_ACCESS_DENIED

Some of my configurations:

[root at gtmpve /]# cat /etc/nsswitch.conf (Just the part that include winbind)
passwd: files winbind
group: files winbind

The samba4 configuration:

[root at gtmpve samba]# cat /etc/samba/smb.conf
netbios name = gtmpve
security = ADS
workgroup = ATGTM00

log file = /var/log/samba/%m.log
log level = 10

idmap config *:backend = tdb
idmap config *:range = 2000-9999

idmap config ATGTM00:backend = rid
idmap config ATGTM00:range = 10000-99999

winbind nss info = template
winbind enum groups = yes
winbind enum users = yes

template shell = /bin/bash
template homedir = /home/%U

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
create mask = 0666
directory mask = 0777
dos filemode = yes
acl allow execute always = yes

guest account = nobody
map to guest = Bad User

server string = Servidor de archivos #2
server role = member server
local master = no
domain master = no
preferred master = no

load printers = no
printcap name = /dev/null
disable spoolss = yes

path = /samba/bibliografia/
read only = no
printable = no
writeable = yes
browseable = yes

Kerberos configuration:

[root at gtmpve samba]# cat /etc/krb5.conf
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = GTM.ONAT.GOB.CU

Others configurations:

[root at gtmpve samba]# cat /etc/hosts localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 gtmpve.gtm.onat.gob.cu gtmpve

[root at gtmpve samba]# cat /etc/hostname

[root at gtmpve samba]# cat /etc/resolv.conf 
# Generated by NetworkManager
search gtm.onat.gob.cu

Any idea of what can be happening to me, that I can not change the permissions of shares on the samba4 domain member which will be a file server?

Rommel Rodriguez Toirac
rommelrt at nauta.cu
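As an added example (not code from the post or from the Samba project), a small Python checker that parses the idmap lines of an smb.conf like the one above, derives the uid/gid the rid backend produces for a given RID (RID plus the low end of the range, Samba's documented formula with the default base_rid of 0), and flags ids in `id` output that fall outside every configured range. SMB_CONF and ID_OUTPUT are constructed samples built from the values in the post.

```python
import re

# Constructed sample: the idmap lines from the post's smb.conf; the parser
# ignores every other line, so the whole file could be passed in as well.
SMB_CONF = """
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config ATGTM00:backend = rid
idmap config ATGTM00:range = 10000-99999
"""
# Constructed sample of `id` output for a domain user on the member server.
ID_OUTPUT = ("uid=21144(ATGTM00\\rommel) gid=20513(ATGTM00\\domain users) "
             "grupos=20513(ATGTM00\\domain users),21144(ATGTM00\\rommel),"
             "21142(ATGTM00\\informatica),90000002(BUILTIN\\users)")
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+([^:\s]+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {'backend': str, 'range': (lo, hi)}} from smb.conf text."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
            entry = cfg.setdefault(dom, {})
            if key == "range":
                lo, hi = (int(x) for x in val.split("-"))
                entry["range"] = (lo, hi)
            else:
                entry["backend"] = val.lower()
    return cfg

def expected_rid_id(cfg, dom, rid):
    """uid/gid the rid backend derives for a RID: RID plus the range's low end
    (idmap_rid formula ID = RID - BASE_RID + LOW_RANGE_ID, base_rid = 0)."""
    return cfg[dom]["range"][0] + rid

def classify_ids(cfg, id_output):
    """Map each 'num(name)' in `id` output to the domain whose range holds it;
    None means no configured range covers it, so the current idmap settings
    did not produce that mapping and it deserves a closer look."""
    out = {}
    for num, name in re.findall(r"(\d+)\(([^)]*)\)", id_output):
        n = int(num)
        owner = next((d for d, e in cfg.items()
                      if e["range"][0] <= n <= e["range"][1]), None)
        out[name] = (n, owner)
    return out
```

Ids that no range covers (BUILTIN\users at 90000002 in the sample) and ids that differ from expected_rid_id for a well-known RID (513 is Domain Users) were not produced by the idmap settings currently in smb.conf; in practice that usually means mappings from an earlier configuration are still held in winbind's cache and should be cleared up before expecting ACLs to map cleanly.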
