[Samba] Can not change the share permissions

Rommel Rodriguez Toirac rommelrt at nauta.cu
Thu Apr 6 13:47:37 UTC 2017


Hello all;
In my network I have a server with samba4 as AD DC and two domain members as file servers with samba4. One of them works properly, but the other does not.
My samba4 AD DC version is compiled from sources: 

[root at gtmad ~]# samba -V
Version 4.5.5

The samba4 domain member (file server) is installed from .rpm packages of CentOS7.

[root at gtmpve /]# uname --all
Linux gtmpve.gtm.onat.gob.cu 3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3 00:04:05 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

[root at gtmpve /]# smbd -V
Version 4.4.4

[root at gtmpve /]# nmbd -V
Version 4.4.4

[root at gtmpve /]# winbindd -V
Version 4.4.4

The problem is that I cannot share a directory using Windows or POSIX ACLs.
Trying with Windows ACLs: I use the Windows 7 RSAT. I use Computer Management and the Shared Folders option. There I change the folder permissions using the Share Permissions tab with no problem, but when I try with the Security tab it never lets me, because of "No access, permission denied". From the network, I can see the share, but cannot access it or its content.

Locally (on the CentOS7 PC with samba4) I can change the owner and permissions of the directory:

chmod -R 770 /samba/bibliografia/
chown -R 'ATGTM00\Administrator':'ATGTM00\Domain Admins' /samba/bibliografia/

I test and I guess it is OK:

[root at gtmpve /]# getfacl --access /samba/bibliografia
getfacl: Eliminando '/' inicial en nombres de ruta absolutos
# file: samba/bibliografia
# owner: ATGTM00\134administrator
# group: ATGTM00\134domain\040admins
user::rwx
group::rwx
other::---

I check if everything is in place for winbind and if it is working fine: 

[root at gtmpve /]# smbd -b | grep LIBDIR
LIBDIR: /usr/lib64 

[root at gtmpve /]# find / -type f -name pam_winbind.so
/usr/lib64/security/pam_winbind.so

[root at gtmpve /]# ln -s /usr/lib64/security/pam_winbind.so /lib64/security/
ln: fallo al crear el enlace simbólico «/lib64/security/pam_winbind.so»: El fichero ya existe (File already exist)

[root at gtmpve /]# ln -s /usr/lib64/libnss_winbind.so.2 /lib64/
ln: fallo al crear el enlace simbólico «/lib64/libnss_winbind.so.2»: El fichero ya existe

[root at gtmpve /]# ln -s /lib64/libnss_winbind.so.2 /lib64/libnss_winbind.so
ln: fallo al crear el enlace simbólico «/lib64/libnss_winbind.so»: El fichero ya existe


[root at gtmpve lib64]# ldconfig --print-cache 
339 bibliotecas se encontraron en la caché `/etc/ld.so.cache'
libnss_winbind.so.2 (libc6,x86-64) => /lib64/libnss_winbind.so.2
libnss_winbind.so (libc6,x86-64) => /lib64/libnss_winbind.so

[root at gtmpve /]# wbinfo --ping-dc
checking the NETLOGON for domain[ATGTM00] dc connection to "gtmad.gtm.onat.gob.cu" succeeded

[root at gtmpve /]# wbinfo -u (Not the complete list, to keep the email short)
ATGTM00\rommel
ATGTM00\administrator

[root at gtmpve /]# wbinfo -g
ATGTM00\informatica
ATGTM00\domain controllers
ATGTM00\economia
ATGTM00\domain admins
ATGTM00\domain users

I made a lot of tests and checks. Here are the results:

[root at gtmpve /]# net ads info
LDAP server: 192.168.41.17
LDAP server name: gtmad.gtm.onat.gob.cu
Realm: GTM.ONAT.GOB.CU
Bind Path: dc=GTM,dc=ONAT,dc=GOB,dc=CU
LDAP port: 389
Server time: vie, 31 mar 2017 11:04:12 CDT
KDC server: 192.168.41.17
Server time offset: 0
Last machine account password change: lun, 27 mar 2017 17:09:04 CDT

[root at gtmpve /]# getent passwd (Not the complete list, to keep the email short)
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin
ATGTM00\rommel:*:21144:20513:Rommel Rodriguez Toirac:/home/rommel:/bin/bash
ATGTM00\administrator:*:20500:20513::/home/administrator:/bin/bash

[root at gtmpve /]# getent group
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
nfsnobody:x:65534:
ntp:x:38:
wbpriv:x:88:
saslauth:x:76:
ATGTM00\informatica:x:21142:
ATGTM00\economia:x:21162:
ATGTM00\domain admins:x:20512:
ATGTM00\domain users:x:20513:


[root at gtmpve /]# getent passwd 'ATGTM00\administrator'
ATGTM00\administrator:*:20500:20513::/home/administrator:/bin/bash

[root at gtmpve /]# getent passwd 'ATGTM00\rommel'
ATGTM00\rommel:*:21144:20513:Rommel Rodriguez Toirac:/home/rommel:/bin/bash

[root at gtmpve /]# id 'ATGTM00\rommel'
uid=21144(ATGTM00\rommel) gid=20513(ATGTM00\domain users) grupos=20513(ATGTM00\domain users),21144(ATGTM00\rommel),21142(ATGTM00\informatica),90000002(BUILTIN\users)

[root at gtmpve /]# id 'ATGTM00\Administrator'
uid=20500(ATGTM00\administrator) gid=20513(ATGTM00\domain users) grupos=20513(ATGTM00\domain users),20500(ATGTM00\administrator),20520(ATGTM00\group policy creator owners),20572(ATGTM00\denied rodc password replication group),20519(ATGTM00\enterprise admins),20518(ATGTM00\schema admins),20512(ATGTM00\domain admins),90000002(BUILTIN\users),90000001(BUILTIN\administrators)

Here is where I see some problem. "Could not connect to server 127.0.0.1": I suppose that it must be 192.168.41.17, which is the IP address of the samba4 AD DC.

[root at gtmpve ~]# net rpc rights list privileges SeDiskOperatorPrivilege -U 'ATGM00\administrator'
Enter ATGM00\administrator's password:
Bad SMB2 signature for message
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0000] 85 28 83 F4 26 78 EB 45 1C DE 05 C1 EE E1 C3 84 .(..&x.E ........
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_ACCESS_DENIED

[root at gtmpve ~]# net rpc rights grant "ATGTM00\Domain Admins" SeDiskOperatorPrivilege -U "ATGM00\administrator"
Enter ATGM00\administrator's password:
Bad SMB2 signature for message
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0000] 2C 58 E4 F2 35 60 CC 3B A7 D6 D5 60 C4 C7 BF 27 ,X..5`.; ...`...'
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_ACCESS_DENIED


Some of my configurations:

[root at gtmpve /]# cat /etc/nsswitch.conf (Just the part that includes winbind)
#
passwd: files winbind
group: files winbind


The samba4 configuration:

[root at gtmpve samba]# cat /etc/samba/smb.conf
[global]
netbios name = gtmpve
security = ADS
workgroup = ATGTM00
realm = GTM.ONAT.GOB.CU

log file = /var/log/samba/%m.log
log level = 10

idmap config *:backend = tdb
idmap config *:range = 2000-9999

idmap config ATGTM00:backend = rid
idmap config ATGTM00:range = 10000-99999

winbind nss info = template
winbind enum groups = yes
winbind enum users = yes

template shell = /bin/bash
template homedir = /home/%U

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
create mask = 0666
directory mask = 0777
dos filemode = yes
acl allow execute always = yes

guest account = nobody
map to guest = Bad User

server string = Servidor de archivos #2
server role = member server
local master = no
domain master = no
preferred master = no

load printers = no
printcap name = /dev/null
disable spoolss = yes

[bibliografia]
path = /samba/bibliografia/
read only = no
printable = no
writeable = yes
browseable = yes

Kerberos configuration:

[root at gtmpve samba]# cat /etc/krb5.conf
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = GTM.ONAT.GOB.CU

Other configurations:

[root at gtmpve samba]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.41.16 gtmpve.gtm.onat.gob.cu gtmpve

[root at gtmpve samba]# cat /etc/hostname
gtmpve.gtm.onat.gob.cu

[root at gtmpve samba]# cat /etc/resolv.conf 
# Generated by NetworkManager
search gtm.onat.gob.cu
nameserver 192.168.41.17
nameserver 192.168.41.12

Any idea of what can be happening to me, that I cannot change the permissions of shares on the samba4 domain member which will be a file server?

Rommel Rodriguez Toirac
rommelrt at nauta.cu
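The getfacl and id output quoted above is enough to replay the POSIX access decision for the share path: the directory is owned by Administrator with group "Domain Admins" and mode 770, so a user who is neither the owner nor in that group falls through to other::---. The following checker is an added example, not code from the original post or from the Samba project; it parses getfacl output (including the \134 and \040 octal escapes getfacl uses for backslash and space) and id output, then applies the POSIX ACL evaluation order (owner, named user, matching group entries under the mask, other). The sample strings are constructed copies of the post's output; ID_ADMIN is shortened to the groups that matter here.

```python
"""Replay a POSIX ACL access decision from `getfacl` and `id` output (added example)."""
import re

# Constructed sample input, modelled on the getfacl output quoted in the post.
GETFACL_BIBLIOGRAFIA = r"""
# file: samba/bibliografia
# owner: ATGTM00\134administrator
# group: ATGTM00\134domain\040admins
user::rwx
group::rwx
other::---
"""

# Constructed `id` output for a regular domain user and for Administrator
# (the 'grupos=' label is the Spanish locale shown in the post).
ID_ROMMEL = (r"uid=21144(ATGTM00\rommel) gid=20513(ATGTM00\domain users) "
             r"grupos=20513(ATGTM00\domain users),21144(ATGTM00\rommel),"
             r"21142(ATGTM00\informatica),90000002(BUILTIN\users)")
ID_ADMIN = (r"uid=20500(ATGTM00\administrator) gid=20513(ATGTM00\domain users) "
            r"grupos=20513(ATGTM00\domain users),20512(ATGTM00\domain admins),"
            r"90000001(BUILTIN\administrators)")

OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")   # getfacl escape such as \134 or \040
ID_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")   # "20513(ATGTM00\domain users)"


def unescape_getfacl(name):
    """getfacl prints backslash and space inside names as \\134 and \\040 octal escapes."""
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """Return (owner, owning group, entries); each entry is (tag, qualifier, perms set)."""
    owner = group = ""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("default:"):   # default ACLs do not grant access
            continue
        if line.startswith("# owner:"):
            owner = unescape_getfacl(line.split(":", 1)[1].strip())
        elif line.startswith("# group:"):
            group = unescape_getfacl(line.split(":", 1)[1].strip())
        elif line.startswith("#"):
            continue
        else:
            # e.g. "group:ATGTM00\134informatica:r-x   #effective:r-x"; names never
            # contain raw spaces because getfacl escapes them, so split on whitespace first.
            tag, qualifier, perms = line.split()[0].split(":", 2)
            entries.append((tag, unescape_getfacl(qualifier).lower(), set(perms) - {"-"}))
    return owner, group, entries


def parse_id(text):
    """Return (user name, set of group names) from `id` output, lower-cased for comparison."""
    found = ID_ENTRY.findall(text)
    user = found[0][1].lower()
    groups = {name.lower() for _, name in found[1:]}   # primary gid plus supplementary groups
    return user, groups


def can_access(acl_text, id_text, requested):
    """POSIX ACL order: owner entry, then named user, then any matching group entry, else other."""
    owner, owning_group, entries = parse_getfacl(acl_text)
    user, groups = parse_id(id_text)
    want = set(requested)
    mask = next((p for t, _, p in entries if t == "mask"), None)

    def masked(p):   # the mask caps named-user and all group entries, never user:: or other::
        return p & mask if mask is not None else p

    if user == owner.lower():
        return want <= next(p for t, q, p in entries if t == "user" and q == "")
    for t, q, p in entries:
        if t == "user" and q == user:
            return want <= masked(p)
    group_entries = [masked(p) for t, q, p in entries
                     if t == "group" and (owning_group.lower() if q == "" else q) in groups]
    if group_entries:
        # a single matching group entry must grant every requested bit
        return any(want <= p for p in group_entries)
    return want <= next(p for t, q, p in entries if t == "other")


if __name__ == "__main__":
    for label, who in (("rommel", ID_ROMMEL), ("administrator", ID_ADMIN)):
        print(label, "can read the share path:", can_access(GETFACL_BIBLIOGRAFIA, who, "r"))
```

Run against the post's own data, the checker reports that rommel gets no access at all while Administrator gets rwx, which is exactly the "can see the share but cannot access it" symptom for a user outside Domain Admins. Paste the real getfacl and id output in place of the constructed strings to test other users, or a getfacl listing with named group entries and a mask to see the mask applied.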
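The smb.conf above relies on two idmap ranges, a tdb default for "*" and a rid range for ATGTM00, and every uid and gid winbind hands out should fall inside one of them. The following script is an added example, not code from the original post or from the Samba project; it parses the "idmap config" lines out of smb.conf text, flags missing backends or ranges and overlapping ranges, and lists any ids in `id` output that no configured range covers. The SMB_CONF and ID_ROMMEL strings are constructed copies of what the post shows.

```python
"""Sanity-check smb.conf idmap ranges and the ids winbind actually returns (added example)."""
import re

# Constructed excerpt of the [global] section quoted in the post.
SMB_CONF = """
[global]
workgroup = ATGTM00
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config ATGTM00:backend = rid
idmap config ATGTM00:range = 10000-99999
"""

# Constructed copy of the `id` output quoted in the post.
ID_ROMMEL = (r"uid=21144(ATGTM00\rommel) gid=20513(ATGTM00\domain users) "
             r"grupos=20513(ATGTM00\domain users),21144(ATGTM00\rommel),"
             r"21142(ATGTM00\informatica),90000002(BUILTIN\users)")

IDMAP_LINE = re.compile(r"^\s*idmap config\s+([^:]+):\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
ID_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_LINE.match(line)
        if not m:
            continue
        domain, option, value = m.group(1).strip(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(domain, {})
        if option == "range":
            low, high = (int(x) for x in re.split(r"\s*-\s*", value))
            entry["range"] = (low, high)
        else:
            entry[option] = value
    return domains


def find_problems(domains):
    """Configuration defects: no '*' default, missing backend/range, inverted or overlapping ranges."""
    problems = []
    if "*" not in domains:
        problems.append("no 'idmap config *' default domain")
    for name, entry in domains.items():
        if "backend" not in entry:
            problems.append(f"{name}: missing backend")
        if "range" not in entry:
            problems.append(f"{name}: missing range")
        elif entry["range"][0] >= entry["range"][1]:
            problems.append(f"{name}: range low >= high")
    ranged = sorted(d for d in domains if "range" in domains[d])
    for i, a in enumerate(ranged):
        for b in ranged[i + 1:]:
            la, ha = domains[a]["range"]
            lb, hb = domains[b]["range"]
            if la <= hb and lb <= ha:
                problems.append(f"ranges of {a} and {b} overlap")
    return problems


def uncovered_ids(domains, id_text):
    """Ids from `id` output that lie outside every configured range, as (id, name) pairs."""
    ranges = [e["range"] for e in domains.values() if "range" in e]
    seen = set()
    out = []
    for num, name in ID_ENTRY.findall(id_text):
        n = int(num)
        if n not in seen and not any(lo <= n <= hi for lo, hi in ranges):
            out.append((n, name))
        seen.add(n)
    return out


if __name__ == "__main__":
    domains = parse_idmap(SMB_CONF)
    print("problems:", find_problems(domains) or "none")
    print("ids outside configured ranges:", uncovered_ids(domains, ID_ROMMEL))
```

On the post's own configuration the two ranges are well formed and do not overlap, but the BUILTIN ids in the id output (90000001 and 90000002) sit outside both configured ranges; that is a fact worth noting when reading the output, since ids that no current range covers usually come from an earlier range or from a different mapping than the one smb.conf now describes.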

