[Samba] User Permissions issue
Rowland Penny
rpenny at samba.org
Tue Jan 16 13:09:52 UTC 2018
On Tue, 16 Jan 2018 14:31:09 +0200
Harsh Kukreja via samba <samba at lists.samba.org> wrote:
> Hi Denis
>
> Thanks for your advice; I will not use these wordings here.
>
> Please check the result below when I run the command on DC-1 when
> DC-2 is off or on:
> smbclient -k //IUMSVRAPP01/Pastel12 -d 9
> INFO: Current debug levels:
> all: 9
> tdb: 9
> printdrivers: 9
> lanman: 9
> smb: 9
> rpc_parse: 9
> rpc_srv: 9
> rpc_cli: 9
> passdb: 9
> sam: 9
> auth: 9
> winbind: 9
> vfs: 9
> idmap: 9
> quota: 9
> acls: 9
> locking: 9
> msdfs: 9
> dmapi: 9
> registry: 9
> scavenger: 9
> dns: 9
> ldb: 9
> tevent: 9
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> INFO: Current debug levels:
> all: 9
> tdb: 9
> printdrivers: 9
> lanman: 9
> smb: 9
> rpc_parse: 9
> rpc_srv: 9
> rpc_cli: 9
> passdb: 9
> sam: 9
> auth: 9
> winbind: 9
> vfs: 9
> idmap: 9
> quota: 9
> acls: 9
> locking: 9
> msdfs: 9
> dmapi: 9
> registry: 9
> scavenger: 9
> dns: 9
> ldb: 9
> tevent: 9
> Processing section "[global]"
> doing parameter workgroup = IUMNET
> doing parameter realm = IUMNET.EDU.NA
> doing parameter netbios name = IUMDCDP01
> doing parameter server role = active directory domain controller
> doing parameter dns forwarder = 172.16.10.254
> doing parameter domain master = yes
> doing parameter preferred master = yes
> doing parameter password server = 172.16.10.5
> doing parameter allow dns updates = nonsecure and secure
> doing parameter ntlm auth = yes
> doing parameter client use spnego = no
> doing parameter client ldap sasl wrapping = sign
> doing parameter ldap server require strong auth = no
> doing parameter time server = Yes
> doing parameter template shell = /bin/bash
> doing parameter template homedir = /home/%U
> doing parameter full_audit:prefix = %u|%I|%m|%S
> doing parameter full_audit:failure = connect
> doing parameter full_audit:success = connect disconnect
> pm_process() returned Yes
> lp_servicenumber: couldn't find homes
> added interface eth0 ip=172.16.10.5 bcast=172.16.10.255 netmask=255.255.255.0
> added interface eth2 ip=192.29.0.5 bcast=192.29.255.255 netmask=255.255.0.0
> Netbios name list:-
> my_netbios_names[0]="IUMDCDP01"
> Client started (version 4.6.12-SerNet-Ubuntu-14.precise).
> Opening cache file at /var/cache/samba/gencache.tdb
> Opening cache file at /var/cache/samba/gencache_notrans.tdb
> sitename_fetch: Returning sitename for realm 'IUMNET.EDU.NA': "Default-First-Site-Name"
> no entry for IUMSVRAPP01#20 found.
> resolve_lmhosts: Attempting lmhosts lookup for name IUMSVRAPP01<0x20>
> startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
> resolve_wins: WINS server resolution selected and no WINS servers listed.
> resolve_hosts: Attempting host lookup for name IUMSVRAPP01<0x20>
> namecache_store: storing 1 address for IUMSVRAPP01#20: 172.16.10.21
> Connecting to 172.16.10.21 at port 445
> Socket options:
> SO_KEEPALIVE = 0
> SO_REUSEADDR = 0
> SO_BROADCAST = 0
> TCP_NODELAY = 1
> TCP_KEEPCNT = 9
> TCP_KEEPIDLE = 7200
> TCP_KEEPINTVL = 75
> IPTOS_LOWDELAY = 0
> IPTOS_THROUGHPUT = 0
> SO_SNDBUF = 24040
> SO_RCVBUF = 87380
> SO_SNDLOWAT = 1
> SO_RCVLOWAT = 1
> SO_SNDTIMEO = 0
> SO_RCVTIMEO = 0
> TCP_QUICKACK = 1
> TCP_DEFER_ACCEPT = 0
> session request ok
> session setup failed: NT_STATUS_INVALID_PARAMETER_MIX
>
> *Here is the smb.conf dump from DC-1:*
> # Global parameters
> [global]
> workgroup = IUMNET
> realm = IUMNET.EDU.NA
> netbios name = IUMDCDP01
> server role = active directory domain controller
> dns forwarder = 172.16.10.254
> domain master = yes
> preferred master = yes
> # server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
> password server = 172.16.10.5
> allow dns updates = nonsecure and secure
> # lanman auth = Yes
> # client lanman auth = Yes
> ntlm auth = yes
> client use spnego = no
> client ldap sasl wrapping = sign
> # ldap ssl ads = yes
> # ldap ssl = start tls
> ldap server require strong auth = no
> # wins server = iumnet.edu.na
> # wins support = Yes
> time server = Yes
> template shell = /bin/bash
> template homedir = /home/%U
> # idmap config * : backend = tdb
> # idmap config *:range = 50000-1000000
> full_audit:prefix = %u|%I|%m|%S
> full_audit:failure = connect
> full_audit:success = connect disconnect
> # log level = 9 dns:0
>
> [netlogon]
> path = /var/lib/samba/sysvol/iumnet.edu.na/scripts
> read only = No
> browsable = no
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [softshare]
> path = /home/administrator/ad
> read only = No
>
>
> *When I ran the same command on DC-2 (Samba 4.7.4):*
>
> smbclient -k //172.16.10.21/Pastel12 -d 9
> INFO: Current debug levels:
> all: 9
> tdb: 9
> printdrivers: 9
> lanman: 9
> smb: 9
> rpc_parse: 9
> rpc_srv: 9
> rpc_cli: 9
> passdb: 9
> sam: 9
> auth: 9
> winbind: 9
> vfs: 9
> idmap: 9
> quota: 9
> acls: 9
> locking: 9
> msdfs: 9
> dmapi: 9
> registry: 9
> scavenger: 9
> dns: 9
> ldb: 9
> tevent: 9
> auth_audit: 9
> auth_json_audit: 9
> kerberos: 9
> drs_repl: 9
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> INFO: Current debug levels:
> all: 9
> tdb: 9
> printdrivers: 9
> lanman: 9
> smb: 9
> rpc_parse: 9
> rpc_srv: 9
> rpc_cli: 9
> passdb: 9
> sam: 9
> auth: 9
> winbind: 9
> vfs: 9
> idmap: 9
> quota: 9
> acls: 9
> locking: 9
> msdfs: 9
> dmapi: 9
> registry: 9
> scavenger: 9
> dns: 9
> ldb: 9
> tevent: 9
> auth_audit: 9
> auth_json_audit: 9
> kerberos: 9
> drs_repl: 9
> Processing section "[global]"
> doing parameter netbios name = IUMSVRPDC
> doing parameter realm = IUMNET.EDU.NA
> doing parameter workgroup = IUMNET
> doing parameter server role = active directory domain controller
> doing parameter dns forwarder = 172.16.10.254
> doing parameter allow dns updates = nonsecure and secure
> doing parameter ntlm auth = yes
> doing parameter ldap server require strong auth = no
> doing parameter time server = Yes
> doing parameter template shell = /bin/bash
> doing parameter template homedir = /home/%U
> doing parameter full_audit:prefix = %u|%I|%m|%S
> doing parameter full_audit:failure = connect
> doing parameter full_audit:success = connect disconnect
> doing parameter tls enabled = yes
> doing parameter tls keyfile = tls/key.pem
> doing parameter tls certfile = tls/cert.pem
> doing parameter tls cafile = tls/ca.pem
> doing parameter log level = 9 dns:0
> pm_process() returned Yes
> lp_servicenumber: couldn't find homes
> added interface ens18 ip=172.16.100.5 bcast=172.16.100.255 netmask=255.255.255.0
> Netbios name list:-
> my_netbios_names[0]="IUMSVRPDC"
> Client started (version 4.7.4-SerNet-Ubuntu-6.trusty).
> Connecting to 172.16.10.21 at port 445
> Socket options:
> SO_KEEPALIVE = 0
> SO_REUSEADDR = 0
> SO_BROADCAST = 0
> TCP_NODELAY = 1
> TCP_KEEPCNT = 9
> TCP_KEEPIDLE = 7200
> TCP_KEEPINTVL = 75
> IPTOS_LOWDELAY = 0
> IPTOS_THROUGHPUT = 0
> SO_REUSEPORT = 0
> SO_SNDBUF = 87040
> SO_RCVBUF = 372480
> SO_SNDLOWAT = 1
> SO_RCVLOWAT = 1
> SO_SNDTIMEO = 0
> SO_RCVTIMEO = 0
> TCP_QUICKACK = 1
> TCP_DEFER_ACCEPT = 0
> session request ok
> negotiated dialect[SMB2_02] against server[172.16.10.21]
> got OID=1.2.840.48018.1.2.2
> Kerberos auth with 'administrator at IUMNET.EDU.NA' (IUMNET\root) to access '172.16.10.21' not possible
> SPNEGO login failed: {Access Denied} A process has requested access to an object but has not been granted those access rights.
> session setup failed: NT_STATUS_ACCESS_DENIED
>
> *Here is the smb.conf dump from DC-2:*
>
> # Global parameters
> [global]
> netbios name = IUMSVRPDC
> realm = IUMNET.EDU.NA
> workgroup = IUMNET
> server role = active directory domain controller
> dns forwarder = 172.16.10.254
> # server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
> allow dns updates = nonsecure and secure
> ntlm auth = yes
> ldap server require strong auth = no
> time server = Yes
> template shell = /bin/bash
> template homedir = /home/%U
> # idmap config * : backend = tdb
> # idmap config *:range = 50000-1000000
> full_audit:prefix = %u|%I|%m|%S
> full_audit:failure = connect
> full_audit:success = connect disconnect
> tls enabled = yes
> tls keyfile = tls/key.pem
> tls certfile = tls/cert.pem
> tls cafile = tls/ca.pem
> log level = 9 dns:0
>
> [netlogon]
> path = /var/lib/samba/sysvol/iumnet.edu.na/scripts
> read only = No
> browsable = no
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
I would make some changes to your smb.conf files:
On DC-1, I would remove these lines:
domain master = yes
preferred master = yes
password server = 172.16.10.5
client use spnego = no
client ldap sasl wrapping = sign
full_audit:prefix = %u|%I|%m|%S
full_audit:failure = connect
full_audit:success = connect disconnect
They are either default settings, shouldn't be used, or, in the case of
the 'full_audit' lines, they will do nothing because you haven't set
'vfs objects = full_audit'.
On DC-2 I would remove the 'full_audit' lines for the same reason as on
DC-1.
I would change (on both DCs) 'allow dns updates = nonsecure and secure'
to 'allow dns updates = nonsecure'.
Rowland
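As an added example (it is not part of Rowland's reply and not Samba's own tooling): a small POSIX shell linter that applies the [global] checks described above to an smb.conf, namely full_audit:* options present without 'vfs objects = full_audit' (so they do nothing), and the parameters listed for removal from an AD DC. The path is whatever you pass as the first argument; the sample smb.conf in the accompanying check is constructed to mirror the DC-1 dump. The 'allow dns updates' change is left out of the check because it is a policy choice rather than a no-op. Unlike testparm, this does not understand Samba's defaults, so treat its output as a hint and confirm with testparm on the DC.

```sh
#!/bin/sh
# Added example, not from the samba list thread or the Samba project.
# Lint the [global] section of an smb.conf for the issues discussed above.
# Assumptions: plain "key = value" syntax, '#'/';' comments, one [section]
# header per line; no "include =" or registry-backed configuration.

# Usage: lint_smbconf /path/to/smb.conf
# Prints one finding per line; the exit status is the number of findings.
lint_smbconf() {
    _f="$1"
    _findings=0

    # Extract [global] only, as "key=value" with keys lowercased and
    # surrounding whitespace stripped, skipping commented-out lines.
    _global=$(awk '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[global\]/); next }
        insec && /^[[:space:]]*[#;]/ { next }
        insec && /=/ {
            key = $0; sub(/=.*/, "", key)
            val = $0; sub(/^[^=]*=[[:space:]]*/, "", val)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            print tolower(key) "=" val
        }' "$_f")

    # full_audit:* options are read by the full_audit VFS module, so they
    # only take effect when the module is loaded via "vfs objects".
    if printf '%s\n' "$_global" | grep -q '^full_audit:'; then
        if ! printf '%s\n' "$_global" | grep -i '^vfs objects=' | grep -qi 'full_audit'; then
            echo "full_audit options are set but 'vfs objects = full_audit' is missing: they do nothing"
            _findings=$((_findings + 1))
        fi
    fi

    # Parameters that are defaults for an AD DC or should not be set on one
    # (the list from the reply above).
    for _p in 'domain master' 'preferred master' 'password server' \
              'client use spnego' 'client ldap sasl wrapping'; do
        if printf '%s\n' "$_global" | grep -q "^$_p="; then
            echo "remove '$_p' from [global] on an AD DC (default setting or should not be used)"
            _findings=$((_findings + 1))
        fi
    done

    return $_findings
}

# Stand-alone use: sh lint_smbconf.sh /etc/samba/smb.conf
if [ "$#" -gt 0 ]; then
    lint_smbconf "$1"
    echo "findings: $?"
fi
```

Run it against the DC-1 smb.conf quoted above and it reports six findings; add 'vfs objects = full_audit' to [global] (or to the share you want audited) and the full_audit warning goes away. Parameters inside share sections are deliberately ignored, since the advice concerns [global].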