[Samba] Group Permissions Not Working

Banks, David (db2d) db2d at virginia.edu
Tue Apr 30 16:22:10 UTC 2019


Test 1:
User User1 is a member of group Group1.
Group1 has R-X rights to the shared folder SITES.
When User1 connects to the server over SMB he sees SITES but when he tries to access it he gets access denied.
Logs for the attempt show “chdir (/srv/SITES) failed, reason: Permission denied”

Test 2:
The same user can connect to the server over SSH and access the folder according to the group permissions as expected.

Test 3:
The user is given specific permissions (via setfacl -m u:user1:r-x) or general permissions (via chmod o+rx).
User1 connects over SMB and has access to the share as expected.

I can’t figure out if this is a problem with my config or with samba. I question samba but I have this working just fine on an older server. I think SSSD is OK as it seems to be authenticating the user just fine.
Group1 definitely has R-X permissions to the folder.
User1 is definitely a member of Group1 as confirmed by command ‘groups User1’.
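The "Permission denied" in Test 1 comes from the kernel's POSIX check on smbd's chdir("/srv/SITES") as the connecting user, and that check runs against the uid and gids in the SMB session token, which smbd builds from the user's SIDs through idmap/winbind rather than from the NSS group list that `id` and an SSH login use. The script below is an added example, not part of the original post: it models that access decision so the same directory can be evaluated against both group lists. All user, group and mode values in `demo` are constructed to mirror the three tests; `check_share_path` is a hypothetical helper that feeds real `stat` and `id` output into the same check on the Samba host.

```shell
#!/bin/sh
# Added example, not from the original post: model the POSIX check the kernel
# applies when smbd does chdir("/srv/SITES") as the connecting user, and run
# it against different group lists. Only classic mode bits are modelled;
# POSIX ACL entries added with setfacl (Test 3) are not.

# in_list NEEDLE "ITEM ITEM ..." -> 0 if NEEDLE is one of the space-separated items
in_list() {
    needle=$1
    for item in $2; do
        [ "$item" = "$needle" ] && return 0
    done
    return 1
}

# posix_can_traverse MODE OWNER GROUP USER "GROUPS"
#   MODE   octal mode as printed by `stat -c %a` (750, 0750 and 2750 all work)
#   OWNER  owning user name; GROUP owning group name
#   USER   user attempting chdir(); GROUPS that user's group names
#          (primary and supplementary), space separated
# Returns 0 when r-x is granted, 1 otherwise. Only the first matching class
# (owner, then group, then other) is consulted, exactly as the kernel does.
posix_can_traverse() {
    mode=000$1; owner=$2; group=$3; user=$4; glist=$5
    perm=${mode#"${mode%???}"}          # last three octal digits
    u=${perm%??}; o=${perm#??}
    g=${perm#?}; g=${g%?}
    if [ "$user" = "$owner" ]; then
        bits=$u
    elif in_list "$group" "$glist"; then
        bits=$g
    else
        bits=$o
    fi
    case $bits in
        5|7) return 0 ;;                 # read (4) + execute (1) both present
        *)   return 1 ;;
    esac
}

# check_share_path PATH USER: live check on the Samba host using stat(1) and
# the NSS group list from id(1), i.e. the view the SSH test (Test 2) gets.
check_share_path() {
    path=$1; user=$2
    info=$(stat -c '%a %U %G' "$path") || return 2
    set -- $info
    if posix_can_traverse "$1" "$2" "$3" "$user" "$(id -Gn "$user")"; then
        echo "NSS groups of $user allow traverse of $path (mode $1, $2:$3)"
    else
        echo "NSS groups of $user deny traverse of $path (mode $1, $2:$3)"
    fi
}

# Constructed inputs (not from the post) mirroring the three tests.
demo() {
    posix_can_traverse 750 root Group1 User1 "domain-users Group1" \
        && echo "Test 2 (SSH, NSS groups include Group1): allowed"
    posix_can_traverse 750 root Group1 User1 "domain-users" \
        || echo "Test 1 (SMB token lacks Group1's gid):   denied"
    posix_can_traverse 755 root Group1 User1 "domain-users" \
        && echo "Test 3 (chmod o+rx, group irrelevant):   allowed"
}
demo
```

If `check_share_path /srv/SITES User1` says the NSS groups allow traverse while the SMB connection is still denied, the discrepancy is between the two group lists, not in the directory's mode: the gid of Group1 is missing from the session token that smbd builds for the user, and the idmap/winbind side is where to look. A chmod o+rx or a named-user ACL entry bypasses the group class entirely, which is why Test 3 succeeds without telling you anything about group resolution.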


Current Server (not working):
Ubuntu 18.04.2
SSSD
Samba 4.7.6-Ubuntu

Older Server (working with same permissions):
Ubuntu 16.04.6
Winbind
Samba 4.3.11-Ubuntu



Current Server Config:
smb.conf
[global]
       security = ADS
       realm = DOMAIN.COM
       workgroup = DOMAIN
       kerberos method = secrets and keytab

       idmap config *:backend = tdb
       idmap config *:range = 1000-50000
       idmap config DOMAIN:backend = ad
       idmap config DOMAIN:range = 100000-500000
       idmap config DOMAIN:schema_mode = rfc2307bis
       idmap config DOMAIN:unix_nss_info = no
       idmap config DOMAIN:default = yes

       winbind enum users = yes
       winbind enum groups = yes
       winbind nested groups = true 
       winbind use default domain = yes
       winbind refresh tickets = yes

       template homedir = /home/%U
       template shell = /bin/bash
       client signing = yes
       client use spnego = yes
       client ipc min protocol = SMB2
       client ntlmv2 auth = yes
       encrypt passwords = true
       restrict anonymous = 2
       disable netbios = yes
       smb ports = 445
       unix extensions = no

       interfaces = lo bond0
       bind interfaces only = yes

       vfs objects = shadow_copy2 acl_xattr

       ### Previous Versions
       shadow:snapdir = .zfs/snapshot
       shadow:sort = desc
       shadow:format = %Y-%m-%d_%H:%M:%S_%Z
       shadow:localtime = yes

       ### NT ACLs
       acl_xattr:ignore system acls = yes
       acl_xattr:default acl style = windows

       ### ACLs
       nt acl support = yes
       acl group control = yes
       map acl inherit = Yes
       store dos attributes = yes

       ### ABE
       hide unreadable = yes
       access based share enum = true

       server string = %h server (Samba, Ubuntu)
       dns proxy = no

       #### Debugging/Accounting ####
       log level = 3
       log file = /var/log/samba/log.%m
       max log size = 1000
       panic action = /usr/share/samba/panic-action %d

       ####### Authentication #######
       server role = member server
       passdb backend = tdbsam
       obey pam restrictions = yes
       unix password sync = yes
       passwd program = /usr/bin/passwd %u
       passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
       pam password change = yes
       map to guest = bad user

       ### Shares
       writable = yes
       read only = no
       usershare allow guests = no
       browseable = yes
       guest ok = no
       valid users = @"DOMAIN\Group1"
       admin users = @"DOMAIN\Admin"

       include = /etc/samba/smb.conf.%i


smb.conf.{SERVICE_IP}
[global]
	bind interfaces only = yes
	interfaces = lo {SERVICE_IP}

	log file = /var/log/samba/log.%i
	max log size = 1000

	keepalive = 60
	deadtime = 10

[ADMIN]
	comment = Administrative Share
	path = /srv/ADMIN_SHARES

	valid users = @"DOMAIN\Admin"

[SITES]
	comment = ASchool Website Folders
	path = /srv/SITES

	shadow:basedir = /srv/SITES
	wide links = yes

	valid users = @"DOMAIN\Group1"


sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = DOMAIN.COM
debug_level = 0x3ff0
#debug_level = 1

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 0x3ff0
#debug_level = 1

[pam]
reconnection_retries = 3
debug_level = 0x3ff0
#debug_level = 1

pam_id_timeout = 10


[domain/DOMAIN.COM]
id_provider = ad
access_provider = ad
debug_level = 0x3ff0
#debug_level = 1
ldap_id_mapping = true
#ldap_schema = rfc2307bis
#use_fully_qualified_names = True

override_homedir = /home/%u
default_shell = /bin/bash

krb5_keytab = /etc/krb5.keytab
krb5_realm = DOMAIN.COM

ldap_search_base = dc=domain,dc=com
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

ad_hostname = Server.DOMAIN.COM
ad_domain = DOMAIN.COM

ldap_id_mapping = true
default_shell = /bin/bash

ldap_referrals = false

# 2019-03-30: https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
#ignore_group_members = true
ldap_purge_cache_timeout = 0

krb5_auth_timeout = 15

# 2019-04-01: Old config
cache_credentials = True
ldap_schema = ad


Samba Server Logs:
[2019/04/30 11:28:20.929897,  3] ../source3/smbd/msdfs.c:1008(get_referred_path)
 get_referred_path: |SITES| in dfs path \Server.Domain.com\SITES is not a dfs root.
[2019/04/30 11:28:20.929958,  3] ../source3/smbd/smb2_server.c:3139(smbd_smb2_request_error_ex)
 smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:309
[2019/04/30 11:28:20.935817,  3] ../lib/util/access.c:365(allow_access)
 Allowed connection from 172.25.190.227 (172.25.190.227)
[2019/04/30 11:28:20.935874,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
 string_to_sid: SID @DOMAIN\Group1 is not in a valid format
[2019/04/30 11:28:20.937229,  3] ../source3/smbd/service.c:595(make_connection_snum)
 Connect path is '/srv/SITES' for service [SITES]
[2019/04/30 11:28:20.937284,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
 string_to_sid: SID @DOMAIN\Group1 is not in a valid format
[2019/04/30 11:28:20.938495,  3] ../source3/smbd/vfs.c:113(vfs_init_default)
 Initialising default vfs hooks
[2019/04/30 11:28:20.938545,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
 Initialising custom vfs hooks from [/[Default VFS]/]
[2019/04/30 11:28:20.938568,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
 Initialising custom vfs hooks from [acl_xattr]
[2019/04/30 11:28:20.938589,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
 Initialising custom vfs hooks from [shadow_copy2]
[2019/04/30 11:28:20.938621,  2] ../source3/modules/vfs_acl_xattr.c:236(connect_acl_xattr)
 connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service SITES
[2019/04/30 11:28:20.938675,  3] ../source3/modules/vfs_acl_xattr.c:269(connect_acl_xattr)
 connect_acl_xattr: setting 'directory mask = 0777', 'store dos attributes = yes' and all 'map ...' options to 'no'
[2019/04/30 11:28:20.938855,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
 string_to_sid: SID @DOMAIN\Group1 is not in a valid format
[2019/04/30 11:28:20.939990,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
 string_to_sid: SID @DOMAIN\Group1 is not in a valid format
[2019/04/30 11:28:20.941231,  2] ../source3/smbd/service.c:841(make_connection_snum)
 6ac25304c5d6d4 (ipv4:172.25.190.227:53406) connect to service SITES initially as user DOMAIN\User1 (uid={UID}, gid={GID}) (pid 16118)
[2019/04/30 11:28:21.505492,  3] ../source3/smbd/service.c:120(set_current_service)
 chdir (/srv/SITES) failed, reason: Permission denied
[2019/04/30 11:28:21.505548,  3] ../source3/smbd/smb2_server.c:3139(smbd_smb2_request_error_ex)
 smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_server.c:2491