[Samba] NT_STATUS_ACCESS_DENIED on a directory I have permission to access
Rowland Penny
rpenny at samba.org
Thu May 9 19:48:20 UTC 2019
On Thu, 9 May 2019 15:17:07 -0400
Paul Griffith <paulg at eecs.yorku.ca> wrote:
> Hello Rowland,
>
> I went back and re-read the following links and with the changes
> listed below I resolved most of my problems.
>
> But I still can't figure out why getent doesn't return anything for
> the domain. If I use /etc/password it works as expected.
>
> - getent domain fails
> getent passwd ONEEXAMPLECA\\paulg
It should work:
rowland at devstation:~$ getent passwd SAMDOM\\rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
rowland at devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> From log.winbindd log file, nothing is returned.
>
> [2019/05/09 14:45:18.165098, 3, pid=14653, effective(0, 0), real(0,
> 0)] ../source3/winbindd/winbindd_getpwnam.c:58(winbindd_getpwnam_send)
> getpwnam ONEEXAMPLECA\paulg
>
> Any suggestions to tackle the getent domain issue?
>
> What errors could show up if we have the same user names in the local
> /etc/passwd file as in the domain?
You cannot have a user called 'paulg' in /etc/passwd and in AD; if you
do, then the user in /etc/passwd will be used and the user in AD will
be ignored.
>
>
> --- Changes made ---
>
> I removed SSSD and related packages.
>
> 1 - Since we compile Samba from source, I linked the compiled library
> libnss_winbind.so.2 into /lib64, linking libnss_winbind.so didn't
> work. I had to use strace to confirm that getent was looking for
> libnss_winbind.so.2 and not libnss_winbind.so (CentOS 7.6)
>
> 2 - verify nsswitch.conf
> grep -i winbind /etc/nsswitch.conf
> passwd: files winbind
> group: files winbind
>
> 3 - verify /etc/krb5.conf
>
> # Configuration snippets may be placed in this directory as well
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = AD.ONE.EXAMPLE.CA
> dns_lookup_realm = false
> dns_lookup_kdc = true
> forwardable = true
> proxiable = true
> ignore_k5login = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
>
> 4 - Using the command 'samba-tool user edit paulg' I added the UNIX
> ID/GID to uidNumber and gidNumber in AD.
>
> 5 - Updated file server conf as per previous e-mails and links above
>
> [global]
> security = ADS
> workgroup = ONEEXAMPLECA
> realm = AD.ONE.EXAMPLE.CA
> hostname lookups = yes
This has nothing to do with your problem, but you really shouldn't have
the line above; you should rely on DNS.
> preferred master = no
> domain master = no
>
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 1000000-1999999
>
> # idmap config for the ONEEXAMPLECA domain
> # range should match UNIX ID in AD
> idmap config ONEEXAMPLECA : backend = ad
> idmap config ONEEXAMPLECA : schema_mode = rfc2307
> idmap config ONEEXAMPLECA : range = 1000-999999
> idmap config ONEEXAMPLECA : unix_nss_info = yes
>
> # Renew the kerberos tickets
> winbind refresh tickets = yes
>
> # Enable offline logins
> winbind offline logon = yes
>
> # User uid/Gid from AD. (rfc2307)
> winbind nss info = rfc2307
The line above has been replaced by the 'idmap config' line.
Rowland
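An offline check for the two pitfalls raised in this reply: a local /etc/passwd entry shadowing an AD account under 'passwd: files winbind', and AD uidNumbers that are missing or fall outside the 'idmap config DOMAIN : range'. This is an added example, not code from the thread or from Samba; the smb.conf fragment, passwd lines and "name uidNumber" list are constructed sample data (the domain name ONEEXAMPLECA is the one from the thread), and on a real member server you would feed the functions your own config and directory query output.

```shell
#!/bin/sh
# Constructed sample data (not taken from any real system).
SMB_CONF='[global]
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config ONEEXAMPLECA : backend = ad
idmap config ONEEXAMPLECA : range = 1000-999999'

LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
paulg:x:1001:1001:Paul Local:/home/paulg:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin'

# "name uidNumber" per AD user, as extracted from your directory query;
# carol has no uidNumber set at all (constructed).
AD_USERS='paulg 1001
alice 2500
bob 5000000
carol'

# idmap_range CONF DOMAIN -> "low high" for the named domain's idmap range
# (pass the domain literally; the '*' default domain would need regex escaping).
idmap_range() {
  printf '%s\n' "$1" |
    sed -n "s/^idmap config $2 : range = \([0-9]*\)-\([0-9]*\)/\1 \2/p"
}

# shadowed_users PASSWD AD_USERS -> AD names that also exist locally. With
# 'passwd: files winbind' the local entry wins and the AD account is ignored.
shadowed_users() {
  printf '%s\n%s\n' "$1" "$2" | awk -F'[: ]' '
    /:/ { local_user[$1] = 1; next }
    NF > 0 && ($1 in local_user) { print $1 }'
}

# out_of_range_users "low high" AD_USERS -> AD names whose uidNumber is missing
# or outside the range, so winbind cannot map them with backend = ad.
out_of_range_users() {
  lo=${1%% *}; hi=${1##* }
  printf '%s\n' "$2" | awk -v lo="$lo" -v hi="$hi" '
    NF == 0 { next }
    NF < 2 || $2 + 0 < lo + 0 || $2 + 0 > hi + 0 { print $1 }'
}

range=$(idmap_range "$SMB_CONF" ONEEXAMPLECA)
echo "ONEEXAMPLECA idmap range: $range"
echo "AD users shadowed by /etc/passwd:"; shadowed_users "$LOCAL_PASSWD" "$AD_USERS"
echo "AD users with missing/out-of-range uidNumber:"; out_of_range_users "$range" "$AD_USERS"
```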