[Samba] Shares stopped working for groups
Nick Howitt
nick at howitts.co.uk
Fri Jul 17 18:57:25 UTC 2020
Hi,
I have a ClearOS 7.8 system which is running
samba-4.10.4-11.el7_8.x86_64, and it upgraded to this just over a week
ago (probably not relevant). A couple of days ago all the group shares
failed. I discovered that if I switched them to the built-in group
"allusers" the share worked fine. It fails for any user-defined group
but it used to work. Samba is running as a PDC and the configs,
including one share, are:
[root@server ~]# testparm -s
Load smb config files from /etc/samba/smb.conf
NOTE: Service profiles is flagged unavailable.
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_PDC
# Global parameters
[global]
    add machine script = /usr/sbin/samba-add-machine "%u"
    domain logons = Yes
    domain master = Yes
    guest account = guest
    interfaces = lo enp8s0f0
    ldap admin dn = cn=manager,ou=Internal,dc=sha,dc=lan
    ldap connection timeout = 8
    ldap group suffix = ou=Groups,ou=Accounts
    ldap idmap suffix = ou=Idmap
    ldap machine suffix = ou=Computers,ou=Accounts
    ldap ssl = no
    ldap suffix = dc=sha,dc=lan
    ldap user suffix = ou=Users,ou=Accounts
    log file = /var/log/samba/%L-%m
    logon drive = H:
    logon home = \\%L\%U
    logon path =
    logon script = logon.cmd
    max log size = 0
    ntlm auth = ntlmv1-permitted
    passdb backend = ldapsam:ldap://127.0.0.1
    passwd chat = *password:* %n\n *password:* %n\n *successfully.*
    passwd chat timeout = 10
    passwd program = /usr/sbin/userpasswd %u
    preferred master = Yes
    printcap name = /etc/printcap
    security = USER
    server string = ClearOS Server
    template homedir = /home/%U
    template shell = /sbin/nologin
    unix password sync = Yes
    username map = /etc/samba/smbusers
    utmp = Yes
    winbind enum groups = Yes
    winbind enum users = Yes
    winbind expand groups = 1
    winbind separator = +
    winbind use default domain = Yes
    wins support = Yes
    workgroup = SHA
    idmap config * : ldap_user_dn = cn=manager,ou=Internal,dc=sha,dc=lan
    idmap config * : ldap_base_dn = ou=Idmap,dc=sha,dc=lan
    idmap config * : ldap_url = ldap://127.0.0.1
    idmap config * : range = 20000000-29999999
    idmap config * : backend = ldap
    include = /etc/samba/flexshare.conf

[test]
    comment = test
    create mask = 0664
    directory mask = 0775
    path = /var/flexshare/shares/test
    read only = No
    valid users = @%D\admin @admin
    veto files = /.flexshare*/
If I try using smbclient I get:
[root@server shares]# smbclient //localhost/test -c 'ls' -U clearcenter
Enter SHA\clearcenter's password:
tree connect failed: NT_STATUS_ACCESS_DENIED
If I change the valid users to the "allusers" group and change the
folder permissions, it works fine.
I get:
[root@server ~]# wbinfo --group-info='staff'
failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group staff
[root@server ~]# wbinfo --group-info='allusers'
allusers:x:63000:flexshare,clearcenter,zschladen,fferri,myantzi,echarron,kjohnson,printer,debacker,mmcleod,dseydoux,shiggins,email-archive,guest
[root@server shares]# net groupmap list
allusers (S-1-5-21-1661951805-1908507638-2940817366-63000) -> allusers
Guests (S-1-5-32-546) -> guests
dropbox_plugin (S-1-5-21-1661951805-1908507638-2940817366-60000) -> dropbox_plugin
imap_plugin (S-1-5-21-1661951805-1908507638-2940817366-60001) -> imap_plugin
openvpn_plugin (S-1-5-21-1661951805-1908507638-2940817366-60002) -> openvpn_plugin
print_server_plugin (S-1-5-21-1661951805-1908507638-2940817366-60003) -> print_server_plugin
smtp_plugin (S-1-5-21-1661951805-1908507638-2940817366-60004) -> smtp_plugin
user_certificates_plugin (S-1-5-21-1661951805-1908507638-2940817366-60005) -> user_certificates_plugin
Domain Admins (S-1-5-21-1661951805-1908507638-2940817366-512) -> domain_admins
Domain Users (S-1-5-21-1661951805-1908507638-2940817366-513) -> domain_users
Domain Guests (S-1-5-21-1661951805-1908507638-2940817366-514) -> domain_guests
Domain Computers (S-1-5-21-1661951805-1908507638-2940817366-515) -> domain_computers
Administrators (S-1-5-32-544) -> administrators
Users (S-1-5-32-545) -> users
Power Users (S-1-5-32-547) -> power_users
Account Operators (S-1-5-32-548) -> account_operators
Server Operators (S-1-5-32-549) -> server_operators
Print Operators (S-1-5-32-550) -> print_operators
Backup Operators (S-1-5-32-551) -> backup_operators
executive (S-1-5-21-1661951805-1908507638-2940817366-60006) -> executive
staff (S-1-5-21-1661951805-1908507638-2940817366-60007) -> staff
visitors (S-1-5-21-1661951805-1908507638-2940817366-60008) -> visitors
admin (S-1-5-21-1661951805-1908507638-2940817366-60009) -> admin
One of the Samba logs goes:
[2020/07/16 05:29:48.583319, 1] ../../source3/smbd/service.c:359(create_connection_session_info)
  create_connection_session_info: user 'clearcenter' (from session setup) not permitted to access this share (test)
I notice the messages log gives:
Jul 16 04:34:28 server winbindd[21471]: [2020/07/16 04:34:28.069299, 0] ../../source3/winbindd/idmap_ldap.c:85(get_credentials)
Jul 16 04:34:28 server winbindd[21471]: get_credentials: Unable to fetch auth credentials for cn=manager,ou=Internal,dc=sha,dc=lan in *
I have tried clearing the winbindd_cache.tdb and gencache.tdb but am
wary of clearing anything else without instruction.
Please can you help me?
Thanks,
Nick