
[Samba] Cannot change the share permissions

Hello all;
In my network I have a server with samba4 as AD DC and two domain members as file servers with samba4. One of them works properly, but the other does not.
My samba4 AD DC version is compiled from sources:

[root@gtmad ~]# samba -V
Version 4.5.5

The samba4 domain member (file server) is installed from the CentOS7 .rpm packages.

[root@gtmpve /]# uname --all
Linux gtmpve.gtm.onat.gob.cu 3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3 00:04:05 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

[root@gtmpve /]# smbd -V
Version 4.4.4

[root@gtmpve /]# nmbd -V
Version 4.4.4

[root@gtmpve /]# winbindd -V
Version 4.4.4

The problem is that I cannot share a directory using Windows or POSIX ACLs.
Trying with Windows ACLs: I use the Windows 7 RSAT. I use Computer Management and the Shared Folders option. There I change the folder permissions using the Share Permissions tab with no problem, but when I try with the Security tab it never lets me, because of "no access, permission denied". From the network I can see the share, but cannot access it or its content.

Locally (on the CentOS7 PC with samba4) I can change the owner and permissions of the directory:

chmod -R 770 /samba/bibliografia/
chown -R 'ATGTM00\Administrator':'ATGTM00\Domain Admins' /samba/bibliografia/

I test it and I guess it is OK:

[root@gtmpve /]# getfacl --access /samba/bibliografia
getfacl: Eliminando '/' inicial en nombres de ruta absolutos
# file: samba/bibliografia
# owner: ATGTM00\134administrator
# group: ATGTM00\134domain\040admins

I check that everything is in place for winbind and that it is working fine:

[root@gtmpve /]# smbd -b | grep LIBDIR
LIBDIR: /usr/lib64 

[root@gtmpve /]# find / -type f -name pam_winbind.so

[root@gtmpve /]# ln -s /usr/lib64/security/pam_winbind.so /lib64/security/
ln: fallo al crear el enlace simbólico «/lib64/security/pam_winbind.so»: El fichero ya existe (File already exist)

[root@gtmpve /]# ln -s /usr/lib64/libnss_winbind.so.2 /lib64/
ln: fallo al crear el enlace simbólico «/lib64/libnss_winbind.so.2»: El fichero ya existe

[root@gtmpve /]# ln -s /lib64/libnss_winbind.so.2 /lib64/libnss_winbind.so
ln: fallo al crear el enlace simbólico «/lib64/libnss_winbind.so»: El fichero ya existe

[root@gtmpve lib64]# ldconfig --print-cache 
339 bibliotecas se encontraron en la caché `/etc/ld.so.cache'
libnss_winbind.so.2 (libc6,x86-64) => /lib64/libnss_winbind.so.2
libnss_winbind.so (libc6,x86-64) => /lib64/libnss_winbind.so

[root@gtmpve /]# wbinfo --ping-dc
checking the NETLOGON for domain[ATGTM00] dc connection to "gtmad.gtm.onat.gob.cu" succeeded

[root@gtmpve /]# wbinfo -u (Not the complete list, to reduce the email)

[root@gtmpve /]# wbinfo -g
ATGTM00\domain controllers
ATGTM00\domain admins
ATGTM00\domain users

I make a lot of tests and checks. Here are the results:

[root@gtmpve /]# net ads info
LDAP server:
LDAP server name: gtmad.gtm.onat.gob.cu
Bind Path: dc=GTM,dc=ONAT,dc=GOB,dc=CU
LDAP port: 389
Server time: vie, 31 mar 2017 11:04:12 CDT
KDC server:
Server time offset: 0
Last machine account password change: lun, 27 mar 2017 17:09:04 CDT

[root@gtmpve /]# getent passwd (Not the complete list, to reduce the length of the email)
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin
ATGTM00\rommel:*:21144:20513:Rommel Rodriguez Toirac:/home/rommel:/bin/bash

[root@gtmpve /]# getent group
ATGTM00\domain admins:x:20512:
ATGTM00\domain users:x:20513:

[root@gtmpve /]# getent passwd 'ATGTM00\administrator'

[root@gtmpve /]# getent passwd 'ATGTM00\rommel'
ATGTM00\rommel:*:21144:20513:Rommel Rodriguez Toirac:/home/rommel:/bin/bash

[root@gtmpve /]# id 'ATGTM00\rommel'
uid=21144(ATGTM00\rommel) gid=20513(ATGTM00\domain users) grupos=20513(ATGTM00\domain users),21144(ATGTM00\rommel),21142(ATGTM00\informatica),90000002(BUILTIN\users)

[root@gtmpve /]# id 'ATGTM00\Administrator'
uid=20500(ATGTM00\administrator) gid=20513(ATGTM00\domain users) grupos=20513(ATGTM00\domain users),20500(ATGTM00\administrator),20520(ATGTM00\group policy creator owners),20572(ATGTM00\denied rodc password replication group),20519(ATGTM00\enterprise admins),20518(ATGTM00\schema admins),20512(ATGTM00\domain admins),90000002(BUILTIN\users),90000001(BUILTIN\administrators)

Here is where I see a problem. "Could not connect to server": I suppose that must be the IP address of the samba4 AD DC.

[root@gtmpve ~]# net rpc rights list privileges SeDiskOperatorPrivilege -U 'ATGM00\administrator'
Enter ATGM00\administrator's password:
Bad SMB2 signature for message
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0000] 85 28 83 F4 26 78 EB 45 1C DE 05 C1 EE E1 C3 84 .(..&x.E ........
Could not connect to server
Connection failed: NT_STATUS_ACCESS_DENIED

[root@gtmpve ~]# net rpc rights grant "ATGTM00\Domain Admins" SeDiskOperatorPrivilege -U "ATGM00\administrator"
Enter ATGM00\administrator's password:
Bad SMB2 signature for message
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0000] 2C 58 E4 F2 35 60 CC 3B A7 D6 D5 60 C4 C7 BF 27 ,X..5`.; ...`...'
Could not connect to server
Connection failed: NT_STATUS_ACCESS_DENIED

Some of my configurations:

[root@gtmpve /]# cat /etc/nsswitch.conf (Just the part that includes winbind)
passwd: files winbind
group: files winbind

The samba4 configuration:

[root@gtmpve samba]# cat /etc/samba/smb.conf
netbios name = gtmpve
security = ADS
workgroup = ATGTM00

log file = /var/log/samba/%m.log
log level = 10

idmap config *:backend = tdb
idmap config *:range = 2000-9999

idmap config ATGTM00:backend = rid
idmap config ATGTM00:range = 10000-99999

winbind nss info = template
winbind enum groups = yes
winbind enum users = yes

template shell = /bin/bash
template homedir = /home/%U

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
create mask = 0666
directory mask = 0777
dos filemode = yes
acl allow execute always = yes

guest account = nobody
map to guest = Bad User

server string = Servidor de archivos #2
server role = member server
local master = no
domain master = no
preferred master = no

load printers = no
printcap name = /dev/null
disable spoolss = yes

path = /samba/bibliografia/
read only = no
printable = no
writeable = yes
browseable = yes

Kerberos configuration:

[root@gtmpve samba]# cat /etc/krb5.conf
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = GTM.ONAT.GOB.CU

Other configurations:

[root@gtmpve samba]# cat /etc/hosts localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 gtmpve.gtm.onat.gob.cu gtmpve

[root@gtmpve samba]# cat /etc/hostname

[root@gtmpve samba]# cat /etc/resolv.conf 
# Generated by NetworkManager
search gtm.onat.gob.cu

Any idea of what can be happening to me, that I cannot change the permissions of shares on the samba4 domain member which will be a file server?

Rommel Rodriguez Toirac
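As an added example (not part of the original post or of Samba itself), the following Python script parses the idmap settings from an smb.conf fragment like the one above and checks the uid/gid values from the `id` output against them; the rule that idmap_rid allocates ID = RANGE_LOW + RID is taken from the idmap_rid man page, and the sample inputs are constructed from the values shown in the post.

```python
# Added example (not from the original post): parse the idmap settings from an
# smb.conf fragment and check the uid/gid values winbind reports against them.
# Sample inputs are constructed from the values shown in the post.
import re

SMB_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config ATGTM00:backend = rid
idmap config ATGTM00:range = 10000-99999
"""
# Shortened `id 'ATGTM00\Administrator'` output as shown in the post
ID_OUTPUT = ("uid=20500(ATGTM00\\administrator) gid=20513(ATGTM00\\domain users) "
             "grupos=20513(ATGTM00\\domain users),20512(ATGTM00\\domain admins),"
             "90000002(BUILTIN\\users),90000001(BUILTIN\\administrators)")

CONF_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.M)
ID_RE = re.compile(r"(\d+)\(([^\\)]+)\\([^)]+)\)")   # matches 20500(DOMAIN\name)
WELL_KNOWN_RIDS = {"administrator": 500, "domain admins": 512, "domain users": 513}

def parse_idmap(conf):
    """Return {domain: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    cfg = {}
    for dom, key, val in CONF_RE.findall(conf):
        entry = cfg.setdefault(dom, {})
        if key == "range":
            lo, hi = val.split("-")
            entry["range"] = (int(lo), int(hi))
        else:
            entry["backend"] = val
    return cfg

def check_ids(id_output, cfg):
    """Return findings for ids that do not fit the configured idmap ranges."""
    findings = []
    for num, dom, name in ID_RE.findall(id_output):
        num = int(num)
        entry = cfg.get(dom) or cfg.get("*")   # BUILTIN etc. use the '*' default range
        if not entry or "range" not in entry:
            findings.append(f"{dom}\\{name}: no idmap range configured")
            continue
        lo, hi = entry["range"]
        if not lo <= num <= hi:
            findings.append(f"{dom}\\{name}: id {num} outside {lo}-{hi}")
        elif entry.get("backend") == "rid" and name in WELL_KNOWN_RIDS:
            # idmap_rid allocates ID = RANGE_LOW + RID, so well-known RIDs are predictable
            expected = lo + WELL_KNOWN_RIDS[name]
            if num != expected:
                findings.append(f"{dom}\\{name}: id {num}, rid backend expects {expected}")
    return findings
```

Run `check_ids(ID_OUTPUT, parse_idmap(SMB_CONF))` to list every id in the sample that is outside its configured range or does not match the rid formula.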