[Samba] Can not change the share permissions

Hello all,
In my network I have a server with samba4 as AD DC and two domain members as file servers with samba4. One of them works properly, but the other does not.
My samba4 AD DC version is compiled from sources: 

[root@gtmad ~]# samba -V
Version 4.5.5

The samba4 domain members (file servers) are installed from the .rpm packages of CentOS7.

[root@gtmpve /]# uname --all
Linux gtmpve.gtm.onat.gob.cu 3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3 00:04:05 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

[root@gtmpve /]# smbd -V
Version 4.4.4

[root@gtmpve /]# nmbd -V
Version 4.4.4

[root@gtmpve /]# winbindd -V
Version 4.4.4

The problem is that I cannot share a directory using Windows or POSIX ACLs.
Trying with Windows ACLs: I use the Windows 7 RSAT. I use Computer Management and the Shared Folders option. There I change the folder permissions using the Share Permissions tab with no problem, but when I try with the Security tab it never lets me, because of no access, permission denied. From the network I can see the share, but cannot access it or its content.

Locally (on the CentOS7 PC with samba4) I can change the owner and permissions of the directory:

chmod -R 770 /samba/bibliografia/
chown -R 'ATGTM00\Administrator':'ATGTM00\Domain Admins' /samba/bibliografia/

I test and I guess it is OK:

[root@gtmpve /]# getfacl --access /samba/bibliografia
getfacl: Eliminando '/' inicial en nombres de ruta absolutos
# file: samba/bibliografia
# owner: ATGTM00\134administrator
# group: ATGTM00\134domain\040admins
user::rwx
group::rwx
other::---

I check if everything is in place for winbind and if it is working fine: 

[root@gtmpve /]# smbd -b | grep LIBDIR
LIBDIR: /usr/lib64 

[root@gtmpve /]# find / -type f -name pam_winbind.so
/usr/lib64/security/pam_winbind.so

[root@gtmpve /]# ln -s /usr/lib64/security/pam_winbind.so /lib64/security/
ln: fallo al crear el enlace simbólico «/lib64/security/pam_winbind.so»: El fichero ya existe (File already exist)

[root@gtmpve /]# ln -s /usr/lib64/libnss_winbind.so.2 /lib64/
ln: fallo al crear el enlace simbólico «/lib64/libnss_winbind.so.2»: El fichero ya existe

[root@gtmpve /]# ln -s /lib64/libnss_winbind.so.2 /lib64/libnss_winbind.so
ln: fallo al crear el enlace simbólico «/lib64/libnss_winbind.so»: El fichero ya existe


[root@gtmpve lib64]# ldconfig --print-cache 
339 bibliotecas se encontraron en la caché `/etc/ld.so.cache'
libnss_winbind.so.2 (libc6,x86-64) => /lib64/libnss_winbind.so.2
libnss_winbind.so (libc6,x86-64) => /lib64/libnss_winbind.so

[root@gtmpve /]# wbinfo --ping-dc
checking the NETLOGON for domain[ATGTM00] dc connection to "gtmad.gtm.onat.gob.cu" succeeded

[root@gtmpve /]# wbinfo -u (Not the complete list, to shorten the email)
ATGTM00\rommel
ATGTM00\administrator

[root@gtmpve /]# wbinfo -g
ATGTM00\informatica
ATGTM00\domain controllers
ATGTM00\economia
ATGTM00\domain admins
ATGTM00\domain users

I make a lot of tests and checks. Here are the results:

[root@gtmpve /]# net ads info
LDAP server: 192.168.41.17
LDAP server name: gtmad.gtm.onat.gob.cu
Realm: GTM.ONAT.GOB.CU
Bind Path: dc=GTM,dc=ONAT,dc=GOB,dc=CU
LDAP port: 389
Server time: vie, 31 mar 2017 11:04:12 CDT
KDC server: 192.168.41.17
Server time offset: 0
Last machine account password change: lun, 27 mar 2017 17:09:04 CDT

[root@gtmpve /]# getent passwd (Not the complete list, to shorten the email)
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin
ATGTM00\rommel:*:21144:20513:Rommel Rodriguez Toirac:/home/rommel:/bin/bash
ATGTM00\administrator:*:20500:20513::/home/administrator:/bin/bash

[root@gtmpve /]# getent group
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
nfsnobody:x:65534:
ntp:x:38:
wbpriv:x:88:
saslauth:x:76:
ATGTM00\informatica:x:21142:
ATGTM00\economia:x:21162:
ATGTM00\domain admins:x:20512:
ATGTM00\domain users:x:20513:


[root@gtmpve /]# getent passwd 'ATGTM00\administrator'
ATGTM00\administrator:*:20500:20513::/home/administrator:/bin/bash

[root@gtmpve /]# getent passwd 'ATGTM00\rommel'
ATGTM00\rommel:*:21144:20513:Rommel Rodriguez Toirac:/home/rommel:/bin/bash

[root@gtmpve /]# id 'ATGTM00\rommel'
uid=21144(ATGTM00\rommel) gid=20513(ATGTM00\domain users) grupos=20513(ATGTM00\domain users),21144(ATGTM00\rommel),21142(ATGTM00\informatica),90000002(BUILTIN\users)

[root@gtmpve /]# id 'ATGTM00\Administrator'
uid=20500(ATGTM00\administrator) gid=20513(ATGTM00\domain users) grupos=20513(ATGTM00\domain users),20500(ATGTM00\administrator),20520(ATGTM00\group policy creator owners),20572(ATGTM00\denied rodc password replication group),20519(ATGTM00\enterprise admins),20518(ATGTM00\schema admins),20512(ATGTM00\domain admins),90000002(BUILTIN\users),90000001(BUILTIN\administrators)

Here is where I see some problem: "Could not connect to server 127.0.0.1". I suppose that must be 192.168.41.17, which is the IP address of the samba4 AD DC.

[root@gtmpve ~]# net rpc rights list privileges SeDiskOperatorPrivilege -U 'ATGM00\administrator'
Enter ATGM00\administrator's password:
Bad SMB2 signature for message
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0000] 85 28 83 F4 26 78 EB 45 1C DE 05 C1 EE E1 C3 84 .(..&x.E ........
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_ACCESS_DENIED

[root@gtmpve ~]# net rpc rights grant "ATGTM00\Domain Admins" SeDiskOperatorPrivilege -U "ATGM00\administrator"
Enter ATGM00\administrator's password:
Bad SMB2 signature for message
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0000] 2C 58 E4 F2 35 60 CC 3B A7 D6 D5 60 C4 C7 BF 27 ,X..5`.; ...`...'
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_ACCESS_DENIED


Some of my configurations:

[root@gtmpve /]# cat /etc/nsswitch.conf (Just the part that includes winbind)
#
passwd: files winbind
group: files winbind


The samba4 configuration:

[root@gtmpve samba]# cat /etc/samba/smb.conf
[global]
netbios name = gtmpve
security = ADS
workgroup = ATGTM00
realm = GTM.ONAT.GOB.CU

log file = /var/log/samba/%m.log
log level = 10

idmap config *:backend = tdb
idmap config *:range = 2000-9999

idmap config ATGTM00:backend = rid
idmap config ATGTM00:range = 10000-99999

winbind nss info = template
winbind enum groups = yes
winbind enum users = yes

template shell = /bin/bash
template homedir = /home/%U

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
create mask = 0666
directory mask = 0777
dos filemode = yes
acl allow execute always = yes

guest account = nobody
map to guest = Bad User

server string = Servidor de archivos #2
server role = member server
local master = no
domain master = no
preferred master = no

load printers = no
printcap name = /dev/null
disable spoolss = yes

[bibliografia]
path = /samba/bibliografia/
read only = no
printable = no
writeable = yes
browseable = yes

Kerberos configuration:

[root@gtmpve samba]# cat /etc/krb5.conf
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = GTM.ONAT.GOB.CU

Other configurations:

[root@gtmpve samba]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.41.16 gtmpve.gtm.onat.gob.cu gtmpve

[root@gtmpve samba]# cat /etc/hostname
gtmpve.gtm.onat.gob.cu

[root@gtmpve samba]# cat /etc/resolv.conf 
# Generated by NetworkManager
search gtm.onat.gob.cu
nameserver 192.168.41.17
nameserver 192.168.41.12

Any idea of what could be happening to me, that I cannot change the permissions of shares on the samba4 domain member which will be a file server?

Rommel Rodriguez Toirac
rommelrt@xxxxxxxx
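An added example (not from the post or from Samba itself) that checks two things the post's output touches: it decodes the escaped owner and group names in `getfacl` output (`\134` is a backslash, `\040` a space) and parses the `idmap config` ranges from smb.conf to confirm the default `*` range and the domain range are disjoint and that an `idmap_rid` id (low + RID) lands inside the domain range. The sample getfacl and smb.conf text is constructed from the post.

```python
import re
# Constructed from the post's getfacl output: getfacl escapes '\' as \134 and ' ' as \040.
GETFACL_OUT = """# file: samba/bibliografia
# owner: ATGTM00\\134administrator
# group: ATGTM00\\134domain\\040admins
user::rwx
group::rwx
other::---
"""
# Constructed copy of the idmap lines from the post's smb.conf.
SMB_CONF = """[global]
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config ATGTM00:backend = rid
idmap config ATGTM00:range = 10000-99999
"""

def unescape_getfacl(name):
    """Decode getfacl's octal escapes (\\134 -> backslash, \\040 -> space)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Return (owner, group, {user/group/other: mode}) from 'getfacl --access' output."""
    names, modes = {}, {}
    for line in text.splitlines():
        m = re.match(r"# (owner|group): (.*)", line)
        if m:
            names[m.group(1)] = unescape_getfacl(m.group(2))
        m = re.match(r"(user|group|other)::([rwx-]{3})$", line)
        if m:
            modes[m.group(1)] = m.group(2)
    return names["owner"], names["group"], modes

def idmap_ranges(conf):
    """Map idmap domain ('*' or a NetBIOS name) -> (backend, low, high) from smb.conf text."""
    found = {}
    pat = r"^\s*idmap config\s*(\S+?)\s*:\s*(backend|range)\s*=\s*(\S+)"
    for dom, key, val in re.findall(pat, conf, re.M):
        found.setdefault(dom, {})[key] = val
    return {d: (v["backend"], *map(int, v["range"].split("-"))) for d, v in found.items()}

def ranges_disjoint(ranges):
    """winbind requires the '*' range and every domain range not to overlap."""
    spans = sorted((lo, hi) for _, lo, hi in ranges.values())
    return all(spans[i][1] < spans[i + 1][0] for i in range(len(spans) - 1))

def rid_to_id(ranges, domain, rid):
    """idmap_rid computes low + RID; return None when the result leaves the domain range."""
    backend, lo, hi = ranges[domain]
    return lo + rid if backend == "rid" and lo + rid <= hi else None
```

Feeding it the real `getfacl --access` and `testparm -s` output instead of the constructed strings turns it into a quick sanity check before looking at the SMB-level errors.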