Re: [Samba] NT_STATUS_ACCESS_DENIED on a directory I have permission to access
On 5/6/19 11:59 AM, Rowland Penny via samba wrote:
On Mon, 6 May 2019 10:33:27 -0400
Paul Griffith <paulg@xxxxxxxxxxxxx> wrote:

On 5/3/19 9:53 AM, Rowland Penny via samba wrote:
On Fri, 3 May 2019 15:36:59 +0200
"L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:
Hai Paul,

Look at this: user=paulg,uid=2381
(from mount -t cifs //xxxx.xxxx.yorku.ca/homes /tmp/1 -o
user=paulg,uid=2381,gid=1000,domain=AD.ONE.EXAMPLE.CA)

Now, look at this :
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the ONEEXAMPLECA domain
idmap config ONEEXAMPLECA : backend = rid
idmap config ONEEXAMPLECA : range = 10000-999999
What do you notice here? (the hint is 2381:1000) I would
expect to see 10000:10000 or higher. Do you see what I mean? Your
UID/GID is a local user's one, not an AD-DC user's.

Your ranges are out of sync now, and so your access denied is completely
correct.
Good catch Louis, those numbers are even outside the '*' domain, so
it must be a local Unix user and group. How many times do I have to
say this:

You cannot have local Unix users and groups in /etc/passwd
& /etc/group and expect them to work on a Samba Unix domain.

If the ID numbers are in AD, then the only reason would be if this
is a classicupgraded domain (which I personally hate) and if so, the
ranges in smb.conf will need altering to match.

Rowland
Louis and Rowland,

Thank you both for your suggestions. Why only the mail directory, why
wouldn't I get a permission error on the other directories?

This is a classic upgraded domain. In this situation, what would be
ideal?

1 ) Configure the local builtin accounts?

idmap config *   :  range = 100-999
No, set this above the 'ONEEXAMPLECA' domain

2) Configure the Domain accounts?

idmap config ONEEXAMPLECA : backend = rid
idmap config ONEEXAMPLECA : range = 1000-999999
If your lowest Unix ID in AD is 1000 and your highest is less than
999999, then yes, but use the 'ad' backend instead.

If you don't care about the IDs (in which case, why did you run the
classicupgrade?), the range can be anything you like, if you use
the 'rid' backend.

Rowland

Suggestions and links always welcomed :)

Paul

Hello Rowland,

I went back and re-read the following links and with the changes listed below I resolved most of my problems.

[0] - https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
[1] - https://wiki.samba.org/index.php/Libnss_winbind_Links
[2] - https://wiki.samba.org/index.php/Idmap_config_ad
[3] - https://github.com/thctlo/samba4/blob/master/howtos/stretch-base-3.2-samba-member-fileserver.txt
[4] - https://forums.freebsd.org/threads/samba-ad-getent-passwd-doesnt-return-domain-users.62554/


But I still can't figure out why getent doesn't return anything for the domain. If I use /etc/passwd it works as expected.

- getent domain fails
getent passwd ONEEXAMPLECA\\paulg
#

From strace I see it opens the winbindd pipe and talks to the winbind process.

lstat("/var/run/winbindd", {st_mode=S_IFDIR|0755, st_size=60, ...}) = 0
30477 lstat("/var/run/winbindd/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
30477 socket(AF_LOCAL, SOCK_STREAM, 0)  = 3
30477 fcntl(3, F_GETFL)                 = 0x2 (flags O_RDWR)
30477 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
30477 fcntl(3, F_GETFD)                 = 0
30477 fcntl(3, F_SETFD, FD_CLOEXEC)     = 0
30477 connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/winbindd/pipe"}, 110) = 0

In the log.winbindd log file, nothing is returned.

[2019/05/09 14:45:18.165098,  3, pid=14653, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_getpwnam.c:58(winbindd_getpwnam_send)
  getpwnam ONEEXAMPLECA\paulg

Any suggestions to tackle the getent domain issue?

What errors could show up if we have the same user names in the local /etc/passwd file as in the domain?


--- Changes made ---

I removed SSSD and related packages.

1 - Since we compile Samba from source, I linked the compiled library libnss_winbind.so.2 into /lib64, linking libnss_winbind.so didn't work. I had to use strace to confirm that getent was looking for libnss_winbind.so.2 and not libnss_winbind.so (CentOS 7.6)

2 - verify nsswitch.conf
 grep -i winbind /etc/nsswitch.conf
passwd:     files winbind
group:      files winbind

3 - verify /etc/krb5.conf

# Configuration snippets may be placed in this directory as well
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = AD.ONE.EXAMPLE.CA
 dns_lookup_realm = false
 dns_lookup_kdc = true
 forwardable = true
 proxiable = true
 ignore_k5login = true
 ticket_lifetime = 24h
 renew_lifetime = 7d

4 - Using the command 'samba-tool user edit paulg' I added the UNIX UID/GID to uidNumber and gidNumber in AD.

5 - Updated file server conf as per previous e-mails and links above

[global]
security = ADS
workgroup = ONEEXAMPLECA
realm = AD.ONE.EXAMPLE.CA
hostname lookups = yes

preferred master = no
domain master = no


# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999

# idmap config for the ONEEXAMPLECA domain
# range should match UNIX ID in AD
idmap config ONEEXAMPLECA : backend = ad
idmap config ONEEXAMPLECA : schema_mode = rfc2307
idmap config ONEEXAMPLECA : range = 1000-999999
idmap config ONEEXAMPLECA : unix_nss_info = yes

# Renew the kerberos tickets
winbind refresh tickets = yes

# Enable offline logins
winbind offline logon = yes

# User uid/Gid from AD. (rfc2307)
winbind nss info = rfc2307

# With default domain, wbinfo -u, yes = username, no is SAMBADOM\username
winbind use default domain = yes

# Keep no in production, set yes when debugging, this slows down your samba.
winbind enum users  = no
winbind enum groups = no

# disable usershares creating, when set empty no error log messages.
usershare path =

# For Windows ACL support on member file server, enabled globally, OBLIGATED
# For a mixed setup of rights, put this per share!
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /eecs/home/%U

Thank you,
Paul
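Louis's diagnosis earlier in the thread (a mount showing uid:gid 2381:1000 while smb.conf only maps 3000-7999 and 10000-999999, so the IDs cannot have come from winbind) can be turned into a quick configuration check. The following is an added example, not code from the thread or from Samba: it parses the `idmap config` lines of an smb.conf, flags domains with a missing backend or range and any overlapping ranges, and reports which idmap domain (if any) a given Unix ID falls into. The two sample configs are constructed from the original and revised blocks posted in the thread.

```python
import re
# Constructed samples: the idmap lines Louis quoted from the original smb.conf
# and the revised block from Paul's final reply.
ORIGINAL_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config ONEEXAMPLECA : backend = rid
idmap config ONEEXAMPLECA : range = 10000-999999
"""
REVISED_CONF = """
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config ONEEXAMPLECA : backend = ad
idmap config ONEEXAMPLECA : range = 1000-999999
"""
# Matches 'idmap config <domain> : <key> = <value>'; the domain may be '*'.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Group idmap settings per domain (names upper-cased, keys lower-cased)."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return domains

def parse_range(spec):
    lo, hi = map(int, spec.split("-", 1))  # 'lo-hi' exactly as written in smb.conf
    return lo, hi

def find_problems(domains):
    """Domains missing a backend or range, plus every pair of overlapping ranges."""
    problems = [f"{d}: missing {k}" for d, c in domains.items()
                for k in ("backend", "range") if k not in c]
    ranges = {d: parse_range(c["range"]) for d, c in domains.items() if "range" in c}
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges of {a} and {b} overlap")
    return problems

def classify_id(domains, unix_id):
    """Domain whose range covers unix_id, or None: a local Unix ID winbind never issued."""
    for d, c in domains.items():
        if "range" in c and parse_range(c["range"])[0] <= unix_id <= parse_range(c["range"])[1]:
            return d
    return None
```

With the original config `classify_id(parse_idmap(ORIGINAL_CONF), 2381)` returns None, which is exactly the "local user, not AD" situation that produced the access denied; with the revised config the same uid maps to ONEEXAMPLECA.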
