Web lists-archives.com

Re: [Samba] NT_STATUS_ACCESS_DENIED on a directory I have permission to access




On Thu, 9 May 2019 15:17:07 -0400
Paul Griffith <paulg@xxxxxxxxxxxxx> wrote:


> Hello Rowland,
> 
> I went back and re-read the following links  and with the changes
> listed below I resolved most of my problems.
> 
> But I still can't figure out why getent doesn't return anything for
> the domain.  If I use /etc/password it works as expected.
> 
> - getent domain fails
> getent passwd ONEEXAMPLECA\\paulg

It should work:
rowland@devstation:~$ getent passwd SAMDOM\\rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
rowland@devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

>  From log.winbindd log file, nothing is returned.
> 
> [2019/05/09 14:45:18.165098,  3, pid=14653, effective(0, 0), real(0,
> 0)] ../source3/winbindd/winbindd_getpwnam.c:58(winbindd_getpwnam_send)
>    getpwnam ONEEXAMPLECA\paulg
> 
> Any suggestions to tackle the getent domain issue?
> 
> What errors could show up if we have the same user names in the local 
> /etc/passwd file as in the domain?

You cannot have a user called 'paulg' in /etc/passwd and in AD, if you
do, then the user in /etc/passwd will be used and the user in AD will
be ignored.

> 
> 
> --- Changes made ---
> 
>   I removed SSSD and related packages.
> 
> 1 - Since we compile Samba from source, I linked the compiled library 
> libnss_winbind.so.2 into /lib64, linking libnss_winbind.so didn't
> work. I had to use strace to confirm that getent was looking for 
> libnss_winbind.so.2 and not libnss_winbind.so (CentOS 7.6)
> 
> 2 - verify nsswitch.conf
>   grep -i winbind /etc/nsswitch.conf
> passwd:     files winbind
> group:      files winbind
> 
> 3 - verify /etc/krb5.conf
> 
> # Configuration snippets may be placed in this directory as well
> [logging]
>   default = FILE:/var/log/krb5libs.log
>   kdc = FILE:/var/log/krb5kdc.log
>   admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>   default_realm = AD.ONE.EXAMPLE.CA
>   dns_lookup_realm = false
>   dns_lookup_kdc = true
>   forwardable = true
>   proxiable = true
>   ignore_k5login = true
>   ticket_lifetime = 24h
>   renew_lifetime = 7d
> 
> 4 - Using the command  'samba-tool user edit paulg' I added the UNIX 
> ID/GID to uidNumber and gidNumber in AD.
> 
> 5 - Updated file server conf as per previous e-mails and links above
> 
> [global]
> security = ADS
> workgroup = ONEEXAMPLECA
> realm = AD.ONE.EXAMPLE.CA
> hostname lookups = yes

This has nothing to do with your problem, but you really shouldn't have
the line above, you should rely on dns.

> preferred master = no
> domain master = no
> 
> 
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 1000000-1999999
> 
> # idmap config for the ONEEXAMPLECA domain
> # range should match UNIX ID in AD
> idmap config ONEEXAMPLECA : backend = ad
> idmap config ONEEXAMPLECA : schema_mode = rfc2307
> idmap config ONEEXAMPLECA : range = 1000-999999
> idmap config ONEEXAMPLECA : unix_nss_info = yes
> 
> # Renew the kerberos tickets
> winbind refresh tickets = yes
> 
> # Enable offline logins
> winbind offline logon = yes
> 
> # User uid/Gid from AD. (rfc2307)
> winbind nss info = rfc2307

The line above has been replaced by the 'idmap config' line
 
Rowland


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba