Bug 10767 - Samba denies access to all domain users
Summary: Samba denies access to all domain users
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: 4.1.11
Hardware: x64 Linux
Importance: P5 major
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-08-12 17:45 UTC by Ryan Ashley
Modified: 2018-05-07 11:36 UTC (History)
CC List: 0 users

See Also:


Description Ryan Ashley 2014-08-12 17:45:15 UTC
I have been attempting to fix an issue with Samba that prevents every domain user except the domain admin from accessing shares. Shares are normally configured with full access for the domain admins group and a group for users for that share. For example, a share with documents for general staff will be automatically mapped for anybody in the global security group "staff". The drives map for these people, but when they click on the drive they get "Access is denied" despite being in the "staff" group and that group having full access to the share.

I received some help on the mailing list and have figured out that I left out "--with-shared-modules=idmap_ad" and have since rebuilt with that option and now get the uidNumber and gidNumber for my domain users and groups, but they are still denied access to all shares and even printers. Below is the configuration and diagnostics from my file-server. Note that ID 70006 in the shares below resolves to "SYSTEM" in Windows. All of the workstations are Windows 7 Professional 64bit.

root@fs01:~# cat /etc/samba/smb.conf
[global]
  netbios name = FS01
  workgroup = TRUEVINE
  security = ADS
  realm = TRUEVINE.LAN
  encrypt passwords = true
  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab

  idmap config *:backend = tdb
  idmap config *:range = 70001-80000
  idmap config TRUEVINE:backend = ad
  idmap config TRUEVINE:schema_mode = rfc2307
  idmap config TRUEVINE:range = 10001-40000

  winbind nss info = rfc2307
  winbind trusted domains only = no
  winbind use default domain = yes
  winbind enum users = yes
  winbind enum groups = yes

  ntlm auth = no
  lanman auth = no
  client ntlmv2 auth = yes

  domain master = no
  local master = no
  preferred master = no

  vfs objects = acl_xattr
  map acl inherit = yes
  store dos attributes = yes

[install$]
  path = /home/shared/install
  comment = "Software installation files"
  read only = no
  guest ok = no

[staff$]
  path = /home/shared/staff
  comment = "Staff file share"
  read only = no
  guest ok = no

[fbc$]
  path = /home/shared/fbc
  comment = "Family Bible College file share"
  read only = no
  guest ok = no

root@fs01:~# getfacl /home/shared/fbc/
getfacl: Removing leading '/' from absolute path names
# file: home/shared/fbc/
# owner: reachfp
# group: fbc
# flags: -s-
user::rwx
user:reachfp:rwx
group::rwx
group:fbc:rwx
group:70006:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:reachfp:rwx
default:group::---
default:group:fbc:rwx
default:group:70006:rwx
default:mask::rwx
default:other::---

root@fs01:~# getfacl /home/shared/staff/
getfacl: Removing leading '/' from absolute path names
# file: home/shared/staff/
# owner: reachfp
# group: staff
# flags: -s-
user::rwx
user:reachfp:rwx
group::rwx
group:staff:rwx
group:70006:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:reachfp:rwx
default:group::---
default:group:staff:rwx
default:group:70006:rwx
default:mask::rwx
default:other::---

root@fs01:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

I am not going to show a dump of "getent passwd" or "getent group". Suffice to say, they work perfectly, but I do not want to edit out the names of every domain user. If I am required to, I will do this to prove that getent and id work correctly.

Configure command:
./configure --with-ads --with-shared-modules=idmap_ad --enable-fhs --prefix=/usr --localstatedir=/var --sysconfdir=/etc

The processes nmbd, smbd, and winbindd are running. If you need anything else, please let me know. This server has been down for almost a month and nothing allows access. I do not have iptables doing anything and there is no SELinux on this system. The OS is Debian Wheezy 7.6 64bit.
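As an added diagnostic (not part of this report or of Samba), the following script parses the idmap ranges from a constructed smb.conf excerpt mirroring the one above and checks which numeric ACL qualifiers in the getfacl output fall into the default "*" tdb range rather than the AD-backed TRUEVINE range; such IDs (like 70006) are allocated locally and will not match the same SID on another server. The SMB_CONF and GETFACL strings are constructed from the report, and all function names are assumptions.

```python
import re

# Constructed excerpt reproducing the idmap settings from the report above
SMB_CONF = """
[global]
  idmap config *:backend = tdb
  idmap config *:range = 70001-80000
  idmap config TRUEVINE:backend = ad
  idmap config TRUEVINE:range = 10001-40000
"""

# Constructed getfacl output for /home/shared/fbc, copied from the report
GETFACL = """
user::rwx
user:reachfp:rwx
group::rwx
group:fbc:rwx
group:70006:rwx
mask::rwx
other::rwx
"""

def parse_idmap_ranges(conf):
    """Return {domain: (backend, low, high)} from 'idmap config' lines."""
    fields = {}
    for dom, key, val in re.findall(
            r"idmap config ([^\s:]+)\s*:\s*(\w+)\s*=\s*(\S+)", conf):
        fields.setdefault(dom, {})[key] = val
    ranges = {}
    for dom, f in fields.items():
        low, high = (int(x) for x in f["range"].split("-"))
        ranges[dom] = (f["backend"], low, high)
    return ranges

def classify_id(num, ranges):
    """Return (domain, backend) whose range holds a numeric uid/gid, else None."""
    for dom, (backend, low, high) in ranges.items():
        if low <= num <= high:
            return dom, backend
    return None

def flag_local_only_ids(acl_text, conf):
    """List ACL entries whose numeric qualifier was allocated from the '*' tdb range."""
    ranges = parse_idmap_ranges(conf)
    findings = []
    for line in acl_text.splitlines():
        m = re.match(r"(?:default:)?(user|group):(\d+):", line)
        if m:
            hit = classify_id(int(m.group(2)), ranges)
            if hit and hit[0] == "*":
                findings.append((m.group(1), int(m.group(2)), hit[1]))
    return findings
```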
Comment 1 Ryan Ashley 2014-08-14 23:03:38 UTC
In further attempts to find a culprit, I copied a working smb.conf from a working member server in another domain and used it on the troubled server. I adjusted paths as I should and verified ACLs. It did not work. I then copied the smb.conf from the troubled server to a good one in another domain, adjusted the share path, and it worked flawlessly. This tells me that the configuration is good, but something is still denying me access.

Also, I have since added the PAM settings on the member server wiki page. This only resulted in killing SSH connections, but did not fix the "Access is denied" issue. I even tried from my Linux laptop. Still no go.
Comment 2 Björn Jacke 2018-05-07 11:36:47 UTC
This does not look like a bug but like a configuration issue. We can't help with configuration issues in bugzilla. You might try to get help from the mailing list or from some company offering commercial samba support, see https://www.samba.org/samba/support/