Nissl Reinhard
2015-Mar-19 13:35 UTC
[Samba] Access to shares is denied after upgrading from 3.6.3 (openSUSE 12.1) to 4.1.17 (openSUSE 13.2)
Hi,

please have a look into the attached smb.conf. The only changes since 3.6.3 are commenting out all *security* settings and adding

    winbind expand groups = 1

The attached smbusers hasn't been changed yet.

When I try to access share \\platon\root as fee\administrator I get the following:

    platon:~ # smbclient -c dir -W fee -U administrator%secret //platon/root
    Domain=[FEE] OS=[Unix] Server=[Samba 4.1.17-5.1-3375-SUSE-oS13.2-x86_64]
    tree connect failed: NT_STATUS_ACCESS_DENIED
    platon:~ #

Sure, the secret is correct. Running the same command on a backup of the virtual machine (renamed to platon-alt) before the upgrade works.

Running smbd -F -S -d 2 shows the following in its output:

    SID S-1-5-21-2807186310-4085009417-2666197100-1000 -> getpwuid(10938) failed
    Failed to map kerberos pac to server info (NT_STATUS_NO_MEMORY)
    Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED

Using wbinfo to translate the mentioned SID reveals that smbusers seems to be honored in some way:

    platon:~ # wbinfo -s S-1-5-21-2807186310-4085009417-2666197100-1000
    PLATON\root 1
    platon:~ #

But I'm stuck at this point, because I don't know what samba 4.x expects. At least there is no user with ID 10938 on this system.

Any help appreciated, thanks in advance.

Bye.
--
Reinhard Nißl, TB3, -198
Marc Muehlfeld
2015-Mar-19 21:53 UTC
[Samba] Access to shares is denied after upgrading from 3.6.3 (openSUSE 12.1) to 4.1.17 (openSUSE 13.2)
Hello Reinhard,

On 19.03.2015 at 14:35, Nissl Reinhard wrote:
> When I try to access share \\platon\root as fee\administrator I get the following:
>
> platon:~ # smbclient -c dir -W fee -U administrator%secret //platon/root
> Domain=[FEE] OS=[Unix] Server=[Samba 4.1.17-5.1-3375-SUSE-oS13.2-x86_64]
> tree connect failed: NT_STATUS_ACCESS_DENIED
> platon:~ #

We need some information about your environment to help:
- smb.conf (global + share configuration)
- PDC/DC/Member
- If member: in an AD or NT4 domain
- Does samba have its databases (secrets.tdb and LOCK|STATE|CACHEDIR) in the same places like it was on the old installation? Or are the databases copied to the right, expected location?
- etc.

Regards,
Marc
Reinhard Nißl
2015-Mar-20 06:11 UTC
[Samba] Access to shares is denied after upgrading from 3.6.3 (openSUSE 12.1) to 4.1.17 (openSUSE 13.2)
Hi Marc,

On 19.03.2015 at 22:53, Marc Muehlfeld wrote:
> On 19.03.2015 at 14:35, Nissl Reinhard wrote:
>> When I try to access share \\platon\root as fee\administrator I get the following:
>>
>> platon:~ # smbclient -c dir -W fee -U administrator%secret //platon/root
>> Domain=[FEE] OS=[Unix] Server=[Samba 4.1.17-5.1-3375-SUSE-oS13.2-x86_64]
>> tree connect failed: NT_STATUS_ACCESS_DENIED
>> platon:~ #
>
> We need some information about your environment to help:
> - smb.conf (global + share configuration)

see below, was already part of my other email.

> - PDC/DC/Member

Member

> - If member: in an AD or NT4 domain

AD

> - Does samba have its databases (secrets.tdb and LOCK|STATE|CACHEDIR)
> in the same places like it was on the old installation? Or are the
> databases copied to the right, expected location?

I hadn't configured anything special on the old system. Cannot tell what openSUSE actually changed during the update. At least

    find / -name secrets.tdb

found that file here:

    /etc/samba/secrets.tdb

> - etc.

cannot supply that kind of information ;-)

Thanks in advance.

Bye.
--
Reinhard Nißl, TB3, -198

> ---8<---8<---8<---8<---8<---8<--- smbusers ---8<---8<---8<---8<---8<---8<---
>
> # This file allows you to map usernames from the clients to the server.
> # Unix_name = SMB_name1 SMB_name2 ...
> #
> # See section 'username map' in the manual page of smb.conf for more
> # information.
> #
> # This file is _not_ included in the default configuration as it makes the
> # usage of an user named administrator impossible.
>
> #root = administrator
> #;nobody = guest pcguest smbguest
>
> !root = fee\backup,fee\administrator,fee\markus.ni,fee\chris.we,fee\rainer.sc,fee\juergen.ju
>
> ---8<---8<---8<---8<---8<---8<--- smb.conf ---8<---8<---8<---8<---8<---8<---
>
> # smb.conf is the main Samba configuration file. You find a full commented
> # version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
> # samba-doc package is installed.
> # Date: 2012-05-02
> [global]
>     workgroup = FEE
>     realm = FEE.DE
>     netbios name = PLATON
>     server string = Web- und Internet-Mail-Server
>     interfaces = 10.73.0.6/255.255.0.0
>     bind interfaces only = Yes
>     # security = DOMAIN
>     security = ADS
>     encrypt passwords = Yes
>     passdb backend = tdbsam
>     password server = feesv1 svar1
>     username map = /etc/samba/smbusers
>     name resolve order = wins hosts
>     # read size = 65535
>     # character set = ISO8859-1
>     os level = 0
>     local master = No
>     wins server = 10.73.0.7 10.73.0.21
>
>     guest ok = Yes
>     hide dot files = No
>
>     # winbind separator = +
>     winbind cache time = 10
>     template shell = /bin/false
>     template homedir = /tmp
>     winbind uid = 10000-20000
>     winbind gid = 10000-20000
>     winbind use default domain = yes
>     # winbind nested groups = yes
>     # auth methods = winbind
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind expand groups = 1
>     deadtime = 1
>
>     load printers = no
>     printing = bsd
>
> [web]
>     comment = Web-Konfiguration
>     path = /data/web
>     valid users = @webadmin,fee\gabi,fee\franz.la,fee\hans,fee\eva.gi,fee\robert.lo,fee\peter.me,fee\chris.sch,fee\jeremy.pr
>     write list = @webadmin,fee\gabi,fee\franz.la,fee\hans,fee\eva.gi,fee\robert.lo,fee\peter.me,fee\chris.sch,fee\jeremy.pr
>
>     force group = webadmin
>     create mask = 0664
>     # security mask = 0664
>     force create mode = 0664
>     # force security mode = 0664
>     directory mask = 0775
>     # directory security mask = 0775
>     force directory mode = 0775
>     # force directory security mode = 0775
>
>     writeable = Yes
>     guest ok = No
>
> [webTest]
>     comment = Web-Konfiguration
>     path = /data/web/webTest
>     valid users = @webadmin,fee\gabi,fee\franz.la,fee\hans,fee\johann.fl
>     write list = @webadmin,fee\gabi,fee\franz.la,fee\hans,fee\johann.fl
>
>     force group = webadmin
>     create mask = 0664
>     # security mask = 0664
>     force create mode = 0664
>     # force security mode = 0664
>     directory mask = 0775
>     # directory security mask = 0775
>     force directory mode = 0775
>     # force directory security mode = 0775
>
>     writeable = Yes
>     guest ok = No
>
> [FactWork]
>     comment = FactWork-Downloadportal
>     path = /web/Fee/download/factwork
>     valid users = @webadmin,fee\gabi,@fee\g_tb3,fee\administrator,fee\svtb3$
>     write list = @webadmin,fee\gabi,@fee\g_tb3,fee\administrator
>
>     force group = webadmin
>     create mask = 0664
>     # security mask = 0664
>     force create mode = 0664
>     # force security mode = 0664
>     directory mask = 0775
>     # directory security mask = 0775
>     force directory mode = 0775
>     # force directory security mode = 0775
>
>     writeable = Yes
>     guest ok = No
>
> [root]
>     comment = Root-Verzeichnis
>     path = /
>     valid users = root
>     write list = root
>     writeable = Yes
>     guest ok = No
>
> [sms]
>     comment = sms-Mailverzeichnis
>     path = /var/spool/mail
>     valid users = root
>     write list = root
>     writeable = Yes
>     guest ok = No
>
> [spamMail]
>     comment = Spam Mail
>     path = /data/spamMail
>     valid users = root,webadmin
>     write list = root,webadmin
>
>     force user = root
>     force group = root
>     create mask = 0600
>     # security mask = 0600
>     force create mode = 0600
>     # force security mode = 0600
>     directory mask = 0755
>     # directory security mask = 0755
>     force directory mode = 0755
>     # force directory security mode = 0755
>
>     writeable = No
>     guest ok = No
>
>     root preexec = /root/bin/updateSpamMail
>
> [spamlog]
>     comment = spamlog
>     path = /var/spool/mail
>     valid users = root
>     write list = root
>
>     force user = root
>     force group = root
>     create mask = 0600
>     # security mask = 0600
>     force create mode = 0600
>     # force security mode = 0600
>     directory mask = 0755
>     # directory security mask = 0755
>     force directory mode = 0755
>     # force directory security mode = 0755
>
>     writeable = Yes
>     guest ok = No
>
> [mqueue]
>     comment = Mail-Queue
>     path = /var/spool/mqueue
>     valid users = root,webadmin
>     write list = root,webadmin
>
>     force user = root
>     force group = root
>     create mask = 0600
>     # security mask = 0600
>     force create mode = 0600
>     # force security mode = 0600
>     directory mask = 0755
>     # directory security mask = 0755
>     force directory mode = 0755
>     # force directory security mode = 0755
>
>     writeable = Yes
>     guest ok = No
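
Added example, not part of the thread and not Samba project code: a small check that takes the uid from the smbd `getpwuid(...) failed` message, tests it against the `winbind uid` range in the posted smb.conf, and repeats the same passwd lookup through NSS. The log line and config excerpt are constructed from values quoted in the thread; the function names are hypothetical.

```python
import pwd
import re

# Constructed sample input, built from the values quoted in the thread.
SMBD_LOG = "SID S-1-5-21-2807186310-4085009417-2666197100-1000 -> getpwuid(10938) failed\n"
SMB_CONF = """\
[global]
security = ADS
# winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
"""
FAILED = re.compile(r"SID (S-[\d-]+) -> getpwuid\((\d+)\) failed")


def failed_lookups(log_text):
    """Return (sid, uid) for each SID whose mapped uid had no passwd entry."""
    return [(m.group(1), int(m.group(2))) for m in FAILED.finditer(log_text)]


def global_ranges(conf_text):
    """Collect 'name = low-high' parameters from the [global] section."""
    ranges, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
            if m:
                ranges[" ".join(key.lower().split())] = (int(m.group(1)), int(m.group(2)))
    return ranges


def diagnose(log_text, conf_text, lookup=pwd.getpwuid):
    """Report, per failed uid, which uid ranges contain it and whether NSS resolves it."""
    ranges = global_ranges(conf_text)
    report = []
    for sid, uid in failed_lookups(log_text):
        try:
            lookup(uid)  # wraps getpwuid(3), the call smbd reports as failing
            resolved = True
        except KeyError:
            resolved = False
        owners = sorted(k for k, (lo, hi) in ranges.items() if "uid" in k and lo <= uid <= hi)
        report.append({"sid": sid, "uid": uid, "in_ranges": owners, "nss_resolves": resolved})
    return report

if __name__ == "__main__":
    print(diagnose(SMBD_LOG, SMB_CONF))
```

On the thread's values this reports uid 10938 inside the `winbind uid` range, so the winbind ID mapping and the NSS lookup path on the member server are the place to look, not /etc/passwd.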