Jason Secord
2016-Sep-22 23:23 UTC
[Samba] Domain Member Server: Domain Users cannot access shares
*Another reply that was accidentally sent to the wrong address...* I ran another test of a share on the raid array after making the changes you suggested Rowland. I reset the ACLs on /mnt/md0/samba_shares/test as outlined in the wiki and set the default group to domain admins. I executed setfacl commands g=rwx and chgrp domain admins, then added the directory to my smb.conf and ran "smbcontrol all reload-config". I then logged in to a Windows box as administrator and set ACLs for my test domain user account, allowing full control in both share permissions and the security tabs, applied settings and closed the snap-in. I then logged in to another machine as my test user and tried to access the new share and still received access denied. I'd be oh so happy if this thread ends and the raid controller isn't the root cause of this issue, but my gut says it must be as shares that I copied from the array to the system drive retained the ACLs I had set previously and we're accessible without modification. I just wish I could find some indication that this is a known issue, my Google fu fails to reveal any evidence supporting the theory. Kind Regards, JS On Thu, Sep 22, 2016 at 7:21 PM, Jason Secord <it at plymouthhistory.org> wrote:> Hi Rowland, > > > *Apparently I accidentally replied directly to you instead of the list, > this is from a couple days ago...* > > First off, thanks again for your help, your insight is invaluable. > > I have completed the changes you suggested: > > I've used ADUC to remove the NIS Domain and UID/GID number from the > following Users/Groups: > > - group policy creator owners > - enterprise admins > - schema admins > - dnsadmins > - Administrator > > I've added "username map = /etc/samba/user.map" to my smb.conf > > I've created /etc/samba/user.map > > ls -la /etc/samba/user.map > -rw-r--r-- 1 root root 73 Sep 21 20:53 /etc/samba/user.map > > cat /etc/samba/user.map > !root = PHM\Administrator PHM\administrator Administrator administrator > > Here is the output of the getfacl command you requested I run: > > sudo getfacl /mnt/md0/samba_shares/Accounts > getfacl: Removing leading '/' from absolute path names > # file: mnt/md0/samba_shares/Accounts > # owner: itwerks > # group: domain\040admins > user::rwx > group::rwx > other::rwx > default:user::rwx > default:group::rwx > default:group:domain\040admins:rwx > default:mask::rwx > default:other::rwx > > Regards, > > JS > > On Thu, Sep 22, 2016 at 1:35 AM, Jason Secord <it at plymouthhistory.org> > wrote: > >> I ran another test of a share on the raid array after making the changes >> you suggested Rowland. I reset the ACLs on /mnt/md0/samba_shares/test as >> outlined in the wiki and set the default group to domain admins. I >> executed setfacl commands g=rwx and chgrp domain admins, then added the >> directory to my smb.conf and ran "smbcontrol all reload-config". I then >> logged in to a Windows box as administrator and set ACLs for my test domain >> user account, allowing full control in both share permissions and the >> security tabs, applied settings and closed the snap-in. >> >> I then logged in to another machine as my test user and tried to access >> the new share and still received access denied. >> >> I'd be oh so happy if this thread ends and the raid controller isn't the >> root cause of this issue, but my gut says it must be as shares that I >> copied from the array to the system drive retained the ACLs I had set >> previously and we're accessible without modification. I just wish I could >> find some indication that this is a known issue, my Google fu fails to >> reveal any evidence supporting the theory. >> >> JS >> >> On Sep 21, 2016 9:02 PM, "Jason Secord" <it at plymouthhistory.org> wrote: >> >>> Hi Rowland, >>> >>> First off, thanks again for your help, your insight is invaluable. >>> >>> I have completed the changes you suggested: >>> >>> I've used ADUC to remove the NIS Domain and UID/GID number from the >>> following Users/Groups: >>> >>> - group policy creator owners >>> - enterprise admins >>> - schema admins >>> - dnsadmins >>> - Administrator >>> >>> I've added "username map = /etc/samba/user.map" to my smb.conf >>> >>> I've created /etc/samba/user.map >>> >>> ls -la /etc/samba/user.map >>> -rw-r--r-- 1 root root 73 Sep 21 20:53 /etc/samba/user.map >>> >>> cat /etc/samba/user.map >>> !root = PHM\Administrator PHM\administrator Administrator administrator >>> >>> Here is the output of the getfacl command you requested I run: >>> >>> sudo getfacl /mnt/md0/samba_shares/Accounts >>> getfacl: Removing leading '/' from absolute path names >>> # file: mnt/md0/samba_shares/Accounts >>> # owner: itwerks >>> # group: domain\040admins >>> user::rwx >>> group::rwx >>> other::rwx >>> default:user::rwx >>> default:group::rwx >>> default:group:domain\040admins:rwx >>> default:mask::rwx >>> default:other::rwx >>> >>> Regards, >>> >>> JS >>> >>> >>> On Wed, Sep 21, 2016 at 12:06 PM, Rowland Penny via samba < >>> samba at lists.samba.org> wrote: >>> >>>> On Wed, 21 Sep 2016 11:09:15 -0400 >>>> Jason Secord <it at plymouthhistory.org> wrote: >>>> >>>> > Hi Rowland, >>>> > >>>> > I've already removed all "admin users" and "valid users" entries from >>>> > my smb.conf, they ended up there after hours of confusion trying to >>>> > drill down to the root of the problem. >>>> > >>>> > To remove the aforementioned UID/GIDs, I can do that via the tab in >>>> > ADUC, correct? Is there a document best practices when applying UNIX >>>> > attributes to accounts? >>>> >>>> You can do it with ADUC, or you can use ldb or ldap tools or ADSI edit. >>>> >>>> > >>>> > I haven't encountered any mention of creating a user.map in the >>>> > documentation, nor have I ever created one in the past. Is this >>>> > something that is considered a best practice a well? Can you point >>>> > me to any documentation on user.maps? >>>> >>>> Not too sure about the documentation, There is some in 'man smb.conf', >>>> but it is easier to describe it to you. >>>> >>>> On a Samba AD DC, Administrator gets mapped to root automatically, but >>>> on a domain member it isn't. There are two schools of thought here, >>>> one is to give Administrator a uidNumber, but I don't recommend this. >>>> If you do give Administrator a uidNumber, it becomes just another >>>> Unix user with just the same permissions as any other user and it >>>> breaks the DC. The other option is to use a 'username map', this will >>>> do what the DC does and maps Administrator to the root user. >>>> >>>> > I will make this adjustments >>>> > tonight and update you along with the results of that getfacl command >>>> > you requested. >>>> > >>>> > I have applied ACLs to all shares already. >>>> > >>>> >>>> -- >>>> To unsubscribe from this list go to the following URL and read the >>>> instructions: https://lists.samba.org/mailman/options/samba >>>> >>> >>> >
Rowland Penny
2016-Sep-23 06:47 UTC
[Samba] Domain Member Server: Domain Users cannot access shares
On Thu, 22 Sep 2016 19:23:05 -0400 Jason Secord via samba <samba at lists.samba.org> wrote:> *Another reply that was accidentally sent to the wrong address...* > > I ran another test of a share on the raid array after making the > changes you suggested Rowland. I reset the ACLs > on /mnt/md0/samba_shares/test as outlined in the wiki and set the > default group to domain admins. I executed setfacl commands g=rwx > and chgrp domain admins, then added the directory to my smb.conf and > ran "smbcontrol all reload-config". I then logged in to a Windows > box as administrator and set ACLs for my test domain user account, > allowing full control in both share permissions and the security > tabs, applied settings and closed the snap-in. > > I then logged in to another machine as my test user and tried to > access the new share and still received access denied. > > I'd be oh so happy if this thread ends and the raid controller isn't > the root cause of this issue, but my gut says it must be as shares > that I copied from the array to the system drive retained the ACLs I > had set previously and we're accessible without modification. I just > wish I could find some indication that this is a known issue, my > Google fu fails to reveal any evidence supporting the theory. > > > Kind Regards, > > JS > > On Thu, Sep 22, 2016 at 7:21 PM, Jason Secord <it at plymouthhistory.org> > wrote: > > > Hi Rowland, > > > > > > *Apparently I accidentally replied directly to you instead of the > > list, this is from a couple days ago...* > > > > First off, thanks again for your help, your insight is invaluable. > > > > I have completed the changes you suggested: > > > > I've used ADUC to remove the NIS Domain and UID/GID number from the > > following Users/Groups: > > > > - group policy creator owners > > - enterprise admins > > - schema admins > > - dnsadmins > > - Administrator > > > > I've added "username map = /etc/samba/user.map" to my smb.conf > > > > I've created /etc/samba/user.map > > > > ls -la /etc/samba/user.map > > -rw-r--r-- 1 root root 73 Sep 21 20:53 /etc/samba/user.map > > > > cat /etc/samba/user.map > > !root = PHM\Administrator PHM\administrator Administrator > > administrator > > > > Here is the output of the getfacl command you requested I run: > > > > sudo getfacl /mnt/md0/samba_shares/Accounts > > getfacl: Removing leading '/' from absolute path names > > # file: mnt/md0/samba_shares/Accounts > > # owner: itwerks > > # group: domain\040admins > > user::rwx > > group::rwx > > other::rwx > > default:user::rwx > > default:group::rwx > > default:group:domain\040admins:rwx > > default:mask::rwx > > default:other::rwx > >If you look at the result of the 'getfacl' command, you can see that the share belongs to itwerks:Domain Admins, they both have 'rwx' permissions and 'others' is supposed to also get 'rwx' permissions, but I don't think it is working this way. Can I suggest you read this wiki page: https://wiki.samba.org/index.php/Shares_with_Windows_ACLs Rowland
Jason Secord
2016-Sep-23 07:30 UTC
[Samba] Domain Member Server: Domain Users cannot access shares
Mediawiki is throwing an error at this moment but I followed that page when I set up the shares and triple checked everything when I last reset ACLs. JS On Sep 23, 2016 2:51 AM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:> On Thu, 22 Sep 2016 19:23:05 -0400 > Jason Secord via samba <samba at lists.samba.org> wrote: > > > *Another reply that was accidentally sent to the wrong address...* > > > > I ran another test of a share on the raid array after making the > > changes you suggested Rowland. I reset the ACLs > > on /mnt/md0/samba_shares/test as outlined in the wiki and set the > > default group to domain admins. I executed setfacl commands g=rwx > > and chgrp domain admins, then added the directory to my smb.conf and > > ran "smbcontrol all reload-config". I then logged in to a Windows > > box as administrator and set ACLs for my test domain user account, > > allowing full control in both share permissions and the security > > tabs, applied settings and closed the snap-in. > > > > I then logged in to another machine as my test user and tried to > > access the new share and still received access denied. > > > > I'd be oh so happy if this thread ends and the raid controller isn't > > the root cause of this issue, but my gut says it must be as shares > > that I copied from the array to the system drive retained the ACLs I > > had set previously and we're accessible without modification. I just > > wish I could find some indication that this is a known issue, my > > Google fu fails to reveal any evidence supporting the theory. > > > > > > Kind Regards, > > > > JS > > > > On Thu, Sep 22, 2016 at 7:21 PM, Jason Secord <it at plymouthhistory.org> > > wrote: > > > > > Hi Rowland, > > > > > > > > > *Apparently I accidentally replied directly to you instead of the > > > list, this is from a couple days ago...* > > > > > > First off, thanks again for your help, your insight is invaluable. > > > > > > I have completed the changes you suggested: > > > > > > I've used ADUC to remove the NIS Domain and UID/GID number from the > > > following Users/Groups: > > > > > > - group policy creator owners > > > - enterprise admins > > > - schema admins > > > - dnsadmins > > > - Administrator > > > > > > I've added "username map = /etc/samba/user.map" to my smb.conf > > > > > > I've created /etc/samba/user.map > > > > > > ls -la /etc/samba/user.map > > > -rw-r--r-- 1 root root 73 Sep 21 20:53 /etc/samba/user.map > > > > > > cat /etc/samba/user.map > > > !root = PHM\Administrator PHM\administrator Administrator > > > administrator > > > > > > Here is the output of the getfacl command you requested I run: > > > > > > sudo getfacl /mnt/md0/samba_shares/Accounts > > > getfacl: Removing leading '/' from absolute path names > > > # file: mnt/md0/samba_shares/Accounts > > > # owner: itwerks > > > # group: domain\040admins > > > user::rwx > > > group::rwx > > > other::rwx > > > default:user::rwx > > > default:group::rwx > > > default:group:domain\040admins:rwx > > > default:mask::rwx > > > default:other::rwx > > > > > If you look at the result of the 'getfacl' command, you can see that > the share belongs to itwerks:Domain Admins, they both have 'rwx' > permissions and 'others' is supposed to also get 'rwx' permissions, but > I don't think it is working this way. Can I suggest you read this wiki > page: > > https://wiki.samba.org/index.php/Shares_with_Windows_ACLs > > Rowland > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Reasonably Related Threads
- Domain Member Server: Domain Users cannot access shares
- Domain Member Server: Domain Users cannot access shares
- Domain Member Server: Domain Users cannot access shares
- Domain Member Server: Domain Users cannot access shares
- Domain Member Server: Domain Users cannot access shares