Rommel Rodriguez Toirac
2017-Apr-06 13:47 UTC
[Samba] Can not change the share permissions
Hello all;

In my network I have a server with samba4 as AD DC and two domain members as file servers with samba4. One of them works properly, but the other does not.

My samba4 AD DC version is compiled from sources:

[root@gtmad ~]# samba -V
Version 4.5.5

The samba4 domain members (file servers) are installed from the .rpm packages of CentOS7.

[root@gtmpve /]# uname --all
Linux gtmpve.gtm.onat.gob.cu 3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3 00:04:05 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@gtmpve /]# smbd -V
Version 4.4.4
[root@gtmpve /]# nmbd -V
Version 4.4.4
[root@gtmpve /]# winbindd -V
Version 4.4.4

The problem is that I cannot share a directory using Windows or POSIX ACLs.

Trying with Windows ACLs: I use the Windows 7 RSAT. I use Computer Management and the option Shared Folders. There I change the folder permissions using the Share Permissions tab with no problem, but when I try with the Security tab it never lets me, because of "No access, permission denied". From the network, I can see the share, but cannot access it or its content.

Locally (in the CentOS7 PC with samba4) I can change the owner and permissions of the directory:

chmod -R 770 /samba/bibliografia/
chown -R 'ATGTM00\Administrator':'ATGTM00\Domain Admins' /samba/bibliografia/

I test and I guess it is OK:

[root@gtmpve /]# getfacl --access /samba/bibliografia
getfacl: Eliminando '/' inicial en nombres de ruta absolutos
# file: samba/bibliografia
# owner: ATGTM00\134administrator
# group: ATGTM00\134domain\040admins
user::rwx
group::rwx
other::---

I check if everything is in place for winbind and if it is working fine:

[root@gtmpve /]# smbd -b | grep LIBDIR
   LIBDIR: /usr/lib64
[root@gtmpve /]# find / -type f -name pam_winbind.so
/usr/lib64/security/pam_winbind.so
[root@gtmpve /]# ln -s /usr/lib64/security/pam_winbind.so /lib64/security/
ln: fallo al crear el enlace simbólico «/lib64/security/pam_winbind.so»: El fichero ya existe (File already exists)
[root@gtmpve /]# ln -s /usr/lib64/libnss_winbind.so.2 /lib64/
ln: fallo al crear el enlace simbólico «/lib64/libnss_winbind.so.2»: El fichero ya existe
[root@gtmpve /]# ln -s /lib64/libnss_winbind.so.2 /lib64/libnss_winbind.so
ln: fallo al crear el enlace simbólico «/lib64/libnss_winbind.so»: El fichero ya existe
[root@gtmpve lib64]# ldconfig --print-cache
339 bibliotecas se encontraron en la caché `/etc/ld.so.cache'
        libnss_winbind.so.2 (libc6,x86-64) => /lib64/libnss_winbind.so.2
        libnss_winbind.so (libc6,x86-64) => /lib64/libnss_winbind.so
[root@gtmpve /]# wbinfo --ping-dc
checking the NETLOGON for domain[ATGTM00] dc connection to "gtmad.gtm.onat.gob.cu" succeeded
[root@gtmpve /]# wbinfo -u
(Not the complete list, to keep the email short)
ATGTM00\rommel
ATGTM00\administrator
[root@gtmpve /]# wbinfo -g
ATGTM00\informatica
ATGTM00\domain controllers
ATGTM00\economia
ATGTM00\domain admins
ATGTM00\domain users

I made a lot of tests and checks. Here are the results:

[root@gtmpve /]# net ads info
LDAP server: 192.168.41.17
LDAP server name: gtmad.gtm.onat.gob.cu
Realm: GTM.ONAT.GOB.CU
Bind Path: dc=GTM,dc=ONAT,dc=GOB,dc=CU
LDAP port: 389
Server time: vie, 31 mar 2017 11:04:12 CDT
KDC server: 192.168.41.17
Server time offset: 0
Last machine account password change: lun, 27 mar 2017 17:09:04 CDT
[root@gtmpve /]# getent passwd
(Not the complete list, to keep the email short)
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin
ATGTM00\rommel:*:21144:20513:Rommel Rodriguez Toirac:/home/rommel:/bin/bash
ATGTM00\administrator:*:20500:20513::/home/administrator:/bin/bash
[root@gtmpve /]# getent group
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
nfsnobody:x:65534:
ntp:x:38:
wbpriv:x:88:
saslauth:x:76:
ATGTM00\informatica:x:21142:
ATGTM00\economia:x:21162:
ATGTM00\domain admins:x:20512:
ATGTM00\domain users:x:20513:
[root@gtmpve /]# getent passwd 'ATGTM00\administrator'
ATGTM00\administrator:*:20500:20513::/home/administrator:/bin/bash
[root@gtmpve /]# getent passwd 'ATGTM00\rommel'
ATGTM00\rommel:*:21144:20513:Rommel Rodriguez Toirac:/home/rommel:/bin/bash
[root@gtmpve /]# id 'ATGTM00\rommel'
uid=21144(ATGTM00\rommel) gid=20513(ATGTM00\domain users) grupos=20513(ATGTM00\domain users),21144(ATGTM00\rommel),21142(ATGTM00\informatica),90000002(BUILTIN\users)
[root@gtmpve /]# id 'ATGTM00\Administrator'
uid=20500(ATGTM00\administrator) gid=20513(ATGTM00\domain users) grupos=20513(ATGTM00\domain users),20500(ATGTM00\administrator),20520(ATGTM00\group policy creator owners),20572(ATGTM00\denied rodc password replication group),20519(ATGTM00\enterprise admins),20518(ATGTM00\schema admins),20512(ATGTM00\domain admins),90000002(BUILTIN\users),90000001(BUILTIN\administrators)

Here is where I see some problem: "Could not connect to server 127.0.0.1". I suppose that must be 192.168.41.17, which is the IP address of the samba4 AD DC.

[root@gtmpve ~]# net rpc rights list privileges SeDiskOperatorPrivilege -U 'ATGM00\administrator'
Enter ATGM00\administrator's password:
Bad SMB2 signature for message
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0000] 85 28 83 F4 26 78 EB 45   1C DE 05 C1 EE E1 C3 84   .(..&x.E ........
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_ACCESS_DENIED
[root@gtmpve ~]# net rpc rights grant "ATGTM00\Domain Admins" SeDiskOperatorPrivilege -U "ATGM00\administrator"
Enter ATGM00\administrator's password:
Bad SMB2 signature for message
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0000] 2C 58 E4 F2 35 60 CC 3B   A7 D6 D5 60 C4 C7 BF 27   ,X..5`.; ...`...'
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_ACCESS_DENIED

Some of my configurations:

[root@gtmpve /]# cat /etc/nsswitch.conf
(Just the part that includes winbind)
#
passwd: files winbind
group: files winbind

The samba4 configuration:

[root@gtmpve samba]# cat /etc/samba/smb.conf
[global]
netbios name = gtmpve
security = ADS
workgroup = ATGTM00
realm = GTM.ONAT.GOB.CU
log file = /var/log/samba/%m.log
log level = 10
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config ATGTM00:backend = rid
idmap config ATGTM00:range = 10000-99999
winbind nss info = template
winbind enum groups = yes
winbind enum users = yes
template shell = /bin/bash
template homedir = /home/%U
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
create mask = 0666
directory mask = 0777
dos filemode = yes
acl allow execute always = yes
guest account = nobody
map to guest = Bad User
server string = Servidor de archivos #2
server role = member server
local master = no
domain master = no
preferred master = no
load printers = no
printcap name = /dev/null
disable spoolss = yes

[bibliografia]
path = /samba/bibliografia/
read only = no
printable = no
writeable = yes
browseable = yes

Kerberos configuration:

[root@gtmpve samba]# cat /etc/krb5.conf
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = GTM.ONAT.GOB.CU

Other configurations:

[root@gtmpve samba]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.41.16 gtmpve.gtm.onat.gob.cu gtmpve
[root@gtmpve samba]# cat /etc/hostname
gtmpve.gtm.onat.gob.cu
[root@gtmpve samba]# cat /etc/resolv.conf
# Generated by NetworkManager
search gtm.onat.gob.cu
nameserver 192.168.41.17
nameserver 192.168.41.12

Any idea of what can be happening to me, that I cannot change the permissions of shares in the samba4 domain member which will be a file server?

Rommel Rodriguez Toirac
rommelrt at nauta.cu
Hi Rommel,

On 06.04.2017 at 15:47, Rommel Rodriguez Toirac via samba wrote:
> The problem is that I cannot share a directory using Windows
> or POSIX ACLs. Trying with Windows ACLs: I use the Windows 7
> RSAT. I use Computer Management and the option Shared
> Folders. There I change the folder permissions using the
> Share Permissions tab with no problem, but when I
> try with the Security tab it never lets me, because of
> "No access, permission denied". From the network, I can
> see the share, but cannot access it or its content.

Can you please verify that your setup matches everything described in our guides:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

> Here is where I see some problem: "Could not connect to server 127.0.0.1".
> I suppose that must be 192.168.41.17, which is the IP address
> of the samba4 AD DC.

Privileges are stored on each host locally. Therefore you set it on your file server and not on the DC.

> [root@gtmpve ~]# net rpc rights list privileges SeDiskOperatorPrivilege -U 'ATGM00\administrator'
> Enter ATGM00\administrator's password:
> Bad SMB2 signature for message
> [0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
> [0000] 85 28 83 F4 26 78 EB 45   1C DE 05 C1 EE E1 C3 84   .(..&x.E ........
> Could not connect to server 127.0.0.1
> Connection failed: NT_STATUS_ACCESS_DENIED

Have a look at this thread:
https://lists.samba.org/archive/samba/2015-September/194284.html
There was a solution for the "Bad SMB2 signature for message" error at the end of the thread.

Regards,
Marc
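The reply above asks the poster to verify the setup against the domain-member and Windows-ACL wiki guides. The following is an added example (not code from the thread or from the Samba project) of doing that verification offline: it parses the [global] section of an smb.conf, checks that the default (*) idmap range and the domain range do not overlap, checks that the three [global] options the Windows-ACL guide requires (vfs objects = acl_xattr, map acl inherit = yes, store dos attributes = yes) are present, and then cross-checks `id` output against the configured ranges. The sample smb.conf and the `id` line are constructed from what was posted in the thread; note that the two BUILTIN ids in that output (90000001 and 90000002) fall in no configured range, which the checker flags, since neither the tdb default backend nor the rid backend can allocate an id outside its range under the posted configuration. The function and constant names are this example's own.

```python
import re

# Constructed input: the [global] section and the share from the thread,
# re-typed here as sample data (nothing is read from a live host).
SMB_CONF = """\
[global]
netbios name = gtmpve
security = ADS
workgroup = ATGTM00
realm = GTM.ONAT.GOB.CU
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config ATGTM00:backend = rid
idmap config ATGTM00:range = 10000-99999
winbind nss info = template
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
server role = member server
[bibliografia]
path = /samba/bibliografia/
read only = no
"""

# Constructed input: the `id 'ATGTM00\Administrator'` line from the thread.
ID_OUTPUT = (r"uid=20500(ATGTM00\administrator) gid=20513(ATGTM00\domain users) "
             r"grupos=20513(ATGTM00\domain users),20500(ATGTM00\administrator),"
             r"20512(ATGTM00\domain admins),90000002(BUILTIN\users),"
             r"90000001(BUILTIN\administrators)")

# [global] options the "Setting up a Share Using Windows ACLs" guide requires;
# the value is the token that must appear in the option's value.
REQUIRED_GLOBAL = {"vfs objects": "acl_xattr",
                   "map acl inherit": "yes",
                   "store dos attributes": "yes"}

RANGE_KEY = re.compile(r"^idmapconfig(.+):range$")
ID_TOKEN = re.compile(r"(\d+)\(([^)]*)\)")


def parse_global(conf):
    """Return [global] parameters as {normalised key: value}. Samba parameter
    names are case- and whitespace-insensitive, so keys are lower-cased with
    all whitespace removed ("idmap config *:range" -> "idmapconfig*:range")."""
    params, section = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.lower().split())] = value.strip()
    return params


def idmap_ranges(conf):
    """{DOMAIN: (low, high)} for every 'idmap config DOMAIN:range' in [global]."""
    ranges = {}
    for key, value in parse_global(conf).items():
        m = RANGE_KEY.match(key)
        if not m:
            continue
        low, high = (int(x) for x in value.split("-", 1))
        if low > high:
            raise ValueError(f"inverted idmap range for {m.group(1)}: {value}")
        ranges[m.group(1).upper()] = (low, high)
    return ranges


def overlapping_ranges(ranges):
    """Pairs of domains whose id ranges intersect (the guide requires disjoint ranges)."""
    doms = sorted(ranges)
    return [(a, b) for i, a in enumerate(doms) for b in doms[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def missing_acl_options(conf):
    """Required [global] options that are absent or lack the expected token."""
    params = parse_global(conf)
    missing = []
    for name, expected in REQUIRED_GLOBAL.items():
        have = params.get("".join(name.split()), "")
        if expected not in have.lower().split():
            missing.append(name)
    return missing


def ids_outside_ranges(id_output, ranges):
    """Domain-qualified ids (name contains the winbind separator '\\') from `id`
    output that sit in no configured idmap range. Local accounts have no
    separator and are skipped. Such ids cannot be allocated under the current
    config, so they usually point at a stale winbind/idmap cache or at a
    configuration changed after the ids were first mapped."""
    bad = set()
    for num, name in ID_TOKEN.findall(id_output):
        if "\\" not in name:
            continue
        num = int(num)
        if not any(lo <= num <= hi for lo, hi in ranges.values()):
            bad.add((num, name))
    return sorted(bad)


def review(conf, id_output):
    """All findings as short strings; an empty list means every check passed."""
    ranges = idmap_ranges(conf)
    findings = [f"overlapping idmap ranges: {a} and {b}"
                for a, b in overlapping_ranges(ranges)]
    findings += [f"missing/incorrect [global] option: {name}"
                 for name in missing_acl_options(conf)]
    findings += [f"id {num} ({name}) is outside every configured idmap range"
                 for num, name in ids_outside_ranges(id_output, ranges)]
    return findings


if __name__ == "__main__":
    for finding in review(SMB_CONF, ID_OUTPUT):
        print("FINDING:", finding)
```

Run on a real host by reading /etc/samba/smb.conf and the output of `id` for a domain account into the two arguments of review(); the checks are deliberately read-only so the script can be run on a file server without changing anything.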
Rommel Rodriguez Toirac
2017-Apr-06 19:19 UTC
[Samba] Can not change the share permissions
On April 6, 2017 12:37:35 GMT-04:00, Marc Muehlfeld via samba <samba at lists.samba.org> wrote:
>Hi Rommel,
>
>On 06.04.2017 at 15:47, Rommel Rodriguez Toirac via samba wrote:
>> The problem is that I cannot share a directory using Windows
>> or POSIX ACLs. Trying with Windows ACLs: I use the Windows 7
>> RSAT. I use Computer Management and the option Shared
>> Folders. There I change the folder permissions using the
>> Share Permissions tab with no problem, but when I
>> try with the Security tab it never lets me, because of
>> "No access, permission denied". From the network, I can
>> see the share, but cannot access it or its content.
>
>Can you please verify that your setup matches everything described in
>our guides:
>https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
>> Here is where I see some problem: "Could not connect to server
>127.0.0.1".
>> I suppose that must be 192.168.41.17, which is the IP address
>> of the samba4 AD DC.
>
>Privileges are stored on each host locally. Therefore you set it on
>your
>file server and not on the DC.
>
>> [root@gtmpve ~]# net rpc rights list privileges
>SeDiskOperatorPrivilege -U 'ATGM00\administrator'
>> Enter ATGM00\administrator's password:
>> Bad SMB2 signature for message
>> [0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
>> [0000] 85 28 83 F4 26 78 EB 45   1C DE 05 C1 EE E1 C3 84   .(..&x.E ........
>> Could not connect to server 127.0.0.1
>> Connection failed: NT_STATUS_ACCESS_DENIED
>
>Have a look at this thread:
>https://lists.samba.org/archive/samba/2015-September/194284.html
>There was a solution for the "Bad SMB2 signature for message" error at
>the end of the thread.
>
>Regards,
>Marc

I followed your guides to configure the domain member server and the file server.

In this message I send the result of some checks that you propose in this guide, plus others that I read in some messages of the list.

Regarding the smb2 error, I used the solution proposed, "server signing", with all options (default, mandatory, disabled and auto), and always got the same answer.

Rommel Rodriguez Toirac
rommelrt at nauta.cu