Cybulski, Adam M
2017-Jun-20 20:21 UTC
[Samba] Samba and AD based home shares are visible but not accessible
I've set up a CentOS system in my predominantly Windows environment. Getting it to authenticate users with ssh based on AD user groups using KRB5 and SSSD was comparatively easy, but I am not able to share files from it.

I followed the guide here to get as far as I did: https://www.centos.org/forums/viewtopic.php?t=52872

When I browse to the server using \\<serverIP> I am presented with the folder USERAID@Univ.school.edu which corresponds to the account I am logged into the Windows computer with. However, when I try to open it, I am told I do not have permission. I tried to create a non-home folder that all members of the AD group would be able to have access to, but I seem to be experiencing the same result.

Here is my smb.conf file, sanitized, but with as much information intact as I could manage. I have been at this all day battling it out with suggestions from Google and previous posts in this mailing list with no success.

# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
        workgroup = <simplified domain name>
        realm = univ.school.edu
        netbios name = hostname
        password server = *
        server string = Samba Server Version %v
        security = ADS
        log file = /var/log/samba/log.%m
        max log size = 5000
        load printers = No
        idmap config * : backend = tdb
        log level = 4
        local master = no
        domain master = no
        preferred master = no
        wins support = no
        wins proxy = no
        dns proxy = yes
        name resolve order = wins bcast host lmhosts
        #username map script = /bin/echo

#============================ Share Definitions =============================

[homes]
        comment = Home Directories
        browseable = no
        writable = yes
        valid users = UserAID@univ.school.edu, @"linuxprojectgroup@univ.school.edu"
        read only = no

[share]
        comment = share
        path = /share
        browseable = yes
        writable = yes
        valid users = @"linuxprojectgroup@univ.school.edu"
Rowland Penny
2017-Jun-20 20:58 UTC
[Samba] Samba and AD based home shares are visible but not accessible
On Tue, 20 Jun 2017 20:21:14 +0000
"Cybulski, Adam M via samba" <samba at lists.samba.org> wrote:

> I've set up a CentOS system in my predominantly Windows environment.
> Getting it to authenticate users with ssh based on AD user groups
> using KRB5 and SSSD was comparatively easy, but I am not able to
> share files from it.
>
> I followed the guide here to get as far as I did:
> https://www.centos.org/forums/viewtopic.php?t=52872
>
> When I browse to the server using \\<serverIP> I
> am presented with the folder USERAID@Univ.school.edu which
> corresponds to the account I am logged into the Windows computer
> with. However, when I try to open it, I am told I do not have
> permission. I tried to create a non-home folder that all members of
> the AD group would be able to have access to, but I seem to be
> experiencing the same result.
>
> Here is my smb.conf file, sanitized, but with as much information
> intact as I could manage. I have been at this all day battling it out
> with suggestions from Google and previous posts in this mailing list
> with no success.
>
>
> # See smb.conf.example for a more detailed config file or
> # read the smb.conf manpage.
> # Run 'testparm' to verify the config is correct after
> # you modified it.
>
> [global]
>         workgroup = <simplified domain name>
>         realm = univ.school.edu
>         netbios name = hostname
>         password server = *
>         server string = Samba Server Version %v
>         security = ADS
>         log file = /var/log/samba/log.%m
>         max log size = 5000
>         load printers = No
>         idmap config * : backend = tdb
>         log level = 4
>         local master = no
>         domain master = no
>         preferred master = no
>         wins support = no
>         wins proxy = no
>         dns proxy = yes
>         name resolve order = wins bcast host lmhosts
>         #username map script = /bin/echo
>
> #============================ Share Definitions =============================
>
> [homes]
>         comment = Home Directories
>         browseable = no
>         writable = yes
>         valid users = UserAID@univ.school.edu, @"linuxprojectgroup@univ.school.edu"
>         read only = no
>
> [share]
>         comment = share
>         path = /share
>         browseable = yes
>         writable = yes
>         valid users = @"linuxprojectgroup@univ.school.edu"

Hi, do you want it to work, or do you want to use sssd ?

If the latter, then I suggest you contact the sssd-users mailing list, you are not using Samba for authentication.

If you do want it to work, then Samba recommends using winbind, see here for how to set up a Unix domain member:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
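As an added example for this thread (not code from the Samba project or from anyone posting here): a small Python checker that parses an smb.conf and reports whether its idmap settings follow the layout the wiki page above gives for a winbind domain member. Both configurations inside it are constructed. The first keeps the single idmap line from the original post (a backend for the default '*' domain, no range, nothing for the AD domain); the second adds a range for '*' plus a rid backend and a non-overlapping range for the domain named by 'workgroup'. EXAMPLE and EXAMPLE.SCHOOL.EDU are placeholder domain names, and the checks cover only the idmap parameters, not everything Samba accepts.

```python
"""Check the idmap settings an smb.conf needs as a winbind domain member.
Added example for this thread, not Samba project code.  Both configs
below are constructed; EXAMPLE / EXAMPLE.SCHOOL.EDU are placeholders."""
import configparser
import re

# Constructed: the essential [global] lines from the original post, with
# only a backend (no range) for the default '*' domain and nothing for the
# AD domain itself.
ORIGINAL_SMB_CONF = """\
[global]
workgroup = EXAMPLE
realm = EXAMPLE.SCHOOL.EDU
security = ADS
idmap config * : backend = tdb
log level = 4

[share]
path = /share
read only = no
valid users = @"EXAMPLE\\linuxprojectgroup"
"""

# Constructed: the same server laid out as the Samba wiki's domain-member
# example does it: a writable tdb backend with its own range for '*', and a
# rid backend with a non-overlapping range for the AD domain.
FIXED_SMB_CONF = """\
[global]
workgroup = EXAMPLE
realm = EXAMPLE.SCHOOL.EDU
security = ADS
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-999999
winbind use default domain = yes
template shell = /bin/bash
template homedir = /home/%U

[share]
path = /share
read only = no
valid users = @"EXAMPLE\\linuxprojectgroup"
"""

IDMAP_KEY = re.compile(r"idmap config\s+(\S+)\s*:\s*(\w+)")


def parse_smb_conf(text):
    """smb.conf is ini-like: '=' is the only delimiter, and '%' macros
    such as %U must not be interpolated."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    cp.read_string(text)
    return cp


def parse_range(value):
    """'LOW-HIGH' -> (low, high), or None if malformed or reversed."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m or int(m.group(1)) > int(m.group(2)):
        return None
    return int(m.group(1)), int(m.group(2))


def idmap_settings(global_section):
    """Collect 'idmap config DOM : param = value' into {DOM: {param: value}}.
    configparser lower-cases keys, so the domain name is upper-cased back."""
    found = {}
    for key, value in global_section.items():
        m = IDMAP_KEY.fullmatch(key)
        if m:
            found.setdefault(m.group(1).upper(), {})[m.group(2)] = value.strip()
    return found


def check_domain_member(text):
    """Return a list of problems; empty means the idmap layout matches the
    wiki's domain-member example."""
    cp = parse_smb_conf(text)
    g = cp["global"] if cp.has_section("global") else {}
    problems = []
    if g.get("security", "").strip().lower() != "ads":
        problems.append("security must be ADS for an AD domain member")
    workgroup = g.get("workgroup", "").strip().upper()
    if not workgroup or not g.get("realm", "").strip():
        problems.append("workgroup (NetBIOS domain name) and realm must both be set")
    idmap = idmap_settings(g)
    default = idmap.get("*", {})
    if default.get("backend", "").lower() not in ("tdb", "autorid"):
        problems.append("idmap config * : backend must be a writable backend such as tdb")
    if "range" not in default:
        problems.append("idmap config * : range is missing, so BUILTIN and "
                        "unknown SIDs cannot be mapped to IDs")
    # autorid on '*' covers every domain; otherwise the AD domain needs its own.
    if workgroup and default.get("backend", "").lower() != "autorid":
        dom = idmap.get(workgroup, {})
        if dom.get("backend", "").lower() not in ("rid", "ad"):
            problems.append(f"idmap config {workgroup} : backend must be rid or ad; "
                            "without it domain users and groups get no UID/GID")
        if "range" not in dom:
            problems.append(f"idmap config {workgroup} : range is missing")
    ranges = {}
    for name, params in idmap.items():
        if "range" in params:
            r = parse_range(params["range"])
            if r is None:
                problems.append(f"idmap config {name} : range '{params['range']}' is not LOW-HIGH")
            else:
                ranges[name] = r
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"idmap ranges for {a} and {b} overlap; winbind "
                                "would hand out the same ID twice")
    return problems


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(f"{label}: {check_domain_member(conf) or 'no idmap problems found'}")
```

Run directly, it reports three problems for the original layout (no '*' range, no backend and no range for the AD domain) and none for the fixed one. It is a supplement to, not a replacement for, running testparm on the real file.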
Rowland Penny
2017-Jul-11 17:43 UTC
[Samba] Samba and AD based home shares are visible but not accessible
On Tue, 11 Jul 2017 17:20:05 +0000
"Cybulski, Adam M" <acybulski at albany.edu> wrote:

> That's a very discouraging answer. I'm really struggling to get the
> hang of this server, and doing a lot of reading and research, I'm
> using SSSD because it seemed to be the best method for allowing an AD
> group log in privileges on the machine, it's recommended by Red Hat,
> and it's what came packaged with my distro.

Yes, Red Hat promotes sssd, because it is their package. I don't actually think it is the best method for authentication on a Samba machine. Are you also aware that sssd uses a version of a winbind lib ? So why not go the whole way and use winbind, this will get you a set up fully supported by Samba.

> It took me three weeks
> to make it work for authenticating users, and now I'm being told it
> won't work if I also want to share a folder? These things should not
> be this difficult to integrate.

You should have asked here earlier, I can guarantee that you would have had a working system (with winbind) well inside your three weeks.

> Someone else has pointed out to me that the issue most likely lies in
> configuring ACLs, as I can connect to the system and see the shares,
> but do not have permissions to open them. I've added the needed lines
> to my smb.conf, mapped an admin account to root, and added
> interfaces = lo eth0 so it will look on the loopback, but when I try
> to add anyone with
>
> sudo net rpc rights grant 'domain\linuxproject' SeDiskOperatorPrivilege -U domain\admin
>
> I constantly get:
>
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> I really hope you can give me some more advice beyond, throw out
> everything and start over with winbind.

The only user you should map to 'root' is 'Administrator'.

Does your OS know your user, i.e. does 'getent passwd admin' return anything ?

If you want to use winbind, then I am prepared to try and help you get it working, if you insist on using sssd, then I repeat, sssd is not supported by Samba, it is not a Samba product, so you will have to seek help through the sssd-users mailing list.

Rowland
Rowland Penny
2017-Jul-11 20:23 UTC
[Samba] Samba and AD based home shares are visible but not accessible
On Tue, 11 Jul 2017 20:03:33 +0000
"Cybulski, Adam M" <acybulski at albany.edu> wrote:

> Thanks Rowland, I'm giving it a go with winbind. Do I have to remove
> SSSD and drop off the domain to make it work?

I would do both.

> I've tried following
> the steps to join as a member server, but it's not gone that
> smoothly. I may try from the beginning with a second server.

What steps are you following ? Have you read the Samba wiki ?

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

> One of the things I've been struggling with is knowing when
> instructions want me to replace something with my environment's
> settings and when it needs to be typed as written.

Yes, it can sometimes be confusing ;-)

If you follow the Samba wiki and don't understand something, please ask, the only dumb question is the one you do not ask. It is also a two way street, if you don't understand something, chances are that others don't understand it either, so we need to make it clearer on the wiki.

> getent passwd admin does not return anything, but I don't know why it
> would, I have no account named Admin, neither on the Linux box, nor
> in my domain. Why would I map an account that doesn't exist?

I asked because you posted this:

sudo net rpc rights grant 'domain\linuxproject' SeDiskOperatorPrivilege -U domain\admin

I constantly get:

This clearly shows a user called 'admin'

Rowland
Stefan G. Weichinger
2017-Jul-11 21:26 UTC
[Samba] Samba and AD based home shares are visible but not accessible
On 2017-07-11 at 22:23, Rowland Penny via samba wrote:

> Yes, it can sometimes be confusing ;-)
> If you follow the Samba wiki and don't understand something, please
> ask, the only dumb question is the one you do not ask. It is also a two
> way street, if you don't understand something, chances are that others
> don't understand it either, so we need to make it clearer on the wiki.

I fully agree with that and like the approach: if someone understands something (maybe because he built it) it is hard or impossible for him to consider that someone might not understand ("something so obvious"). This is a fundamental problem with software and its documentation.

And IMO user feedback (constructive, polite, ...) is as relevant in the whole open source software model as the developer's part of the work.

A quote from Twitter earlier today:

"Incorrect documentation is often worse than no documentation." - Bertrand Meyer

;-)

To be explicit: I don't call samba-docs incorrect.