Hi,

I just installed a new AD-DC as described in the wiki. Administrator can log on and see the two default shares. Then I used ADUC from RSAT to create an OU and a user. The user can see the shares (and can map them to a drive letter), but is denied to look inside. Same for another share which I added. Even when Administrator grants permission to everybody.

I read more wiki, which made me add a group, and use the Unix tab to give the group and the user a UID. Then rebooted both server and client, but still no success.

What else is missing?

I know that using the DC as fileserver is not recommended, but at least netlogon and sysvol should work.

Klaus

Client: Win7
Server: Ubuntu 14.04 server
Samba : 4.6.8 compiled from source (./configure; make; make install)

Both run in VirtualBox. First ethernet adapter is NAT to outside world, second adapter is hostonly. Samba is told to use only the second one.

provision command:

    samba-tool domain provision --use-rfc2307 --interactive \
        --option="interfaces=lo eth1" --option="bind interfaces only=yes"

/etc/resolv.conf:

    nameserver 192.168.56.42
    search company.de

/etc/hosts:

    127.0.0.1 localhost localhost.localdomain
    ::1 localhost ip6-localhost ip6-loopback
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    192.168.56.1 adminpc
    192.168.56.42 dc1 dc1.ad.company.de

smb.conf:

    # Global parameters
    [global]
        bind interfaces only = Yes
        interfaces = lo eth1
        netbios name = DC1
        realm = AD.COMPANY.DE
        workgroup = COMPANY
        dns forwarder = 195.50.140.114
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        comment

    [netlogon]
        path = /usr/local/samba/var/locks/sysvol/ad.company.de/scripts
        read only = No

    [sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

    [test]
        path = /srv/samba/test
        read only = No

-- 
Message sent from a mobile device, please excuse brevity and typos
On Fri, 29 Sep 2017 11:32:16 +0200
Klaus Hartnegg via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I just installed a new AD-DC as described in the wiki.
> Administrator can log on and see the two default-shares.
> Then I used ADUC from RSAT to create an OU and a user.
> User can see the shares (and can map them to a drive letter),
> but is denied to look inside.
> [...]
> What else is missing?
> [...]

Have you set up the libnss_winbind links, PAM and /etc/nsswitch.conf ?

Rowland
And I suggest, in your /etc/hosts, change this part:

    192.168.56.1 adminpc.ad.company.de adminpc
    192.168.56.42 dc1.ad.company.de dc1

And /etc/resolv.conf:

    search ad.company.de company.de
    nameserver 192.168.56.42

The PC used, is it domain joined?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Klaus Hartnegg via samba
> Sent: Friday, 29 September 2017 11:32
> To: samba at lists.samba.org
> Subject: [Samba] user cannot access shares on new ad-dc
>
> Hi,
>
> I just installed a new AD-DC as described in the wiki.
> Administrator can log on and see the two default-shares.
> Then I used ADUC from RSAT to create an OU and a user.
> User can see the shares (and can map them to a drive letter),
> but is denied to look inside.
> [...]
> What else is missing?
> [...]
On 29.09.2017 11:44 Rowland Penny wrote:
> Have you set up the libnss_winbind links, PAM and /etc/nsswitch.conf ?

Yes, I had modified two lines in /etc/nsswitch.conf:

    passwd: files winbind
    group:  files winbind

No, I had not seen a pointer to libnss, but now did

    ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/i386-linux-gnu/
    ln -s /lib/i386-linux-gnu/libnss_winbind.so.2 /lib/i386-linux-gnu/libnss_winbind.so
    ldconfig

The wiki page Authenticating_Domain_Users_Using_PAM tells to NOT configure PAM on a DC.

I tried "net cache flush".

These tests succeed:

    wbinfo --ping-dc
    getent passwd COMPANY\\user
    getent group "COMPANY\\Domain Users"

The output of "getfacl sysvol" looks strange:

    # file: usr/local/samba/var/locks/sysvol
    # owner: root
    # group: BUILTIN\134administrators
    user::rwx
    user:root:rwx
    user:3000000:rwx
    group::rwx
    group:BUILTIN\134administrators:rwx
    group:BUILTIN\134server\040operators:r-x
    group:3000002:rwx
    group:3000003:r-x
    mask::rwx
    other::---
    default:user::rwx
    default:user:root:rwx
    default:user:3000000:rwx
    default:group::---
    default:group:BUILTIN\134administrators:rwx
    default:group:BUILTIN\134server\040operators:r-x
    default:group:3000002:rwx
    default:group:3000003:r-x
    default:mask::rwx
    default:other::---

I tried "samba-tool ntacl sysvolreset". This added a few lines to the output of getfacl:

    # file: usr/local/samba/var/locks/sysvol
    # owner: root
    # group: BUILTIN\134administrators
    user::rwx
    user:root:rwx
    user:3000000:rwx
    user:3000001:r-x
    user:3000002:rwx
    user:3000003:r-x
    group::rwx
    group:BUILTIN\134administrators:rwx
    group:BUILTIN\134server\040operators:r-x
    group:3000002:rwx
    group:3000003:r-x
    mask::rwx
    other::---
    default:user::rwx
    default:user:root:rwx
    default:user:3000000:rwx
    default:user:3000001:r-x
    default:user:3000002:rwx
    default:user:3000003:r-x
    default:group::---
    default:group:BUILTIN\134administrators:rwx
    default:group:BUILTIN\134server\040operators:r-x
    default:group:3000002:rwx
    default:group:3000003:r-x
    default:mask::rwx
    default:other::---

Users still cannot see the contents of any share. What else could be missing?

Klaus
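The listing above mixes resolved names (escaped by getfacl as BUILTIN\134administrators) with bare numbers such as 3000000 that the DC's NSS layer did not turn into a name. The following script is an added example, not code from the thread or from Samba: it parses getfacl(1) output, reports the entries whose qualifier is still numeric, and decodes the two octal escapes that appear in this listing. The sample input is copied from the first listing in Klaus's message; everything else is illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find ACL entries in getfacl output whose
# user/group qualifier is a bare UID/GID, i.e. one NSS could not map to a name.

# unresolved_acl_entries < getfacl-output
# Prints every named entry (default: entries included) whose qualifier is all
# digits, e.g. "user:3000000:rwx" or "default:group:3000002:rwx".
unresolved_acl_entries() {
    awk -F: '
        /^#/ || NF < 3 { next }             # header comments and blank lines
        {
            # "default:user:3000000:rwx" has 4 fields, "user:3000000:rwx" has 3;
            # the qualifier is the field before the permission string
            q = (NF == 4) ? $3 : $2
            if (q ~ /^[0-9]+$/) print $0
        }'
}

# count_unresolved < getfacl-output : number of such entries, for scripting
count_unresolved() {
    unresolved_acl_entries | wc -l | tr -d ' '
}

# decode_acl_names < getfacl-output
# getfacl escapes non-printable characters as \NNN octal. Only the two escapes
# present in the listing are undone here: \134 (backslash) and \040 (space).
decode_acl_names() {
    sed -e 's/\\134/\\/g' -e 's/\\040/ /g'
}

# Sample input: the first getfacl listing from the thread, verbatim.
SAMPLE_ACL=$(cat <<'EOF'
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:3000000:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
EOF
)

# Usage:  sh acl_check.sh /usr/local/samba/var/locks/sysvol   (live directory)
#         sh acl_check.sh --sample                             (listing above)
if [ "${1:-}" = "--sample" ]; then
    printf '%s\n' "$SAMPLE_ACL" | decode_acl_names
    echo "unresolved entries: $(printf '%s\n' "$SAMPLE_ACL" | count_unresolved)"
elif [ -n "${1:-}" ]; then
    getfacl "$1" | unresolved_acl_entries
fi
```

On the sample listing the script reports six unresolved entries (the three numeric IDs, each in the access ACL and again in the default ACL). If the same IDs stay numeric after the libnss_winbind links and nsswitch.conf changes are in place, `getent passwd 3000000` on the DC is the quickest way to see whether NSS can now resolve them.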
On 29.09.2017 11:49 L.P.H. van Belle wrote:
> And I suggest, in your /etc/hosts:
> Change this part.
> 192.168.56.1 adminpc.ad.company.de adminpc
> 192.168.56.42 dc1.ad.company.de dc1

I changed the order of FQDN and alias in the second line, but it did not make a difference. adminpc is not used during this test, so this line should be irrelevant.

> /etc/resolv.conf
> search ad.company.de company.de
> nameserver 192.168.56.42

So far I always used the full name to access the server, so this cannot be the reason. And it would not explain why it works for Administrator.

> The PC used, is it domain joined?

Yes.

Klaus
Hello,

Is it normal that "Computer Management" cannot configure shared directories of a Samba4 AD-DC? Is this only possible on member servers? It can connect to the DC, but when I click on shares it says that either the server does not support "virtual disk service" (translated from German), or a firewall blocks the connection. There is no firewall between these machines in my test environment. I started Computer Management as domain admin on domain-joined Win7.

Is it normal that non-admin users (on Win7) get permission denied if they want to look inside of \\dc.ad.domain\sysvol or netlogon? They can look inside these directories on Windows servers, but not on my newly provisioned AD-DC test server.

They cannot even access a test share when I make them owner of it with chown.

The wiki page Configuring_Winbindd_on_a_Samba_AD_DC instructs you to append "winbind" behind "files" in the lines "passwd" and "group". But my nsswitch.conf (Ubuntu 14) had "compat" there, not "files". Should I replace "compat" with "files", or append "winbind" behind "compat"?

The command "pam-auth-update" does not produce any output. How can I check if it has done anything?

I can do

    chown "domain\\user" file

and then that domain user is shown in

    ls -la file

Does that mean that everything works?

I get the impression that winbindd and PAM are needed mostly (only?) if users want to log on to the DC with ssh. The page about winbindd describes how to set up templates for shell and homedir. The page about PAM talks about "SSH authentication". I just want to access shares! Reading the wiki I cannot determine what precisely are the required steps to access shares on a DC.

Klaus
Samba version?

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Klaus Hartnegg via samba
> Sent: Tuesday, 10 October 2017 12:09
> To: samba at lists.samba.org
> Subject: Re: [Samba] user cannot access shares on new ad-dc
>
> Hello,
>
> Is it normal that "Computer Management" cannot configure
> shared directories of a Samba4 AD-DC? Is this only possible
> on member servers?

No, did you set the SePrivileges?

> It can connect to the DC, but when I click on shares it tells
> that either the server does not support "virtual disk
> service" (translated from German), or a firewall blocks the
> connection. There is no firewall between these machines in my
> test environment. I started Computer Management as
> domain-admin on domain-joined Win7.

Go to Shares, configure there.

> Is it normal that non-admin users (on Win7) get permission
> denied if they want to look inside of \\dc.ad.domain\sysvol
> or netlogon? They can look inside these directories on
> Windows servers, but not on my newly provisioned AD-DC test server.

Yes/No. If the non-admin user is a domain user, then no, not normal. Not a domain user, yes, that's normal.
When prompted for a username, use DOM\user or username at REALM.

> They cannot even access a test-share when I make them owner
> of it with chown.
>
> The wiki page
> Configuring_Winbindd_on_a_Samba_AD_DC
> instructs to append "winbind" behind "files" in the lines
> "passwd" and "group". But my nsswitch.conf (ubuntu 14) had
> "compat" there, not "files". Should I replace "compat" with
> "files", or append "winbind" behind "compat"?

No, "compat winbind" is correct. (Don't set "winbind compat".) (Debian/Ubuntu use compat.)

> The command "pam-auth-update" does not produce any output.
> How can I check if it has done anything?
> I can do
> chown "domain\\user" file

I suggest you use getfacl and setfacl. Since you only want Windows access, don't use POSIX ACLs, stay with Windows ACLs.

> and then that domain-user is shown in
> ls -la file
> Does that mean that everything works?

Yes, that looks good.

> I get the impression that winbindd and PAM are needed mostly
> (only?) if users want to log on to the DC with ssh.

Yes, correct.

> The page
> about winbindd describes howto set up templates for shell and
> homedir. The page about PAM talks about "SSH authentication".
> I just want to access shares!
> Reading the wiki I cannot determine what precisely are the
> required steps to access shares on a DC.

https://github.com/thctlo/samba4/tree/master/howtos

Start at the top. Tested on Debian stretch, but I don't see any problems for Ubuntu 14.04 and 16.04; the steps are almost the same. (You might need to change some package names.) If you notice a difference, make a comment and I'll adapt it.

Review the file: stretch-base-2.0-samba-minimal-ad.txt

That setup resulted for me in being able to access a share (as domain admin) via

    \\ip        \\ip\        \\ip\share
    \\hostname  \\hostname\  \\hostname\share
    \\FQDN      \\FQDN\      \\FQDN\share

Or the same as a normal (domain) user, and when prompted I enter a regular domain\username or username at REALM. And I'm also able to access the server.

So review your setup based on this one.

Greetz,

Louis
On Tue, 10 Oct 2017 12:09:28 +0200
Klaus Hartnegg via samba <samba at lists.samba.org> wrote:

> Hello,
>
> Is it normal that "Computer Management" cannot configure shared
> directories of a Samba4 AD-DC? Is this only possible on member
> servers?
> [...]
> I get the impression that winbindd and PAM are needed mostly (only?)
> if users want to log on to the DC with ssh. The page about winbindd
> describes howto set up templates for shell and homedir. The page
> about PAM talks about "SSH authentication". I just want to access
> shares! Reading the wiki I cannot determine what precisely are the
> required steps to access shares on a DC.
>
> Klaus

OK, this could get a bit long :-)

As standard, a Samba AD DC is only used for authentication, i.e. a user called 'fred' is trying to connect to the domain, so do we know him? If you want to use a Samba AD DC for anything else, then you need to make the user 'fred' known to the underlying Unix OS. You do this by creating the libnss_winbind links, either manually or by installing distro packages; on Ubuntu these will probably be 'libpam-winbind libpam-krb5 libnss-winbind'.

You will also need to check that the passwd & group lines in /etc/nsswitch.conf have 'winbind' at the end. You may find that the lines have 'compat' instead of 'files'; they are interchangeable as far as Samba is concerned, but see 'man nsswitch.conf' for more info.

Once everything is set up correctly on the DC, 'getent passwd fred' or 'getent group fredgroup' should produce output. If there is no output, there is either something wrong, or the user (or group) doesn't exist.

There are a lot of webpages out there that tell you to use 'wbinfo' to check if users or groups exist. This will only tell you that they exist in AD; it will not tell you if Unix knows who they are.

Rowland
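The prerequisites Rowland lists (passwd and group lines in nsswitch.conf ending in winbind, working libnss_winbind links, getent rather than wbinfo as the real test of whether Unix knows a user) and the share-access test Louis describes over \\ip, \\hostname and \\FQDN can be turned into one pre-flight script. The script below is an added example, not code from the thread, from Samba or from the linked howtos. The domain name COMPANY, the share name, the host list and the 32-bit library directory from Klaus's setup are assumptions for illustration; smbclient's PASSWD environment variable and `wbinfo -n` are documented in smbclient(1) and wbinfo(1).

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for domain users on a
# Samba AD DC. Only check_nsswitch and check_nss_link work offline; the other
# two need a running DC and winbindd.

# check_nsswitch FILE : succeed only if the first passwd: and group: lines in
# FILE list 'winbind' as a source. "compat winbind" and "files winbind" both pass.
check_nsswitch() {
    file="$1"
    rc=0
    for db in passwd group; do
        line=$(grep -E "^[[:space:]]*${db}:" "$file" | head -n 1)
        if ! printf '%s\n' "$line" | grep -qE '(^|[[:space:]])winbind([[:space:]]|$)'; then
            echo "nsswitch: '$db' line does not list winbind: '${line:-<missing>}'" >&2
            rc=1
        fi
    done
    return $rc
}

# check_nss_link LIBDIR : glibc loads LIBDIR/libnss_winbind.so.2 for the
# 'winbind' source; a missing file or dangling symlink fails the -r test.
check_nss_link() {
    lib="$1/libnss_winbind.so.2"
    if [ -r "$lib" ]; then
        return 0
    fi
    echo "nss: $lib missing or dangling; create the libnss_winbind links and run ldconfig" >&2
    return 1
}

# check_user_known 'COMPANY\user' : separate "exists in AD" (wbinfo -n, asks
# winbindd for the SID) from "known to Unix" (getent passwd, goes through NSS).
check_user_known() {
    user="$1"
    if ! wbinfo -n "$user" >/dev/null 2>&1; then
        echo "AD: no such user $user (or winbindd not running)" >&2
        return 2
    fi
    if ! getent passwd "$user" >/dev/null 2>&1; then
        echo "NSS: $user exists in AD but Unix cannot resolve it; check nsswitch.conf and libnss_winbind" >&2
        return 1
    fi
    echo "ok: $user is known to AD and to Unix"
}

# check_share_access USER SHARE HOST... : list SHARE on every HOST as USER, the
# way Louis tests \\ip, \\hostname and \\FQDN. smbclient prompts for the
# password unless PASSWD is set in the environment.
check_share_access() {
    user="$1"; share="$2"; shift 2
    rc=0
    for host in "$@"; do
        if smbclient "//$host/$share" -U "$user" -c 'ls' >/dev/null 2>&1; then
            echo "ok:   //$host/$share as $user"
        else
            echo "FAIL: //$host/$share as $user" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage on the DC (values are assumptions from Klaus's setup):
#   sh dc_check.sh 'COMPANY\user' test 192.168.56.42 dc1 dc1.ad.company.de
if [ "$#" -ge 2 ]; then
    check_nsswitch /etc/nsswitch.conf
    check_nss_link /lib/i386-linux-gnu    # 32-bit Ubuntu; /lib/x86_64-linux-gnu on 64-bit
    check_user_known "$1"
    user="$1"; share="$2"; shift 2
    check_share_access "$user" "$share" "$@"
fi
```

Run the checks in that order: a user that `wbinfo -n` finds but `getent passwd` does not is exactly the "exists in AD, unknown to Unix" state Rowland describes, and no amount of ACL work on the share will help until the first two checks pass.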