samba - Dec 2017 - problems with share permissions

Hi

I had a few test shares  created and they were working fine. Users could 
read or write depending on the windows group that was defined on the 
share. I have since removed the test shares and created the file 
structure needed and setup the smb.conf file with the share names.  I 
have also setup the groups and assigned them to the respective 
directories.  Problem is the users can connect to the share but the get 
"access denied" and can not open the share directory.  I am at a loss
as
to where I went wrong, any help would be great.

small cut of the smb.conf definitions.  but the are all setup the same.

#
# defined shares for users
#

[acctcui]

         path = /cui/acct
         comment = Accounting data
         admin users = jlowry 'domain admins'
         valid users = jessica janet lynne
         read list = lynne janet jessica
         write list = lynne janet jessica
         writable = yes
         browsable = yes

[tradecui]

         path = /cui/trade
         comment = Trade Compliance data
         admin users = jlowry 'domain admins'
         valid users = sharon tom janet lynne
         read list = lynne janet sharon tom
         write list = lynne janet sharon tom
         writable = yes
         browsable = yes

[sales]
         path = /cui/admin/sales
         comment = Admin access for sales
         admin users = jlowry 'domain admins'
         valid users = tiana bob carol jessica janet lynne biet cynthia 
jill patty sharon wendy davidq
         read list = @salesread
         write list = @salesrw
         writable = yes
         browsable = yes


windows shares:

example of permissions

thanks,

-- 

---------------------------------------------------------------------------
Jerold Lowry
Principal Network/Systems Engineer
Engineering Design Team (EDT), Inc. a HEICO company
3423 NW John Olsen Pl
Hillsboro, Oregon 97124 (U.S.A.)
Phone: 503-690-1234 / 800-435-4320
Fax: 503-690-1243
Web: _www.edt.com <http://www.edt.com/>_

On Tue, 12 Dec 2017 13:31:30 -0800
Jerry Lowry via samba <samba at lists.samba.org> wrote:
> Hi
> 
> I had a few test shares  created and they were working fine. Users
> could read or write depending on the windows group that was defined
> on the share. I have since removed the test shares and created the
> file structure needed and setup the smb.conf file with the share
> names.  I have also setup the groups and assigned them to the
> respective directories.  Problem is the users can connect to the
> share but the get "access denied" and can not open the share
> directory.  I am at a loss as to where I went wrong, any help would
> be great.
> 
> small cut of the smb.conf definitions.  but the are all setup the
> same.
> 
> #
> # defined shares for users
> #
> 
> [acctcui]
> 
>          path = /cui/acct
>          comment = Accounting data
>          admin users = jlowry 'domain admins'
>          valid users = jessica janet lynne
>          read list = lynne janet jessica
>          write list = lynne janet jessica
>          writable = yes
>          browsable = yes
> 
> [tradecui]
> 
>          path = /cui/trade
>          comment = Trade Compliance data
>          admin users = jlowry 'domain admins'
>          valid users = sharon tom janet lynne
>          read list = lynne janet sharon tom
>          write list = lynne janet sharon tom
>          writable = yes
>          browsable = yes
> 
> [sales]
>          path = /cui/admin/sales
>          comment = Admin access for sales
>          admin users = jlowry 'domain admins'
>          valid users = tiana bob carol jessica janet lynne biet
> cynthia jill patty sharon wendy davidq
>          read list = @salesread
>          write list = @salesrw
>          writable = yes
>          browsable = yes
> 
> 
> windows shares:
> 
> example of permissions
> 
> thanks,
> 
I am sorry, but there isn't enough information provided:
What version of Samba ?
What is in the [global] portion of smb.conf

Rowland

Pictures do not load on the mailing list. If they're relevant, post them on
a site such as Imgur, and provide the link.

Can you also post the [global] section of your smb.conf file? Are you setup
using an Active Directory, a PDC, or a stand-alone?

I find it's much easier not specifying users in the smb.conf file, and
using Windows or Linux permissions to manage them.

On Tue, Dec 12, 2017 at 1:31 PM, Jerry Lowry via samba <
samba at lists.samba.org> wrote:
> Hi
>
> I had a few test shares  created and they were working fine. Users could
> read or write depending on the windows group that was defined on the share.
> I have since removed the test shares and created the file structure needed
> and setup the smb.conf file with the share names.  I have also setup the
> groups and assigned them to the respective directories.  Problem is the
> users can connect to the share but the get "access denied" and
can not open
> the share directory.  I am at a loss as to where I went wrong, any help
> would be great.
>
> small cut of the smb.conf definitions.  but the are all setup the same.
>
> #
> # defined shares for users
> #
>
> [acctcui]
>
>         path = /cui/acct
>         comment = Accounting data
>         admin users = jlowry 'domain admins'
>         valid users = jessica janet lynne
>         read list = lynne janet jessica
>         write list = lynne janet jessica
>         writable = yes
>         browsable = yes
>
> [tradecui]
>
>         path = /cui/trade
>         comment = Trade Compliance data
>         admin users = jlowry 'domain admins'
>         valid users = sharon tom janet lynne
>         read list = lynne janet sharon tom
>         write list = lynne janet sharon tom
>         writable = yes
>         browsable = yes
>
> [sales]
>         path = /cui/admin/sales
>         comment = Admin access for sales
>         admin users = jlowry 'domain admins'
>         valid users = tiana bob carol jessica janet lynne biet cynthia
> jill patty sharon wendy davidq
>         read list = @salesread
>         write list = @salesrw
>         writable = yes
>         browsable = yes
>
>
> windows shares:
>
> example of permissions
>
> thanks,
>
> --
>
> ------------------------------------------------------------
> ---------------
> Jerold Lowry
> Principal Network/Systems Engineer
> Engineering Design Team (EDT), Inc. a HEICO company
> 3423 NW John Olsen Pl
> Hillsboro, Oregon 97124 (U.S.A.)
> Phone: 503-690-1234 / 800-435-4320
> Fax: 503-690-1243
> Web: _www.edt.com <http://www.edt.com/>_
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On Tue, 12 Dec 2017 14:01:03 -0800
Jerry Lowry <jlowry at edt.com> wrote:
> Sorry didn't scroll up far enough :)
> 
> samba version : 4.4.4-14.el7_3
> 
> also forgot that pictures don't transfer....it has been a tough week, 
> this is Friday right?
> 
> thanks
> 
> Here is the global section:
> 
> [global]
>          workgroup = Accounting
>          security = ADS
>          realm = Accounting.edt.local
>          log file = /var/log/samba/%m.log
>          log level = 1
>         # Default ID mapping configuration for local BUILTIN accounts
>         # and groups on a domain member. The default (*) domain:
>         # - must not overlap with any domain ID mapping configuration!
>         # - must use a read-write-enabled back end, such as tdb.
>         # - Adding just this is not enough
>         # - You must set a DOMAIN backend configuration, see below
>         idmap config * : backend = ad
>         idmap config * : range = 1000000-2000000
> #
This is wrong, you cannot use the 'ad' backend for the default domain,
it should be 'tdb'.
You should also have 'idmap config' lines for the 'ACCOUNTING'
domain,
can I suggest you go and read this wikipage again:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Just a thought, have you given your users a unique number inside the
'1000000-2000000' range and Domain Users a gidNumber inside the same
range, these attributes are not added automatically.

Rowland

After following Rowland's and Luke's instructions, you need to enter a
unix
attribute for each user and group.

- Default groups: domain admins and domain users
- Security groups: acctcui, tradecui, sales, etc.
- Normal Users like tiana, bob and carol must have a unix attribute too.
- Administrator does not need unix attribute.

In addition,try leaving the shares as follows,

[sales]
        path = /cui/admin/sales
        comment = Admin access for sales
        read only = no

and use windows ntfs permissions via Computer Management - RSAT Tools or
windows explorer.


On Tue, Dec 12, 2017 at 8:09 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Tue, 12 Dec 2017 14:01:03 -0800
> Jerry Lowry <jlowry at edt.com> wrote:
>
> > Sorry didn't scroll up far enough :)
> >
> > samba version : 4.4.4-14.el7_3
> >
> > also forgot that pictures don't transfer....it has been a tough
week,
> > this is Friday right?
> >
> > thanks
> >
> > Here is the global section:
> >
> > [global]
> >          workgroup = Accounting
> >          security = ADS
> >          realm = Accounting.edt.local
> >          log file = /var/log/samba/%m.log
> >          log level = 1
> >         # Default ID mapping configuration for local BUILTIN accounts
> >         # and groups on a domain member. The default (*) domain:
> >         # - must not overlap with any domain ID mapping configuration!
> >         # - must use a read-write-enabled back end, such as tdb.
> >         # - Adding just this is not enough
> >         # - You must set a DOMAIN backend configuration, see below
> >         idmap config * : backend = ad
> >         idmap config * : range = 1000000-2000000
> > #
>
> This is wrong, you cannot use the 'ad' backend for the default
domain,
> it should be 'tdb'.
> You should also have 'idmap config' lines for the
'ACCOUNTING' domain,
> can I suggest you go and read this wikipage again:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Just a thought, have you given your users a unique number inside the
> '1000000-2000000' range and Domain Users a gidNumber inside the
same
> range, these attributes are not added automatically.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


-- 
Elias Pereira

On Tue, 12 Dec 2017 14:18:24 -0800
Jerry Lowry <jlowry at edt.com> wrote:
> On a previous post I received this reply.
> 
> B) You totally missed this: '# - Adding just this is not enough'
when
> you cut and pasted it from the Samba wiki, you need to use the winbind
> 'rid' or 'ad' backend.
> 
> My backend had been set to 'tdb'.  I changed it to 'ad' as
you
> suggested and the users were able to access the shares.
> 
> this system is a file server, it is NOT a domain controller.
> 
> I will read your pointer.
> 
> thanks
> 
Jerry, please be honest here, you don't understand the wiki page I
pointed you to, do you ?

I have tried to make it as obvious as possible that you need to go to
another page for the DOMAIN setup, but it doesn't seem to be working,
not just for you, but others as well.

You must use 'tdb' for the '*' domain, but you also need
'idmap config'
lines for the 'Accounting' domain

If you don't want to add anything to AD, use the 'rid' backend, see
here:

https://wiki.samba.org/index.php/Idmap_config_rid

If you do want to add to AD and have the same IDs everywhere, use the
'ad' backend, see here:

https://wiki.samba.org/index.php/Idmap_config_ad

Rowland
> ---------------------------------------------------------------------------
> Jerold Lowry
> Principal Network/Systems Engineer
> Engineering Design Team (EDT), Inc. a HEICO company
> 3423 NW John Olsen Pl
> Hillsboro, Oregon 97124 (U.S.A.)
> Phone: 503-690-1234 / 800-435-4320
> Fax: 503-690-1243
> Web: _www.edt.com <http://www.edt.com/>_
> 
> 
> On 12/12/2017 2:09 PM, Rowland Penny via samba wrote:
> > On Tue, 12 Dec 2017 14:01:03 -0800
> > Jerry Lowry <jlowry at edt.com> wrote:
> >
> >> Sorry didn't scroll up far enough :)
> >>
> >> samba version : 4.4.4-14.el7_3
> >>
> >> also forgot that pictures don't transfer....it has been a
tough
> >> week, this is Friday right?
> >>
> >> thanks
> >>
> >> Here is the global section:
> >>
> >> [global]
> >>           workgroup = Accounting
> >>           security = ADS
> >>           realm = Accounting.edt.local
> >>           log file = /var/log/samba/%m.log
> >>           log level = 1
> >>          # Default ID mapping configuration for local BUILTIN
> >> accounts # and groups on a domain member. The default (*) domain:
> >>          # - must not overlap with any domain ID mapping
> >> configuration! # - must use a read-write-enabled back end, such as
> >> tdb. # - Adding just this is not enough
> >>          # - You must set a DOMAIN backend configuration, see
below
> >>          idmap config * : backend = ad
> >>          idmap config * : range = 1000000-2000000
> >> #
> > This is wrong, you cannot use the 'ad' backend for the default
> > domain, it should be 'tdb'.
> > You should also have 'idmap config' lines for the
'ACCOUNTING'
> > domain, can I suggest you go and read this wikipage again:
> >
> >
https://url.emailprotection.link/?a4H7AFc7q_vw3zlnkaZIenb4Cy2vfiz5ymNljCJltTIhZMpxcHixlZJzzZC2iUoV9esCNFjTEPhhyPl5MqJ5-YgvQsNby3NCGKY2xd1seGYzLifSreMbfxzK4Gzvd1Ebd
> >
> > Just a thought, have you given your users a unique number inside the
> > '1000000-2000000' range and Domain Users a gidNumber inside
the same
> > range, these attributes are not added automatically.
> >
> > Rowland
> >
>