Rowland Penny
2021-Dec-06 20:10 UTC
[Samba] Administrator User Has no access to Remote File Server
On Mon, 2021-12-06 at 14:58 -0500, ralph strebbing via samba wrote:
> Hi All,
>
> I'm attempting to diagnose an issue brought to my attention. Right now, our setup consists of:
> 2 Domain Controllers (DC1, DC2), and 2 File Servers (Filesrv1, Filesrv2). I'm attempting to access the Samba shares that utilize POSIX ACLs on Filesrv1 from both a Windows and Linux client. In both instances, it refuses the login and/or tells me permission denied.
>
> On filesrv1, I've created and dictated a usermap file, and in that file is the following line:
> !root = DOMAIN\Administrator
>
> [global]
> workgroup = DOMAIN
> security = ADS
> realm = DOMAIN.COM
> username map = /etc/samba/user.map
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 10000-17999
> # - You must set a DOMAIN backend configuration
> # idmap config for the SAMDOM domain
> idmap config DOMAIN : backend = ad
> idmap config DOMAIN : schema_mode = rfc2307
> idmap config DOMAIN : range = 900-5000
> idmap config DOMAIN : unix_nss_info = yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> inherit acls = yes
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> follow symlinks = yes
> winbind enum users = yes
> winbind enum groups = yes
> include = /etc/samba/shares.conf
>
> A snippet of the specific share I'm testing with:
>
> [MIS]
> path = /storage/netfiles/mis
> browseable = no
> writeable = yes
> inherit acls = yes
> inherit permissions = yes
> #force user = root
> #force group = domadmins
> #valid users = root,administrator
>
> The Force User, Group and Valid Users configs were moved from an old setup, but have been commented out since before I started here.
> I've re-followed the instructions here:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> and on the POSIX ACL page, and for normal users it works just fine. I feel I'm missing something very stupid, but I'm at a loss since most searches seem to return help articles and responses from 2014 and no later than 2017. Appreciate any help/advice!

Can we have a bit more info:

What OSes are you using ?
What versions of Samba are you using ?
Have you added any RFC2307 attributes to AD ?

Rowland
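The comment block in the quoted smb.conf states two constraints on the idmap layout of a domain member: the default (*) domain must use a read-write backend such as tdb, and its range must not overlap any per-domain range. The following is an added example, not code from the thread or from the Samba project, that parses the "idmap config" lines of an smb.conf and reports violations of those two constraints. It additionally flags any per-domain range that starts below a configurable floor, on the assumption (labelled in the code, not stated in the thread) that UIDs and GIDs below 1000 are reserved for local system accounts on a Debian/Ubuntu host. The sample configuration embedded below is the filesrv1 [global] section from the thread, reduced to the lines the check needs, so the script runs offline.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the idmap-relevant lines of the filesrv1 [global]
# section posted in the thread, embedded so this runs without a live
# /etc/samba/smb.conf. Replace with open("/etc/samba/smb.conf").read() to
# check a real host.
FILESRV1_SMB_CONF = """
[global]
workgroup = DOMAIN
security = ADS
realm = DOMAIN.COM
username map = /etc/samba/user.map
# - must not overlap with any domain ID mapping configuration!
idmap config * : backend = tdb
idmap config * : range = 10000-17999
idmap config DOMAIN : backend = ad
idmap config DOMAIN : schema_mode = rfc2307
idmap config DOMAIN : range = 900-5000
idmap config DOMAIN : unix_nss_info = yes
vfs objects = acl_xattr
"""

# Matches "idmap config <domain> : <key> = <value>" (domain may be "*").
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect idmap config lines into {DOMAIN: {key: value}}, skipping comments."""
    out: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # commented-out lines never set a parameter
        m = IDMAP_RE.match(line)
        if m:
            out.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
    return out


def parse_range(text: str) -> Tuple[int, int]:
    """Turn 'low-high' into a (low, high) pair, rejecting inverted ranges."""
    lo, hi = (int(x) for x in text.split("-", 1))
    if lo > hi:
        raise ValueError(f"low bound above high bound: {text}")
    return lo, hi


def check_idmap(conf: str, local_id_floor: int = 1000) -> List[str]:
    """Return human-readable findings; an empty list means no problem was found.

    local_id_floor: assumption that IDs below this value belong to local
    system accounts (Debian/Ubuntu reserve 100-999 for system users/groups).
    """
    findings: List[str] = []
    cfg = parse_idmap(conf)

    # Constraint 1 from the smb.conf comment: a default domain with a
    # read-write backend must exist.
    if "*" not in cfg:
        findings.append("no 'idmap config *' default domain defined")
    elif cfg["*"].get("backend", "").lower() != "tdb":
        findings.append("default (*) backend should be a read-write backend such as tdb")

    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, params in cfg.items():
        if "range" not in params:
            findings.append(f"{dom}: no range set")
            continue
        try:
            ranges[dom] = parse_range(params["range"])
        except ValueError as exc:
            findings.append(f"{dom}: bad range ({exc})")

    # Constraint 2 from the smb.conf comment: no two ranges may overlap.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(
                    f"ranges for {a} ({alo}-{ahi}) and {b} ({blo}-{bhi}) overlap"
                )

    # Extra hygiene check (assumption, see docstring): domain ranges that
    # reach into the local system ID space can collide with local accounts.
    for dom, (lo, hi) in ranges.items():
        if dom != "*" and lo < local_id_floor:
            findings.append(
                f"{dom}: range {lo}-{hi} starts below the local system ID floor ({local_id_floor})"
            )
    return findings


if __name__ == "__main__":
    for finding in check_idmap(FILESRV1_SMB_CONF) or ["idmap layout looks consistent"]:
        print(finding)
```

Run against the thread's filesrv1 configuration the two constraints from the smb.conf comment are satisfied; the only finding is the hygiene note that the DOMAIN range begins at 900, which is worth confirming against the host's local account IDs but is not something the thread itself identifies as the cause of the problem.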
ralph strebbing
2021-Dec-06 20:19 UTC
[Samba] Administrator User Has no access to Remote File Server
On Mon, Dec 6, 2021 at 3:11 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
> Can we have a bit more info:
> What OS's are you using ?

DC and File Server are both running Ubuntu 20.04.3

> What versions of Samba are you using ?

DC1: 4.13.14-Debian (Using Van-Belle's Repo)
Filesrv1: 4.13.14-Ubuntu (Using Standard Ubuntu Repo)

> Have you added any RFC2307 attributes to AD ?

Here is my SMB config from DC1:

# Global parameters
[global]
dns forwarder = 10.60.4.31
netbios name = DC1
realm = DOMAIN.COM
server role = active directory domain controller
workgroup = DOMAIN
idmap_ldb:use rfc2307 = yes

# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U
winbind enum users = yes
winbind enum groups = yes
server services = -dns

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[netlogon]
path = /var/lib/samba/sysvol/domain.com/scripts
read only = No

So yes, in both DC1, rfc2307 has been set to yes for the idmap_ldb, and is being called in the idmap settings of filesrv1 (posted before).

Regards,
Ralph