Reinhard Nißl
2015-Mar-20 11:16 UTC
[Samba] Access to shares is denied after upgrading from 3.6.3 (openSUSE 12.1) to 4.1.17 (openSUSE 13.2)
Hi Rowland,

On 20.03.2015 at 10:33, Rowland Penny wrote:

>>> ---8<---8<---8<---8<---8<---8<--- smb.conf ---8<---8<---8<---8<---8<---8<---
>>>
>>> # smb.conf is the main Samba configuration file. You find a full commented
>>> # version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
>>> # samba-doc package is installed.
>>> # Date: 2012-05-02
>>> [global]
>>> workgroup = FEE
>>> realm = FEE.DE
>>> netbios name = PLATON
>>> server string = Web- und Internet-Mail-Server

[further lines removed]

> I do not think that you are going to get any further help until you post
> your smb.conf

No I don't, that's why I had included it three mails earlier.

For your convenience:
smb.conf: http://pastebin.com/nyaRSv5F
smbusers: http://pastebin.com/hs4csQLu

Bye.
--
Reinhard Nißl, TB3, -198
Rowland Penny
2015-Mar-20 11:45 UTC
[Samba] Access to shares is denied after upgrading from 3.6.3 (openSUSE 12.1) to 4.1.17 (openSUSE 13.2)
On 20/03/15 11:16, Reinhard Nißl wrote:

> Hi Rowland,
>
> On 20.03.2015 at 10:33, Rowland Penny wrote:
>
>>>> ---8<---8<---8<---8<---8<---8<--- smb.conf ---8<---8<---8<---8<---8<---8<---
>>>>
>>>> # smb.conf is the main Samba configuration file. You find a full commented
>>>> # version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
>>>> # samba-doc package is installed.
>>>> # Date: 2012-05-02
>>>> [global]
>>>> workgroup = FEE
>>>> realm = FEE.DE
>>>> netbios name = PLATON
>>>> server string = Web- und Internet-Mail-Server
>
> [further lines removed]
>
>> I do not think that you are going to get any further help until you post
>> your smb.conf
>
> No I don't, that's why I had included it three mails earlier.
>
> For your convenience:
> smb.conf: http://pastebin.com/nyaRSv5F
> smbusers: http://pastebin.com/hs4csQLu
>
> Bye.
> --
> Reinhard Nißl, TB3, -198

OK, as far as I can see, you didn't include your smb.conf, I think you added it via an attachment, this mailing list generally strips off attachments.

Try replacing the global part of your smb.conf with this:

[global]
    netbios name = PLATON
    workgroup = FEE
    security = ADS
    realm = FEE.DE
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    server string = Web- und Internet-Mail-Server
    interfaces = 10.73.0.6/255.255.0.0
    bind interfaces only = Yes
    username map = /etc/samba/smbusers
    name resolve order = wins hosts
    os level = 0
    local master = No
    wins server = 10.73.0.7 10.73.0.21

    guest ok = Yes
    hide dot files = No

    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config FEE:backend = rid
    idmap config FEE:range = 10000-20000

    winbind cache time = 10
    template shell = /bin/false
    template homedir = /tmp

    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind expand groups = 1
    winbind trusted domains only = no
    winbind refresh tickets = Yes

    deadtime = 1
    load printers = no
    printing = bsd

Remove all the 'valid users' etc from the shares and use ACLs instead, either from windows or with setfacl on the member server, see:

https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs

Rowland
Reinhard Nißl
2015-Mar-20 13:35 UTC
[Samba] Access to shares is denied after upgrading from 3.6.3 (openSUSE 12.1) to 4.1.17 (openSUSE 13.2)
Hi Rowland,

On 20.03.2015 at 12:45, Rowland Penny wrote:

> Try replacing the global part of your smb.conf with this:
>
> [global]
>     netbios name = PLATON
>     workgroup = FEE
>     security = ADS
>     realm = FEE.DE
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>     server string = Web- und Internet-Mail-Server
>     interfaces = 10.73.0.6/255.255.0.0
>     bind interfaces only = Yes
>     username map = /etc/samba/smbusers
>     name resolve order = wins hosts
>     os level = 0
>     local master = No
>     wins server = 10.73.0.7 10.73.0.21
>
>     guest ok = Yes
>     hide dot files = No
>
>     idmap config *:backend = tdb
>     idmap config *:range = 2000-9999
>     idmap config FEE:backend = rid
>     idmap config FEE:range = 10000-20000
>
>     winbind cache time = 10
>     template shell = /bin/false
>     template homedir = /tmp
>
>     winbind use default domain = yes
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind expand groups = 1
>     winbind trusted domains only = no
>     winbind refresh tickets = Yes
>
>     deadtime = 1
>     load printers = no
>     printing = bsd
>
> Remove all the 'valid users' etc from the shares and use ACLs instead ,
> either from windows or with setfacl on the member server, see:
>
> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs

ACLs -- actually, I was about to add

    nt acl support = no

to get back the behaviour of the gone *security* config entries (at least I was told on #samba that this setting would prevent changing the "rights" of existing files, as the former *security* entries did).

Maybe I need to explain the purpose of the samba installation on this server. It's not meant to be a sophisticated windows file server, it acts as mail and web server. winbind is used to authenticate and authorize mail and web users via pam, and the file server is only used to upload webpages (web share) or access some files regarding mail, e.g. via the spamlog share. There are only a couple of users which are allowed to do that and as you can see for the web share, certain rights and groups must be enforced to suit the webserver.

Sure, if ACLs would have been used and been properly configured for the whole filesystem, then I would accept your suggestion immediately, but for now, I still hassle to go that way.

I see the problem in this line of smbd's log, as mentioned in the initial email:

> SID S-1-5-21-2807186310-4085009417-2666197100-1000 -> getpwuid(10938) failed

> platon:~ # wbinfo -s S-1-5-21-2807186310-4085009417-2666197100-1000
> PLATON\root 1

This only happens when smbusers contains the mapping to root. In my opinion, it should use the SID for unix user root. Let's see:

> platon:~ # wbinfo -n root
> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup name root

> platon:~ # wbinfo -U 0
> S-1-5-21-4224351836-719640785-1152632845-1000

> platon:~ # wbinfo -s S-1-5-21-4224351836-719640785-1152632845-1000
> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup sid S-1-5-21-4224351836-719640785-1152632845-1000

I cannot tell whether it is expected that two of the three commands fail.

So for now, I'd like to make as few changes as possible to get that user mapping working again.

It seems I haven't mentioned yet, if I disable that mapping in smbusers, I can access the shares as long as they grant access to an unmapped domain user (for example share FactWork, as I (fee\reinhard.ni) am a member of group fee\g_tb3).

Bye.
--
Reinhard Nißl, TB3, -198