Reinhard Nißl
2015-Mar-20 13:35 UTC
[Samba] Access to shares is denied after upgrading from 3.6.3 (openSUSE 12.1) to 4.1.17 (openSUSE 13.2)
Hi Rowland,

On 20.03.2015 at 12:45, Rowland Penny wrote:
> Try replacing the global part of your smb.conf with this:
>
> [global]
> netbios name = PLATON
> workgroup = FEE
> security = ADS
> realm = FEE.DE
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> server string = Web- und Internet-Mail-Server
> interfaces = 10.73.0.6/255.255.0.0
> bind interfaces only = Yes
> username map = /etc/samba/smbusers
> name resolve order = wins hosts
> os level = 0
> local master = No
> wins server = 10.73.0.7 10.73.0.21
>
> guest ok = Yes
> hide dot files = No
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config FEE:backend = rid
> idmap config FEE:range = 10000-20000
>
> winbind cache time = 10
> template shell = /bin/false
> template homedir = /tmp
>
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind expand groups = 1
> winbind trusted domains only = no
> winbind refresh tickets = Yes
>
> deadtime = 1
> load printers = no
> printing = bsd
>
> Remove all the 'valid users' etc from the shares and use ACLs instead,
> either from windows or with setfacl on the member server, see:
>
> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs

ACLs -- actually, I was about to add nt acl support = no to get back the behaviour of the gone *security* config entries (at least I was told on #samba that this setting would prevent changing the "rights" of existing files, as the former *security* entries did).

Maybe I need to explain the purpose of the samba installation on this server. It's not meant to be a sophisticated windows file server, it acts as mail and web server.

winbind is used to authenticate and authorize mail and web users via pam, and the file server is only used to upload webpages (web share) or access some files regarding mail, e. g. via the spamlog share.

There are only a couple of users who are allowed to do that and as you can see for the web share, certain rights and groups must be enforced to suit the webserver.

Sure, if ACLs had been used and properly configured for the whole filesystem, then I would accept your suggestion immediately, but for now, I still hesitate to go that way.

I see the problem in this line of smbd's log, as mentioned in the initial email:

> SID S-1-5-21-2807186310-4085009417-2666197100-1000 -> getpwuid(10938) failed

> platon:~ # wbinfo -s S-1-5-21-2807186310-4085009417-2666197100-1000
> PLATON\root 1

This only happens when smbusers contains the mapping to root. In my opinion, it should use the SID for unix user root. Let's see:

> platon:~ # wbinfo -n root
> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup name root

> platon:~ # wbinfo -U 0
> S-1-5-21-4224351836-719640785-1152632845-1000

> platon:~ # wbinfo -s S-1-5-21-4224351836-719640785-1152632845-1000
> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup sid S-1-5-21-4224351836-719640785-1152632845-1000

I cannot tell whether it is expected that two of the three commands fail.

So for now, I'd like to make as few changes as possible to get that user mapping working again.

It seems I haven't mentioned yet, if I disable that mapping in smbusers, I can access the shares as long as they grant access to an unmapped domain user (for example share FactWork, as I (fee\reinhard.ni) am a member of group fee\g_tb3).

Bye.
--
Reinhard Nißl, TB3, -198
Rowland Penny
2015-Mar-20 14:02 UTC
[Samba] Access to shares is denied after upgrading from 3.6.3 (openSUSE 12.1) to 4.1.17 (openSUSE 13.2)
On 20/03/15 13:35, Reinhard Nißl wrote:
> Hi Rowland,
>
> On 20.03.2015 at 12:45, Rowland Penny wrote:
>
>> Try replacing the global part of your smb.conf with this:
>>
>> [global]
>> netbios name = PLATON
>> workgroup = FEE
>> security = ADS
>> realm = FEE.DE
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> server string = Web- und Internet-Mail-Server
>> interfaces = 10.73.0.6/255.255.0.0
>> bind interfaces only = Yes
>> username map = /etc/samba/smbusers
>> name resolve order = wins hosts
>> os level = 0
>> local master = No
>> wins server = 10.73.0.7 10.73.0.21
>>
>> guest ok = Yes
>> hide dot files = No
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>> idmap config FEE:backend = rid
>> idmap config FEE:range = 10000-20000
>>
>> winbind cache time = 10
>> template shell = /bin/false
>> template homedir = /tmp
>>
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind expand groups = 1
>> winbind trusted domains only = no
>> winbind refresh tickets = Yes
>>
>> deadtime = 1
>> load printers = no
>> printing = bsd
>>
>> Remove all the 'valid users' etc from the shares and use ACLs instead,
>> either from windows or with setfacl on the member server, see:
>>
>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>
>
> ACLs -- actually, I was about to add nt acl support = no to get
> back the behaviour of the gone *security* config entries (at least I
> was told on #samba that this setting would prevent changing the
> "rights" of existing files, as the former *security* entries did).
>
> Maybe I need to explain the purpose of the samba installation on this
> server. It's not meant to be a sophisticated windows file server, it
> acts as mail and web server.
>
> winbind is used to authenticate and authorize mail and web users via
> pam, and the file server is only used to upload webpages (web share)
> or access some files regarding mail, e. g. via the spamlog share.
>
> There are only a couple of users who are allowed to do that and as
> you can see for the web share, certain rights and groups must be
> enforced to suit the webserver.
>
> Sure, if ACLs had been used and properly configured for
> the whole filesystem, then I would accept your suggestion immediately,
> but for now, I still hesitate to go that way.
>
> I see the problem in this line of smbd's log, as mentioned in the
> initial email:
>
>> SID S-1-5-21-2807186310-4085009417-2666197100-1000 -> getpwuid(10938)
>> failed
>
>> platon:~ # wbinfo -s S-1-5-21-2807186310-4085009417-2666197100-1000
>> PLATON\root 1
>
> This only happens when smbusers contains the mapping to root.

The SID 'S-1-5-21-2807186310-4085009417-2666197100-1000' is (as I am sure you know) composed of a set of letters and numbers that identify the domain and a number (RID) that identifies the user/group/computer. The number '1000' is usually given to the first user you create; this is not root! You seem to be mapping ordinary AD users to the Unix user 'root'. I would suggest that you either add these users to 'Domain Admins' or create a group and then give this group the required permissions; you could then set an ACL on the various directories via windows and you will end up with similar conditions to what you have now. Mapping ordinary users to 'root' is not a good idea.

> In my opinion, it should use the SID for unix user root.
> Let's see:
>

'root' shouldn't have a SID, 'Administrator' does though.

>> platon:~ # wbinfo -n root
>> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not lookup name root
>

Yes, that happens on my DC, because 'root' is a Unix user.

>> platon:~ # wbinfo -U 0
>> S-1-5-21-4224351836-719640785-1152632845-1000
>

This shouldn't happen, on my DC:

root@dc01:~# wbinfo -U 0
S-1-5-21-2025076216-3455336656-3842161122-500

>> platon:~ # wbinfo -s S-1-5-21-4224351836-719640785-1152632845-1000
>> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not lookup sid S-1-5-21-4224351836-719640785-1152632845-1000
>

Hmm, on my DC, it is the DC!

root@dc01:~# wbinfo -s S-1-5-21-2025076216-3455336656-3842161122-1000
HOME\DC01$ 1

> I cannot tell whether it is expected that two of the three commands fail.
>
> So for now, I'd like to make as few changes as possible to get that
> user mapping working again.
>
> It seems I haven't mentioned yet, if I disable that mapping in
> smbusers, I can access the shares as long as they grant access to an
> unmapped domain user (for example share FactWork, as I
> (fee\reinhard.ni) am a member of group fee\g_tb3).
>

I come back to my original idea, use ACLs.

Just one other thought, you really shouldn't use your registered domain for your AD domain.

Rowland

> Bye.
> --
> Reinhard Nißl, TB3, -198
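Rowland's reply above turns on two mechanisms a member server combines: the 'username map' file, which can silently turn a domain account into a local Unix user, and the idmap_rid backend, which derives the uid that smbd later feeds to getpwuid() from the RID at the end of the SID. The script below is an added example for this thread, not Samba code and not something either poster ran. It assumes the smbusers format from smb.conf(5) (one 'unixname = dosname ...' per line, lines starting with '#' or ';' ignored, an optional '!' prefix on the Unix name, '@group' on the right-hand side), the idmap_rid(8) formula uid = RID - base_rid + low_range, and a caller-supplied short domain name (resolving a domain SID to its name needs a live winbind, so 'FEE' is passed in by hand). The smbusers content and the smb.conf fragment are constructed samples; the idmap ranges and the SID are the ones quoted in the thread.

```python
"""Audit a Samba 'username map' file and work through an idmap_rid SID-to-uid
mapping.  Added example for the list thread; not Samba's own code.
Assumptions: smbusers format per smb.conf(5), idmap_rid(8) formula
uid = RID - base_rid + low_range, domain short name supplied by the caller.
All sample inputs below are constructed."""
import re

# Constructed sample of /etc/samba/smbusers.
SAMPLE_SMBUSERS = r"""
# constructed sample of /etc/samba/smbusers
root = administrator admin
; an ordinary domain user mapped to root: the pattern the thread warns about
root = FEE\reinhard.ni
nobody = guest pcguest smbguest
!www = @FEE\g_web
"""

# Constructed smb.conf [global] fragment carrying the idmap lines from the thread.
SAMPLE_SMBCONF = """
[global]
    workgroup = FEE
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config FEE : backend = rid
    idmap config FEE : range = 10000-20000
"""

PRIVILEGED_UNIX_USERS = {"root"}
# RIDs below 1000 are reserved; a few well-known ones for labelling output.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest",
                   512: "Domain Admins", 513: "Domain Users"}
IDMAP_RE = re.compile(r"idmap config\s*([^\s:]+)\s*:\s*(backend|range)\s*=\s*(\S+)")


def parse_username_map(text):
    """Return [(unix_name, [dos_names], stop_flag)] for each mapping line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix, dos = (s.strip() for s in line.split("=", 1))
        stop = unix.startswith("!")          # '!' stops map processing after a match
        entries.append((unix.lstrip("!"), dos.split(), stop))
    return entries


def mappings_to_privileged(entries):
    """Every DOS/AD name (or @group) the map turns into a privileged Unix user."""
    return [(name, unix) for unix, names, _ in entries
            if unix in PRIVILEGED_UNIX_USERS for name in names]


def parse_idmap_config(text):
    """Collect 'idmap config DOMAIN : backend/range' lines into {domain: {...}}."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.search(line)
        if not m:
            continue
        dom, key, val = m.groups()
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            val = (low, high)
        cfg.setdefault(dom, {})[key] = val
    return cfg


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not parts[-1].isdigit():
        raise ValueError("not a SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def explain_sid(sid, domain, idmap, base_rid=0):
    """Work out the uid the rid backend would hand to getpwuid() for this SID.

    'domain' is the short name winbind would resolve the domain SID to; that
    lookup needs a live DC, so the caller supplies it (assumption)."""
    dom_sid, rid = split_sid(sid)
    dcfg = idmap.get(domain)
    if not dcfg or dcfg.get("backend") != "rid":
        return {"sid": sid, "rid": rid, "uid": None,
                "note": "no rid backend configured for %s" % domain}
    low, high = dcfg["range"]
    uid = rid - base_rid + low
    return {
        "sid": sid, "domain_sid": dom_sid, "rid": rid,
        "well_known": WELL_KNOWN_RIDS.get(rid),
        "uid": uid if low <= uid <= high else None,   # None: outside the idmap range
    }


if __name__ == "__main__":
    entries = parse_username_map(SAMPLE_SMBUSERS)
    for name, unix in mappings_to_privileged(entries):
        print("username map turns %-20s into %s" % (name, unix))
    idmap = parse_idmap_config(SAMPLE_SMBCONF)
    for sid in ("S-1-5-21-2807186310-4085009417-2666197100-1000",
                "S-1-5-21-2807186310-4085009417-2666197100-500"):
        print(explain_sid(sid, "FEE", idmap))
```

Run against a real /etc/samba/smbusers and smb.conf, the first loop is the audit Rowland is asking for: every name listed next to root is an account that, after the map is applied, acts as uid 0 on the share. The second part makes the SID arithmetic visible: with the quoted FEE range the RID 1000 lands on uid 11000 and RID 500 (Administrator) on 10500, so a uid that getpwuid() cannot find points at the idmap or nsswitch side, not at the username map.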
Reinhard Nißl
2015-Mar-20 17:22 UTC
[Samba] Access to shares is denied after upgrading from 3.6.3 (openSUSE 12.1) to 4.1.17 (openSUSE 13.2)
Hi Rowland,

On 20.03.2015 at 15:02, Rowland Penny wrote:
>>> Try replacing the global part of your smb.conf with this:
>>>
>>> [global]
>>> netbios name = PLATON
>>> workgroup = FEE
>>> security = ADS
>>> realm = FEE.DE
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>> server string = Web- und Internet-Mail-Server
>>> interfaces = 10.73.0.6/255.255.0.0
>>> bind interfaces only = Yes
>>> username map = /etc/samba/smbusers
>>> name resolve order = wins hosts
>>> os level = 0
>>> local master = No
>>> wins server = 10.73.0.7 10.73.0.21
>>>
>>> guest ok = Yes
>>> hide dot files = No
>>>
>>> idmap config *:backend = tdb
>>> idmap config *:range = 2000-9999
>>> idmap config FEE:backend = rid
>>> idmap config FEE:range = 10000-20000
>>>
>>> winbind cache time = 10
>>> template shell = /bin/false
>>> template homedir = /tmp
>>>
>>> winbind use default domain = yes
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind expand groups = 1
>>> winbind trusted domains only = no
>>> winbind refresh tickets = Yes
>>>
>>> deadtime = 1
>>> load printers = no
>>> printing = bsd
>>>
>>> Remove all the 'valid users' etc from the shares and use ACLs instead,
>>> either from windows or with setfacl on the member server, see:
>>>
>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs

To appreciate your support, I've put the above lines into smb.conf, modified the shares accordingly and rejoined the domain, so I do have a /etc/krb5.keytab now, but as long as smbusers contains that mapping to root, I still get this error:

> SID S-1-5-21-2807186310-4085009417-2666197100-1000 -> getpwuid(10938) failed

According to these wiki entries
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting
there is nothing special in my setup, so I have absolutely no clue why this root mapping doesn't work.

Bye.
--
Reinhard Nißl, TB3, -198