samba - Apr 2016 - Cannot browse mode 0700 directories from Windows with security=ads

We've had a samba server running for ages on CentOS 6 with samba 3.6.23.
(We're hoping to move to CentOS 7 and samba 4.2.10 soon but in the meantime
we'd like to keep this one working.)

The situation is that we have a Unix domain (LDAP/Kerberos) and a Windows
domain (AD) with identical usernames, and we are running Samba primarily
to give Windows users access to some directories on Unix.  We have
joined the Samba server to the Windows domain, and have "security=ads"
in the config.  However, we also have some users who connect from Mac
and Unix clients.  The usernames on the Samba server itself come from
the Unix domain, so it's only using the Windows AD to validate people's
passwords when they connect to Samba.

We have been running happily without running winbindd on the Samba server
and it's all been working perfectly.

However, since the Badlock patches, the Samba server can no longer
authenticate clients from Mac or Unix workstations.  I understand
that this is a known issue, and the official answer is "run winbindd".
Well OK, but unfortunately Winbind seems to have messed up all our
access permissions.

With Winbind running, all users can successfully connect, and all Unix
users can access the correct shares, but Windows is telling some people
"You do not have permission to access X" on some shares.

The first thing we noticed is that users don't have access to directories
that are shared using group permissions.  So if the directory is mode 0770,
not owned by me, but owned by a group that I am a member of, I don't have
access from Windows.

If we put "force group = X" in the config for that share, where X is
the
group owner of the directory (that I am already a member of), I am allowed
access again.  But I don't like to do this because it might grant access
to some people who are not members of the group.

I found from searching on this issue that the problem is likely related
to the fact that the Windows AD groups are being used rather than the
Unix groups, and that we should put "username map script = /bin/echo"
in the config.

With that in place, I can now browse any share with group permissions -
great!  Unfortunately, this stops me from being able to access any
folder that has mode 0700 from Windows even if I own it.

... What have I missed, and what do I need to look at?  BTW I have no
idea what a SID or a RID is, but this does seem to be important somehow.

Thanks
Ian Collier

On 15/04/16 15:20, Ian Collier wrote:
> We've had a samba server running for ages on CentOS 6 with samba
3.6.23.
> (We're hoping to move to CentOS 7 and samba 4.2.10 soon but in the
meantime
> we'd like to keep this one working.)
>
> The situation is that we have a Unix domain (LDAP/Kerberos) and a Windows
> domain (AD) with identical usernames, and we are running Samba primarily
> to give Windows users access to some directories on Unix.  We have
> joined the Samba server to the Windows domain, and have
"security=ads"
> in the config.  However, we also have some users who connect from Mac
> and Unix clients.  The usernames on the Samba server itself come from
> the Unix domain, so it's only using the Windows AD to validate
people's
> passwords when they connect to Samba.
>
> We have been running happily without running winbindd on the Samba server
> and it's all been working perfectly.
>
> However, since the Badlock patches, the Samba server can no longer
> authenticate clients from Mac or Unix workstations.  I understand
> that this is a known issue, and the official answer is "run
winbindd".
> Well OK, but unfortunately Winbind seems to have messed up all our
> access permissions.
>
> With Winbind running, all users can successfully connect, and all Unix
> users can access the correct shares, but Windows is telling some people
> "You do not have permission to access X" on some shares.
>
> The first thing we noticed is that users don't have access to
directories
> that are shared using group permissions.  So if the directory is mode 0770,
> not owned by me, but owned by a group that I am a member of, I don't
have
> access from Windows.
>
> If we put "force group = X" in the config for that share, where X
is the
> group owner of the directory (that I am already a member of), I am allowed
> access again.  But I don't like to do this because it might grant
access
> to some people who are not members of the group.
>
> I found from searching on this issue that the problem is likely related
> to the fact that the Windows AD groups are being used rather than the
> Unix groups, and that we should put "username map script =
/bin/echo"
> in the config.
>
> With that in place, I can now browse any share with group permissions -
> great!  Unfortunately, this stops me from being able to access any
> folder that has mode 0700 from Windows even if I own it.
>
> ... What have I missed, and what do I need to look at?  BTW I have no
> idea what a SID or a RID is, but this does seem to be important somehow.
>
> Thanks
> Ian Collier
>
OK, the SID is what identifies the domain, it mostly looks like this:

S-1-5-21-1768301897-3342589593-1064908849

I say 'mostly' because there are some specialised SIDs used by the 
BUILTIN users & groups etc.

The RID is a unique number that identifies the user, group, etc object 
and usually starts from 1000 (again, there are exceptions, Administrator 
is always '500')

So, to identify a user, you would have the SID, with the RID on the end i.e.

S-1-5-21-1768301897-3342589593-1064908849-1000

You really shouldn't have to worry about any of this, because whatever 
tool you use to create a user or group etc, the SID-RID should be 
created automatically.

Having got that out of the way, can you post your smb.conf ?

Rowland

On Fri, Apr 15, 2016 at 04:06:53PM +0100, you wrote:
> Having got that out of the way, can you post your smb.conf ?
This is slightly redacted so apologise if some essential info
was missing.  Also there are lots of shares but the 0700 access
problem happens on the [homes] share so here's that one:

[global]
        workgroup = ...
        realm = ...
        server string = Samba Server
        interfaces = 127.0.0.1, eth0
        bind interfaces only = Yes
        security = ADS
        password server = dc1... dc2...
        log level = 1
        log file = /var/log/samba/log.%m
        load printers = No
        printcap name = /dev/null
        disable spoolss = Yes
        read only = No
        create mask = 0664
        hosts allow = .../22
        printing = bsd
        print command = lpr -r -P'%p' %s
        lpq command = lpq -P'%p'
        lprm command = lprm -P'%p' %j
        posix locking = no
        kernel oplocks = no
        username map script = /bin/echo

[homes]
        comment = UNIX Home Directories
        path = /auto/users/%U
        create mask = 0750
        directory mask = 0750
        browseable = No

Ian Collier.