Ian Collier
2016-Apr-15 14:20 UTC
[Samba] Cannot browse mode 0700 directories from Windows with security=ads
We've had a samba server running for ages on CentOS 6 with samba 3.6.23. (We're hoping to move to CentOS 7 and samba 4.2.10 soon but in the meantime we'd like to keep this one working.)

The situation is that we have a Unix domain (LDAP/Kerberos) and a Windows domain (AD) with identical usernames, and we are running Samba primarily to give Windows users access to some directories on Unix. We have joined the Samba server to the Windows domain, and have "security=ads" in the config. However, we also have some users who connect from Mac and Unix clients. The usernames on the Samba server itself come from the Unix domain, so it's only using the Windows AD to validate people's passwords when they connect to Samba.

We have been running happily without running winbindd on the Samba server and it's all been working perfectly.

However, since the Badlock patches, the Samba server can no longer authenticate clients from Mac or Unix workstations. I understand that this is a known issue, and the official answer is "run winbindd". Well OK, but unfortunately Winbind seems to have messed up all our access permissions.

With Winbind running, all users can successfully connect, and all Unix users can access the correct shares, but Windows is telling some people "You do not have permission to access X" on some shares.

The first thing we noticed is that users don't have access to directories that are shared using group permissions. So if the directory is mode 0770, not owned by me, but owned by a group that I am a member of, I don't have access from Windows.

If we put "force group = X" in the config for that share, where X is the group owner of the directory (that I am already a member of), I am allowed access again. But I don't like to do this because it might grant access to some people who are not members of the group.

I found from searching on this issue that the problem is likely related to the fact that the Windows AD groups are being used rather than the Unix groups, and that we should put "username map script = /bin/echo" in the config.

With that in place, I can now browse any share with group permissions - great! Unfortunately, this stops me from being able to access any folder that has mode 0700 from Windows even if I own it.

... What have I missed, and what do I need to look at? BTW I have no idea what a SID or a RID is, but this does seem to be important somehow.

Thanks
Ian Collier
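An added example, not part of the original thread: a small model of the Unix permission check a Samba share ends up doing on a directory, used to show the concern raised above about `force group`. The users, groups and directories are constructed for the example. The `+group` form of `force group` (smb.conf(5): only users who are already in the group get it as their primary group; everyone else keeps their own) is the documented way to avoid the widening the post worries about. The model shows what is checked, not why a particular connection ends up with a particular uid or gid; the thread does not settle that.

```python
# Added example (not from the thread): a model of the Unix permission check a
# Samba share performs on a directory. It shows that a plain `force group = X`
# lets users outside X into a mode-0770 directory owned by X, while the
# `force group = +X` form (smb.conf(5)) leaves non-members unchanged.
# All users, groups and directories below are constructed for the example.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed /etc/group: name -> (gid, supplementary members).
GROUPS: Dict[str, Tuple[int, FrozenSet[str]]] = {
    "proj":  (5000, frozenset({"alice", "bob"})),
    "staff": (5001, frozenset({"carol"})),
}
# Constructed /etc/passwd: name -> (uid, primary gid).
USERS: Dict[str, Tuple[int, int]] = {
    "alice": (1001, 5000),
    "bob":   (1002, 5001),
    "carol": (1003, 5001),
}


@dataclass(frozen=True)
class Session:
    user: str
    uid: int
    gid: int                  # primary group for this connection
    groups: FrozenSet[int]    # supplementary gids


@dataclass(frozen=True)
class Directory:
    mode: int
    uid: int
    gid: int


def login(user: str) -> Session:
    """Build the credentials a connecting user would normally get."""
    uid, gid = USERS[user]
    supp = frozenset(g for g, members in GROUPS.values() if user in members)
    return Session(user, uid, gid, supp)


def apply_force_group(sess: Session, force_group: Optional[str]) -> Session:
    """Rewrite the primary group the way the `force group` share option would.
    Plain 'X': everyone connecting gets X as primary group.
    '+X': only users already in X get it; others keep their own group."""
    if force_group is None:
        return sess
    only_members = force_group.startswith("+")
    gid, members = GROUPS[force_group.lstrip("+")]
    if only_members and sess.user not in members:
        return sess
    return Session(sess.user, sess.uid, gid, sess.groups)


def effective_bits(d: Directory, sess: Session) -> int:
    """Classic Unix class selection: owner bits, else group bits, else other."""
    if sess.uid == d.uid:
        return (d.mode >> 6) & 0o7
    if d.gid == sess.gid or d.gid in sess.groups:
        return (d.mode >> 3) & 0o7
    return d.mode & 0o7


def can_browse(d: Directory, user: str, force_group: Optional[str] = None) -> bool:
    """Listing a directory needs both r and x on it."""
    bits = effective_bits(d, apply_force_group(login(user), force_group))
    return bits & 0o5 == 0o5


# Constructed directories: a 0770 group share owned by alice:proj, and a
# 0700 home directory owned by alice.
SHARED = Directory(0o770, 1001, 5000)
HOME = Directory(0o700, 1001, 5000)

if __name__ == "__main__":
    for fg in (None, "proj", "+proj"):
        for user in USERS:
            print(f"force group={fg!s:6} {user:6} shared={can_browse(SHARED, user, fg)!s:5} "
                  f"home={can_browse(HOME, user, fg)}")
```

Running it shows carol (not in proj) gaining access to the 0770 share only under the plain `force group = proj`, and the 0700 home directory being reachable only by a session whose uid equals the owner's uid, whatever the group settings.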
Rowland penny
2016-Apr-15 15:06 UTC
[Samba] Cannot browse mode 0700 directories from Windows with security=ads
On 15/04/16 15:20, Ian Collier wrote:
> We've had a samba server running for ages on CentOS 6 with samba 3.6.23.
> (We're hoping to move to CentOS 7 and samba 4.2.10 soon but in the meantime
> we'd like to keep this one working.)
>
> The situation is that we have a Unix domain (LDAP/Kerberos) and a Windows
> domain (AD) with identical usernames, and we are running Samba primarily
> to give Windows users access to some directories on Unix. We have
> joined the Samba server to the Windows domain, and have "security=ads"
> in the config. However, we also have some users who connect from Mac
> and Unix clients. The usernames on the Samba server itself come from
> the Unix domain, so it's only using the Windows AD to validate people's
> passwords when they connect to Samba.
>
> We have been running happily without running winbindd on the Samba server
> and it's all been working perfectly.
>
> However, since the Badlock patches, the Samba server can no longer
> authenticate clients from Mac or Unix workstations. I understand
> that this is a known issue, and the official answer is "run winbindd".
> Well OK, but unfortunately Winbind seems to have messed up all our
> access permissions.
>
> With Winbind running, all users can successfully connect, and all Unix
> users can access the correct shares, but Windows is telling some people
> "You do not have permission to access X" on some shares.
>
> The first thing we noticed is that users don't have access to directories
> that are shared using group permissions. So if the directory is mode 0770,
> not owned by me, but owned by a group that I am a member of, I don't have
> access from Windows.
>
> If we put "force group = X" in the config for that share, where X is the
> group owner of the directory (that I am already a member of), I am allowed
> access again. But I don't like to do this because it might grant access
> to some people who are not members of the group.
>
> I found from searching on this issue that the problem is likely related
> to the fact that the Windows AD groups are being used rather than the
> Unix groups, and that we should put "username map script = /bin/echo"
> in the config.
>
> With that in place, I can now browse any share with group permissions -
> great! Unfortunately, this stops me from being able to access any
> folder that has mode 0700 from Windows even if I own it.
>
> ... What have I missed, and what do I need to look at? BTW I have no
> idea what a SID or a RID is, but this does seem to be important somehow.
>
> Thanks
> Ian Collier

OK, the SID is what identifies the domain, it mostly looks like this:

S-1-5-21-1768301897-3342589593-1064908849

I say 'mostly' because there are some specialised SIDs used by the BUILTIN users & groups etc.

The RID is a unique number that identifies the user, group, etc object and usually starts from 1000 (again, there are exceptions, Administrator is always '500').

So, to identify a user, you would have the SID, with the RID on the end, i.e.

S-1-5-21-1768301897-3342589593-1064908849-1000

You really shouldn't have to worry about any of this, because whatever tool you use to create a user or group etc, the SID-RID should be created automatically.

Having got that out of the way, can you post your smb.conf ?

Rowland
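An added example, not part of the thread: a parser for the SID strings Rowland describes, splitting a domain principal SID into its domain SID and RID and recognising the well-known cases. The sample SID is the one quoted in the reply above; the well-known SID and RID table holds standard Windows values, and the class and function names are this example's own.

```python
# Added example (not from the thread): parse and classify Windows SID strings
# of the form S-<revision>-<authority>-<subauthority>...-<RID>.
# The well-known table lists standard Windows values; the sample SID used in
# the test is the one Rowland quoted.
import re
from dataclasses import dataclass
from typing import Tuple

# Standard well-known SIDs (not domain-relative) and well-known domain RIDs.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
}

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]

    @classmethod
    def parse(cls, text: str) -> "Sid":
        m = _SID_RE.match(text)
        if not m:
            raise ValueError(f"not a SID: {text!r}")
        revision, authority = int(m.group(1)), int(m.group(2))
        subs = tuple(int(s) for s in m.group(3).split("-")[1:])
        # Only revision 1 exists, and a SID carries at most 15 subauthorities.
        if revision != 1 or len(subs) > 15:
            raise ValueError(f"malformed SID: {text!r}")
        return cls(revision, authority, subs)

    def __str__(self) -> str:
        return "S-%d-%d-%s" % (self.revision, self.authority,
                               "-".join(str(s) for s in self.subauthorities))

    def _is_nt_domain_style(self) -> bool:
        return self.authority == 5 and self.subauthorities[:1] == (21,)

    @property
    def is_domain_sid(self) -> bool:
        """S-1-5-21-A-B-C with no trailing RID: identifies the domain itself."""
        return self._is_nt_domain_style() and len(self.subauthorities) == 4

    @property
    def is_domain_principal(self) -> bool:
        """S-1-5-21-A-B-C-RID: a user, group or computer in that domain."""
        return self._is_nt_domain_style() and len(self.subauthorities) == 5

    def split(self) -> Tuple[str, int]:
        """Split a domain principal SID into (domain SID string, RID)."""
        if not self.is_domain_principal:
            raise ValueError(f"{self} is not a domain principal SID")
        domain = Sid(self.revision, self.authority, self.subauthorities[:-1])
        return str(domain), self.subauthorities[-1]

    def describe(self) -> str:
        """Human-readable classification of the SID."""
        text = str(self)
        if text in WELL_KNOWN_SIDS:
            return WELL_KNOWN_SIDS[text]
        if self.is_domain_sid:
            return f"domain {text}"
        if self.is_domain_principal:
            domain, rid = self.split()
            if rid in WELL_KNOWN_RIDS:
                return f"{WELL_KNOWN_RIDS[rid]} in {domain}"
            kind = "ordinary account/group" if rid >= 1000 else "reserved RID"
            return f"{kind} RID {rid} in {domain}"
        return f"special SID {text}"


def is_valid_sid(text: str) -> bool:
    """True if the string parses as a SID."""
    try:
        Sid.parse(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for s in ("S-1-5-21-1768301897-3342589593-1064908849",
              "S-1-5-21-1768301897-3342589593-1064908849-1000",
              "S-1-5-21-1768301897-3342589593-1064908849-500",
              "S-1-5-32-544"):
        print(s, "->", Sid.parse(s).describe())
```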
Ian Collier
2016-Apr-15 15:21 UTC
[Samba] Cannot browse mode 0700 directories from Windows with security=ads
On Fri, Apr 15, 2016 at 04:06:53PM +0100, you wrote:
> Having got that out of the way, can you post your smb.conf ?

This is slightly redacted, so apologies if some essential info is missing. Also there are lots of shares, but the 0700 access problem happens on the [homes] share, so here's that one:

    [global]
        workgroup = ...
        realm = ...
        server string = Samba Server
        interfaces = 127.0.0.1, eth0
        bind interfaces only = Yes
        security = ADS
        password server = dc1... dc2...
        log level = 1
        log file = /var/log/samba/log.%m
        load printers = No
        printcap name = /dev/null
        disable spoolss = Yes
        read only = No
        create mask = 0664
        hosts allow = .../22
        printing = bsd
        print command = lpr -r -P'%p' %s
        lpq command = lpq -P'%p'
        lprm command = lprm -P'%p' %j
        posix locking = no
        kernel oplocks = no
        username map script = /bin/echo

    [homes]
        comment = UNIX Home Directories
        path = /auto/users/%U
        create mask = 0750
        directory mask = 0750
        browseable = No

Ian Collier.