Hello guys.

I have a Zentyal 4.2 server which runs Samba 4.3.5 and ACLs for every share. It's currently working fine, no issues, everyone can access their folders without problems.

I've built a Samba 4.3.5 server in a different host which is not a Zentyal server. I've configured this 2nd server as DC. Once a day I run a script to synchronize all shares from my Zentyal to this Samba 4.3.5 server using rsync -aAHS.

I can see that all ACLs and permissions are correctly replicated to the destination server but I'm unable to access any shares there.

When using a username for testing, I'm able to access a share on the origin server but I can't do it in the destination server. However, if I login with this user at the OS Linux (sudo su - username) I can access the UNIX directory without issues.

It's strange how UNIX ACLs and permissions allow this username to access a certain directory but Samba doesn't even if the configuration of this share is exactly the same in both the origin and destination Samba server.

This is a portion of the log I see when my username tries to access a share on the destination server:

[2016/04/25 10:42:33.861169, 3] ../source3/smbd/process.c:1490(switch_message)
  switch message SMBtrans2 (pid 10685) conn 0x55dc388d81b0
[2016/04/25 10:42:33.861237, 3] ../source3/smbd/service.c:198(set_current_service)
  chdir (/home/samba/shares/Central) failed, reason: Permission denied
[2016/04/25 10:42:33.861279, 3] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/process.c(1609) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED
[2016/04/25 10:42:37.766316, 3] ../source3/smbd/process.c:1880(process_smb)

OK, I know I haven't provided any extra info about my Samba configuration files or any other useful information. But as there's a lot of info I could share with all of you I'd like to know which info you might need to troubleshoot this.

I hope someone can point me to some solution or procedure for fixing this problem.

Thanks in advance

Hello guys, any idea, someone? :(

On Mon, Apr 25, 2016 at 10:59 AM, Jason Voorhees <jvoorhees1 at gmail.com> wrote:
> Hello guys.
>
> I have a Zentyal 4.2 server which runs Samba 4.3.5 and ACLs for every
> share. It's currently working fine, no issues, everyone can access
> their folders without problems.
>
> I've built a Samba 4.3.5 server in a different host which is not a
> Zentyal server. I've configured this 2nd server as DC. Once a day I
> run a script to synchronize all shares from my Zentyal to this Samba
> 4.3.5 server using rsync -aAHS.
>
> I can see that all ACLs and permissions are correctly replicated to
> the destination server but I'm unable to access any shares there.
>
> When using a username for testing, I'm able to access a share on the
> origin server but I can't do it in the destination server. However, if
> I login with this user at the OS Linux (sudo su - username) I can
> access the UNIX directory without issues.
>
> It's strange how UNIX ACLs and permissions allow this username to
> access a certain directory but Samba doesn't even if the configuration
> of this share is exactly the same in both the origin and destination
> Samba server.
>
> This is a portion of the log I see when my username tries to access a
> share on the destination server:
>
> [2016/04/25 10:42:33.861169, 3] ../source3/smbd/process.c:1490(switch_message)
>   switch message SMBtrans2 (pid 10685) conn 0x55dc388d81b0
> [2016/04/25 10:42:33.861237, 3] ../source3/smbd/service.c:198(set_current_service)
>   chdir (/home/samba/shares/Central) failed, reason: Permission denied
> [2016/04/25 10:42:33.861279, 3] ../source3/smbd/error.c:82(error_packet_set)
>   NT error packet at ../source3/smbd/process.c(1609) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED
> [2016/04/25 10:42:37.766316, 3] ../source3/smbd/process.c:1880(process_smb)
>
> OK, I know I haven't provided any extra info about my Samba
> configuration files or any other useful information. But as there's a
> lot of info I could share with all of you I'd like to know which info
> you might need to troubleshoot this.
>
> I hope someone can point me to some solution or procedure for fixing
> this problem.
>
> Thanks in advance

On 25/04/16 16:59, Jason Voorhees wrote:
> Hello guys.
>
> I have a Zentyal 4.2 server which runs Samba 4.3.5 and ACLs for every
> share. It's currently working fine, no issues, everyone can access
> their folders without problems.
>
> I've built a Samba 4.3.5 server in a different host which is not a
> Zentyal server. I've configured this 2nd server as DC. Once a day I
> run a script to synchronize all shares from my Zentyal to this Samba
> 4.3.5 server using rsync -aAHS.
>
> I can see that all ACLs and permissions are correctly replicated to
> the destination server but I'm unable to access any shares there.
>
> When using a username for testing, I'm able to access a share on the
> origin server but I can't do it in the destination server. However, if
> I login with this user at the OS Linux (sudo su - username) I can
> access the UNIX directory without issues.
>
> It's strange how UNIX ACLs and permissions allow this username to
> access a certain directory but Samba doesn't even if the configuration
> of this share is exactly the same in both the origin and destination
> Samba server.
>
> This is a portion of the log I see when my username tries to access a
> share on the destination server:
>
> [2016/04/25 10:42:33.861169, 3] ../source3/smbd/process.c:1490(switch_message)
>   switch message SMBtrans2 (pid 10685) conn 0x55dc388d81b0
> [2016/04/25 10:42:33.861237, 3] ../source3/smbd/service.c:198(set_current_service)
>   chdir (/home/samba/shares/Central) failed, reason: Permission denied
> [2016/04/25 10:42:33.861279, 3] ../source3/smbd/error.c:82(error_packet_set)
>   NT error packet at ../source3/smbd/process.c(1609) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED
> [2016/04/25 10:42:37.766316, 3] ../source3/smbd/process.c:1880(process_smb)
>
> OK, I know I haven't provided any extra info about my Samba
> configuration files or any other useful information. But as there's a
> lot of info I could share with all of you I'd like to know which info
> you might need to troubleshoot this.
>
> I hope someone can point me to some solution or procedure for fixing
> this problem.
>
> Thanks in advance
>

OK, you have two DCs, on one, your user can access a share, you basically copy the shares to another DC (with all the same permissions etc) and your user cannot access the share on the second DC.

How is AD set up? Are you using uidNumber & gidNumber attributes (you will have added them manually) or are you using the xidNumbers created automatically by Samba4?

If you have modified the smb.conf on the second DC, can you post this.
Can you post the smb.conf from your Zentyal machine.

Rowland

> OK, you have two DCs, on one, your user can access a share, you basically
> copy the shares to another DC (with all the same permissions etc) and your
> user cannot access the share on the second DC.
>
> How is AD set up? Are you using uidNumber & gidNumber attributes (you will
> have added them manually) or are you using the xidNumbers created
> automatically by Samba4?

I'm not very sure about the difference, but I believe it's the 2nd alternative. I guess you could check it from my configuration shown in the lines below.

>
> If you have modified the smb.conf on the second DC, can you post this.
> Can you post the smb.conf from your Zentyal machine.

This is the content of my Zentyal's Samba configuration:

[global]
    workgroup = agn
    realm = REALM.COM.PE
    netbios name = fileserver
    server string = Linux Active Directory
    server role = dc
    server role check:inhibit = yes
    server services = -dns -winbindd +winbind
    server signing = auto
    dsdb:schema update allowed = yes
    drs:max object sync = 1200
    idmap_ldb:use rfc2307 = yes
    interfaces = lo,eth0,eth0:0,eth0:0
    bind interfaces only = yes
    log level = 3
    log file = /var/log/samba/samba.log
    max log size = 100000
    include = /etc/samba/shares.conf

[netlogon]
    path = /var/lib/samba/sysvol/agn.com.pe/scripts
    browseable = no
    read only = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = no

Here are the contents of /etc/samba/shares.conf:

[homes]
    comment = Directorios de usuario
    path = /home/%S
    read only = no
    browseable = no
    create mask = 0611
    directory mask = 0711
    vfs objects = acl_xattr full_audit recycle
    full_audit:success = connect opendir disconnect unlink mkdir rmdir open rename
    full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
    recycle: directory_mode = 0700
    recycle: inherit_nt_acl = Yes
    recycle: excludedir = /tmp|/var/tmp
    recycle: versions = Yes
    recycle: keeptree = Yes
    recycle: repository = RecycleBin

[agnofi]
    comment = primer compartido
    path = /home/samba/shares/agnofi
    browseable = Yes
    read only = No
    force create mode = 0660
    force directory mode = 0660
    vfs objects = acl_xattr full_audit recycle
    acl_xattr:ignore system acls = yes
    full_audit:success = connect opendir disconnect unlink mkdir rmdir open rename
    full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
    recycle: directory_mode = 0700
    recycle: inherit_nt_acl = Yes
    recycle: excludedir = /tmp|/var/tmp
    recycle: versions = Yes
    recycle: keeptree = Yes
    recycle: repository = RecycleBin

There are a lot of other additional shares but all of them have the same configuration except for the path.

This is the configuration for my 2nd Samba DC:

[global]
    workgroup = AGN
    realm = realm.com.pe
    netbios name = FILESERVERSJL
    server role = active directory domain controller
    log file = /var/log/samba.log
    log level = 3
    include = /etc/samba/shares.conf
    server services = -dns -winbindd +winbind
    server signing = auto
    dsdb:schema update allowed = yes
    drs:max object sync = 1200
    idmap_ldb:use rfc2307 = yes

[netlogon]
    path = /usr/local/samba-4.3.5/var/locks/sysvol/agn.com.pe/scripts
    read only = No

[sysvol]
    path = /usr/local/samba-4.3.5/var/locks/sysvol
    read only = No

The contents of /etc/samba/shares.conf are exactly the same as in Zentyal's server because I copy this file using rsync.

Hope this helps. Thanks a lot for your help.