Jason Secord
2016-Sep-20 20:30 UTC
[Samba] Domain Member Server: Domain Users cannot access shares
Hello to the Samba devs and mailing list subscribers,

I've run into a bit of trouble getting a new domain member server set up.

I've got three Ubuntu 14.04 64 bit VMs running the latest stable build of Samba built from source acting as Domain Controllers. I've got a fourth physical machine running Ubuntu 16.04 64 bit running the canonical distribution samba (Version 4.3.9-Ubuntu) that I've configured as a Domain Member Server providing file sharing for the domain. Shared directories are stored on a RAID 1 array formatted ext4.

Currently I can see and access all shares using any account that is a member of the Domain Admins group, and can alter Share Permissions and ACLs via the Security tab of the Computer Management snap-in running on a Windows 7 workstation that is joined to the domain. I've reset all ACLs and executed chmod g=rwx /mnt and chgrp "DOMAIN\Domain Admins" /mnt and granted "Everyone" and "Domain Users" Full Access in both the Share Permissions and Security tabs. Any attempt to view shares on the domain member server when logged in as a user who is a member of the "Domain Users" group fails: I am prompted to enter credentials, I do so, and they are rejected. Domain Admins can both view all shares and access their contents without a problem.
My smb.conf:

# Global parameters
[global]
    workgroup = PHM
    realm = PHM.PLYMOUTHHISTORY.ORG
    netbios name = phmsrv01
    security = ads
    printing = CUPS
    printcap name = /dev/null
    encrypt passwords = yes
    bind interfaces only = yes
    interfaces = lo eno2

    log file = /var/log/samba/samba.%m.log
    log level = 2

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = yes
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    allow trusted domains = yes

    # Default idmap config used for BUILTIN and local accounts/groups
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999

    # idmap config for domain PRIA
    idmap config PHM:backend = ad
    idmap config PHM:schema_mode = rfc2307
    idmap config PHM:range = 10000-9999999

    # Use settings from AD for login shell and home directory
    winbind nss info = rfc2307

    # Enable extended ACL support https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

[home]
    path = /mnt/md0/samba_shares/home
    read only = no
    admin users = @"PHM\Domain Admins"

[Profiles]
    path = /mnt/md0/samba_shares/Profiles
    read only = no
    admin users = @"PHM\Domain Admins"

[Accounts]
    comment = PHM Accounts
    path = /mnt/md0/samba_shares/Accounts
    admin users = @"PHM\Domain Admins"
    read only = no
    valid users = @"PHM\Domain Users"

[Director-sec]
    comment = Director-Sec Share
    path = /mnt/md0/samba_shares/Director_sec
    admin users = @"PHM\Domain Admins"
    read only = no

[Director-ek]
    comment = Director-ek Share
    path = /mnt/md0/samba_shares/Director-ek
    admin users = @"PHM\Domain Admins"
    read only = no

[Edu_data]
    comment = Edu-data Share
    path = /mnt/md0/samba_shares/Edu_data
    admin users = @"PHM\Domain Admins"
    read only = no

[PlymouthData]
    comment = PlymouthData Share
    path = /mnt/md0/samba_shares/PlymouthData
    admin users = @"PHM\Domain Admins"
    read only = no

[PP4]
    comment = PP4 Share
    path = /mnt/md0/samba_shares/pp4
    admin users = @"PHM\Domain Admins"
    read only = no

[PP5]
    comment = PP5 Share
    path = /mnt/md0/samba_shares/PP5
    admin users = @"PHM\Domain Admins"
    read only = no

[Primary]
    comment = Primary Share
    path = /mnt/md0/samba_shares/Primary
    admin users = @"PHM\Domain Admins"
    read only = no

[secdata]
    comment = secdata share
    path = /mnt/md0/samba_shares/secdata
    admin users = @"PHM\Domain Admins"
    read only = no

[STORE]
    comment = Store Share
    path = /mnt/md0/samba_shares/STORE
    admin users = @"PHM\Domain Admins"
    read only = no

[Vol_data]
    comment = Vol_data Share
    path = /mnt/md0/samba_shares/Vol_data
    admin users = @"PHM\Domain Admins"
    read only = no

[samba_backups]
    comment = PHM Samba AD Backups
    path = /mnt/md0/samba_shares/samba_backups
    admin users = @"PHM\Domain Admins"
    read only = no

[ITWERKS]
    comment = ITWERKS Admin Share
    path = /mnt/md0/samba_shares/ITWERKS
    admin users = @"PHM\Domain Admins"
    read only = no

[test]
    path = /mnt/md0/samba_shares/test
    read only = no
    admin users = @"PHM\Domain Admins"

[test2]
    path = /home/itwerks/testshare
    read only = no

My /etc/krb5.conf:

[libdefaults]
    default_realm = PHM.PLYMOUTHHISTORY.ORG
    dns_lookup_realm = false
    dns_lookup_kdc = true

My /etc/nsswitch.conf:

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Results of getent group:

root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,itwerks
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:itwerks
floppy:x:25:
tape:x:26:
sudo:x:27:itwerks
audio:x:29:pulse
dip:x:30:itwerks
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:itwerks
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
systemd-journal:x:101:
systemd-timesync:x:102:
systemd-network:x:103:
systemd-resolve:x:104:
systemd-bus-proxy:x:105:
input:x:106:
crontab:x:107:
syslog:x:108:
netdev:x:109:
messagebus:x:110:
uuidd:x:111:
ssl-cert:x:112:
lpadmin:x:113:itwerks
lightdm:x:114:
nopasswdlogin:x:115:
whoopsie:x:116:
mlocate:x:117:
ssh:x:118:
avahi-autoipd:x:119:
avahi:x:120:
bluetooth:x:121:
scanner:x:122:saned
colord:x:123:
pulse:x:124:
pulse-access:x:125:
rtkit:x:126:
saned:x:127:
itwerks:x:1000:
sambashare:x:128:itwerks
vboxusers:x:129:itwerks
gdm:x:130:
geoclue:x:131:
ntp:x:132:
winbindd_priv:x:133:
postfix:x:134:
postdrop:x:135:
group policy creator owners:x:10004:
enterprise admins:x:10002:
domain admins:x:10000:
schema admins:x:10005:
domain users:x:10001:
dnsadmins:x:10003:

Results of getent passwd:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:116::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
itwerks:x:1000:1000:itwerks,,,:/home/itwerks:/bin/bash
gdm:x:121:130:Gnome Display Manager:/var/lib/gdm3:/bin/false
geoclue:x:122:131::/var/lib/geoclue:/bin/false
sshd:x:123:65534::/var/run/sshd:/usr/sbin/nologin
ntp:x:124:132::/home/ntp:/bin/false
postfix:x:125:134::/var/spool/postfix:/bin/false
ekerstens:*:10002:10001:Elizabeth Kerstens:/home/ekerstens:/bin/sh
mbeddoes:*:10010:10001:Madelyne Beddoes:/home/mbeddoes:/bin/sh
sbrindley:*:10006:10001:Sherrie Brindley:/home/sbrindley:/bin/sh
mthackston:*:10008:10001:Mary Thackston:/home/mthackston:/bin/sh
swilson:*:10009:10001:Shannon Wilson:/home/swilson:/bin/sh
administrator:*:10001:10001:Administrator:/home/Administrator:/bin/sh
hnielsen:*:10007:10001:Heidi Nielsen:/home/hnielsen:/bin/sh
jburroughs:*:10017:10001:Jim Burroughs:/home/jburroughs:/bin/sh
mmccann:*:10003:10001:Melody McCann:/home/mmccann:/bin/sh
lryder:*:10005:10001:Leslie Ryder:/home/lryder:/bin/sh
jburns:*:10004:10001:Janet Burns:/home/jburns:/bin/sh
research1:*:10014:10001:Research 1:/home/research1:/bin/sh
store:*:10015:10001:Store User:/home/store:/bin/sh
phmadmin:*:10016:10001:PHM Admin:/home/phmadmin:/bin/sh
intern1:*:10011:10001:Intern 1:/home/intern1:/bin/sh
intern2:*:10012:10001:Intern 2:/home/intern2:/bin/sh
intern3:*:10013:10001:Intern 3:/home/intern3:/bin/sh
itwerks:*:10000:10001:it werks:/home/itwerks:/bin/sh

Status of the smbd, nmbd, and winbind daemons:

● smbd.service - LSB: start Samba SMB/CIFS daemon (smbd)
   Loaded: loaded (/etc/init.d/smbd; bad; vendor preset: enabled)
   Active: active (running) since Tue 2016-09-20 11:27:07 EDT; 4h 58min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 16736 ExecStop=/etc/init.d/smbd stop (code=exited, status=0/SUCCESS
  Process: 16891 ExecStart=/etc/init.d/smbd start (code=exited, status=0/SUCCE
   CGroup: /system.slice/smbd.service
           ├─16908 /usr/sbin/smbd -D
           ├─16909 /usr/sbin/smbd -D
           ├─16911 /usr/sbin/smbd -D
           └─17092 /usr/sbin/smbd -D

Sep 20 11:27:07 phmsrv01 systemd[1]: Starting LSB: start Samba SMB/CIFS daemon
Sep 20 11:27:07 phmsrv01 smbd[16891]:  * Starting SMB/CIFS daemon smbd
Sep 20 11:27:07 phmsrv01 smbd[16891]:    ...done.
Sep 20 11:27:07 phmsrv01 systemd[1]: Started LSB: start Samba SMB/CIFS daemon
Sep 20 11:27:07 phmsrv01 smbd[16908]: [2016/09/20 11:27:07.830678, 0] ../lib/
Sep 20 11:27:07 phmsrv01 smbd[16908]:   STATUS=daemon 'smbd' finished starting

● nmbd.service - LSB: start Samba NetBIOS nameserver (nmbd)
   Loaded: loaded (/etc/init.d/nmbd; bad; vendor preset: enabled)
   Active: active (running) since Tue 2016-09-20 11:27:21 EDT; 4h 58min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 16785 ExecStop=/etc/init.d/nmbd stop (code=exited, status=0/SUCCESS
  Process: 16944 ExecStart=/etc/init.d/nmbd start (code=exited, status=0/SUCCE
   CGroup: /system.slice/nmbd.service
           └─16963 /usr/sbin/nmbd -D

Sep 20 11:27:21 phmsrv01 nmbd[16944]:    ...done.
Sep 20 11:27:21 phmsrv01 systemd[1]: Started LSB: start Samba NetBIOS nameserv
Sep 20 11:27:21 phmsrv01 nmbd[16963]: [2016/09/20 11:27:21.069255, 0] ../lib/
Sep 20 11:27:21 phmsrv01 nmbd[16963]:   STATUS=daemon 'nmbd' finished starting
Sep 20 11:27:44 phmsrv01 nmbd[16963]: [2016/09/20 11:27:44.518048, 0] ../sour
Sep 20 11:27:44 phmsrv01 nmbd[16963]:   *****
Sep 20 11:27:44 phmsrv01 nmbd[16963]:
Sep 20 11:27:44 phmsrv01 nmbd[16963]:   Samba name server PHMSRV01 is now a lo
Sep 20 11:27:44 phmsrv01 nmbd[16963]:
Sep 20 11:27:44 phmsrv01 nmbd[16963]:   *****

● winbind.service - LSB: start Winbind daemon
   Loaded: loaded (/etc/init.d/winbind; bad; vendor preset: enabled)
   Active: active (running) since Tue 2016-09-20 11:27:29 EDT; 4h 58min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 16840 ExecStop=/etc/init.d/winbind stop (code=exited, status=0/SUCC
  Process: 17024 ExecStart=/etc/init.d/winbind start (code=exited, status=0/SU
   CGroup: /system.slice/winbind.service
           ├─17043 /usr/sbin/winbindd
           ├─17044 /usr/sbin/winbindd
           ├─17054 /usr/sbin/winbindd
           ├─17093 /usr/sbin/winbindd
           └─17218 /usr/sbin/winbindd

Sep 20 11:27:29 phmsrv01 systemd[1]: Starting LSB: start Winbind daemon...
Sep 20 11:27:29 phmsrv01 winbind[17024]:  * Starting the Winbind daemon winbin
Sep 20 11:27:29 phmsrv01 winbind[17024]:    ...done.
Sep 20 11:27:29 phmsrv01 systemd[1]: Started LSB: start Winbind daemon.
Sep 20 11:27:29 phmsrv01 winbindd[17043]: [2016/09/20 11:27:29.606830, 0] ../
Sep 20 11:27:29 phmsrv01 winbindd[17043]:   initialize_winbindd_cache: clearin
Sep 20 11:27:29 phmsrv01 winbindd[17043]: [2016/09/20 11:27:29.645601, 0] ../
Sep 20 11:27:29 phmsrv01 winbindd[17043]:   STATUS=daemon 'winbindd' finished

ls -la of my main share directory:

ls -la /mnt/md0/samba_shares/
total 172
drwxrwxrwx+ 19 itwerks itwerks  4096 Sep 19 21:31 .
drwxrwx--- 11 itwerks itwerks  4096 Sep 18 14:14 ..
drwxrwxrwx+  3 itwerks itwerks 36864 Sep 18 13:11 Accounts
drwxrwxrwx+ 30 itwerks itwerks  4096 Sep 18 13:14 Director-ek
drwxrwxrwx+ 47 itwerks itwerks  4096 Sep 18 13:14 Director_sec
drwxrwxrwx+  2 itwerks itwerks  4096 Oct 29  2010 Edu_data
drwxrwxrwx+ 21 itwerks itwerks  4096 Sep 18 18:37 home
drwxrwxrwx+ 11 itwerks itwerks  4096 Sep 18 20:45 ITWERKS
drwxrwxrwx+ 62 itwerks itwerks  4096 Sep 18 13:39 PlymouthData
drwxrwxrwx+  2 itwerks itwerks  4096 Sep 18 14:16 pp4
drwxrwxrwx+  3 itwerks itwerks  4096 Sep 18 13:58 PP5
drwxrwxrwx+  5 itwerks itwerks  4096 Oct 29  2010 Primary
drwxrwxrwx+  7 itwerks itwerks  4096 Sep 18 16:39 Profiles
drwxrwxrwx+  2 itwerks itwerks  4096 Sep 18 02:19 samba_backups
drwxrwxrwx+ 51 itwerks itwerks  4096 Sep 18 14:16 secdata
drwxrwxrwx+ 17 itwerks itwerks  4096 Jul 29  2013 server01
drwxrwxrwx+  3 itwerks itwerks  4096 Sep 18 14:17 STORE
drwxrwxrwx+  2 itwerks itwerks  4096 Sep 19 22:21 test
drwxrwxrwx+  3 itwerks itwerks  4096 Nov 29  2013 Vol_data

I am at a loss as to what I'm doing wrong here, please advise. If further information is needed I'm happy to provide it. Thanks in advance for any help, it is greatly appreciated.

Kind Regards,

JS
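A check worth running against the ls -la listing in the post above (an added example, not code from the thread or from Samba): smbd enters a share path as the connecting user unless 'admin users' has turned that user into root, so every parent directory on the way to the share must grant search (x) permission to that user. The owner/group/mode table below is constructed from the listing; the modes of / and /mnt are assumptions, and neither POSIX ACLs (the '+' entries) nor the Windows ACLs are modelled, only the classic mode bits.

```python
"""Model of the Unix search-permission check smbd hits when it enters a
share path as the connecting user, and of why 'admin users' hides it:
smbd performs that connection's file operations as root, which is not
subject to mode bits. Added example; not code from the thread or Samba.
Directory table constructed from the ls -la listing in the post; entries
marked ASSUMED are not shown there. ACLs are not modelled."""
import stat

# Constructed table: path -> (owner, group, mode).
DIRS = {
    "/": ("root", "root", 0o755),                    # ASSUMED
    "/mnt": ("root", "domain admins", 0o775),       # ASSUMED: 755 default, then chmod g=rwx / chgrp from the post
    "/mnt/md0": ("itwerks", "itwerks", 0o770),      # the '..' entry of the listing
    "/mnt/md0/samba_shares": ("itwerks", "itwerks", 0o777),
    "/mnt/md0/samba_shares/Accounts": ("itwerks", "itwerks", 0o777),
}


def can_search(entry, user, groups):
    """Classic POSIX x-bit check: owner class, else group class, else other."""
    owner, group, mode = entry
    if user == "root":
        return True  # root is not subject to mode bits
    if user == owner:
        return bool(mode & stat.S_IXUSR)
    if group in groups:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def path_components(path):
    """'/a/b/c' -> ['/', '/a', '/a/b', '/a/b/c']."""
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def first_blocked_dir(dirs, path, user, groups, admin_user=False):
    """Return the first directory on the way to `path` that the user cannot
    search, or None when the whole path is traversable.

    admin_user=True models a user listed in 'admin users': smbd runs the
    file operations for that connection as root.
    """
    effective = "root" if admin_user else user
    for d in path_components(path):
        if not can_search(dirs[d], effective, groups):
            return d
    return None


SHARE = "/mnt/md0/samba_shares/Accounts"


def demo():
    """Compare a plain Domain User, the same user via 'admin users', and the
    local owner of the array. Returns the blocking directory or None."""
    return {
        "domain user": first_blocked_dir(DIRS, SHARE, "ekerstens", {"domain users"}),
        "domain user via admin users": first_blocked_dir(
            DIRS, SHARE, "ekerstens", {"domain users"}, admin_user=True),
        "local itwerks": first_blocked_dir(DIRS, SHARE, "itwerks", {"itwerks"}),
    }


if __name__ == "__main__":
    for who, blocked in demo().items():
        print(f"{who:28s}: {'ok' if blocked is None else 'blocked at ' + blocked}")
```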
Jason Secord
2016-Sep-21 03:38 UTC
[Samba] Domain Member Server: Domain Users cannot access shares
So it seems that I have identified the source of all of my permissions issues, though I'm unclear as to exactly why these problems have occurred and would love an explanation if anyone can offer one.

I was using mdadm to create a RAID 1 array, formatting it ext4 and storing all of the data that samba was serving on /dev/md0. The two drives that make up the array are hosted by an LSI MegaRaid controller, though they are not configured within its interface. After carefully troubleshooting every step in the process of setting share permissions and ACLs I decided to create a test share on the system drive. I copied one of the problematic directories from the raid array to my home folder and was immediately able to access it as a Domain User... So something about the RAID array is causing the failure. I've since moved all of the shared data to the system drive and am moving on to other tasks but I'd really like to get it moved back to the array.

What is going on here? The system drive is hosted by the same controller... I've successfully used RAID arrays and mdadm to host shares at other locations. I'd really love to understand what's going awry in this setup.

Kind regards,

JS

On Sep 20, 2016 4:30 PM, "Jason Secord" <it at plymouthhistory.org> wrote:

> Hello to the Samba devs and mailing list subscribers,
>
> I've run into a bit of trouble getting a new domain member server setup.
> [...]
Rowland Penny
2016-Sep-21 08:59 UTC
[Samba] Domain Member Server: Domain Users cannot access shares
On Tue, 20 Sep 2016 23:38:19 -0400
Jason Secord via samba <samba at lists.samba.org> wrote:

> So it seems that I have identified the source of all of my permissions
> issues, though I'm unclear as to exactly why these problems have
> occurred and would love an explanation if anyone can offer one.
> [...]
> What is going on here? The system drive is hosted by the same
> controller... I've successfully used RAID arrays and mdadm to host
> shares at other locations. I'd really love to understand what's
> going awry in this setup.
>
> Kind regards,
>
> JS

Your raid setup may be the main culprit here, but your Samba setup isn't helping. Can I suggest a few alterations?

Remove the gidNumber from these groups:

group policy creator owners
enterprise admins
schema admins
dnsadmins

Remove the uidNumber from this user:

administrator

Add this line to smb.conf:

username map = /etc/samba/user.map

Then create the user.map:

nano /etc/samba/user.map

!root = PHM\Administrator PHM\administrator Administrator administrator

Remove all the instances of 'admin users' & 'valid users' from the shares.
Use Windows ACLs instead, see here for more info:

https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

Try running 'getfacl /mnt/md0/samba_shares/Accounts'

Rowland
Rowland Penny
2016-Sep-21 16:06 UTC
[Samba] Domain Member Server: Domain Users cannot access shares
On Wed, 21 Sep 2016 11:09:15 -0400
Jason Secord <it at plymouthhistory.org> wrote:

> Hi Rowland,
>
> I've already removed all "admin users" and "valid users" entries from
> my smb.conf, they ended up there after hours of confusion trying to
> drill down to the root of the problem.
>
> To remove the aforementioned UID/GIDs, I can do that via the tab in
> ADUC, correct? Is there a document on best practices when applying UNIX
> attributes to accounts?

You can do it with ADUC, or you can use ldb or ldap tools or ADSI edit.

> I haven't encountered any mention of creating a user.map in the
> documentation, nor have I ever created one in the past. Is this
> something that is considered a best practice as well? Can you point
> me to any documentation on user.maps?

Not too sure about the documentation. There is some in 'man smb.conf',
but it is easier to describe it to you.

On a Samba AD DC, Administrator gets mapped to root automatically, but
on a domain member it isn't. There are two schools of thought here,
one is to give Administrator a uidNumber, but I don't recommend this.
If you do give Administrator a uidNumber, it becomes just another
Unix user with just the same permissions as any other user and it
breaks the DC. The other option is to use a 'username map', this will
do what the DC does and maps Administrator to the root user.

> I will make these adjustments
> tonight and update you along with the results of that getfacl command
> you requested.
>
> I have applied ACLs to all shares already.
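The two Rowland messages above prescribe a 'username map' line and describe what it does, but not how Samba walks the file. The following is an added example written for this archive page, not code from Samba or from either poster: a small resolver that follows the rules smb.conf(5) gives for "username map" (one "unixname = winname ..." line each, '#'/';' comments, '*' as a wildcard, '@group' for Unix group membership, double quotes around names with spaces, and a leading '!' that stops processing once that line matches). It runs the exact map from the thread and, beside it, a constructed map without the '!' to show why the prefix matters: without it, later lines are applied to the already mapped name, so a catch-all line would silently turn root into the catch-all user. Case-insensitive comparison and the group memberships are assumptions of this toy.

```python
"""Toy resolver for Samba's 'username map' file format.

Added example for this thread; it is not code from Samba or from the
posters. It models the rules documented in smb.conf(5) for "username map":
one mapping per line, "unixname = winname1 winname2 ...", '#' or ';'
comment lines, '*' matching any name, '@group' matching members of a Unix
group, double quotes around names that contain spaces, and a leading '!'
that stops processing once that line matches. Without '!', later lines are
applied to the already mapped name, which is why the map in the thread
starts with "!root". Case-insensitive comparison is an assumption of this
toy; group memberships and the second map below are constructed.
"""

# Verbatim: the map Rowland suggested (and Jason installed) in the thread.
PHM_USER_MAP = r"""
!root = PHM\Administrator PHM\administrator Administrator administrator
"""

# Constructed: the same mapping without '!', followed by a catch-all line.
# This is the mistake the '!' prefix exists to prevent.
UNSAFE_USER_MAP = r"""
root = PHM\Administrator
nobody = *
"""


def _split_names(text):
    """Split the right-hand side on whitespace, honouring double quotes."""
    names, current, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if current:
                names.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        names.append("".join(current))
    return names


def parse_user_map(text):
    """Return a list of (unix_name, [windows_names], stop_after_match)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()
        unix_name, sep, win_names = line.partition("=")
        if not sep:
            raise ValueError(f"malformed username map line: {raw!r}")
        rules.append((unix_name.strip(), _split_names(win_names), stop))
    return rules


def _matches(pattern, name, group_members):
    """One right-hand-side token against the incoming (or already mapped) name."""
    if pattern == "*":
        return True
    if pattern.startswith("@"):
        members = group_members.get(pattern[1:], ())
        return name.lower() in {m.lower() for m in members}
    return pattern.lower() == name.lower()


def map_username(rules, name, group_members=None):
    """Apply the map in order: every matching line rewrites the name and
    processing continues with the new name unless that line carried '!'."""
    group_members = group_members or {}
    current = name
    for unix_name, win_names, stop in rules:
        if any(_matches(p, current, group_members) for p in win_names):
            current = unix_name
            if stop:
                break
    return current
```

Two points from smb.conf(5) are worth keeping in mind when reading the map in this thread. On a domain member (security = domain or ads) the map is applied after the domain controller has already authenticated the user, so "!root = PHM\Administrator ..." does not bypass authentication; it only decides which Unix identity the authenticated Administrator receives. The same section notes that member servers need fully qualified entries, which is why the DOMAIN\ forms are listed alongside the bare ones (the bare forms cover clients that present the name without a domain when winbind use default domain = yes).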
Jason Secord
2016-Sep-22 23:21 UTC
[Samba] Domain Member Server: Domain Users cannot access shares
Hi Rowland,

*Apparently I accidentally replied directly to you instead of the list,
this is from a couple days ago...*

First off, thanks again for your help, your insight is invaluable.

I have completed the changes you suggested:

I've used ADUC to remove the NIS Domain and UID/GID number from the
following Users/Groups:

- group policy creator owners
- enterprise admins
- schema admins
- dnsadmins
- Administrator

I've added "username map = /etc/samba/user.map" to my smb.conf

I've created /etc/samba/user.map

ls -la /etc/samba/user.map
-rw-r--r-- 1 root root 73 Sep 21 20:53 /etc/samba/user.map

cat /etc/samba/user.map
!root = PHM\Administrator PHM\administrator Administrator administrator

Here is the output of the getfacl command you requested I run:

sudo getfacl /mnt/md0/samba_shares/Accounts
getfacl: Removing leading '/' from absolute path names
# file: mnt/md0/samba_shares/Accounts
# owner: itwerks
# group: domain\040admins
user::rwx
group::rwx
other::rwx
default:user::rwx
default:group::rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::rwx

Regards,

JS

On Thu, Sep 22, 2016 at 1:35 AM, Jason Secord <it at plymouthhistory.org> wrote:

> I ran another test of a share on the raid array after making the changes
> you suggested Rowland. I reset the ACLs on /mnt/md0/samba_shares/test as
> outlined in the wiki and set the default group to domain admins. I
> executed setfacl commands g=rwx and chgrp domain admins, then added the
> directory to my smb.conf and ran "smbcontrol all reload-config". I then
> logged in to a Windows box as administrator and set ACLs for my test domain
> user account, allowing full control in both share permissions and the
> security tabs, applied settings and closed the snap-in.
>
> I then logged in to another machine as my test user and tried to access
> the new share and still received access denied.
>
> I'd be oh so happy if this thread ends and the raid controller isn't the
> root cause of this issue, but my gut says it must be as shares that I
> copied from the array to the system drive retained the ACLs I had set
> previously and were accessible without modification. I just wish I could
> find some indication that this is a known issue, my Google fu fails to
> reveal any evidence supporting the theory.
>
> JS
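The getfacl output Jason posted is the one hard piece of evidence in the thread, so it is worth being able to read it mechanically. The block below is an added example written for this archive page, not code from Samba or from the posters: it parses that output (the "\040" is how getfacl escapes the space in "domain admins") and evaluates it with the access-check order from acl(5), which is owner entry, then named user entry, then owning group and named group entries (each clipped by the mask entry), then the other entry. Run against the Accounts directory it shows that the POSIX ACL ends in other::rwx, so at the filesystem layer a member of Domain Users is not refused by these permissions at all. A second, constructed ACL shows the opposite failure mode, a named group entry whose rwx the mask clips to r-x. The user names and group memberships are made up for the demonstration. Because vfs objects = acl_xattr also stores and consults a full NT ACL in the security.NTACL extended attribute, the next thing a practitioner would check on a directory with this POSIX ACL is whether that attribute is present and readable on the array (as root, getfattr -m - -d /mnt/md0/samba_shares/Accounts lists it), rather than the mode bits.

```python
"""POSIX ACL evaluation from getfacl(1) output.

Added example for this thread, not code from the Samba project or from the
posters. It parses the getfacl text Jason posted for the Accounts directory
(the "\\040" is how getfacl escapes the space in "domain admins") and applies
the access-check order from acl(5): owner entry first, then a named user
entry, then the owning group and any named group entries (each masked by
the mask entry), and finally the other entry. A second, constructed ACL
shows the mask clipping a named group's rwx to r-x. User names, group
memberships and the second ACL are made up for the demonstration.
"""
import re
from dataclasses import dataclass

# Verbatim from the thread (getfacl of /mnt/md0/samba_shares/Accounts).
ACCOUNTS_ACL = r"""
# file: mnt/md0/samba_shares/Accounts
# owner: itwerks
# group: domain\040admins
user::rwx
group::rwx
other::rwx
default:user::rwx
default:group::rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::rwx
"""

# Constructed: a named group entry whose rwx is clipped by mask::r-x, and
# no fall-through for "other". getfacl prints the effective rights as a
# trailing "#effective:" annotation, which the parser strips.
MASKED_ACL = r"""
# file: srv/share
# owner: root
# group: domain\040admins
user::rwx
group::rwx                    #effective:r-x
group:domain\040users:rwx     #effective:r-x
mask::r-x
other::---
"""

_OCTAL = re.compile(r"\\([0-7]{3})")


def unescape(name):
    """Undo getfacl's \\NNN octal escaping (e.g. \\040 -> space)."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), name)


@dataclass
class Acl:
    owner: str
    group: str
    access: list   # (tag, qualifier, frozenset of 'r','w','x')
    default: list  # same shape; the inheritable ACL for new entries


def parse_getfacl(text):
    """Parse getfacl output into owner, owning group, access and default ACLs."""
    owner = group = None
    access, default = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            if key.strip() == "owner":
                owner = unescape(value.strip())
            elif key.strip() == "group":
                group = unescape(value.strip())
            continue
        line = line.split("#", 1)[0].strip()   # drop "#effective:..." annotation
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        entry = (tag, unescape(qualifier), frozenset(c for c in perms if c in "rwx"))
        (default if is_default else access).append(entry)
    return Acl(owner, group, access, default)


def check_access(acl, user, groups, want):
    """True if `user` (a member of `groups`) holds every permission in `want`."""
    want = frozenset(want)
    by_tag = {}
    for tag, qualifier, perms in acl.access:
        by_tag.setdefault(tag, []).append((qualifier, perms))
    mask = by_tag.get("mask", [("", frozenset("rwx"))])[0][1]
    # 1. owner: the user:: entry, which the mask never applies to
    if user == acl.owner:
        return want <= next(p for q, p in by_tag["user"] if q == "")
    # 2. a named user entry, masked
    for qualifier, perms in by_tag["user"]:
        if qualifier and qualifier == user:
            return want <= (perms & mask)
    # 3. owning group or named groups: any matching entry that still grants
    #    the requested bits after masking is enough
    matched = []
    for qualifier, perms in by_tag.get("group", []):
        if (qualifier == "" and acl.group in groups) or (qualifier and qualifier in groups):
            matched.append(perms & mask)
    if matched:
        return any(want <= perms for perms in matched)
    # 4. everyone else
    return want <= by_tag["other"][0][1]
```

Note that the default ACL (the five default: lines) is not consulted for access at all; it is only copied onto new files and subdirectories, so a getfacl that looks generous in its default: section says nothing about whether an existing directory can be opened.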
Jason Secord
2016-Sep-22 23:23 UTC
[Samba] Domain Member Server: Domain Users cannot access shares
*Another reply that was accidentally sent to the wrong address...*

I ran another test of a share on the raid array after making the changes
you suggested Rowland. I reset the ACLs on /mnt/md0/samba_shares/test as
outlined in the wiki and set the default group to domain admins. I
executed setfacl commands g=rwx and chgrp domain admins, then added the
directory to my smb.conf and ran "smbcontrol all reload-config". I then
logged in to a Windows box as administrator and set ACLs for my test domain
user account, allowing full control in both share permissions and the
security tabs, applied settings and closed the snap-in.

I then logged in to another machine as my test user and tried to access
the new share and still received access denied.

I'd be oh so happy if this thread ends and the raid controller isn't the
root cause of this issue, but my gut says it must be as shares that I
copied from the array to the system drive retained the ACLs I had set
previously and were accessible without modification. I just wish I could
find some indication that this is a known issue, my Google fu fails to
reveal any evidence supporting the theory.

Kind Regards,

JS

On Thu, Sep 22, 2016 at 7:21 PM, Jason Secord <it at plymouthhistory.org> wrote:

> Hi Rowland,
>
> *Apparently I accidentally replied directly to you instead of the list,
> this is from a couple days ago...*
>
> First off, thanks again for your help, your insight is invaluable.
>
> I have completed the changes you suggested:
>
> I've used ADUC to remove the NIS Domain and UID/GID number from the
> following Users/Groups:
>
> - group policy creator owners
> - enterprise admins
> - schema admins
> - dnsadmins
> - Administrator
>
> I've added "username map = /etc/samba/user.map" to my smb.conf
>
> I've created /etc/samba/user.map
>
> ls -la /etc/samba/user.map
> -rw-r--r-- 1 root root 73 Sep 21 20:53 /etc/samba/user.map
>
> cat /etc/samba/user.map
> !root = PHM\Administrator PHM\administrator Administrator administrator
>
> Here is the output of the getfacl command you requested I run:
>
> sudo getfacl /mnt/md0/samba_shares/Accounts
> getfacl: Removing leading '/' from absolute path names
> # file: mnt/md0/samba_shares/Accounts
> # owner: itwerks
> # group: domain\040admins
> user::rwx
> group::rwx
> other::rwx
> default:user::rwx
> default:group::rwx
> default:group:domain\040admins:rwx
> default:mask::rwx
> default:other::rwx
>
> Regards,
>
> JS