Jason Secord
2016-Sep-23 07:30 UTC
[Samba] Domain Member Server: Domain Users cannot access shares
Mediawiki is throwing an error at this moment but I followed that page when I set up the shares and triple checked everything when I last reset ACLs.

JS

On Sep 23, 2016 2:51 AM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Thu, 22 Sep 2016 19:23:05 -0400
> Jason Secord via samba <samba at lists.samba.org> wrote:
>
> > *Another reply that was accidentally sent to the wrong address...*
> >
> > I ran another test of a share on the raid array after making the changes you suggested Rowland. I reset the ACLs on /mnt/md0/samba_shares/test as outlined in the wiki and set the default group to domain admins. I executed setfacl commands g=rwx and chgrp domain admins, then added the directory to my smb.conf and ran "smbcontrol all reload-config". I then logged in to a Windows box as administrator and set ACLs for my test domain user account, allowing full control in both share permissions and the security tabs, applied settings and closed the snap-in.
> >
> > I then logged in to another machine as my test user and tried to access the new share and still received access denied.
> >
> > I'd be oh so happy if this thread ends and the raid controller isn't the root cause of this issue, but my gut says it must be, as shares that I copied from the array to the system drive retained the ACLs I had set previously and were accessible without modification. I just wish I could find some indication that this is a known issue; my Google fu fails to reveal any evidence supporting the theory.
> >
> > Kind Regards,
> >
> > JS
> >
> > On Thu, Sep 22, 2016 at 7:21 PM, Jason Secord <it at plymouthhistory.org> wrote:
> >
> > > Hi Rowland,
> > >
> > > *Apparently I accidentally replied directly to you instead of the list, this is from a couple days ago...*
> > >
> > > First off, thanks again for your help, your insight is invaluable.
> > >
> > > I have completed the changes you suggested:
> > >
> > > I've used ADUC to remove the NIS Domain and UID/GID number from the following Users/Groups:
> > >
> > > - group policy creator owners
> > > - enterprise admins
> > > - schema admins
> > > - dnsadmins
> > > - Administrator
> > >
> > > I've added "username map = /etc/samba/user.map" to my smb.conf
> > >
> > > I've created /etc/samba/user.map
> > >
> > > ls -la /etc/samba/user.map
> > > -rw-r--r-- 1 root root 73 Sep 21 20:53 /etc/samba/user.map
> > >
> > > cat /etc/samba/user.map
> > > !root = PHM\Administrator PHM\administrator Administrator administrator
> > >
> > > Here is the output of the getfacl command you requested I run:
> > >
> > > sudo getfacl /mnt/md0/samba_shares/Accounts
> > > getfacl: Removing leading '/' from absolute path names
> > > # file: mnt/md0/samba_shares/Accounts
> > > # owner: itwerks
> > > # group: domain\040admins
> > > user::rwx
> > > group::rwx
> > > other::rwx
> > > default:user::rwx
> > > default:group::rwx
> > > default:group:domain\040admins:rwx
> > > default:mask::rwx
> > > default:other::rwx
> > >
>
> If you look at the result of the 'getfacl' command, you can see that the share belongs to itwerks:Domain Admins, they both have 'rwx' permissions and 'others' is supposed to also get 'rwx' permissions, but I don't think it is working this way. Can I suggest you read this wiki page:
>
> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2016-Sep-23 08:03 UTC
[Samba] Domain Member Server: Domain Users cannot access shares
On Fri, 23 Sep 2016 03:30:10 -0400
Jason Secord via samba <samba at lists.samba.org> wrote:

> Mediawiki is throwing an error at this moment but I followed that page when I set up the shares and triple checked everything when I last reset ACLs.
>
> JS

I have asked somebody to look into the wiki problem, wait until it comes back again and then have another look.

The problem from my perspective is that I don't fully understand just who is supposed to have access to the share. At the moment, only 'itwerks' and 'Domain Admins' are shown by getfacl, I would expect some other user or group to be mentioned.

Rowland
Jason Secord
2016-Sep-25 04:49 UTC
[Samba] Domain Member Server: Domain Users cannot access shares
Hi Rowland,

From the top down, I'm going to try and cover every step involved in the wiki and give you as much info as I can in the hope that we can get this issue resolved, or at least determine that there is nothing wrong with my config and that the underlying array has to be the weak point, even if none of us know why.

*Step 1: Filesystem support*

We need the filesystem to support "user and system xattr name spaces" and have ACL and XATTR support. Per the wiki, ext4 "uses all the required options by default" so editing the entry in fstab is not required. My kernel must also have "CONFIG_EXT4_FS_SECURITY=y" and "CONFIG_EXT4_FS_POSIX_ACL=y" enabled.

*The RAID array's filesystem:*

/dev/md0: UUID="593d0107-cea3-42f5-a451-8b548a1df6f0" TYPE="*ext4*"

*The RAID array's fstab entry:*

/dev/md0 /mnt/md0 ext4 defaults 0 0

*My kernel config:*

~$ cat "/boot/config-`uname -r`" | grep CONFIG_EXT4_FS_SECURITY
*CONFIG_EXT4_FS_SECURITY=y*
~$ cat "/boot/config-`uname -r`" | grep CONFIG_EXT4_FS_POSIX_ACL
*CONFIG_EXT4_FS_POSIX_ACL=y*

*Step 2: Test the filesystem*

*Make sure the package "attr" is installed:*

attr is already the newest version (1:2.4.47-2).

*Test xattr support (all commands executed on the /dev/md0 filesystem):*

*Run the following commands as root to test xattr support:*

root at phmsrv01:/mnt/md0# touch test.txt
root at phmsrv01:/mnt/md0# setfattr -n user.test -v test test.txt
root at phmsrv01:/mnt/md0# setfattr -n security.test -v test2 test.txt

*The commands returned the correct output:*

root at phmsrv01:/mnt/md0# getfattr -d test.txt
# file: test.txt
user.test="test"

root at phmsrv01:/mnt/md0# getfattr -n security.test -d test.txt
# file: test.txt
security.test="test2"

*Run the following commands as root to test extended ACL support:*

root at phmsrv01:/mnt/md0# touch test.txt
root at phmsrv01:/mnt/md0# setfacl -m g:adm:rwx test.txt

*The commands returned the correct output:*

root at phmsrv01:/mnt/md0# getfacl test.txt
# file: test.txt
# owner: root
# group: root
user::rw-
group::r--
group:adm:rwx
mask::rwx
other::r--

*Step 3: Check Samba ACL Support:*

smbd -b | grep HAVE_LIBACL
*HAVE_LIBACL*

*Step 4: As this is a Domain Member Server, check that extended ACL support exists in the smb.conf:*

itwerks at phmsrv01:~$ cat /etc/samba/smb.conf | grep acl_xattr
vfs objects = acl_xattr
itwerks at phmsrv01:~$ cat /etc/samba/smb.conf | grep "map acl inherit"
map acl inherit = yes
itwerks at phmsrv01:~$ cat /etc/samba/smb.conf | grep "store dos attributes"
store dos attributes = yes
itwerks at phmsrv01:~$

*Step 4: Ensure admin accounts have SeDiskOperatorPrivilege assigned:*

itwerks at phmsrv01:~$ net rpc rights list accounts -U'PHM\administrator' -I phmadc01.phm.plymouthhistory.org
PHM\Administrator
SeDiskOperatorPrivilege

PHM\itwerks
SeDiskOperatorPrivilege

PHM\Domain Admins
SeDiskOperatorPrivilege

Since I've already gone through the process of creating directories and we know that Domain Admins have Full Control, I'm skipping those steps from the wiki.

*Step 5: Create a Share:*

I added the "Accounts" directory to my smb.conf again:

[RAID-Accounts]
comment = PHM Accounts Directory on RAID ARRAY
path = /mnt/md0/samba_shares/Accounts
read only = no

and then executed *sudo smbcontrol all reload-config*

*Step 6: Setup share permissions:*

I logged in to a Windows 7 workstation that is joined to the domain as user "itwerks", a member of the Domain Admins group with the SeDiskOperatorPrivilege set. I opened the Computer Management snap-in and connected to PHMSRV01.

(NOTE: I've always experienced this, and it hasn't ever seemed to cause any harm so I've ignored it, but the first time I expand the "System Tools" tree, or any tree for that matter, when connected to a Samba machine using this snap-in, I receive an error that the RPC service is unavailable. After clearing the notification the snap-in proceeds to connect to the Samba machine and I am able to proceed without issue. I have no idea why this happens.)

I viewed the shares on PHMSRV01, right-clicked "RAID-Accounts", chose "Properties" and set Share Permissions. "Everyone" is visible already and has Full Control (I have left that setting untouched). I generally require only a couple of individual users to be able to access a given share, and in a few exceptions all Domain Users are authorized to do so, but in this case for testing I have added "testuser" and given them Full Control. I then saved the changes by clicking OK.

*Step 7: Set ACLs on the root of a share:*

I opened the "RAID-Accounts" Properties again, chose the "Security" tab, and added "testuser" with Full Control. Hit OK, then OK again to save changes.

I am fairly certain I executed the aforementioned steps properly, and that I followed the wiki meticulously while doing so. If I am mistaken please do let me know where I went astray.

*TESTING 123:*

getfacl shows the updated ACLs and 'testuser' has rwx permissions for the share.

itwerks at phmsrv01:~$ sudo getfacl /mnt/md0/samba_shares/Accounts
[sudo] password for itwerks:
getfacl: Removing leading '/' from absolute path names
# file: mnt/md0/samba_shares/Accounts
# owner: itwerks
# group: domain\040admins
user::rwx
user:itwerks:rwx
user:testuser:rwx
group::rwx
group:domain\040admins:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:itwerks:rwx
default:user:testuser:rwx
default:group::rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::rwx

So, time to test from another workstation as 'testuser'...

I logged in to another workstation as 'testuser', a member of the Domain Users group. In Windows Explorer I navigated to \\PHMSRV01 and all shares are visible. I double-click "RAID-Accounts", the share I've been working with above, and receive the following error:

*Windows cannot access \\phmsrv01\RAID-Accounts*
*You do not have permission to access \\phmsrv01\RAID-Accounts. Please contact your network administrator blah blah blah.*

If I copy this directory from the RAID array to the system drive, change the path in my smb.conf, and reload samba it will immediately be accessible.

Unless there's something obvious I'm overlooking, which I readily admit is entirely possible, or there's some hidden nuance only a true greybeard would immediately recognise, I'm at a complete loss as to what is causing this behaviour.

Please advise.

Kind and Gracious Regards,

JS

On Fri, Sep 23, 2016 at 4:03 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 23 Sep 2016 03:30:10 -0400
> Jason Secord via samba <samba at lists.samba.org> wrote:
>
> > Mediawiki is throwing an error at this moment but I followed that page when I set up the shares and triple checked everything when I last reset ACLs.
> >
> > JS
>
> I have asked somebody to look into the wiki problem, wait until it comes back again and then have another look.
>
> The problem from my perspective is that I don't fully understand just who is supposed to have access to the share. At the moment, only 'itwerks' and 'Domain Admins' are shown by getfacl, I would expect some other user or group to be mentioned.
>
> Rowland
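As an added example (not from the thread or from the Samba project), the following Python script parses getfacl output like the listing in the TESTING section above and evaluates it the way the kernel does, mask included: it shows that the POSIX ACL alone already grants testuser rwx (and decodes the octal-escaped "domain\040admins" group name), so a denial has to come from a layer getfacl does not display, such as the share permissions or the NT ACL that vfs_acl_xattr keeps in the security.NTACL extended attribute, which is why Step 2 tests the security.* namespace. The sample text is constructed from the posted output and trimmed to the entries used.

```python
import re
# Constructed sample: the getfacl output posted in the thread, trimmed to the entries used here.
SAMPLE_GETFACL = """\
# file: mnt/md0/samba_shares/Accounts
# owner: itwerks
# group: domain\\040admins
user::rwx
user:testuser:rwx
group::rwx
group:domain\\040admins:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:testuser:rwx
default:mask::rwx
default:other::rwx
"""

def unescape_name(name):
    # getfacl prints spaces and non-ASCII bytes as \ooo octal: "domain\040admins" is "domain admins"
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Return owner, owning group and the access/default entries as (tag, qualifier, perms)."""
    acl = {"owner": None, "group": None, "access": [], "default": []}
    for line in text.splitlines():
        m = re.match(r"# (owner|group): (.*)", line)
        if m:
            acl[m.group(1)] = unescape_name(m.group(2).strip())
        elif line and not line.startswith("#"):
            parts = line.split(":")
            kind = parts.pop(0) if parts[0] == "default" else "access"
            acl[kind].append((parts[0], unescape_name(parts[1]), set(parts[2]) & set("rwx")))
    return acl

def effective_perms(acl, user, groups=(), kind="access"):
    """POSIX.1e order: owner, named user, group entries, other; the mask limits the middle two."""
    entries = acl[kind]
    mask = next((p for t, _, p in entries if t == "mask"), set("rwx"))
    if user == acl["owner"]:
        return next(p for t, q, p in entries if t == "user" and q == "")
    for t, q, p in entries:
        if t == "user" and q == user:
            return p & mask
    matched = [p for t, q, p in entries
               if t == "group" and (q in groups or (q == "" and acl["group"] in groups))]
    if matched:
        return set().union(*matched) & mask
    return next(p for t, q, p in entries if t == "other")
```

Feed it the real output (`getfacl <dir>` minus the "Removing leading '/'" line) and compare the result with what the Windows client is actually denied; a match on rwx means the POSIX layer is not the gate.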