Nicolas Zuber
2017-Aug-22 08:59 UTC
[Samba] Mapping subfolder of a samba share in Windows fails with access denied
Hi,

I am trying to map a network drive on a Windows 7 client. It is possible to map the shared folder, but as soon as I try to map a subfolder, Windows shows an access denied message and prompts for another username and password. The user has full control over the subfolder (configured via the Windows security tab). The samba.log shows:

    Aug 22 10:25:19 FILESERVER smbd[5409]: Could not close dir! fname=Software, fd=-1, err=1=Operation not permitted

if the user tries to map the subfolder "Software" of the share "\\file\data". Similar log messages can be seen in the logs of our fileserver (CentOS 7, Samba 4.6.6) if the user logs in/out on the Windows machine (roaming profiles and mapped Documents folder). This happens in principle for all shares on our server (also the user and profiles shares which were set up as described in the Samba wiki) and all users including the administrator account.

The configuration of the Samba Active Directory domain controller with two example shares (CentOS 7, Samba 4.6.6):

    [global]
        netbios name = DOMAINC
        realm = TEST.TESTDOMAIN.DE
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = TEST
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        load printers = no
        bind interfaces only = yes
        interfaces = lo ens1f0
        tls enabled = yes
        tls keyfile = tls/domainc.test.testdomain.de.key.pem
        tls certfile = tls/domainc.test.testdomain.de.cert.pem
        tls cafile = tls/intermediate.cert.pem
        log level = 3
        log file = /var/log/samba.log

    [netlogon]
        path = /usr/local/samba/var/locks/sysvol/test.testdomain.de/scripts
        read only = No

    [sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

And the fileserver config with two example shares:

    [global]
        workgroup = TEST
        realm = TEST.TESTDOMAIN.DE
        netbios name = FILE
        security = ads
        idmap config *:range = 10000-19999
        idmap config pi5:backend = rid
        idmap config pi5:range = 20000-1999999
        vfs objects = acl_xattr
        inherit acls = yes
        store dos attributes = yes
        map acl inherit = yes
        template shell = /bin/bash
        template homedir = /gluster/mnt/users/%U
        winbind use default domain = yes
        winbind refresh tickets = yes
        log file = /var/log/samba.log
        username map = /var/run/gluster/shared_storage/ctdb/usermap
        log level = 1

    [users]
        comment = User Home Directories
        path = /
        kernel share modes = No
        create mask = 0700
        directory mask = 0700
        read only = No
        vfs objects = acl_xattr glusterfs
        glusterfs:volfile_server = 172.17.1.3 172.17.1.4
        glusterfs:loglevel = 1
        glusterfs:logfile = /var/log/samba/glusterfs-users.log
        glusterfs:volume = users

    [data]
        comment = Data
        path = /
        kernel share modes = No
        create mask = 0700
        directory mask = 0700
        read only = No
        vfs objects = acl_xattr glusterfs
        glusterfs:volume = data
        glusterfs:loglevel = 1
        glusterfs:logfile = /var/log/samba/glusterfs-data.log
        glusterfs:volfile_server = 172.17.1.3 172.17.1.4

And the usermap file:

    !root = PI5\Administrator PI5\administrator Administrator administrator

Best Regards
Nicolas
Rowland Penny
2017-Aug-22 10:09 UTC
[Samba] Mapping subfolder of a samba share in Windows fails with access denied
On Tue, 22 Aug 2017 10:59:53 +0200 Nicolas Zuber via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I am trying to map a network drive on a Windows 7 client. It is
> possible to map the shared folder, but as soon as I try to map a
> subfolder, Windows shows an access denied message and prompts for
> another username and password. The user has full control over the
> subfolder (configured via the Windows security tab). The samba.log
> shows:
>
> Aug 22 10:25:19 FILESERVER smbd[5409]: Could not close dir!
> fname=Software, fd=-1, err=1=Operation not permitted
>
> if the user tries to map the subfolder "Software" of the share
> "\\file\data". Similar log messages can be seen in the logs of our
> fileserver (CentOS 7, Samba 4.6.6) if the user logs in/out on the
> Windows machine (roaming profiles and mapped Documents folder). This
> happens in principle for all shares on our server (also the user and
> profiles shares which were set up as described in the Samba wiki) and
> all users including the administrator account.
>
> The configuration of the Samba Active Directory domain controller with
> two example shares (CentOS 7, Samba 4.6.6):
>

I take that the workgroup name should be 'PI5' instead of 'TEST'.

Also you have 'vfs objects = acl_xattr' in [global], so you don't need it in the shares. Both shares seem to be the same path, so why two shares?

As you seem to be using POSIX ACLs on the shares, have you read this wiki page:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs

Rowland
Nicolas Zuber
2017-Aug-22 11:21 UTC
[Samba] Mapping subfolder of a samba share in Windows fails with access denied
> On Tue, 22 Aug 2017 10:59:53 +0200
> Nicolas Zuber via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> I am trying to map a network drive on a Windows 7 client. It is
>> possible to map the shared folder, but as soon as I try to map a
>> subfolder, Windows shows an access denied message and prompts for
>> another username and password. The user has full control over the
>> subfolder (configured via the Windows security tab). The samba.log
>> shows:
>>
>> Aug 22 10:25:19 FILESERVER smbd[5409]: Could not close dir!
>> fname=Software, fd=-1, err=1=Operation not permitted
>>
>> if the user tries to map the subfolder "Software" of the share
>> "\\file\data". Similar log messages can be seen in the logs of our
>> fileserver (CentOS 7, Samba 4.6.6) if the user logs in/out on the
>> Windows machine (roaming profiles and mapped Documents folder). This
>> happens in principle for all shares on our server (also the user and
>> profiles shares which were set up as described in the Samba wiki) and
>> all users including the administrator account.
>>
>> The configuration of the Samba Active Directory domain controller with
>> two example shares (CentOS 7, Samba 4.6.6):
>>
> I take that the workgroup name should be 'PI5' instead of 'TEST'
> Also you have 'vfs objects = acl_xattr' in [global], so you don't need
> it in the shares. Both shares seem to be the same path, so why two
> shares ?

You are right, the workgroup name is 'PI5' and I will remove the duplicated 'acl_xattr'. The path is the same, because Samba is directly accessing the gluster via gluster vfs without the fuse layer. As far as I understood, the path in this configuration is relative to the gluster volume rather than to the local filesystem. Because I have two different gluster volumes (users and shares), I need two different shares.

>
> As you seem to be using Posix ACLs on the shares, have you read this
> wiki page:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs
>
> Rowland
>

Until now I set the permissions of files and folders with a Windows client. For this I set the three parameters in the '[global]' configuration section

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

as described in the Samba wiki: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

What part of the configuration indicates the use of POSIX ACLs?

Regards
Nicolas
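
Added example, not part of the thread or of Samba itself: a small smb.conf lint for the two points discussed above. It lists 'idmap config' domains that do not match 'workgroup' and shows the 'vfs objects' list each share ends up with (a share-level value replaces the [global] one). The sample config is constructed from the posted settings; the [plain] share and all function names are hypothetical.

```python
# Constructed sample based on the fileserver settings posted in the thread.
# [plain] is a hypothetical share added for contrast (no share-level vfs objects).
SAMPLE_CONF = """\
[global]
    workgroup = TEST
    security = ads
    idmap config *:range = 10000-19999
    idmap config pi5:backend = rid
    idmap config pi5:range = 20000-1999999
    vfs objects = acl_xattr
[data]
    path = /
    vfs objects = acl_xattr glusterfs
[plain]
    path = /srv/plain
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lowercased, whitespace collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def idmap_domain_mismatches(conf):
    """idmap config domains (other than '*') that differ from 'workgroup'."""
    glob = conf.get("global", {})
    workgroup = glob.get("workgroup", "").upper()
    prefix = "idmap config "
    domains = {k[len(prefix):].split(":", 1)[0].strip().upper()
               for k in glob if k.startswith(prefix) and ":" in k}
    return sorted(d for d in domains if d not in ("*", workgroup))

def effective_vfs_objects(conf):
    """Per-share module list: the share's own value if set, else [global]'s."""
    default = conf.get("global", {}).get("vfs objects", "")
    return {name: params.get("vfs objects", default).split()
            for name, params in conf.items() if name != "global"}

if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_CONF)
    print("idmap domains not matching workgroup:", idmap_domain_mismatches(conf))
    print("effective vfs objects per share:", effective_vfs_objects(conf))
```
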