samba - Aug 2017 - Mapping subfolder of a samba share in Windows fails with access denied

Hi,

I am trying to map a network drive on a Windows 7 client. It is possible
to map the shared folder, but as soon as I try to map a subfolder,
Windows shows an access denied message and prompts for another username
and password. The user has full control over the subfolder (configured
via the Windows security tab). The samba.log shows:

Aug 22 10:25:19 FILESERVER smbd[5409]:  Could not close dir!
fname=Software, fd=-1, err=1=Operation not permitted

if the user tries to map the subfolder "Software" of the share
"\\file\data". Similar log messages can be seen in the logs of our
fileserver (Centos 7, Samba 4.6.6) if the user logs in/out on the
windows machine (roaming profiles and mapped Documents folder). This
happens in principle for all shares on our server (also the user and
profiles shares which where set up as described in the samba wiki) and
all users including the administrator account.

The configuration of the samba active directory domain controller with
two example shares (Centos 7, Samba 4.6.6):

[global]
        netbios name = DOMAINC
        realm = TEST.TESTDOMAIN.DE
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = TEST
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes

        load printers = no

        bind interfaces only = yes
        interfaces = lo ens1f0

        tls enabled = yes
        tls keyfile = tls/domainc.test.testdomain.de.key.pem
        tls certfile = tls/domainc.test.testdomain.de.cert.pem
        tls cafile = tls/intermediate.cert.pem

        log level = 3
        log file = /var/log/samba.log

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/test.testdomain.de/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No


And the fileserver config with two example shares:

[global]            
        workgroup = TEST                   
        realm TEST.TESTDOMAIN.DE                                          
        netbios name = FILE               
        security = ads                    
        idmap config *:range = 10000-19999
        idmap config pi5:backend = rid    
        idmap config pi5:range 20000-1999999
        vfs objects = acl_xattr           
        inherit acls = yes                
        store dos attributes = yes        
        map acl inherit = yes             
        template shell = /bin/bash        
        template homedir /gluster/mnt/users/%U
        winbind use default domain = yes  
        winbind refresh tickets = yes     
        log file = /var/log/samba.log     
        username map /var/run/gluster/shared_storage/ctdb/usermap
        log level = 1

[users]

        comment = User Home
Directories

        path /

        kernel share modes No

        create mask 0700

        directory mask 0700

        read only No

        vfs objects = acl_xattr
glusterfs

        glusterfs:volfile_server = 172.17.1.3
172.17.1.4

        glusterfs:loglevel 1

        glusterfs:logfile /var/log/samba/glusterfs-users.log

        glusterfs:volume = users 

[data]

        comment Data

        path /

        kernel share modes No

        create mask 0700

        directory mask 0700

        read only No

        vfs objects = acl_xattr
glusterfs

        glusterfs:volume data

        glusterfs:loglevel 1

        glusterfs:logfile /var/log/samba/glusterfs-data.log

        glusterfs:volfile_server = 172.17.1.3 172.17.1.4

And the usermap file

!root = PI5\Administrator PI5\administrator Administrator administrator

Best Regards

Nicolas

On Tue, 22 Aug 2017 10:59:53 +0200
Nicolas Zuber via samba <samba at lists.samba.org> wrote:
> Hi,
> 
> I am trying to map a network drive on a Windows 7 client. It is
> possible to map the shared folder, but as soon as I try to map a
> subfolder, Windows shows an access denied message and prompts for
> another username and password. The user has full control over the
> subfolder (configured via the Windows security tab). The samba.log
> shows:
> 
> Aug 22 10:25:19 FILESERVER smbd[5409]:  Could not close dir!
> fname=Software, fd=-1, err=1=Operation not permitted
> 
> if the user tries to map the subfolder "Software" of the share
> "\\file\data". Similar log messages can be seen in the logs of
our
> fileserver (Centos 7, Samba 4.6.6) if the user logs in/out on the
> windows machine (roaming profiles and mapped Documents folder). This
> happens in principle for all shares on our server (also the user and
> profiles shares which where set up as described in the samba wiki) and
> all users including the administrator account.
> 
> The configuration of the samba active directory domain controller with
> two example shares (Centos 7, Samba 4.6.6):
> 
I take that the workgroup name should be 'PI5' instead of 'TEST'
Also you have 'vfs objects = acl_xattr' in [global], so you don't
need
it in the shares. Both shares seem to be the same path, so why two
shares ?

As you seem to be using Posix ACLs on the shares, have you read this
wiki page:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs

Rowland

> On Tue, 22 Aug 2017 10:59:53 +0200
> Nicolas Zuber via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> I am trying to map a network drive on a Windows 7 client. It is
>> possible to map the shared folder, but as soon as I try to map a
>> subfolder, Windows shows an access denied message and prompts for
>> another username and password. The user has full control over the
>> subfolder (configured via the Windows security tab). The samba.log
>> shows:
>>
>> Aug 22 10:25:19 FILESERVER smbd[5409]:  Could not close dir!
>> fname=Software, fd=-1, err=1=Operation not permitted
>>
>> if the user tries to map the subfolder "Software" of the
share
>> "\\file\data". Similar log messages can be seen in the logs
of our
>> fileserver (Centos 7, Samba 4.6.6) if the user logs in/out on the
>> windows machine (roaming profiles and mapped Documents folder). This
>> happens in principle for all shares on our server (also the user and
>> profiles shares which where set up as described in the samba wiki) and
>> all users including the administrator account.
>>
>> The configuration of the samba active directory domain controller with
>> two example shares (Centos 7, Samba 4.6.6):
>>
> I take that the workgroup name should be 'PI5' instead of
'TEST'
> Also you have 'vfs objects = acl_xattr' in [global], so you
don't need
> it in the shares. Both shares seem to be the same path, so why two
> shares ?
You are right, the workgroup name is 'PI5' and I will remove the
duplicated 'acl_xattr'. The path is the same, because samba is directly
accessing the gluster via gluster vfs without the fuse layer. As far as
I understood the path in this configuration is relative to the gluster
volume rather than to the local filesystem. Because I have two different
gluster volumes (users and shares), I need two different
shares.
>
> As you seem to be using Posix ACLs on the shares, have you read this
> wiki page:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs
>
> Rowland
>
>
Until know I set the permissions of files and folders with a Windows
client. For this I set the three parameters in the '[global]'
configuration section

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

as described in the samba wiki :
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

What part of the configuration indicates the use of Posix ACLS?

Regards
Nicolas