Andrea Rossetti
2018-Jan-08 17:27 UTC
[Samba] R: cannot list/access samba share from Windows client
Thanks for the rapid reply!

I think the problem was in the "server role" option. I've changed it to "member server" and now I'm able to list the shares under \\linuxserver from any domain user authenticated on a Windows PC that is an AD member. But now:

1. I run Computer Management from a Windows domain member client as a domain admin user (run as com_spoleto\rossetti.admin, which is a member of "Domain Admins").
2. Right-click Computer Management -> Connect to another computer -> srvlnxwintra01 (the Linux member server).
3. I expand "System Tools" -> expand "Shared Folders" -> click "Shares" -> right-click "share" -> click Properties -> click the "Security" tab.

In this tab I get the message "You must have Read permission to view the properties of this object", even though I have granted SeDiskOperatorPrivilege to the "com_spoleto\domain admins" group. But if I run Computer Management as the "com_spoleto\adminserver" user (I explain below why I used this user) I can view/modify the ACLs.

Please see my inline comments; at the end of this message I have pasted my modified config files.

Sent from Mail for Windows 10

From: Rowland Penny
Sent: Monday, 8 January 2018 15:15
To: samba at lists.samba.org
Cc: Andrea Rossetti
Subject: Re: [Samba] cannot list/access samba share from Windows client

>> The Linux Samba server is an Ubuntu server 16.04 and I successfully
>> added this Samba server to a Windows Active Directory domain (Windows
>> Server 2012 R2). I log in to the domain server machine as a Domain
>> Admins user but I'm not able to list/access the share when I type
>> \\servername in Windows Explorer: I get "access denied" with a prompt
>> for the credentials of a user allowed to access it.
>> Only the user mapped in /etc/samba/user.map can manage the server via
>> the ADUC interface and list, but I've assigned the
>> SeDiskOperatorPrivilege to the whole Domain Admins group

> The only mapping in the user.map should be Administrator to root.

I've mapped the user COM_SPOLETO\adminserver because it is an enterprise admin like COM_SPOLETO\Administrator. For security reasons we have disabled the Administrator user account. In fact I used adminserver to grant SeDiskOperatorPrivilege to the "com_spoleto\domain admins" group (see lines below).

>> root at SRVLNXWINTRA01:/home/data# net rpc rights list privileges SeDiskOperatorPrivilege -U "com_spoleto\adminserver"
>> Enter com_spoleto\adminserver's password:
>> SeDiskOperatorPrivilege:
>>      COM_SPOLETO\Domain Admins
>>      BUILTIN\Administrators
>> -----------------------------------------------------------------------------
>> My /etc/samba/user.map
>> !root = COM_SPOLETO\Adminserver

> It is Administrator not Adminserver

As just explained, adminserver is for us the enterprise domain admin.

----------------------------------------------
My modified /etc/samba/smb.conf

# Global parameters
[global]
        workgroup = COM_SPOLETO
        realm = COMUNE.SPOLETO.LOCAL
        server string = %h server (Samba, Ubuntu)
        interfaces = lo ens32
        bind interfaces only = Yes
        server role = member server
        security = ADS
        map to guest = Bad User
        username map = /etc/samba/user.map
        kerberos method = secrets and keytab
        log file = /var/log/samba/log.%m
        max log size = 1000
        client signing = if_required
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        idmap config * : backend = tdb
        map acl inherit = Yes
        store dos attributes = Yes
        vfs objects = acl_xattr

[printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        printable = Yes
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

[share]
        comment = Progetti QGIS per Lizmap
        path = /home/data/share
        read only = No
-------------------------------------------------------------------------------

My modified /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat sss
group:          compat sss
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files sss
--------------------------------------------------------------------------------

My modified /etc/krb5.conf

[libdefaults]
        default_realm = COMUNE.SPOLETO.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
Rowland Penny
2018-Jan-08 17:47 UTC
[Samba] R: cannot list/access samba share from Windows client
On Mon, 8 Jan 2018 18:27:44 +0100
Andrea Rossetti <andy.ros at gmail.com> wrote:

> Thanks for the rapid reply!
>
> I think the problem was in the "server role" option. I've changed it
> to "member server" and now I'm able to list the shares under
> \\linuxserver from any domain user authenticated on a Windows PC that
> is an AD member. But now:
>
> [...]
>
> > The only mapping in the user.map should be Administrator to root.
>
> I've mapped the user COM_SPOLETO\adminserver because it is an
> enterprise admin like COM_SPOLETO\Administrator. For security reasons
> we have disabled the Administrator user account.
>
> [...]
>
> My modified /etc/nsswitch.conf
>
> passwd:         compat sss
> group:          compat sss
> shadow:         compat
> gshadow:        files
>
> [...]
>
> netgroup:       nis sss
> sudoers:        files sss
>
> [...]

You are now solely using sssd for the authentication, you need to ask
on the sssd-users mailing list, either that or purge sssd and set up
winbind correctly.

I repeat, 'sssd' has nothing to do with Samba and as such, I cannot
help any further.

Rowland
Andrea Rossetti
2018-Jan-08 18:57 UTC
[Samba] R: R: cannot list/access samba share from Windows client
Sent from Mail for Windows 10

> From: Rowland Penny via samba
> Sent: Monday, 8 January 2018 18:48
> To: samba at lists.samba.org
> Subject: Re: [Samba] R: cannot list/access samba share from Windows client
>
> You are now solely using sssd for the authentication, you need to ask
> on the sssd-users mailing list, either that or purge sssd and set up
> winbind correctly.
>
> I repeat, 'sssd' has nothing to do with Samba and as such, I cannot
> help any further.
>
> Rowland

OK, I'll try to purge sssd and configure winbind.

apt-get remove --purge sssd && apt-get autoremove --purge

I successfully removed and re-joined the Linux domain member:

root at SRVLNXWINTRA01:/home/data# net ads leave -U "com_spoleto\adminserver"
Enter com_spoleto\adminserver's password:
Deleted account for 'SRVLNXWINTRA01' in realm 'COMUNE.SPOLETO.LOCAL'
root at SRVLNXWINTRA01:/home/data# net ads join -U "com_spoleto\adminserver"
Enter com_spoleto\adminserver's password:
Using short domain name -- COM_SPOLETO
Joined 'SRVLNXWINTRA01' to dns domain 'comune.spoleto.local'

I modified the config files (see below) and restarted the services:

systemctl restart smbd nmbd winbind

I verified that SeDiskOperatorPrivilege was set up correctly for the "Domain Admins" group:

root at SRVLNXWINTRA01:/home/data# net rpc rights list privileges SeDiskOperatorPrivilege -U "com_spoleto\adminserver"
Enter com_spoleto\adminserver's password:
SeDiskOperatorPrivilege:
     COM_SPOLETO\Domain Admins
     BUILTIN\Administrators

I verified the connectivity with the domain:

root at SRVLNXWINTRA01:/home/data# wbinfo --ping-dc
checking the NETLOGON for domain[COM_SPOLETO] dc connection to "SRVW3KDC01.comune.spoleto.local" succeeded

But now when I look up domain users and groups:

root at SRVLNXWINTRA01:/home/data# getent passwd com_spoleto\andrea.rossetti
root at SRVLNXWINTRA01:/home/data# getent group "com_spoleto\\domain admins"

I get no response, and so I'm unable to assign the permission attribute to the share:

root at SRVLNXWINTRA01:/home/data# LANG=en_EN chown root:"com_spoleto\domain admins" share
chown: invalid group: 'root:com_spoleto\\domain admins'

I'm very confused now!

--------------------------------------------------------------------------------
Now my /etc/samba/smb.conf is:

# Global parameters
[global]
        workgroup = COM_SPOLETO
        realm = COMUNE.SPOLETO.LOCAL
        server string = %h server (Samba, Ubuntu)
        interfaces = lo ens32
        bind interfaces only = Yes
        server role = member server
        security = ADS
        map to guest = Bad User
        username map = /etc/samba/user.map
        kerberos method = secrets and keytab
        log file = /var/log/samba/log.%m
        max log size = 1000
        client signing = if_required
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        winbind refresh tickets = Yes
        idmap config com_spoleto : range = 10000-29999
        idmap config com_spoleto : backend = rid
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb
        map acl inherit = Yes
        store dos attributes = Yes
        vfs objects = acl_xattr

[printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        printable = Yes
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

[share]
        comment = Progetti QGIS per Lizmap
        path = /home/data/share
        read only = No
        inherit acls = Yes
----------------------------------------------------------------------------

My /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
sudoers:        files
-------------------------------------------------------------------------------------

My /etc/krb5.conf

[libdefaults]
        default_realm = COMUNE.SPOLETO.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
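Editor's note. Rowland's advice to "set up winbind correctly" and Andrea's last message (getent returning nothing after the switch from sssd to winbind) both come down to the same handful of settings: an idmap backend and range for the domain itself, a backend and range for the '*' default, ranges that do not overlap, and winbind listed for passwd and group in nsswitch.conf. The script below is an added example written for this page (not code from the thread or from the Samba project) that lints an smb.conf and nsswitch.conf for exactly those pitfalls. The two sample configs are constructed, modelled on the first and the final smb.conf posted above; GOOD_SMB_CONF, BAD_SMB_CONF, NSS_WINBIND and NSS_SSSD are names chosen for the example.

```python
import re

# Constructed samples modelled on the thread's configs (not from a live server).
# GOOD_SMB_CONF follows the final smb.conf above: rid backend for the domain,
# tdb default, disjoint ranges.  BAD_SMB_CONF follows the first one: no backend
# or range for the domain and no range for the '*' default.
GOOD_SMB_CONF = """
[global]
        workgroup = COM_SPOLETO
        realm = COMUNE.SPOLETO.LOCAL
        server role = member server
        security = ADS
        idmap config com_spoleto : backend = rid
        idmap config com_spoleto : range = 10000-29999
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
"""
BAD_SMB_CONF = """
[global]
        workgroup = COM_SPOLETO
        realm = COMUNE.SPOLETO.LOCAL
        server role = member server
        security = ADS
        idmap config * : backend = tdb
"""
NSS_WINBIND = "passwd: compat winbind\ngroup: compat winbind\nshadow: compat\n"
NSS_SSSD = "passwd: compat sss\ngroup: compat sss\nshadow: compat\n"


def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {key: value}}.  Keys are lower-cased
    with whitespace collapsed, so 'idmap config COM_SPOLETO : range' and
    'idmap config com_spoleto : range' are the same key, as for Samba."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def idmap_config(global_section):
    """Collect 'idmap config <dom> : backend|range' into a per-domain dict."""
    out = {}
    for key, value in global_section.items():
        m = re.fullmatch(r"idmap config (\S+) : (backend|range)", key)
        if not m:
            continue
        entry = out.setdefault(m.group(1).lower(), {"backend": None, "range": None})
        if m.group(2) == "backend":
            entry["backend"] = value.lower()
        else:
            lo, hi = (int(x) for x in value.replace(" ", "").split("-"))
            entry["range"] = (lo, hi)
    return out


def nss_sources(nsswitch_text, database):
    """Return the source list of one nsswitch.conf database (e.g. 'passwd')."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line and line.split(":", 1)[0].strip() == database:
            return line.split(":", 1)[1].split()
    return []


def check_member_server(smb_conf_text, nsswitch_text):
    """Return a list of findings; an empty list means no known pitfall."""
    findings = []
    g = parse_smb_conf(smb_conf_text).get("global", {})
    if g.get("security", "").lower() != "ads":
        findings.append("security must be ADS on an AD member server")
    if g.get("server role", "").lower() != "member server":
        findings.append("server role should be 'member server'")
    workgroup = g.get("workgroup", "").lower()
    idmap = idmap_config(g)
    default = idmap.get("*", {"backend": None, "range": None})
    if not (default["backend"] and default["range"]):
        findings.append("'idmap config * : backend' and 'idmap config * : range' "
                        "must both be set (BUILTIN and other well-known SIDs use it)")
    dom = idmap.get(workgroup, {"backend": None, "range": None})
    if not (dom["backend"] and dom["range"]):
        findings.append(f"no idmap backend/range for domain '{workgroup}': its SIDs "
                        "fall through to the '*' backend (IDs allocated on first "
                        "use, not reproducible, and failing if '*' has no range)")
    # Ranges must be sane and disjoint, or two SIDs can map to one UID/GID.
    ranges = [(d, e["range"]) for d, e in idmap.items() if e["range"]]
    for i, (d1, (lo1, hi1)) in enumerate(ranges):
        if lo1 >= hi1:
            findings.append(f"idmap range for '{d1}' is empty or inverted")
        for d2, (lo2, hi2) in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append(f"idmap ranges for '{d1}' and '{d2}' overlap")
    for db in ("passwd", "group"):
        if "winbind" not in nss_sources(nsswitch_text, db):
            findings.append(f"nsswitch.conf: '{db}' does not list winbind, so "
                            "getent and chown cannot resolve domain accounts")
    return findings


if __name__ == "__main__":
    for label, conf, nss in (("final config", GOOD_SMB_CONF, NSS_WINBIND),
                             ("first config", BAD_SMB_CONF, NSS_SSSD)):
        print(label, check_member_server(conf, nss) or ["OK"])
```

Two caveats the linter cannot see, both worth checking when the final config above passes yet getent stays silent. First, winbind's NSS module is a separate package on Ubuntu (libnss-winbind); without it `wbinfo -u` works while `getent passwd` returns nothing. Second, in bash an unquoted backslash is an escape character, so `getent passwd com_spoleto\andrea.rossetti` actually looks up `com_spoletoandrea.rossetti`; quote the name (`getent passwd 'COM_SPOLETO\andrea.rossetti'`) before concluding that the mapping is broken.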