Test 1:
User User1 is a member of group Group1.
Group1 has R-X rights to the shared folder SITES.
When User1 connects to the server over SMB he sees SITES but when he tries to
access it he gets access denied.
Logs for the attempt show “chdir (/srv/SITES) failed, reason: Permission denied”
Test 2:
The same user can connect to the server over SSH and access the folder according
to the group permissions as expected.
Test 3:
The user is given specific permissions (via setfacl -m u:user1:r-x) or general
permissions (via chmod o+rx).
User1 connects over SMB and has access to the share as expected.
I can’t figure out if this is a problem with my config or with samba. I question
samba but I have this working just fine on an older server. I think SSSD is OK
as it seems to be authenticating the user just fine.
Group1 definitely has R-X permissions to the folder.
User1 is definitely a member of Group1 as confirmed by command ‘groups User1’.
Current Server (not working):
Ubuntu 18.04.2
SSSD
Samba 4.7.6-Ubuntu
Older Server (working with same permissions):
Ubuntu 16.04.6
Winbind
Samba 4.3.11-Ubuntu
Current Server Config:
smb.conf
[global]
security = ADS
realm = DOMAIN.COM
workgroup = DOMAIN
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 1000-50000
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 100000-500000
idmap config DOMAIN:schema_mode = rfc2307bis
idmap config DOMAIN:unix_nss_info = no
idmap config DOMAIN:default = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = true
winbind use default domain = yes
winbind refresh tickets = yes
template homedir = /home/%U
template shell = /bin/bash
client signing = yes
client use spnego = yes
client ipc min protocol = SMB2
client ntlmv2 auth = yes
encrypt passwords = true
restrict anonymous = 2
disable netbios = yes
smb ports = 445
unix extensions = no
interfaces = lo bond0
bind interfaces only = yes
vfs objects = shadow_copy2 acl_xattr
### Previous Versions
shadow:snapdir = .zfs/snapshot
shadow:sort = desc
shadow:format = %Y-%m-%d_%H:%M:%S_%Z
shadow:localtime = yes
### NT ACLs
acl_xattr:ignore system acls = yes
acl_xattr:default acl style = windows
### ACLs
nt acl support = yes
acl group control = yes
map acl inherit = Yes
store dos attributes = yes
### ABE
hide unreadable = yes
access based share enum = true
server string = %h server (Samba, Ubuntu)
dns proxy = no
#### Debugging/Accounting ####
log level = 3
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
server role = member server
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
### Shares
writable = yes
read only = no
usershare allow guests = no
browseable = yes
guest ok = no
valid users = @"DOMAIN\Group1"
admin users = @"DOMAIN\Admin"
include = /etc/samba/smb.conf.%i
smb.conf.{SERVICE_IP}
[global]
bind interfaces only = yes
interfaces = lo {SERVICE_IP}
log file = /var/log/samba/log.%i
max log size = 1000
keepalive = 60
deadtime = 10
[ADMIN]
comment = Administrative Share
path = /srv/ADMIN_SHARES
valid users = @"DOMAIN\Admin"
[SITES]
comment = ASchool Website Folders
path = /srv/SITES
shadow:basedir = /srv/SITES
wide links = yes
valid users = @"DOMAIN\Group1"
sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = DOMAIN.COM
debug_level = 0x3ff0
#debug_level = 1
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 0x3ff0
#debug_level = 1
[pam]
reconnection_retries = 3
debug_level = 0x3ff0
#debug_level = 1
pam_id_timeout = 10
[domain/DOMAIN.COM]
id_provider = ad
access_provider = ad
debug_level = 0x3ff0
#debug_level = 1
ldap_id_mapping = true
#ldap_schema = rfc2307bis
#use_fully_qualified_names = True
override_homedir = /home/%u
default_shell = /bin/bash
krb5_keytab = /etc/krb5.keytab
krb5_realm =DOMAIN.COM
ldap_search_base = dc=domain,dc=com
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ad_hostname = Server.DOMAIN.COM
ad_domain = DOMAIN.COM
ldap_id_mapping = true
default_shell = /bin/bash
ldap_referrals = false
# 2019-03-30: https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
#ignore_group_members = true
ldap_purge_cache_timeout = 0
krb5_auth_timeout = 15
# 2019-04-01: Old config
cache_credentials = True
ldap_schema = ad
Samba Server Logs:
[2019/04/30 11:28:20.929897, 3] ../source3/smbd/msdfs.c:1008(get_referred_path)
  get_referred_path: |SITES| in dfs path \Server.Domain.com\SITES is not a dfs root.
[2019/04/30 11:28:20.929958, 3] ../source3/smbd/smb2_server.c:3139(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:309
[2019/04/30 11:28:20.935817, 3] ../lib/util/access.c:365(allow_access)
  Allowed connection from 172.25.190.227 (172.25.190.227)
[2019/04/30 11:28:20.935874, 3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID @DOMAIN\Group1 is not in a valid format
[2019/04/30 11:28:20.937229, 3] ../source3/smbd/service.c:595(make_connection_snum)
  Connect path is '/srv/SITES' for service [SITES]
[2019/04/30 11:28:20.937284, 3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID @DOMAIN\Group1 is not in a valid format
[2019/04/30 11:28:20.938495, 3] ../source3/smbd/vfs.c:113(vfs_init_default)
  Initialising default vfs hooks
[2019/04/30 11:28:20.938545, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2019/04/30 11:28:20.938568, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [acl_xattr]
[2019/04/30 11:28:20.938589, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [shadow_copy2]
[2019/04/30 11:28:20.938621, 2] ../source3/modules/vfs_acl_xattr.c:236(connect_acl_xattr)
  connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service SITES
[2019/04/30 11:28:20.938675, 3] ../source3/modules/vfs_acl_xattr.c:269(connect_acl_xattr)
  connect_acl_xattr: setting 'directory mask = 0777', 'store dos attributes = yes' and all 'map ...' options to 'no'
[2019/04/30 11:28:20.938855, 3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID @DOMAIN\Group1 is not in a valid format
[2019/04/30 11:28:20.939990, 3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID @DOMAIN\Group1 is not in a valid format
[2019/04/30 11:28:20.941231, 2] ../source3/smbd/service.c:841(make_connection_snum)
  6ac25304c5d6d4 (ipv4:172.25.190.227:53406) connect to service SITES initially as user DOMAIN\User1 (uid={UID}, gid={GID}) (pid 16118)
[2019/04/30 11:28:21.505492, 3] ../source3/smbd/service.c:120(set_current_service)
  chdir (/srv/SITES) failed, reason: Permission denied
[2019/04/30 11:28:21.505548, 3] ../source3/smbd/smb2_server.c:3139(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_server.c:2491
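The log above contains the two facts that matter for this kind of report: the identity smbd actually ran the connection as (the "connect to service ... as user ... (uid=..., gid=...)" line) and the kernel's answer to that identity (the chdir failure). The script below is an added example, not code from the original post or from Samba: it pairs those lines the way a triage script would, then checks the directory's mode bits for that uid/gid in the order the kernel applies them (owner class first, then group class, then other). The sample log is constructed in the format of the poster's log; its uid/gid values and the directory owner/group/mode passed to verdict() are made up. POSIX ACLs set with setfacl are not modelled, so compare against getfacl when they are in play.

```python
#!/usr/bin/env python3
"""Triage an smbd level-3 log for the "connected, then chdir failed" pattern
and check the POSIX traverse bits for the identity smbd actually used.

Added example for this thread: not code from the original post and not part
of Samba. SAMPLE_LOG below is constructed in the format of the poster's log;
the uid/gid numbers in it and the directory owner/group/mode values passed to
verdict() are made up.
"""
import re
from dataclasses import dataclass

# smbd writes "[timestamp, level] file:line(function)" then the message on the next line(s)
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} [\d:.]+), +(\d+)\]")
CONNECT_PATH = re.compile(r"Connect path is '(?P<path>[^']+)' for service \[(?P<svc>[^\]]+)\]")
CONNECT_AS = re.compile(
    r"connect to service (?P<svc>\S+) initially as user (?P<user>\S+) "
    r"\(uid=(?P<uid>\d+), gid=(?P<gid>\d+)\) \(pid (?P<pid>\d+)\)")
CHDIR_FAIL = re.compile(r"chdir \((?P<path>[^)]+)\) failed, reason: (?P<reason>.+)")

# Constructed sample in the poster's log format; uid/gid are invented values
# inside the idmap range the poster configured (100000-500000).
SAMPLE_LOG = """\
[2019/04/30 11:28:20.937229,  3] ../source3/smbd/service.c:595(make_connection_snum)
  Connect path is '/srv/SITES' for service [SITES]
[2019/04/30 11:28:20.941231,  2] ../source3/smbd/service.c:841(make_connection_snum)
  6ac25304c5d6d4 (ipv4:172.25.190.227:53406) connect to service SITES initially as user DOMAIN\\User1 (uid=100123, gid=100456) (pid 16118)
[2019/04/30 11:28:21.505492,  3] ../source3/smbd/service.c:120(set_current_service)
  chdir (/srv/SITES) failed, reason: Permission denied
"""


@dataclass
class Identity:
    user: str
    uid: int
    gid: int
    pid: int


def parse_entries(text):
    """Return (level, message) pairs; lines that are not headers are joined onto the current message."""
    entries = []
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            entries.append([int(h.group(2)), ""])
        elif entries:
            entries[-1][1] = (entries[-1][1] + " " + line.strip()).strip()
    return [(lvl, msg) for lvl, msg in entries]


def triage(text):
    """One finding per chdir failure: (path, reason, Identity-or-None). The identity is
    found via 'Connect path' (path -> service) and 'connect to service' (service -> uid/gid)."""
    path_to_svc, svc_to_ident, findings = {}, {}, []
    for _lvl, msg in parse_entries(text):
        m = CONNECT_PATH.search(msg)
        if m:
            path_to_svc[m["path"]] = m["svc"]
            continue
        m = CONNECT_AS.search(msg)
        if m:
            svc_to_ident[m["svc"]] = Identity(m["user"], int(m["uid"]), int(m["gid"]), int(m["pid"]))
            continue
        m = CHDIR_FAIL.search(msg)
        if m:
            findings.append((m["path"], m["reason"], svc_to_ident.get(path_to_svc.get(m["path"]))))
    return findings


def posix_traverse(uid, gid, supp_gids, dir_uid, dir_gid, mode):
    """Directory traversal (the x bit) by mode bits only, in the kernel's order:
    root; then the owner class if uid matches (even if the group class would be
    more permissive); then the group class if any gid matches; then other.
    POSIX ACLs (setfacl) are not modelled: compare with getfacl when they exist."""
    if uid == 0:
        return True
    if uid == dir_uid:
        return bool(mode & 0o100)
    if dir_gid == gid or dir_gid in supp_gids:
        return bool(mode & 0o010)
    return bool(mode & 0o001)


def verdict(finding, dir_uid, dir_gid, mode, supp_gids=()):
    """Classify a finding against the directory's owner, group and mode."""
    _path, _reason, ident = finding
    if ident is None:
        return "no-connect-line"
    if posix_traverse(ident.uid, ident.gid, supp_gids, dir_uid, dir_gid, mode):
        # The kernel returned EACCES although the mode bits allow this uid/gid plus the
        # supplementary groups passed in (e.g. from `id -G`): the group set smbd really
        # runs with differs from that list, or an ACL/filesystem layer is refusing.
        return "mode-bits-allow-but-denied"
    return "mode-bits-deny"


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        path, reason, ident = f
        print(f"{path}: {reason}; token uid={ident.uid} gid={ident.gid} pid={ident.pid}")
        # Directory values below are made up: root-owned, group 100456, mode 0750.
        print("  verdict:", verdict(f, dir_uid=0, dir_gid=100456, mode=0o750))
```

Feed it a real log with `triage(open(path).read())`, and pass the directory's `stat -c '%u %g %a'` values plus the output of `id -G user1` as `supp_gids`. A "mode-bits-allow-but-denied" result is the interesting one: it means the NSS view of the user's groups does not match what the kernel enforced for the smbd process, or something beyond the mode bits (a POSIX ACL, the filesystem's own ACL layer) answered the chdir.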
On Tue, 30 Apr 2019 16:22:10 +0000
"Banks, David \(db2d\) via samba" <samba at lists.samba.org> wrote:

> Test 1:
> User User1 is a member of group Group1.
> Group1 has R-X rights to the shared folder SITES.
> When User1 connects to the server over SMB he sees SITES but when he
> tries to access it he gets access denied. Logs for the attempt show
> “chdir (/srv/SITES) failed, reason: Permission denied”
>
> Test 2:
> The same user can connect to the server over SSH and access the
> folder according to the group permissions as expected.
>
> Test 3:
> The user is given specific permissions (via setfacl -m u:user1:r-x)
> or general permissions (via chmod o+rx). User1 connects over SMB and
> has access to the share as expected.
>
> I can’t figure out if this is a problem with my config or with samba.
> I question samba but I have this working just fine on an older
> server. I think SSSD is OK as it seems to be authenticating the user
> just fine. Group1 definitely has R-X permissions to the folder. User1
> is definitely a member of Group1 as confirmed by command ‘groups
> User1’.
>
>
> Current Server (not working):
> Ubuntu 18.04.2
> SSSD
> Samba 4.7.6-Ubuntu
>
> Older Server (working with same permissions):
> Ubuntu 16.04.6
> Winbind
> Samba 4.3.11-Ubuntu
>

Before I waste my time, are you prepared to run this command:

apt-get purge sssd

You do not need sssd and it just gets in the way, you have to have
winbind running anyway.

If you are not prepared to remove sssd, then can I suggest you ask on
the sssd-users mailing list, this is because sssd is doing the
authentication (or trying to) now.

Rowland
On Tue, 30 Apr 2019 16:52:20 +0000
"Banks, David (db2d)" <db2d at virginia.edu> wrote:

> Rowland,
>
> I can certainly give it a try but I was under the impression that
> SSSD was the more robust of the two.

Where did you get that idea from? Winbind is as robust as sssd, it
must be, sssd uses a Samba lib. There is very little that sssd does,
that winbind cannot, also you only have one conf file to configure.

> Also, the authentication seems to be working — user can access the
> server and the logs list successful authentication — just the samba
> server running as the user can’t get to the folder unless posix
> permissions are wide open.

I can try to help you to fix your problem, but not if you continue
using sssd, it has been years since I used it, mainly because I
realised I did not need it. Whilst you are using sssd, it is doing
your authentication and winbind isn't.

Rowland
On Tue, 30 Apr 2019 17:51:36 +0000
"Banks, David (db2d)" <db2d at virginia.edu> wrote:

> Finally got winbind answering my authentication requests but the
> results are the same.
>
> [2019/04/30 13:50:31.616465, 3] ../source3/smbd/service.c:120(set_current_service)
>   chdir (/srv/SITES) failed, reason: Permission denied

I was going to suggest you try this smb.conf:

[global]
security = ADS
realm = DOMAIN.COM
workgroup = DOMAIN
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 1000-50000
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 100000-500000
idmap config DOMAIN:schema_mode = rfc2307
winbind use default domain = yes
winbind refresh tickets = yes
template homedir = /home/%U
template shell = /bin/bash
client signing = yes
client ipc min protocol = SMB2
restrict anonymous = 2
disable netbios = yes
smb ports = 445
unix extensions = no
interfaces = lo bond0
bind interfaces only = yes
vfs objects = shadow_copy2 acl_xattr
### Previous Versions
shadow:snapdir = .zfs/snapshot
shadow:sort = desc
shadow:format = %Y-%m-%d_%H:%M:%S_%Z
shadow:localtime = yes
### NT ACLs
acl_xattr:ignore system acls = yes
acl_xattr:default acl style = windows
### ACLs
acl group control = yes
map acl inherit = Yes
store dos attributes = yes
### ABE
hide unreadable = yes
access based share enum = true
server string = %h server (Samba, Ubuntu)
dns proxy = no
#### Debugging/Accounting ####
log level = 3
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
obey pam restrictions = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
include = /etc/samba/smb.conf.%i

smb.conf.{SERVICE_IP}

[global]
interfaces = lo {SERVICE_IP}
log file = /var/log/samba/log.%i
max log size = 1000
keepalive = 60
deadtime = 10

[ADMIN]
comment = Administrative Share
path = /srv/ADMIN_SHARES
read only = no

[SITES]
comment = ASchool Website Folders
path = /srv/SITES
shadow:basedir = /srv/SITES
read only = no
wide links = yes

I was also going to suggest you read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

That was until I noticed this:

shadow:snapdir = .zfs/snapshot

Is the filesystem 'ZFS'? If so, you could try 'nfs4acl_xattr' instead
of 'acl_xattr', but it still might not work correctly.

Rowland
On Tue, 30 Apr 2019 18:30:17 +0000
"Banks, David (db2d)" <db2d at virginia.edu> wrote:

> I initially started trying to use nfs4acl_xattr but ran into
> problems. I’ll look back into it. Thanks!
>

So it is ZFS, I fear it will not work, freebsd has struggled with using
ZFS and Samba.

Rowland
We have seen this problem - mishandling of group access on files/directories
with just "unix permissions set" on ZFS filesystems on FreeBSD. Things work fine
if you disable the ZFS ACL stuff, or set an ACL on the file system objects.

Debugging this issue it seems to boil down to the fact that FreeBSD doesn't
support extended attributes, and when generating the "fake ACL" from the unix
permissions it doesn't set the "write to attributes allowed" bits (which is
"correct") - but since Windows thinks it needs group write access to
attributes or it won't attempt to write to the objects at all...

So we (a co-worker of mine) created the following patch which seems to solve the
issue (it basically lies and adds "write to attributes" if "write to files"
is set):
--- samba-4.9.4-test/source3/modules/nfs4_acls.c 2018-07-12
10:23:36.000000000 +0200
+++ samba-4.9.4-mikha02/source3/modules/nfs4_acls.c 2019-03-04
11:29:29.263401000 +0100
@@ -380,6 +380,17 @@
DEBUG(10, ("Windows mapped ace flags: 0x%x =>
0x%x\n",
ace->aceFlags, win_ace_flags));
+
+ // 2019-03-04 mikael.haglund at liu.se - Dirtyhack
+ // https://bugzilla.samba.org/show_bug.cgi?id=13809
+ // Windows won't grant write access unless it have write
access on attrib
+ // If write access of the data, then grant write to attribute
+ if(ace->aceMask & 0x2)
+ {
+ ace->aceMask |= 0x000110;
+ DEBUG(2, ("Changing ACL, adding mask for
win-compability"\
+ "new mask: %x\n", ace->aceMask));
+ }
mask = ace->aceMask;
/* Mapping of owner@ and group@ to creator owner and
- Peter
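Review bot: the added block writes the widened bits back into ace->aceMask, while the conversion only needs the local `mask` that is assigned on the very next line (`mask = ace->aceMask;`), so the caller's ACE is permanently altered and any later pass over the same ACL sees the extra bits; widen a local copy instead (`mask = ace->aceMask | ...`). The test `if(ace->aceMask & 0x2)` also does not look at the ACE type, so a DENY ACE for WRITE_DATA would now deny attribute writes as well; restrict the hack to ALLOW ACEs. Smaller points in the same hunk: use the named NFSv4 mask constants from nfs4_acls.h rather than the bare 0x2 and 0x000110 (WRITE_DATA, and WRITE_NAMED_ATTRS | WRITE_ATTRIBUTES), use /* */ comments in this C file rather than //, the two DEBUG string literals are concatenated with no separator so the message reads "win-compabilitynew mask" (and "compability" should be "compatibility"), and DEBUG level 2 will fire for every ACE converted on a level-2 log, which is noisy for what is a per-ACE code path.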
> On 30 Apr 2019, at 20:40, Rowland Penny via samba <samba at
lists.samba.org> wrote:
>
> On Tue, 30 Apr 2019 18:30:17 +0000
> "Banks, David (db2d)" <db2d at virginia.edu> wrote:
>
>> I initially started trying to use nfs4acl_xattr but ran into
>> problems. I’ll look back into it. Thanks!
>>
>
> So it is ZFS, I fear it will not work, freebsd has struggled with using
> ZFS and Samba.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
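To make the mask arithmetic in Peter's patch concrete, the following is an added example (not Samba code and not part of the thread) that decodes NFSv4 ACE mask bits by their RFC 3530 values, applies the same widening the hunk does (any mask with 0x2 gains 0x110), and shows what that does to a DENY ACE, which the hunk does not distinguish. The POSIX-mode-to-mask mapping in fake_mask_from_mode() is an assumption made for illustration so that the "no write-attribute bits for w" situation Peter describes can be reproduced; it is not FreeBSD's actual trivial-ACL generation. The NFSv4 bit values are the same bit positions Samba's nfs4_acls.c passes through as the NT access mask.

```python
#!/usr/bin/env python3
"""Decode NFSv4 ACE masks and apply the 'WRITE_DATA implies write-attributes'
widening from the patch in this thread.

Added example: not Samba code and not from the thread. Bit values are the
NFSv4 ACE access-mask bits from RFC 3530. The POSIX-mode mapping below is an
assumption made for illustration, not FreeBSD's trivial-ACL generation.
"""

NFS4_MASK_BITS = {
    0x000001: "READ_DATA",
    0x000002: "WRITE_DATA",
    0x000004: "APPEND_DATA",
    0x000008: "READ_NAMED_ATTRS",
    0x000010: "WRITE_NAMED_ATTRS",
    0x000020: "EXECUTE",
    0x000040: "DELETE_CHILD",
    0x000080: "READ_ATTRIBUTES",
    0x000100: "WRITE_ATTRIBUTES",
    0x010000: "DELETE",
    0x020000: "READ_ACL",
    0x040000: "WRITE_ACL",
    0x080000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
NAME_TO_BIT = {name: bit for bit, name in NFS4_MASK_BITS.items()}

ACE_ALLOW = 0   # aceType values used here (assumption: only allow/deny are modelled)
ACE_DENY = 1

WRITE_DATA = NAME_TO_BIT["WRITE_DATA"]   # 0x2: the bit the patch tests for
# 0x110: the bits the patch ORs in (WRITE_NAMED_ATTRS | WRITE_ATTRIBUTES)
WRITE_ATTR_BITS = NAME_TO_BIT["WRITE_NAMED_ATTRS"] | NAME_TO_BIT["WRITE_ATTRIBUTES"]


def decode(mask):
    """Names of the bits set in an NFSv4/NT access mask, lowest bit first."""
    return [name for bit, name in sorted(NFS4_MASK_BITS.items()) if mask & bit]


def fake_mask_from_mode(r, w, x):
    """Illustrative mapping of a POSIX rwx triplet to an ACE mask that, like the
    fake ACL Peter describes, carries no write-attribute bits for 'w'.
    (Assumed mapping, not the FreeBSD kernel's.)"""
    mask = 0
    if r:
        mask |= (NAME_TO_BIT["READ_DATA"] | NAME_TO_BIT["READ_NAMED_ATTRS"]
                 | NAME_TO_BIT["READ_ATTRIBUTES"] | NAME_TO_BIT["READ_ACL"])
    if w:
        mask |= WRITE_DATA | NAME_TO_BIT["APPEND_DATA"]
    if x:
        mask |= NAME_TO_BIT["EXECUTE"]
    return mask


def widen_as_patched(ace_type, mask):
    """What the hunk does: any ACE whose mask has WRITE_DATA also gets 0x110,
    whatever the ACE type."""
    if mask & WRITE_DATA:
        mask |= WRITE_ATTR_BITS
    return mask


def widen_allow_only(ace_type, mask):
    """Same widening restricted to ALLOW ACEs, so a DENY ACE for WRITE_DATA does
    not start denying attribute writes too (assumption: the form a reviewer
    would ask for, not something the patch does)."""
    if ace_type == ACE_ALLOW and mask & WRITE_DATA:
        mask |= WRITE_ATTR_BITS
    return mask


def added_rights(before, after):
    """Names of rights present after widening that were absent before."""
    return decode(after & ~before)


if __name__ == "__main__":
    group_rw = fake_mask_from_mode(r=True, w=True, x=False)
    print("group rw- fake ACE:", decode(group_rw))
    print("after patch, gains:", added_rights(group_rw, widen_as_patched(ACE_ALLOW, group_rw)))
    print("deny WRITE_DATA, as patched:", decode(widen_as_patched(ACE_DENY, WRITE_DATA)))
    print("deny WRITE_DATA, allow-only:", decode(widen_allow_only(ACE_DENY, WRITE_DATA)))
```

The second pair of lines is the point: run through the hunk as written, an ACE that denies only WRITE_DATA comes out denying WRITE_NAMED_ATTRS and WRITE_ATTRIBUTES as well, which is a different (stricter) ACL than the one stored on disk.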