Test 1:
User User1 is a member of group Group1.
Group1 has R-X rights to the shared folder SITES.
When User1 connects to the server over SMB, he sees SITES, but when he tries to
access it he gets access denied.
Logs for the attempt show “chdir (/srv/SITES) failed, reason: Permission denied”
Test 2:
The same user can connect to the server over SSH and access the folder according
to the group permissions as expected.
Test 3:
The user is given specific permissions (via setfacl -m u:user1:r-x) or general
permissions (via chmod o+rx).
User1 connects over SMB and has access to the share as expected.
I can’t figure out if this is a problem with my config or with samba. I question
samba but I have this working just fine on an older server. I think SSSD is OK
as it seems to be authenticating the user just fine.
Group1 definitely has R-X permissions to the folder.
User1 is definitely a member of Group1 as confirmed by command ‘groups User1’.
Current Server (not working):
Ubuntu 18.04.2
SSSD
Samba 4.7.6-Ubuntu
Older Server (working with same permissions):
Ubuntu 16.04.6
Winbind
Samba 4.3.11-Ubuntu
Current Server Config:
smb.conf
[global]
security = ADS
realm = DOMAIN.COM
workgroup = DOMAIN
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 1000-50000
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 100000-500000
idmap config DOMAIN:schema_mode = rfc2307bis
idmap config DOMAIN:unix_nss_info = no
idmap config DOMAIN:default = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = true
winbind use default domain = yes
winbind refresh tickets = yes
template homedir = /home/%U
template shell = /bin/bash
client signing = yes
client use spnego = yes
client ipc min protocol = SMB2
client ntlmv2 auth = yes
encrypt passwords = true
restrict anonymous = 2
disable netbios = yes
smb ports = 445
unix extensions = no
interfaces = lo bond0
bind interfaces only = yes
vfs objects = shadow_copy2 acl_xattr
### Previous Versions
shadow:snapdir = .zfs/snapshot
shadow:sort = desc
shadow:format = %Y-%m-%d_%H:%M:%S_%Z
shadow:localtime = yes
### NT ACLs
acl_xattr:ignore system acls = yes
acl_xattr:default acl style = windows
### ACLs
nt acl support = yes
acl group control = yes
map acl inherit = Yes
store dos attributes = yes
### ABE
hide unreadable = yes
access based share enum = true
server string = %h server (Samba, Ubuntu)
dns proxy = no
#### Debugging/Accounting ####
log level = 3
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
server role = member server
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
### Shares
writable = yes
read only = no
usershare allow guests = no
browseable = yes
guest ok = no
valid users = @"DOMAIN\Group1"
admin users = @"DOMAIN\Admin"
include = /etc/samba/smb.conf.%i
smb.conf.{SERVICE_IP}
[global]
bind interfaces only = yes
interfaces = lo {SERVICE_IP}
log file = /var/log/samba/log.%i
max log size = 1000
keepalive = 60
deadtime = 10
[ADMIN]
comment = Administrative Share
path = /srv/ADMIN_SHARES
valid users = @"DOMAIN\Admin"
[SITES]
comment = ASchool Website Folders
path = /srv/SITES
shadow:basedir = /srv/SITES
wide links = yes
valid users = @"DOMAIN\Group1"
sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = DOMAIN.COM
debug_level = 0x3ff0
#debug_level = 1
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 0x3ff0
#debug_level = 1
[pam]
reconnection_retries = 3
debug_level = 0x3ff0
#debug_level = 1
pam_id_timeout = 10
[domain/DOMAIN.COM]
id_provider = ad
access_provider = ad
debug_level = 0x3ff0
#debug_level = 1
ldap_id_mapping = true
#ldap_schema = rfc2307bis
#use_fully_qualified_names = True
override_homedir = /home/%u
default_shell = /bin/bash
krb5_keytab = /etc/krb5.keytab
krb5_realm = DOMAIN.COM
ldap_search_base = dc=domain,dc=com
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ad_hostname = Server.DOMAIN.COM
ad_domain = DOMAIN.COM
ldap_id_mapping = true
default_shell = /bin/bash
ldap_referrals = false
# 2019-03-30: https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
#ignore_group_members = true
ldap_purge_cache_timeout = 0
krb5_auth_timeout = 15
# 2019-04-01: Old config
cache_credentials = True
ldap_schema = ad
Samba Server Logs:
[2019/04/30 11:28:20.929897, 3] ../source3/smbd/msdfs.c:1008(get_referred_path)
get_referred_path: |SITES| in dfs path \Server.Domain.com\SITES is not a dfs root.
[2019/04/30 11:28:20.929958, 3] ../source3/smbd/smb2_server.c:3139(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:309
[2019/04/30 11:28:20.935817, 3] ../lib/util/access.c:365(allow_access)
Allowed connection from 172.25.190.227 (172.25.190.227)
[2019/04/30 11:28:20.935874, 3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
string_to_sid: SID @DOMAIN\Group1 is not in a valid format
[2019/04/30 11:28:20.937229, 3] ../source3/smbd/service.c:595(make_connection_snum)
Connect path is '/srv/SITES' for service [SITES]
[2019/04/30 11:28:20.937284, 3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
string_to_sid: SID @DOMAIN\Group1 is not in a valid format
[2019/04/30 11:28:20.938495, 3] ../source3/smbd/vfs.c:113(vfs_init_default)
Initialising default vfs hooks
[2019/04/30 11:28:20.938545, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
Initialising custom vfs hooks from [/[Default VFS]/]
[2019/04/30 11:28:20.938568, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
Initialising custom vfs hooks from [acl_xattr]
[2019/04/30 11:28:20.938589, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
Initialising custom vfs hooks from [shadow_copy2]
[2019/04/30 11:28:20.938621, 2] ../source3/modules/vfs_acl_xattr.c:236(connect_acl_xattr)
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service SITES
[2019/04/30 11:28:20.938675, 3] ../source3/modules/vfs_acl_xattr.c:269(connect_acl_xattr)
connect_acl_xattr: setting 'directory mask = 0777', 'store dos attributes = yes' and all 'map ...' options to 'no'
[2019/04/30 11:28:20.938855, 3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
string_to_sid: SID @DOMAIN\Group1 is not in a valid format
[2019/04/30 11:28:20.939990, 3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
string_to_sid: SID @DOMAIN\Group1 is not in a valid format
[2019/04/30 11:28:20.941231, 2] ../source3/smbd/service.c:841(make_connection_snum)
6ac25304c5d6d4 (ipv4:172.25.190.227:53406) connect to service SITES initially as user DOMAIN\User1 (uid={UID}, gid={GID}) (pid 16118)
[2019/04/30 11:28:21.505492, 3] ../source3/smbd/service.c:120(set_current_service)
chdir (/srv/SITES) failed, reason: Permission denied
[2019/04/30 11:28:21.505548, 3] ../source3/smbd/smb2_server.c:3139(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_server.c:2491
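The three tests differ only in which entry can grant User1 r-x on /srv/SITES: the owning-group entry in Test 1, a named-user ACL entry (setfacl) or the other bits (chmod o+rx) in Test 3. Of those, only the group path depends on which group IDs the session that does the chdir actually carries. The example below is added here and is not code from the post: it evaluates POSIX mode bits plus a POSIX.1e ACL in the order acl(5) specifies and replays the tests once with a session that carries Group1's GID and once with a session that lacks it. Every uid/gid and the ownership of /srv/SITES are constructed placeholders; the post does not give them. The matching check on the real server is to compare the group list from `id -G User1` with the group `stat -c %g /srv/SITES` reports, and with the gid that the "connect to service SITES initially as user ..." log line shows for the SMB session.

```python
"""Added example, not code from the original post: evaluate a directory's
POSIX mode bits plus a POSIX.1e ACL in acl(5) order and replay the post's
tests with a session that carries Group1's GID and one that does not.
Every uid/gid and the ownership of /srv/SITES is a constructed placeholder."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

R, W, X = 4, 2, 1
RX = R | X


@dataclass
class DirAcl:
    owner_uid: int
    owner_gid: int
    user_obj: int                      # ACL_USER_OBJ: the mode's owner bits
    group_obj: int                     # ACL_GROUP_OBJ: the owning group's bits
    other: int                         # ACL_OTHER: the mode's other bits
    named_users: Dict[int, int] = field(default_factory=dict)   # setfacl -m u:uid:perms
    named_groups: Dict[int, int] = field(default_factory=dict)  # setfacl -m g:gid:perms
    mask: Optional[int] = None         # ACL_MASK, present once any named entry exists


@dataclass(frozen=True)
class Session:
    uid: int
    gid: int                           # primary gid
    groups: FrozenSet[int]             # supplementary gids the session carries

    def in_group(self, gid: int) -> bool:
        return gid == self.gid or gid in self.groups


def set_named_user(d: DirAcl, uid: int, perms: int) -> None:
    """Mimic `setfacl -m u:<uid>:<perms>`: add the entry and recompute the mask
    as the union of the group class, which setfacl does by default."""
    d.named_users[uid] = perms
    d.mask = d.group_obj
    for p in list(d.named_users.values()) + list(d.named_groups.values()):
        d.mask |= p


def can_access(d: DirAcl, s: Session, want: int) -> Tuple[bool, str]:
    """Return (granted, entry class that decided) following the acl(5) algorithm."""
    def masked(p: int) -> int:
        return p if d.mask is None else p & d.mask

    if s.uid == d.owner_uid:
        return (d.user_obj & want) == want, "owner"
    if s.uid in d.named_users:
        return (masked(d.named_users[s.uid]) & want) == want, "named user"
    # group class: every group entry the session matches is a candidate and
    # access is granted if any one of them carries all requested bits
    candidates = []
    if s.in_group(d.owner_gid):
        candidates.append(masked(d.group_obj))
    candidates += [masked(p) for gid, p in d.named_groups.items() if s.in_group(gid)]
    if candidates:
        return any((p & want) == want for p in candidates), "group class"
    return (d.other & want) == want, "other"


def replay_tests() -> Dict[str, Tuple[bool, str]]:
    """Run Test 1 and both variants of Test 3 under two session tokens."""
    ROOT, USER1, GROUP1, DOMAIN_USERS = 0, 100001, 100500, 100513   # constructed ids
    sites = dict(owner_uid=ROOT, owner_gid=GROUP1, user_obj=R | W | X, group_obj=RX, other=0)
    with_group = Session(USER1, DOMAIN_USERS, frozenset({GROUP1}))   # what `id -G User1` should show
    without_group = Session(USER1, DOMAIN_USERS, frozenset())         # a token lacking Group1

    results = {}
    plain = DirAcl(**sites)
    results["test1_session_with_group1"] = can_access(plain, with_group, RX)
    results["test1_session_without_group1"] = can_access(plain, without_group, RX)

    with_user_acl = DirAcl(**sites)
    set_named_user(with_user_acl, USER1, RX)                          # setfacl -m u:user1:r-x
    results["test3_setfacl_without_group1"] = can_access(with_user_acl, without_group, RX)

    world_rx = DirAcl(**sites)
    world_rx.other = RX                                               # chmod o+rx
    results["test3_chmod_o_rx_without_group1"] = can_access(world_rx, without_group, RX)
    return results


if __name__ == "__main__":
    for name, (granted, via) in replay_tests().items():
        print(f"{name:38s} {'allowed' if granted else 'DENIED':8s} via {via}")
```

Only the first Test 1 row is allowed through the group class; a session without Group1's GID fails Test 1 on the other bits, yet passes both Test 3 variants, which is exactly the pattern the post describes. That makes the supplementary group list of the smbd session the thing to verify before anything else in the configuration.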
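The repeated `string_to_sid: SID @DOMAIN\Group1 is not in a valid format` lines appear to come from smbd first trying each `valid users` entry as a literal SID before looking it up as a name, so on their own they are not the failure; they do show, though, that the share check hinges on the group name in `valid users` matching exactly. A typographic or unbalanced quote in that value, which slips in easily when a config is pasted from a web page or a document, makes the name never match. The added lint below is not code from the post or from Samba: it parses smb.conf and flags such values in the user/group list options. SAMPLE_CONF is constructed for the demonstration; `load_smb_conf` reads a real file.

```python
"""Added example, not code from the original post: parse smb.conf and flag
user/group list values that cannot match a name because of typographic,
unbalanced or other non-ASCII quoting.  SAMPLE_CONF is constructed."""
import sys
from typing import List, Tuple

# Options whose values are lists of user/group names that smbd resolves
NAME_LIST_OPTIONS = {"valid users", "invalid users", "admin users",
                     "read list", "write list", "force group", "force user"}
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"   # “ ” ‘ ’

# Constructed sample: the first valid users line opens with a typographic
# quote and closes with a straight one; the other two lines are fine.
SAMPLE_CONF = """[global]
   valid users = @\u201cDOMAIN\\Group1"
   admin users = @"DOMAIN\\Admin"
[SITES]
   path = /srv/SITES
   valid users = @"DOMAIN\\Group1"
"""


def parse_smb_conf(text: str) -> List[Tuple[str, str, str, int]]:
    """Return (section, key, value, lineno) tuples; keys are lower-cased with
    internal whitespace collapsed, which is how smbd compares parameter names."""
    section, entries = "", []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries.append((section, " ".join(key.lower().split()), value.strip(), lineno))
    return entries


def lint_name_lists(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (lineno, section, key, problem) for every suspicious list value."""
    findings = []
    for section, key, value, lineno in parse_smb_conf(text):
        if key not in NAME_LIST_OPTIONS:
            continue
        if any(ch in TYPOGRAPHIC_QUOTES for ch in value):
            findings.append((lineno, section, key, "typographic quote in value"))
        if value.count('"') % 2:
            findings.append((lineno, section, key, "unbalanced double quote"))
        if any(ord(ch) > 127 and ch not in TYPOGRAPHIC_QUOTES for ch in value):
            findings.append((lineno, section, key, "non-ASCII character in value"))
    return findings


def load_smb_conf(path: str) -> str:
    """Read a real smb.conf; errors='replace' keeps mis-encoded bytes visible."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    text = load_smb_conf(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CONF
    for lineno, section, key, problem in lint_name_lists(text):
        print(f"line {lineno} [{section}] {key}: {problem}")
```

Run it with the path of the main smb.conf and of each included `smb.conf.%i` file, since the per-share `valid users` values live in the includes. The check deliberately stays at the text level: whether a name that is quoted correctly actually resolves is a question for `getent group` and `wbinfo`, not for a parser.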