samba - May 2019 - NT_STATUS_ACCESS_DENIED on a directory I have permission to access

On Fri, 3 May 2019 15:36:59 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Hai Paul, 
> 
> Look at this: user=paulg,uid=2381 
> (from mount -t cifs //xxxx.xxxx.yorku.ca/homes /tmp/1 -o
> user=paulg,uid=2381,gid=1000,domain=AD.ONE.EXAMPLE.CA)
> 
> Now, look at this : 
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> > # - You must set a DOMAIN backend configuration
> > # idmap config for the ONEEXAMPLECA domain
> > idmap config ONEEXAMPLECA : backend = rid
> > idmap config ONEEXAMPLECA : range = 10000-999999   
> 
> What do you notice here. ( the hint is 2381:1000 ) and i would expect
> to see 10000:10000 or higher. Do you see what i mean? Your UID/GID is
> a local users one, not AD-DC users. 
> 
> Your ranges are out of sync now, and that your denied is completly
> correct. 
> 
Good catch Louis, those numbers are even outside the '*' domain, so
must be a local Unix user and group and how many times do I have to
say this:

You cannot have local Unix users and groups in /etc/passwd & /etc/group
and expect them to work on a Samba Unix domain.

If the ID numbers are in AD, then the only reason would be if this is
a classicupgraded domain (which I personally hate) and if so, the
ranges in smb.conf will need altering to match.

Rowland

On 5/3/19 9:53 AM, Rowland Penny via samba wrote:
> On Fri, 3 May 2019 15:36:59 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org>
wrote:
>
>> Hai Paul,
>>
>> Look at this: user=paulg,uid=2381
>> (from mount -t cifs //xxxx.xxxx.yorku.ca/homes /tmp/1 -o
>> user=paulg,uid=2381,gid=1000,domain=AD.ONE.EXAMPLE.CA)
>>
>> Now, look at this :
>>> idmap config * : backend = tdb
>>> idmap config * : range = 3000-7999
>>> # - You must set a DOMAIN backend configuration
>>> # idmap config for the ONEEXAMPLECA domain
>>> idmap config ONEEXAMPLECA : backend = rid
>>> idmap config ONEEXAMPLECA : range = 10000-999999
>> What do you notice here. ( the hint is 2381:1000 ) and i would expect
>> to see 10000:10000 or higher. Do you see what i mean? Your UID/GID is
>> a local users one, not AD-DC users.
>>
>> Your ranges are out of sync now, and that your denied is completly
>> correct.
>>
> Good catch Louis, those numbers are even outside the '*' domain, so
> must be a local Unix user and group and how many times do I have to
> say this:
>
> You cannot have local Unix users and groups in /etc/passwd & /etc/group
> and expect them to work on a Samba Unix domain.
>
> If the ID numbers are in AD, then the only reason would be if this is
> a classicupgraded domain (which I personally hate) and if so, the
> ranges in smb.conf will need altering to match.
>
> Rowland
>   
>
Louis and Rowland,

Thank you both for your suggestions. Why only the mail directory, why 
wouldn't I get a permission error on the other directories?

This is a classic upgraded domain. In this situation, what would be ideal..?

1 ) Configure the local builtin accounts?

idmap config *   :  range = 100-999

2) Configure the Domain accounts?

idmap config ONEEXAMPLECA : backend = rid
idmap config ONEEXAMPLECA : range = 1000-999999

Suggestions and links always welcomed :)

Paul

-- 
Paul Griffith | Computer Systems Coordinator
Electrical Engineering & Computer Science | Lassonde School of Engineering
York University | 4700 Keele St., Toronto ON M3J 1P3 Canada
T:416-736-2100 x70258 | F:416-736-5872

On Mon, 6 May 2019 10:33:27 -0400
Paul Griffith <paulg at eecs.yorku.ca> wrote:
> On 5/3/19 9:53 AM, Rowland Penny via samba wrote:
> > On Fri, 3 May 2019 15:36:59 +0200
> > "L.P.H. van Belle via samba" <samba at
lists.samba.org> wrote:
> >  
> >> Hai Paul,
> >>
> >> Look at this: user=paulg,uid=2381
> >> (from mount -t cifs //xxxx.xxxx.yorku.ca/homes /tmp/1 -o
> >> user=paulg,uid=2381,gid=1000,domain=AD.ONE.EXAMPLE.CA)
> >>
> >> Now, look at this :  
> >>> idmap config * : backend = tdb
> >>> idmap config * : range = 3000-7999
> >>> # - You must set a DOMAIN backend configuration
> >>> # idmap config for the ONEEXAMPLECA domain
> >>> idmap config ONEEXAMPLECA : backend = rid
> >>> idmap config ONEEXAMPLECA : range = 10000-999999  
> >> What do you notice here. ( the hint is 2381:1000 ) and i would
> >> expect to see 10000:10000 or higher. Do you see what i mean? Your
> >> UID/GID is a local users one, not AD-DC users.
> >>
> >> Your ranges are out of sync now, and that your denied is completly
> >> correct.
> >>  
> > Good catch Louis, those numbers are even outside the '*'
domain, so
> > must be a local Unix user and group and how many times do I have to
> > say this:
> >
> > You cannot have local Unix users and groups in /etc/passwd
> > & /etc/group and expect them to work on a Samba Unix domain.
> >
> > If the ID numbers are in AD, then the only reason would be if this
> > is a classicupgraded domain (which I personally hate) and if so, the
> > ranges in smb.conf will need altering to match.
> >
> > Rowland
> >   
> >  
> 
> Louis and Rowland,
> 
> Thank you both for your suggestions. Why only the mail directory, why 
> wouldn't I get a permission error on the other directories?
> 
> This is a classic upgraded domain. In this situation, what would be
> ideal..?
> 
> 1 ) Configure the local builtin accounts?
> 
> idmap config *   :  range = 100-999
No, set this above the 'ONEEXAMPLECA' domain
> 
> 2) Configure the Domain accounts?
> 
> idmap config ONEEXAMPLECA : backend = rid
> idmap config ONEEXAMPLECA : range = 1000-999999
if your lowest Unix ID in AD is 1000 and your highest is less than
999999, then yes, but use the 'ad' backend instead.

If you don't care about the ID's (in which case, why did you run the
classicupgrade ?), the range can be anything you like, if you use
the 'rid' backend.

Rowland
> 
> Suggestions and links always welcomed :)
> 
> Paul
>