Rowland Penny
2019-May-06 15:59 UTC
[Samba] NT_STATUS_ACCESS_DENIED on a directory I have permission to access
On Mon, 6 May 2019 10:33:27 -0400 Paul Griffith <paulg at eecs.yorku.ca> wrote:> On 5/3/19 9:53 AM, Rowland Penny via samba wrote: > > On Fri, 3 May 2019 15:36:59 +0200 > > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote: > > > >> Hai Paul, > >> > >> Look at this: user=paulg,uid=2381 > >> (from mount -t cifs //xxxx.xxxx.yorku.ca/homes /tmp/1 -o > >> user=paulg,uid=2381,gid=1000,domain=AD.ONE.EXAMPLE.CA) > >> > >> Now, look at this : > >>> idmap config * : backend = tdb > >>> idmap config * : range = 3000-7999 > >>> # - You must set a DOMAIN backend configuration > >>> # idmap config for the ONEEXAMPLECA domain > >>> idmap config ONEEXAMPLECA : backend = rid > >>> idmap config ONEEXAMPLECA : range = 10000-999999 > >> What do you notice here. ( the hint is 2381:1000 ) and i would > >> expect to see 10000:10000 or higher. Do you see what i mean? Your > >> UID/GID is a local users one, not AD-DC users. > >> > >> Your ranges are out of sync now, and that your denied is completly > >> correct. > >> > > Good catch Louis, those numbers are even outside the '*' domain, so > > must be a local Unix user and group and how many times do I have to > > say this: > > > > You cannot have local Unix users and groups in /etc/passwd > > & /etc/group and expect them to work on a Samba Unix domain. > > > > If the ID numbers are in AD, then the only reason would be if this > > is a classicupgraded domain (which I personally hate) and if so, the > > ranges in smb.conf will need altering to match. > > > > Rowland > > > > > > Louis and Rowland, > > Thank you both for your suggestions. Why only the mail directory, why > wouldn't I get a permission error on the other directories? > > This is a classic upgraded domain. In this situation, what would be > ideal..? > > 1 ) Configure the local builtin accounts? > > idmap config * : range = 100-999No, set this above the 'ONEEXAMPLECA' domain> > 2) Configure the Domain accounts? > > idmap config ONEEXAMPLECA : backend = rid > idmap config ONEEXAMPLECA : range = 1000-999999if your lowest Unix ID in AD is 1000 and your highest is less than 999999, then yes, but use the 'ad' backend instead. If you don't care about the ID's (in which case, why did you run the classicupgrade ?), the range can be anything you like, if you use the 'rid' backend. Rowland> > Suggestions and links always welcomed :) > > Paul >
Paul Griffith
2019-May-09 19:17 UTC
[Samba] NT_STATUS_ACCESS_DENIED on a directory I have permission to access
On 5/6/19 11:59 AM, Rowland Penny via samba wrote:> On Mon, 6 May 2019 10:33:27 -0400 > Paul Griffith <paulg at eecs.yorku.ca> wrote: > >> On 5/3/19 9:53 AM, Rowland Penny via samba wrote: >>> On Fri, 3 May 2019 15:36:59 +0200 >>> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote: >>> >>>> Hai Paul, >>>> >>>> Look at this: user=paulg,uid=2381 >>>> (from mount -t cifs //xxxx.xxxx.yorku.ca/homes /tmp/1 -o >>>> user=paulg,uid=2381,gid=1000,domain=AD.ONE.EXAMPLE.CA) >>>> >>>> Now, look at this : >>>>> idmap config * : backend = tdb >>>>> idmap config * : range = 3000-7999 >>>>> # - You must set a DOMAIN backend configuration >>>>> # idmap config for the ONEEXAMPLECA domain >>>>> idmap config ONEEXAMPLECA : backend = rid >>>>> idmap config ONEEXAMPLECA : range = 10000-999999 >>>> What do you notice here. ( the hint is 2381:1000 ) and i would >>>> expect to see 10000:10000 or higher. Do you see what i mean? Your >>>> UID/GID is a local users one, not AD-DC users. >>>> >>>> Your ranges are out of sync now, and that your denied is completly >>>> correct. >>>> >>> Good catch Louis, those numbers are even outside the '*' domain, so >>> must be a local Unix user and group and how many times do I have to >>> say this: >>> >>> You cannot have local Unix users and groups in /etc/passwd >>> & /etc/group and expect them to work on a Samba Unix domain. >>> >>> If the ID numbers are in AD, then the only reason would be if this >>> is a classicupgraded domain (which I personally hate) and if so, the >>> ranges in smb.conf will need altering to match. >>> >>> Rowland >>> >>> >> Louis and Rowland, >> >> Thank you both for your suggestions. Why only the mail directory, why >> wouldn't I get a permission error on the other directories? >> >> This is a classic upgraded domain. In this situation, what would be >> ideal..? >> >> 1 ) Configure the local builtin accounts? >> >> idmap config * : range = 100-999 > No, set this above the 'ONEEXAMPLECA' domain > >> 2) Configure the Domain accounts? >> >> idmap config ONEEXAMPLECA : backend = rid >> idmap config ONEEXAMPLECA : range = 1000-999999 > if your lowest Unix ID in AD is 1000 and your highest is less than > 999999, then yes, but use the 'ad' backend instead. > > If you don't care about the ID's (in which case, why did you run the > classicupgrade ?), the range can be anything you like, if you use > the 'rid' backend. > > Rowland > >> Suggestions and links always welcomed :) >> >> PaulHello Rowland, I went back and re-read the following links and with the changes listed below I resolved most of my problems. [0] - https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member [1] - https://wiki.samba.org/index.php/Libnss_winbind_Links [2] - https://wiki.samba.org/index.php/Idmap_config_ad [3] - https://github.com/thctlo/samba4/blob/master/howtos/stretch-base-3.2-samba-member-fileserver.txt [4] - https://forums.freebsd.org/threads/samba-ad-getent-passwd-doesnt-return-domain-users.62554/ But I still can't figure out why getent doesn't return anything for the domain. If I use /etc/password it works as expected. - getent domain fails getent passwd ONEEXAMPLECA\\paulg # From strace I see it opens the winbindd pipe and talks to the winbind process. lstat("/var/run/winbindd", {st_mode=S_IFDIR|0755, st_size=60, ...}) = 0 30477 lstat("/var/run/winbindd/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0 30477 socket(AF_LOCAL, SOCK_STREAM, 0) = 3 30477 fcntl(3, F_GETFL) = 0x2 (flags O_RDWR) 30477 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0 30477 fcntl(3, F_GETFD) = 0 30477 fcntl(3, F_SETFD, FD_CLOEXEC) = 0 30477 connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/winbindd/pipe"}, 110) = 0 From log.winbindd log file, nothing is returned. [2019/05/09 14:45:18.165098, 3, pid=14653, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_getpwnam.c:58(winbindd_getpwnam_send) getpwnam ONEEXAMPLECA\paulg Any suggestions to tackle the getent domain issue? What errors could show up if we have the same user names in the local /etc/passwd file as in the domain? --- Changes made --- I removed SSSD and related packages. 1 - Since we compile Samba from source, I linked the compiled library libnss_winbind.so.2 into /lib64, linking libnss_winbind.so didn't work. I had to use strace to confirm that getent was looking for libnss_winbind.so.2 and not libnss_winbind.so (CentOS 7.6) 2 - verify nsswitch.conf grep -i winbind /etc/nsswitch.conf passwd: files winbind group: files winbind 3 - verify /etc/krb5.conf # Configuration snippets may be placed in this directory as well [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = AD.ONE.EXAMPLE.CA dns_lookup_realm = false dns_lookup_kdc = true forwardable = true proxiable = true ignore_k5login = true ticket_lifetime = 24h renew_lifetime = 7d 4 - Using the command 'samba-tool user edit paulg' I added the UNIX ID/GID to uidNumber and gidNumber in AD. 5 - Updated file server conf as per previous e-mails and links above [global] security = ADS workgroup = ONEEXAMPLECA realm = AD.ONE.EXAMPLE.CA hostname lookups = yes preferred master = no domain master = no # Default ID mapping configuration for local BUILTIN accounts # and groups on a domain member. The default (*) domain: # - must not overlap with any domain ID mapping configuration! # - must use a read-write-enabled back end, such as tdb. idmap config * : backend = tdb idmap config * : range = 1000000-1999999 # idmap config for the ONEEXAMPLECA domain # range should match UNIX ID in AD idmap config ONEEXAMPLECA : backend = ad idmap config ONEEXAMPLECA : schema_mode = rfc2307 idmap config ONEEXAMPLECA : range = 1000-999999 idmap config ONEEXAMPLECA : unix_nss_info = yes # Renew the kerberos tickets winbind refresh tickets = yes # Enable offline logins winbind offline logon = yes # User uid/Gid from AD. (rfc2307) winbind nss info = rfc2307 # With default domain, wbinfo -u, yes = username, no is SAMBADOM\username winbind use default domain = yes # Keep no in production, set yes when debugging, this slows down your samba. winbind enum users = no winbind enum groups = no # disable usershares creating, when set empty no error log messages. usershare path # For Windows ACL support on member file server, enabled globaly, OBLIGATED # For a mixed setup of rights, put this per share! vfs objects = acl_xattr map acl inherit = yes store dos attributes = yes # Template settings for login shell and home directory template shell = /bin/bash template homedir = /eecs/home/%U Thank you, Paul
Rowland Penny
2019-May-09 19:48 UTC
[Samba] NT_STATUS_ACCESS_DENIED on a directory I have permission to access
On Thu, 9 May 2019 15:17:07 -0400 Paul Griffith <paulg at eecs.yorku.ca> wrote:> Hello Rowland, > > I went back and re-read the following links and with the changes > listed below I resolved most of my problems. > > But I still can't figure out why getent doesn't return anything for > the domain. If I use /etc/password it works as expected. > > - getent domain fails > getent passwd ONEEXAMPLECA\\paulgIt should work: rowland at devstation:~$ getent passwd SAMDOM\\rowland rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash rowland at devstation:~$ getent passwd rowland rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash> From log.winbindd log file, nothing is returned. > > [2019/05/09 14:45:18.165098, 3, pid=14653, effective(0, 0), real(0, > 0)] ../source3/winbindd/winbindd_getpwnam.c:58(winbindd_getpwnam_send) > getpwnam ONEEXAMPLECA\paulg > > Any suggestions to tackle the getent domain issue? > > What errors could show up if we have the same user names in the local > /etc/passwd file as in the domain?You cannot have a user called 'paulg' in /etc/passwd and in AD, if you do, then the user in /etc/passwd will be used and the user in AD will be ignored.> > > --- Changes made --- > > I removed SSSD and related packages. > > 1 - Since we compile Samba from source, I linked the compiled library > libnss_winbind.so.2 into /lib64, linking libnss_winbind.so didn't > work. I had to use strace to confirm that getent was looking for > libnss_winbind.so.2 and not libnss_winbind.so (CentOS 7.6) > > 2 - verify nsswitch.conf > grep -i winbind /etc/nsswitch.conf > passwd: files winbind > group: files winbind > > 3 - verify /etc/krb5.conf > > # Configuration snippets may be placed in this directory as well > [logging] > default = FILE:/var/log/krb5libs.log > kdc = FILE:/var/log/krb5kdc.log > admin_server = FILE:/var/log/kadmind.log > > [libdefaults] > default_realm = AD.ONE.EXAMPLE.CA > dns_lookup_realm = false > dns_lookup_kdc = true > forwardable = true > proxiable = true > ignore_k5login = true > ticket_lifetime = 24h > renew_lifetime = 7d > > 4 - Using the command 'samba-tool user edit paulg' I added the UNIX > ID/GID to uidNumber and gidNumber in AD. > > 5 - Updated file server conf as per previous e-mails and links above > > [global] > security = ADS > workgroup = ONEEXAMPLECA > realm = AD.ONE.EXAMPLE.CA > hostname lookups = yesThis has nothing to do with your problem, but you really shouldn't have the line above, you should rely on dns.> preferred master = no > domain master = no > > > # Default ID mapping configuration for local BUILTIN accounts > # and groups on a domain member. The default (*) domain: > # - must not overlap with any domain ID mapping configuration! > # - must use a read-write-enabled back end, such as tdb. > idmap config * : backend = tdb > idmap config * : range = 1000000-1999999 > > # idmap config for the ONEEXAMPLECA domain > # range should match UNIX ID in AD > idmap config ONEEXAMPLECA : backend = ad > idmap config ONEEXAMPLECA : schema_mode = rfc2307 > idmap config ONEEXAMPLECA : range = 1000-999999 > idmap config ONEEXAMPLECA : unix_nss_info = yes > > # Renew the kerberos tickets > winbind refresh tickets = yes > > # Enable offline logins > winbind offline logon = yes > > # User uid/Gid from AD. (rfc2307) > winbind nss info = rfc2307The line above has been replaced by the 'idmap config' line Rowland
Seemingly Similar Threads
- NT_STATUS_ACCESS_DENIED on a directory I have permission to access
- NT_STATUS_ACCESS_DENIED on a directory I have permission to access
- NT_STATUS_ACCESS_DENIED on a directory I have permission to access
- NT_STATUS_ACCESS_DENIED on a directory I have permission to access
- NT_STATUS_ACCESS_DENIED on a directory I have permission to access