Rowland Penny
2019-May-06 15:59 UTC
[Samba] NT_STATUS_ACCESS_DENIED on a directory I have permission to access
On Mon, 6 May 2019 10:33:27 -0400
Paul Griffith <paulg at eecs.yorku.ca> wrote:

> On 5/3/19 9:53 AM, Rowland Penny via samba wrote:
> > On Fri, 3 May 2019 15:36:59 +0200
> > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> >
> >> Hai Paul,
> >>
> >> Look at this: user=paulg,uid=2381
> >> (from mount -t cifs //xxxx.xxxx.yorku.ca/homes /tmp/1 -o
> >> user=paulg,uid=2381,gid=1000,domain=AD.ONE.EXAMPLE.CA)
> >>
> >> Now, look at this:
> >>> idmap config * : backend = tdb
> >>> idmap config * : range = 3000-7999
> >>> # - You must set a DOMAIN backend configuration
> >>> # idmap config for the ONEEXAMPLECA domain
> >>> idmap config ONEEXAMPLECA : backend = rid
> >>> idmap config ONEEXAMPLECA : range = 10000-999999
> >> What do you notice here? (the hint is 2381:1000) I would
> >> expect to see 10000:10000 or higher. Do you see what I mean? Your
> >> UID/GID is a local user's one, not an AD-DC user's.
> >>
> >> Your ranges are out of sync now, and that your denied is completely
> >> correct.
> >>
> > Good catch Louis, those numbers are even outside the '*' domain, so
> > must be a local Unix user and group and how many times do I have to
> > say this:
> >
> > You cannot have local Unix users and groups in /etc/passwd
> > & /etc/group and expect them to work on a Samba Unix domain.
> >
> > If the ID numbers are in AD, then the only reason would be if this
> > is a classicupgraded domain (which I personally hate) and if so, the
> > ranges in smb.conf will need altering to match.
> >
> > Rowland
> >
> >
> Louis and Rowland,
>
> Thank you both for your suggestions. Why only the mail directory, why
> wouldn't I get a permission error on the other directories?
>
> This is a classic upgraded domain. In this situation, what would be
> ideal..?
>
> 1) Configure the local builtin accounts?
>
> idmap config * : range = 100-999

No, set this above the 'ONEEXAMPLECA' domain

> 2) Configure the Domain accounts?
>
> idmap config ONEEXAMPLECA : backend = rid
> idmap config ONEEXAMPLECA : range = 1000-999999

If your lowest Unix ID in AD is 1000 and your highest is less than
999999, then yes, but use the 'ad' backend instead.

If you don't care about the IDs (in which case, why did you run the
classicupgrade?), the range can be anything you like, if you use the
'rid' backend.

Rowland

> Suggestions and links always welcomed :)
>
> Paul
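The range mismatch Louis and Rowland point at above can be checked mechanically before anyone chases NT_STATUS_ACCESS_DENIED through log.smbd. The script below is an added example, not code from the thread or from Samba: it parses the `idmap config DOMAIN : range = LOW-HIGH` lines out of an smb.conf, reports which idmap domain (if any) owns a given Unix ID, and flags overlapping ranges. The three smb.conf fragments it writes are constructed for the example; the first mirrors the ranges from the original post (uid 2381 is covered by nothing), the second the ranges Paul later switched to, and the third an overlap that Samba would reject.

```shell
#!/bin/sh
# Added example (not from the thread): check an smb.conf's idmap ranges.
# A Unix ID that no configured range covers, such as the uid=2381 passed to
# the cifs mount above, cannot be mapped by winbind, so the ACCESS_DENIED
# that follows is winbind behaving correctly.  All files here are constructed.

TMPD=$(mktemp -d)
BROKEN_CONF="$TMPD/smb.broken.conf"
FIXED_CONF="$TMPD/smb.fixed.conf"
OVERLAP_CONF="$TMPD/smb.overlap.conf"

# write_conf FILE STAR_RANGE DOMAIN_RANGE  (constructed smb.conf fragment)
write_conf() {
  cat >"$1" <<EOF
[global]
   idmap config * : backend = tdb
   idmap config * : range = $2
   idmap config ONEEXAMPLECA : backend = ad
   idmap config ONEEXAMPLECA : range = $3
EOF
}

write_conf "$BROKEN_CONF"  3000-7999       10000-999999  # ranges from the first post
write_conf "$FIXED_CONF"   1000000-1999999 1000-999999   # ranges from the corrected config
write_conf "$OVERLAP_CONF" 1000-2000       1500-999999   # misconfiguration: '*' overlaps the domain

# idmap_ranges FILE -> one "domain low high" line per configured range
idmap_ranges() {
  awk -F'[:=]' '
    /^[[:space:]]*idmap config[[:space:]].*:[[:space:]]*range[[:space:]]*=/ {
      dom = $1; sub(/^[[:space:]]*idmap config[[:space:]]*/, "", dom); gsub(/[[:space:]]/, "", dom)
      rng = $3; gsub(/[[:space:]]/, "", rng); split(rng, r, "-")
      print dom, r[1], r[2]
    }' "$1"
}

# idmap_domain_for_id FILE ID -> prints the idmap domain whose range covers ID,
# or NONE (exit status 1) when no range does, i.e. winbind cannot map that ID.
idmap_domain_for_id() {
  idmap_ranges "$1" | awk -v id="$2" '
    id >= $2 + 0 && id <= $3 + 0 { print $1; found = 1; exit }
    END { if (!found) { print "NONE"; exit 1 } }'
}

# idmap_ranges_disjoint FILE -> exit 0 when no two ranges overlap; otherwise
# prints the offending pair and exits 1.  The '*' range must never overlap a
# domain range, which is what the comment in the corrected config warns about.
idmap_ranges_disjoint() {
  idmap_ranges "$1" | sort -n -k2,2 | awk '
    NR > 1 && $2 + 0 <= prev_hi + 0 { print "overlap: " prev " and " $1; bad = 1 }
    { prev = $1; prev_hi = $3 }
    END { exit bad ? 1 : 0 }'
}

# Walk-through: the UID the cifs mount was told to use, against each config.
for conf in "$BROKEN_CONF" "$FIXED_CONF"; do
  printf '%s: uid 2381 -> %s\n' "$(basename "$conf")" "$(idmap_domain_for_id "$conf" 2381)"
done
idmap_ranges_disjoint "$OVERLAP_CONF" || echo "smb.overlap.conf is misconfigured"
```

On a real member server point the functions at /etc/samba/smb.conf (or the output of `testparm -s`) and at the uidNumber/gidNumber values you expect AD users to carry; any ID that comes back as NONE is one winbind will never map, whatever the file ACLs say.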
Paul Griffith
2019-May-09 19:17 UTC
[Samba] NT_STATUS_ACCESS_DENIED on a directory I have permission to access
On 5/6/19 11:59 AM, Rowland Penny via samba wrote:
> On Mon, 6 May 2019 10:33:27 -0400
> Paul Griffith <paulg at eecs.yorku.ca> wrote:
>
>> On 5/3/19 9:53 AM, Rowland Penny via samba wrote:
>>> On Fri, 3 May 2019 15:36:59 +0200
>>> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>>>
>>>> Hai Paul,
>>>>
>>>> Look at this: user=paulg,uid=2381
>>>> (from mount -t cifs //xxxx.xxxx.yorku.ca/homes /tmp/1 -o
>>>> user=paulg,uid=2381,gid=1000,domain=AD.ONE.EXAMPLE.CA)
>>>>
>>>> Now, look at this:
>>>>> idmap config * : backend = tdb
>>>>> idmap config * : range = 3000-7999
>>>>> # - You must set a DOMAIN backend configuration
>>>>> # idmap config for the ONEEXAMPLECA domain
>>>>> idmap config ONEEXAMPLECA : backend = rid
>>>>> idmap config ONEEXAMPLECA : range = 10000-999999
>>>> What do you notice here? (the hint is 2381:1000) I would
>>>> expect to see 10000:10000 or higher. Do you see what I mean? Your
>>>> UID/GID is a local user's one, not an AD-DC user's.
>>>>
>>>> Your ranges are out of sync now, and that your denied is completely
>>>> correct.
>>>>
>>> Good catch Louis, those numbers are even outside the '*' domain, so
>>> must be a local Unix user and group and how many times do I have to
>>> say this:
>>>
>>> You cannot have local Unix users and groups in /etc/passwd
>>> & /etc/group and expect them to work on a Samba Unix domain.
>>>
>>> If the ID numbers are in AD, then the only reason would be if this
>>> is a classicupgraded domain (which I personally hate) and if so, the
>>> ranges in smb.conf will need altering to match.
>>>
>>> Rowland
>>>
>>>
>> Louis and Rowland,
>>
>> Thank you both for your suggestions. Why only the mail directory, why
>> wouldn't I get a permission error on the other directories?
>>
>> This is a classic upgraded domain. In this situation, what would be
>> ideal..?
>>
>> 1) Configure the local builtin accounts?
>>
>> idmap config * : range = 100-999
> No, set this above the 'ONEEXAMPLECA' domain
>
>> 2) Configure the Domain accounts?
>>
>> idmap config ONEEXAMPLECA : backend = rid
>> idmap config ONEEXAMPLECA : range = 1000-999999
> If your lowest Unix ID in AD is 1000 and your highest is less than
> 999999, then yes, but use the 'ad' backend instead.
>
> If you don't care about the IDs (in which case, why did you run the
> classicupgrade?), the range can be anything you like, if you use
> the 'rid' backend.
>
> Rowland
>
>> Suggestions and links always welcomed :)
>>
>> Paul

Hello Rowland,

I went back and re-read the following links and with the changes listed
below I resolved most of my problems.

[0] - https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
[1] - https://wiki.samba.org/index.php/Libnss_winbind_Links
[2] - https://wiki.samba.org/index.php/Idmap_config_ad
[3] - https://github.com/thctlo/samba4/blob/master/howtos/stretch-base-3.2-samba-member-fileserver.txt
[4] - https://forums.freebsd.org/threads/samba-ad-getent-passwd-doesnt-return-domain-users.62554/

But I still can't figure out why getent doesn't return anything for the
domain. If I use /etc/passwd it works as expected.

- getent domain fails

getent passwd ONEEXAMPLECA\\paulg

# From strace I see it opens the winbindd pipe and talks to the winbind
# process.

30477 lstat("/var/run/winbindd", {st_mode=S_IFDIR|0755, st_size=60, ...}) = 0
30477 lstat("/var/run/winbindd/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
30477 socket(AF_LOCAL, SOCK_STREAM, 0) = 3
30477 fcntl(3, F_GETFL) = 0x2 (flags O_RDWR)
30477 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
30477 fcntl(3, F_GETFD) = 0
30477 fcntl(3, F_SETFD, FD_CLOEXEC) = 0
30477 connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/winbindd/pipe"}, 110) = 0

From the log.winbindd log file, nothing is returned.

[2019/05/09 14:45:18.165098, 3, pid=14653, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_getpwnam.c:58(winbindd_getpwnam_send)
  getpwnam ONEEXAMPLECA\paulg

Any suggestions to tackle the getent domain issue?

What errors could show up if we have the same user names in the local
/etc/passwd file as in the domain?

--- Changes made ---

I removed SSSD and related packages.

1 - Since we compile Samba from source, I linked the compiled library
libnss_winbind.so.2 into /lib64; linking libnss_winbind.so didn't work.
I had to use strace to confirm that getent was looking for
libnss_winbind.so.2 and not libnss_winbind.so (CentOS 7.6).

2 - verify nsswitch.conf

grep -i winbind /etc/nsswitch.conf
passwd: files winbind
group: files winbind

3 - verify /etc/krb5.conf

# Configuration snippets may be placed in this directory as well
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = AD.ONE.EXAMPLE.CA
 dns_lookup_realm = false
 dns_lookup_kdc = true
 forwardable = true
 proxiable = true
 ignore_k5login = true
 ticket_lifetime = 24h
 renew_lifetime = 7d

4 - Using the command 'samba-tool user edit paulg' I added the UNIX
ID/GID to uidNumber and gidNumber in AD.

5 - Updated file server conf as per previous e-mails and links above

[global]
 security = ADS
 workgroup = ONEEXAMPLECA
 realm = AD.ONE.EXAMPLE.CA
 hostname lookups = yes
 preferred master = no
 domain master = no

 # Default ID mapping configuration for local BUILTIN accounts
 # and groups on a domain member. The default (*) domain:
 # - must not overlap with any domain ID mapping configuration!
 # - must use a read-write-enabled back end, such as tdb.
 idmap config * : backend = tdb
 idmap config * : range = 1000000-1999999

 # idmap config for the ONEEXAMPLECA domain
 # range should match UNIX ID in AD
 idmap config ONEEXAMPLECA : backend = ad
 idmap config ONEEXAMPLECA : schema_mode = rfc2307
 idmap config ONEEXAMPLECA : range = 1000-999999
 idmap config ONEEXAMPLECA : unix_nss_info = yes

 # Renew the kerberos tickets
 winbind refresh tickets = yes

 # Enable offline logins
 winbind offline logon = yes

 # User uid/gid from AD (rfc2307)
 winbind nss info = rfc2307

 # With default domain, wbinfo -u, yes = username, no is SAMBADOM\username
 winbind use default domain = yes

 # Keep no in production, set yes when debugging, this slows down your samba.
 winbind enum users = no
 winbind enum groups = no

 # disable usershare creation; when set empty there are no error log messages.
 usershare path =

 # For Windows ACL support on member file server, enabled globally, OBLIGATED
 # For a mixed setup of rights, put this per share!
 vfs objects = acl_xattr
 map acl inherit = yes
 store dos attributes = yes

 # Template settings for login shell and home directory
 template shell = /bin/bash
 template homedir = /eecs/home/%U

Thank you,
Paul
Rowland Penny
2019-May-09 19:48 UTC
[Samba] NT_STATUS_ACCESS_DENIED on a directory I have permission to access
On Thu, 9 May 2019 15:17:07 -0400
Paul Griffith <paulg at eecs.yorku.ca> wrote:

> Hello Rowland,
>
> I went back and re-read the following links and with the changes
> listed below I resolved most of my problems.
>
> But I still can't figure out why getent doesn't return anything for
> the domain. If I use /etc/passwd it works as expected.
>
> - getent domain fails
> getent passwd ONEEXAMPLECA\\paulg

It should work:

rowland at devstation:~$ getent passwd SAMDOM\\rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
rowland at devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

> From the log.winbindd log file, nothing is returned.
>
> [2019/05/09 14:45:18.165098, 3, pid=14653, effective(0, 0), real(0,
> 0)] ../source3/winbindd/winbindd_getpwnam.c:58(winbindd_getpwnam_send)
> getpwnam ONEEXAMPLECA\paulg
>
> Any suggestions to tackle the getent domain issue?
>
> What errors could show up if we have the same user names in the local
> /etc/passwd file as in the domain?

You cannot have a user called 'paulg' in /etc/passwd and in AD; if you
do, then the user in /etc/passwd will be used and the user in AD will
be ignored.

>
> --- Changes made ---
>
> I removed SSSD and related packages.
>
> 1 - Since we compile Samba from source, I linked the compiled library
> libnss_winbind.so.2 into /lib64; linking libnss_winbind.so didn't
> work. I had to use strace to confirm that getent was looking for
> libnss_winbind.so.2 and not libnss_winbind.so (CentOS 7.6).
>
> 2 - verify nsswitch.conf
> grep -i winbind /etc/nsswitch.conf
> passwd: files winbind
> group: files winbind
>
> 3 - verify /etc/krb5.conf
>
> # Configuration snippets may be placed in this directory as well
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = AD.ONE.EXAMPLE.CA
>  dns_lookup_realm = false
>  dns_lookup_kdc = true
>  forwardable = true
>  proxiable = true
>  ignore_k5login = true
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>
> 4 - Using the command 'samba-tool user edit paulg' I added the UNIX
> ID/GID to uidNumber and gidNumber in AD.
>
> 5 - Updated file server conf as per previous e-mails and links above
>
> [global]
>  security = ADS
>  workgroup = ONEEXAMPLECA
>  realm = AD.ONE.EXAMPLE.CA
>  hostname lookups = yes

This has nothing to do with your problem, but you really shouldn't have
the line above; you should rely on DNS.

>  preferred master = no
>  domain master = no
>
>
>  # Default ID mapping configuration for local BUILTIN accounts
>  # and groups on a domain member. The default (*) domain:
>  # - must not overlap with any domain ID mapping configuration!
>  # - must use a read-write-enabled back end, such as tdb.
>  idmap config * : backend = tdb
>  idmap config * : range = 1000000-1999999
>
>  # idmap config for the ONEEXAMPLECA domain
>  # range should match UNIX ID in AD
>  idmap config ONEEXAMPLECA : backend = ad
>  idmap config ONEEXAMPLECA : schema_mode = rfc2307
>  idmap config ONEEXAMPLECA : range = 1000-999999
>  idmap config ONEEXAMPLECA : unix_nss_info = yes
>
>  # Renew the kerberos tickets
>  winbind refresh tickets = yes
>
>  # Enable offline logins
>  winbind offline logon = yes
>
>  # User uid/gid from AD (rfc2307)
>  winbind nss info = rfc2307

The line above has been replaced by the 'idmap config' line

Rowland
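Rowland's last point, that a local 'paulg' in /etc/passwd silently wins over the AD 'paulg' under `passwd: files winbind`, is easy to audit before touching winbind. The script below is an added example, not code from the thread or from Samba: it lists account names that exist both locally and in AD (the AD entry is never consulted for those) and AD users whose uidNumber is already held by a different local account (file ownership then resolves to the wrong identity). The /etc/passwd and AD user list it uses are constructed here; on a member server feed it the real /etc/passwd and a `name:uidNumber` export of the AD users (for example from `wbinfo -u` plus `wbinfo -i USER`, or an LDAP query for uidNumber).

```shell
#!/bin/sh
# Added example (not from the thread): audit /etc/passwd against the AD users
# for the two collisions that "passwd: files winbind" turns into silent
# misbehaviour.  glibc asks the "files" backend first, so a local account
# with an AD user's name answers every lookup for that name.  Inputs are
# constructed; substitute the host's /etc/passwd and a real AD export.

TMPD=$(mktemp -d)
LOCAL_PASSWD="$TMPD/passwd"
AD_USERS="$TMPD/ad_users"

# Constructed /etc/passwd: a leftover local 'paulg' and an unrelated 'backup'.
cat >"$LOCAL_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
paulg:x:2381:1000:Paul (local copy):/home/paulg:/bin/bash
backup:x:4000:4000:backup:/var/backups:/sbin/nologin
EOF

# Constructed "name:uidNumber" list for the AD users (rfc2307 attributes).
cat >"$AD_USERS" <<'EOF'
paulg:2381
alice:2382
bob:4000
EOF

# shadowed_names PASSWD AD_LIST -> names present in both files.  For these
# the AD entry is ignored, exactly the case Rowland describes above.
shadowed_names() {
  cut -d: -f1 "$1" | sort >"$TMPD/local.names"
  cut -d: -f1 "$2" | sort >"$TMPD/ad.names"
  comm -12 "$TMPD/local.names" "$TMPD/ad.names"
}

# uid_collisions PASSWD AD_LIST -> AD users whose uidNumber is already owned
# by a *different* local account.  (Same name and same uid is the shadowing
# case above, not a uid collision, so it is excluded here.)
uid_collisions() {
  awk -F: '
    NR == FNR { local[$3] = $1; next }
    ($2 in local) && local[$2] != $1 { print $1 " uid " $2 " is local user " local[$2] }
  ' "$1" "$2"
}

echo "shadowed by /etc/passwd: $(shadowed_names "$LOCAL_PASSWD" "$AD_USERS")"
echo "uid collisions:          $(uid_collisions "$LOCAL_PASSWD" "$AD_USERS")"
```

Anything `shadowed_names` reports should be removed from /etc/passwd (or renamed) before expecting `getent passwd DOMAIN\\user` to come from winbind; anything `uid_collisions` reports means two identities share file ownership on disk and needs a uidNumber change on one side.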