thr3ads.net - samba - [Samba] Samba4 Permission Problem [Nov 2019]

If this information is useful, please help other people find it:
Share via:

André Luiz

2019-Nov-26 11:01 UTC

[Samba] Samba4 Permission Problem

Hello everyone,


I am having the following problem with my samba:


I did the installation and compilation from source and samba is working
correctly integrated with my AD. However the following situation happens:
when I am logged on to the workstation with a user from the domain
administrators group I can create files and folders on the share. When I am
logged in with a user who does not belong to the admin group, I cannot
create anything within the share because it gives a permission denied error
even though this user (non admin) is allowed to modify in the folder.


Samba Version: 4.11.2

OS: CentOS 7.7 - 1908

Storage File System: ext4


Workstation: Windows 10 Pro 1903

OS Compilation: 18362.175


Active Directory: Windows 2016 STD


smb.conf file


[global]

        server role = MEMBER SERVER

        security = ADS

        realm = DOMAIN.LOCAL

        workgroup = DOMAIN

        dedicated key tab file = /etc/krb5.keytab

        kerberos method = secrets and key tab

        server string = Linux File Server

        log file = /var/log/samba/%m.log

        log level = 3 auth_audit: 3 auth_json_audit: 3

        idmap config *: backend = tdb

        idmap config *: range = 10000-20000

        idmap config DOMAIN: backend = rid

        idmap config DOMAIN: range = 30000 - 40000

        winbind refresh tickets = yes

        winbind offline logon = yes

        winbind enum users = yes

        winbind enum groups = yes

        winbind nested groups = yes

        winbind expand groups = 2

        winbind use default domain = yes

        os level = 20

        domain master = no

        master location = no

        preferred master = no

        map to guest = bad user

        host msdfs = no

        netbios name = linux-fs

        client min protocol = SMB2

        client max protocol = SMB3

        hosts allow = 192.168.

        unix extensions = no

        reset on zero you = yes

        veto files 
        hide unreadable = yes

        acl group control = yes

        acl map full control = true

        ea support = yes

        dos filetimes = yes

        restrict anonymous = 2

        guest ok = no

        vfs objects = acl_xattr

        map acl inherit = Yes

        attributes store = Yes

        inherit acls = true

        dos filemode = true

        force unknown acl user = true

        unix extensions = no

        wide links = yes


[data]

        path = / fileserver / data

        read only = no

        admin users = "@DOMAIN \ domain admins"

        valid users = "@DOMAIN \ domain admins", "@ DOMAIN \
domain users"

        write list = "@DOMAIN \ domain admins", "@ DOMAIN \
domain users"

        create mask - 0770

        browseable = yes

        writeable = yes


Logs found in file with workstation IP:



[2019/11/26 07:45:20.837967,  3] ../../source3/smbd/dir.c:662(dptr_create)

  creating new dirptr 0 for path ., expect_close = 0

[2019/11/26 07:45:20.838294,  3]
../../source3/smbd/dir.c:1227(smbd_dirptr_get_entry)

  smbd_dirptr_get_entry mask=[*] found . fname=. (.)

[2019/11/26 07:45:20.838449,  3]
../../source3/smbd/dir.c:1227(smbd_dirptr_get_entry)

  smbd_dirptr_get_entry mask=[*] found .. fname=.. (..)

[2019/11/26 07:45:20.838998,  3]
../../source3/smbd/dir.c:1227(smbd_dirptr_get_entry)

  smbd_dirptr_get_entry mask=[*] found my_windows_user
fname=my_windows_user (my_windows_user)

[2019/11/26 07:45:20.839621,  3]
../../source3/smbd/dir.c:1227(smbd_dirptr_get_entry)

  smbd_dirptr_get_entry mask=[*] found .recycle fname=.recycle (.recycle)

[2019/11/26 07:45:20.839819,  3]
../../source3/smbd/smb2_server.c:3256(smbd_smb2_request_error_ex)

  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5]
status[STATUS_NO_MORE_FILES] || at
../../source3/smbd/smb2_query_directory.c:159

[2019/11/26 07:45:20.840626,  3]
../../source3/smbd/trans2.c:3526(smbd_do_qfsinfo)

  smbd_do_qfsinfo: level = 1001

[2019/11/26 07:45:20.840774,  3]
../../source3/smbd/trans2.c:3526(smbd_do_qfsinfo)

  smbd_do_qfsinfo: level = 1005

[2019/11/26 07:45:20.844005,  3]
../../source3/smbd/smb2_server.c:3256(smbd_smb2_request_error_ex)

  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_OBJECT_NAME_NOT_FOUND] || at
../../source3/smbd/smb2_create.c:296

[2019/11/26 07:45:20.845695,  3]
../../source3/smbd/smb2_server.c:3256(smbd_smb2_request_error_ex)

  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:296

[2019/11/26 07:45:20.847389,  3]
../../source3/smbd/smb2_server.c:3256(smbd_smb2_request_error_ex)

  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:296

[2019/11/26 07:45:20.849103,  3]
../../source3/smbd/smb2_server.c:3256(smbd_smb2_request_error_ex)

  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:296

[2019/11/26 07:45:20.850856,  3]
../../source3/smbd/smb2_server.c:3256(smbd_smb2_request_error_ex)

  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:296

[2019/11/26 07:45:20.853251,  3]
../../source3/smbd/smb2_server.c:3256(smbd_smb2_request_error_ex)

  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_OBJECT_NAME_NOT_FOUND] || at
../../source3/smbd/smb2_create.c:296

[2019/11/26 07:45:20.856722,  3]
../../source3/smbd/nttrans.c:2047(smbd_do_query_security_desc)

  smbd_do_query_security_desc: sd_size = 48.

[2019/11/26 07:45:20.859302,  3] ../../lib/util/access.c:371(allow_access)

  Allowed connection from 192.168.2.218 (192.168.2.218)

[2019/11/26 07:45:20.859446,  3]
../../source3/smbd/service.c:605(make_connection_snum)

  make_connection_snum: Connect path is '/tmp' for service [IPC$]

[2019/11/26 07:45:20.859520,  3]
../../source3/smbd/vfs.c:114(vfs_init_default)

  Initialising default vfs hooks

[2019/11/26 07:45:20.859548,  3]
../../source3/smbd/vfs.c:140(vfs_init_custom)

  Initialising custom vfs hooks from [/[Default VFS]/]

[2019/11/26 07:45:20.859579,  3]
../../source3/smbd/vfs.c:140(vfs_init_custom)

  Initialising custom vfs hooks from [acl_xattr]

[2019/11/26 07:45:20.859639,  2]
../../source3/modules/vfs_acl_xattr.c:233(connect_acl_xattr)

  connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true'
and 'force unknown acl user = true' for service IPC$

[2019/11/26 07:45:20.859928,  3]
../../source3/smbd/service.c:851(make_connection_snum)

  192.168.2.218 (ipv4:192.168.2.218:54324) connect to service IPC$
initially as user DOMAIN\my_windows_user (uid=35306, gid=30513) (pid 3108)

[2019/11/26 07:45:20.863989,  3]
../../source3/smbd/smb2_server.c:3256(smbd_smb2_request_error_ex)

  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_NOT_SUPPORTED] || at ../../source3/smbd/smb2_getinfo.c:159

[2019/11/26 07:45:20.865503,  3]
../../source3/rpc_server/srv_pipe.c:751(api_pipe_bind_req)

  api_pipe_bind_req: lsarpc -> lsarpc rpc service

[2019/11/26 07:45:20.865597,  3]
../../source3/rpc_server/srv_pipe.c:356(check_bind_req)

  check_bind_req for lsarpc context_id=0

[2019/11/26 07:45:20.865652,  3]
../../source3/rpc_server/srv_pipe.c:399(check_bind_req)

  check_bind_req: lsarpc -> lsarpc rpc service

[2019/11/26 07:45:20.866731,  3]
../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)

  api_rpcTNP: rpc command: LSA_OPENPOLICY2

[2019/11/26 07:45:20.867673,  3]
../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)

  api_rpcTNP: rpc command: LSA_LOOKUPSIDS2

[2019/11/26 07:45:20.869386,  3]
../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)

  api_rpcTNP: rpc command: LSA_CLOSE


Thanks


Andre

Rowland penny

2019-Nov-26 11:49 UTC

head link

[Samba] Samba4 Permission Problem

On 26/11/2019 11:01, Andr? Luiz via samba wrote:> Hello everyone,
>
>
> I am having the following problem with my samba:
>
>
> I did the installation and compilation from source and samba is working
> correctly integrated with my AD. However the following situation happens:
> when I am logged on to the workstation with a user from the domain
> administrators group I can create files and folders on the share. When I am
> logged in with a user who does not belong to the admin group, I cannot
> create anything within the share because it gives a permission denied error
> even though this user (non admin) is allowed to modify in the folder.
>
>
> Samba Version: 4.11.2
>
> OS: CentOS 7.7 - 1908
>
> Storage File System: ext4
>
>
> Workstation: Windows 10 Pro 1903
>
> OS Compilation: 18362.175
>
>
> Active Directory: Windows 2016 STD
>
>
> smb.conf file
>
>You have a couple of problem lines:

reset on zero you = yes
attributes store = Yes

Do you mean:

reset on zero vc = yes
store dos attributes = Yes

If so, I would remove them.

You also have in [global]

map to guest = bad user
guest ok = no

Not much point in having them, the first maps any unknown users to guest 
and then the second (which is a default setting) denies guest access, I 
would remove both.

Why do you want 'wide links' ?

I would remove these lines:

unix extensions = no
unix extensions = no
wide links = yes

Finally, we come to your share:

I would make it look like this:

[data]
 ??????? path = /fileserver/data
 ??????? read only = no

And then read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland

Seemingly Similar Threads

Search for more seemingly similar threads

samba - Nov 2019 - Samba4 Permission Problem

[Samba] Samba4 Permission Problem

[Samba] Samba4 Permission Problem

Seemingly Similar Threads