Can not change the share permissions

Samba - General mailing list
Hello all;
In my network I have a server with samba4 as AD DC and two domain members as file servers with samba4. One of them works properly, but the other does not.
My samba4 AD DC version is compiled from sources:

[root@gtmad ~]# samba -V
Version 4.5.5

The samba4 domain members (file servers) are installed from the .rpm packages of CentOS7.

[root@gtmpve /]# uname --all
Linux gtmpve.gtm.onat.gob.cu 3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3 00:04:05 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

[root@gtmpve /]# smbd -V
Version 4.4.4

[root@gtmpve /]# nmbd -V
Version 4.4.4

[root@gtmpve /]# winbindd -V
Version 4.4.4

The problem is that I cannot share a directory using Windows or POSIX ACLs.
Trying with Windows ACLs: I use the Windows 7 RSAT. I use Computer Management and the Shared Folders option. There I change the folder permissions using the Share Permissions tab with no problem, but when I try with the Security tab it never lets me, because of "no access, permission denied". From the network, I can see the share, but cannot access it or its content.

Locally (on the CentOS7 PC with samba4) I can change the owner and permissions of the directory:

chmod -R 770 /samba/bibliografia/
chown -R 'ATGTM00\Administrator':'ATGTM00\Domain Admins' /samba/bibliografia/

I test and I guess it is OK:

[root@gtmpve /]# getfacl --access /samba/bibliografia
getfacl: Eliminando '/' inicial en nombres de ruta absolutos
# file: samba/bibliografia
# owner: ATGTM00\134administrator
# group: ATGTM00\134domain\040admins
user::rwx
group::rwx
other::---

I check if everything is in place for winbind and if it is working fine:

[root@gtmpve /]# smbd -b | grep LIBDIR
LIBDIR: /usr/lib64

[root@gtmpve /]# find / -type f -name pam_winbind.so
/usr/lib64/security/pam_winbind.so

[root@gtmpve /]# ln -s /usr/lib64/security/pam_winbind.so /lib64/security/
ln: fallo al crear el enlace simbólico «/lib64/security/pam_winbind.so»: El fichero ya existe (File already exists)

[root@gtmpve /]# ln -s /usr/lib64/libnss_winbind.so.2 /lib64/
ln: fallo al crear el enlace simbólico «/lib64/libnss_winbind.so.2»: El fichero ya existe

[root@gtmpve /]# ln -s /lib64/libnss_winbind.so.2 /lib64/libnss_winbind.so
ln: fallo al crear el enlace simbólico «/lib64/libnss_winbind.so»: El fichero ya existe


[root@gtmpve lib64]# ldconfig --print-cache
339 bibliotecas se encontraron en la caché `/etc/ld.so.cache'
libnss_winbind.so.2 (libc6,x86-64) => /lib64/libnss_winbind.so.2
libnss_winbind.so (libc6,x86-64) => /lib64/libnss_winbind.so

[root@gtmpve /]# wbinfo --ping-dc
checking the NETLOGON for domain[ATGTM00] dc connection to "gtmad.gtm.onat.gob.cu" succeeded

[root@gtmpve /]# wbinfo -u (Not the complete list, to shorten the email)
ATGTM00\rommel
ATGTM00\administrator

[root@gtmpve /]# wbinfo -g
ATGTM00\informatica
ATGTM00\domain controllers
ATGTM00\economia
ATGTM00\domain admins
ATGTM00\domain users

I made a lot of tests and checks. Here are the results:

[root@gtmpve /]# net ads info
LDAP server: 192.168.41.17
LDAP server name: gtmad.gtm.onat.gob.cu
Realm: GTM.ONAT.GOB.CU
Bind Path: dc=GTM,dc=ONAT,dc=GOB,dc=CU
LDAP port: 389
Server time: vie, 31 mar 2017 11:04:12 CDT
KDC server: 192.168.41.17
Server time offset: 0
Last machine account password change: lun, 27 mar 2017 17:09:04 CDT

[root@gtmpve /]# getent passwd (Not the complete list, to shorten the email)
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin
ATGTM00\rommel:*:21144:20513:Rommel Rodriguez Toirac:/home/rommel:/bin/bash
ATGTM00\administrator:*:20500:20513::/home/administrator:/bin/bash

[root@gtmpve /]# getent group
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
nfsnobody:x:65534:
ntp:x:38:
wbpriv:x:88:
saslauth:x:76:
ATGTM00\informatica:x:21142:
ATGTM00\economia:x:21162:
ATGTM00\domain admins:x:20512:
ATGTM00\domain users:x:20513:


[root@gtmpve /]# getent passwd 'ATGTM00\administrator'
ATGTM00\administrator:*:20500:20513::/home/administrator:/bin/bash

[root@gtmpve /]# getent passwd 'ATGTM00\rommel'
ATGTM00\rommel:*:21144:20513:Rommel Rodriguez Toirac:/home/rommel:/bin/bash

[root@gtmpve /]# id 'ATGTM00\rommel'
uid=21144(ATGTM00\rommel) gid=20513(ATGTM00\domain users) grupos=20513(ATGTM00\domain users),21144(ATGTM00\rommel),21142(ATGTM00\informatica),90000002(BUILTIN\users)

[root@gtmpve /]# id 'ATGTM00\Administrator'
uid=20500(ATGTM00\administrator) gid=20513(ATGTM00\domain users) grupos=20513(ATGTM00\domain users),20500(ATGTM00\administrator),20520(ATGTM00\group policy creator owners),20572(ATGTM00\denied rodc password replication group),20519(ATGTM00\enterprise admins),20518(ATGTM00\schema admins),20512(ATGTM00\domain admins),90000002(BUILTIN\users),90000001(BUILTIN\administrators)

Here is where I see a problem: "Could not connect to server 127.0.0.1". I suppose that must be 192.168.41.17, which is the IP address of the samba4 AD DC.

[root@gtmpve ~]# net rpc rights list privileges SeDiskOperatorPrivilege -U 'ATGM00\administrator'
Enter ATGM00\administrator's password:
Bad SMB2 signature for message
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0000] 85 28 83 F4 26 78 EB 45 1C DE 05 C1 EE E1 C3 84 .(..&x.E ........
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_ACCESS_DENIED

[root@gtmpve ~]# net rpc rights grant "ATGTM00\Domain Admins" SeDiskOperatorPrivilege -U "ATGM00\administrator"
Enter ATGM00\administrator's password:
Bad SMB2 signature for message
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0000] 2C 58 E4 F2 35 60 CC 3B A7 D6 D5 60 C4 C7 BF 27 ,X..5`.; ...`...'
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_ACCESS_DENIED


Some of my configurations:

[root@gtmpve /]# cat /etc/nsswitch.conf (Just the part that includes winbind)
#
passwd: files winbind
group: files winbind


The samba4 configuration:

[root@gtmpve samba]# cat /etc/samba/smb.conf
[global]
netbios name = gtmpve
security = ADS
workgroup = ATGTM00
realm = GTM.ONAT.GOB.CU

log file = /var/log/samba/%m.log
log level = 10

idmap config *:backend = tdb
idmap config *:range = 2000-9999

idmap config ATGTM00:backend = rid
idmap config ATGTM00:range = 10000-99999

winbind nss info = template
winbind enum groups = yes
winbind enum users = yes

template shell = /bin/bash
template homedir = /home/%U

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
create mask = 0666
directory mask = 0777
dos filemode = yes
acl allow execute always = yes

guest account = nobody
map to guest = Bad User

server string = Servidor de archivos #2
server role = member server
local master = no
domain master = no
preferred master = no

load printers = no
printcap name = /dev/null
disable spoolss = yes

[bibliografia]
path = /samba/bibliografia/
read only = no
printable = no
writeable = yes
browseable = yes

Kerberos configuration:

[root@gtmpve samba]# cat /etc/krb5.conf
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = GTM.ONAT.GOB.CU

Other configurations:

[root@gtmpve samba]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.41.16 gtmpve.gtm.onat.gob.cu gtmpve

[root@gtmpve samba]# cat /etc/hostname
gtmpve.gtm.onat.gob.cu

[root@gtmpve samba]# cat /etc/resolv.conf
# Generated by NetworkManager
search gtm.onat.gob.cu
nameserver 192.168.41.17
nameserver 192.168.41.12

Any idea of what could be happening to me, that I cannot change the permissions of shares on the samba4 domain member which will be a file server?

Rommel Rodriguez Toirac
[hidden email]
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Can not change the share permissions

Hi Rommel,

On 06.04.2017 at 15:47, Rommel Rodriguez Toirac via samba wrote:
> The problem is that I cannot share a directory using Windows
> or POSIX ACLs. Trying with Windows ACLs: I use the Windows 7
> RSAT. I use Computer Management and the Shared Folders
> option. There I change the folder permissions using the
> Share Permissions tab with no problem, but when I
> try with the Security tab it never lets me, because of
> "no access, permission denied". From the network, I can
> see the share, but cannot access it or its content.

Can you please verify that your setup matches everything described in
our guides:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs



> Here is where I see a problem: "Could not connect to server 127.0.0.1".
> I suppose that must be 192.168.41.17, which is the IP address
> of the samba4 AD DC.

Privileges are stored on each host locally. Therefore you set it on your
file server and not on the DC.



> [root@gtmpve ~]# net rpc rights list privileges SeDiskOperatorPrivilege -U 'ATGM00\administrator'
> Enter ATGM00\administrator's password:
> Bad SMB2 signature for message
> [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
> [0000] 85 28 83 F4 26 78 EB 45 1C DE 05 C1 EE E1 C3 84 .(..&x.E ........
> Could not connect to server 127.0.0.1
> Connection failed: NT_STATUS_ACCESS_DENIED

Have a look at this thread:
https://lists.samba.org/archive/samba/2015-September/194284.html
There was a solution for the "Bad SMB2 signature for message" error at
the end of the thread.



Regards,
Marc


Re: Can not change the share permissions

On 6 April 2017 12:37:35 GMT-04:00, Marc Muehlfeld via samba <[hidden email]> wrote:

> Hi Rommel,
>
> On 06.04.2017 at 15:47, Rommel Rodriguez Toirac via samba wrote:
>> The problem is that I cannot share a directory using Windows
>> or POSIX ACLs. Trying with Windows ACLs: I use the Windows 7
>> RSAT. I use Computer Management and the Shared Folders
>> option. There I change the folder permissions using the
>> Share Permissions tab with no problem, but when I
>> try with the Security tab it never lets me, because of
>> "no access, permission denied". From the network, I can
>> see the share, but cannot access it or its content.
>
> Can you please verify that your setup matches everything described in
> our guides:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
>> Here is where I see a problem: "Could not connect to server 127.0.0.1".
>> I suppose that must be 192.168.41.17, which is the IP address
>> of the samba4 AD DC.
>
> Privileges are stored on each host locally. Therefore you set it on
> your file server and not on the DC.
>
>> [root@gtmpve ~]# net rpc rights list privileges SeDiskOperatorPrivilege -U 'ATGM00\administrator'
>> Enter ATGM00\administrator's password:
>> Bad SMB2 signature for message
>> [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
>> [0000] 85 28 83 F4 26 78 EB 45 1C DE 05 C1 EE E1 C3 84 .(..&x.E ........
>> Could not connect to server 127.0.0.1
>> Connection failed: NT_STATUS_ACCESS_DENIED
>
> Have a look at this thread:
> https://lists.samba.org/archive/samba/2015-September/194284.html
> There was a solution for the "Bad SMB2 signature for message" error at
> the end of the thread.
>
> Regards,
> Marc

I followed your guides to configure the domain member server and the file server.
In this message I sent the results of some checks that you propose in this guide plus others that I read in some messages of the list.

Referring to the smb2 error, I used the solution proposed, "server signing" with all options (default, mandatory, disabled and auto), and always the same answer.

Rommel Rodriguez Toirac
[hidden email]


Re: Can not change the share permissions

On Thu, 06 Apr 2017 15:19:04 -0400
Rommel Rodriguez Toirac via samba <[hidden email]> wrote:

>
> I followed your guides to configure the domain member server and the
> file server. In this message I sent the results of some checks that
> you propose in this guide plus others that I read in some messages of
> the list.
>
> Referring to the smb2 error, I used the solution proposed, "server
> signing" with all options (default, mandatory, disabled and auto), and
> always the same answer.
>
> Rommel Rodriguez Toirac
> [hidden email]
>

OK, if I do this:
sudo net rpc rights list privileges
[sudo] password for rowland:
Enter root's password:

I get this:

Bad SMB2 signature for message
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0000] E7 45 31 59 C0 1A 77 A8   F1 FB 5B 74 9F F6 8D 79   .E1Y..w. ..[t...y
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_ACCESS_DENIED

So that doesn't work

This didn't either:

net rpc rights list privileges -UAdministrator
Failed to init messaging context

But this does:

sudo net rpc rights list privileges -UAdministrator
Enter Administrator's password:
     SeMachineAccountPrivilege  Add machines to domain
      SeTakeOwnershipPrivilege  Take ownership of files or other objects
             SeBackupPrivilege  Back up files and directories
            SeRestorePrivilege  Restore files and directories
     SeRemoteShutdownPrivilege  Force shutdown from a remote system
      SePrintOperatorPrivilege  Manage printers
           SeAddUsersPrivilege  Add users and groups to the domain
       SeDiskOperatorPrivilege  Manage disk shares
           SeSecurityPrivilege  System security

These were all run on a Unix domain member, so it sounds like your
problems are down to a permissions problem.

Rowland


Re: Can not change the share permissions

On 6 April 2017 15:43:11 GMT-04:00, Rowland Penny via samba <[hidden email]> wrote:

> On Thu, 06 Apr 2017 15:19:04 -0400
> Rommel Rodriguez Toirac via samba <[hidden email]> wrote:
>
>> I followed your guides to configure the domain member server and the
>> file server. In this message I sent the results of some checks that
>> you propose in this guide plus others that I read in some messages of
>> the list.
>>
>> Referring to the smb2 error, I used the solution proposed, "server
>> signing" with all options (default, mandatory, disabled and auto), and
>> always the same answer.
>>
>> Rommel Rodriguez Toirac
>> [hidden email]
>
> OK, if I do this:
> sudo net rpc rights list privileges
> [sudo] password for rowland:
> Enter root's password:
>
> I get this:
>
> Bad SMB2 signature for message
> [0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
> [0000] E7 45 31 59 C0 1A 77 A8   F1 FB 5B 74 9F F6 8D 79   .E1Y..w. ..[t...y
> Could not connect to server 127.0.0.1
> Connection failed: NT_STATUS_ACCESS_DENIED
>
> So that doesn't work
>
> This didn't either:
>
> net rpc rights list privileges -UAdministrator
> Failed to init messaging context
>
> But this does:
>
> sudo net rpc rights list privileges -UAdministrator
> Enter Administrator's password:
>      SeMachineAccountPrivilege  Add machines to domain
>       SeTakeOwnershipPrivilege  Take ownership of files or other objects
>              SeBackupPrivilege  Back up files and directories
>             SeRestorePrivilege  Restore files and directories
>      SeRemoteShutdownPrivilege  Force shutdown from a remote system
>       SePrintOperatorPrivilege  Manage printers
>            SeAddUsersPrivilege  Add users and groups to the domain
>        SeDiskOperatorPrivilege  Manage disk shares
>            SeSecurityPrivilege  System security
>
> These were all run on a Unix domain member, so it sounds like your
> problems are down to a permissions problem.
>
> Rowland

Thank you Rowland for answering my email;

You're right, my mistake:

[root@gtmpve ~]# net rpc rights list privileges -UAdministrator
Enter Administrator's password:
     SeMachineAccountPrivilege  Add machines to domain
      SeTakeOwnershipPrivilege  Take ownership of files or other objects
             SeBackupPrivilege  Back up files and directories
            SeRestorePrivilege  Restore files and directories
     SeRemoteShutdownPrivilege  Force shutdown from a remote system
      SePrintOperatorPrivilege  Manage printers
           SeAddUsersPrivilege  Add users and groups to the domain
       SeDiskOperatorPrivilege  Manage disk shares
           SeSecurityPrivilege  System security

But the problem is still there.

I cannot set Security permissions (using the Security tab) on shared folders or directories using Windows ACLs because it says Access denied; but in the Share Permissions tab I can change, add or otherwise modify permissions, groups or users.


Rommel Rodriguez Toirac
[hidden email]

Re: Can not change the share permissions

Hello all;
I still have problems with shares on a domain member used as a file server (I want to use it like that).
I checked some tests from the Samba wiki that you suggested and all have passed well. I tried to make a new share using POSIX ACLs and still no access.
To make the share and apply the permissions and owners:

 [root@gtmpve lib]# mkdir -p /compartido/prueba/
 [root@gtmpve lib]# chmod 2770 /compartido/prueba/
 [root@gtmpve lib]# chown root:"ATGTM00\domain admins" /compartido/prueba/      

My smb.conf looks like this:

 [root@gtmpve lib]# cat /etc/samba/smb.conf    
 [global]
       netbios name = gtmpve
       security = ADS
       workgroup = ATGTM00
       realm = GTM.ONAT.GOB.CU

       log file = /var/log/samba/%m.log
       log level = 10

       idmap config *:backend = tdb
       idmap config *:range = 3000-7999

       idmap config ATGTM00:backend = rid
       idmap config ATGTM00:range = 10000-999999

       winbind nss info = template
       winbind enum groups = yes
       winbind enum users = yes
       
       template shell = /bin/bash
       template homedir = /home/%U

       vfs objects = acl_xattr
       map acl inherit = yes
       store dos attributes = yes
       create mask = 0666
       directory mask = 0777
       dos filemode = yes
       acl allow execute always = yes
       
       guest account = nobody
       map to guest = Bad User
       
       server string = Servidor de archivos #2
       server role = member server
       local master = no
       domain master = no
       preferred master = no
   
       load printers = no
       printcap name = /dev/null
       disable spoolss = yes

 [prueba]
       path = /compartido/prueba/
       read only = no
       valid users = +ATGTM00\"Domain Users"

The /etc/krb5.conf is like this:

 [libdefaults]
  dns_lookup_realm = false
  dns_lookup_kdc = true
  default_realm = GTM.ONAT.GOB.CU

These are some of the tests and results:

 [root@gtmpve lib]# getent passwd 'ATGTM00\rommel'
 ATGTM00\rommel:*:11144:10513:Rommel Rodriguez Toirac:/home/rommel:/bin/bash
 
 [root@gtmpve lib]# wbinfo --ping-dc
 checking the NETLOGON for domain[ATGTM00] dc connection to "gtmad.gtm.onat.gob.cu" succeeded

 [root@gtmpve lib]# getent hosts gtmpve
 192.168.41.16   gtmpve.gtm.onat.gob.cu gtmpve

Rommel Rodriguez Toirac
[hidden email]
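As an added example (not code from the thread's posters or from the Samba project), here is a small Python lint for the kind of smb.conf posted in this thread: it parses the idmap ranges and reports a missing or overlapping range (the wiki guide requires the `*` range and each domain range to be disjoint), and checks for the global settings the Windows ACL share guide Marc linked calls for (`vfs objects = acl_xattr`, `map acl inherit = yes`, `store dos attributes = yes`). The sample config is constructed from the values posted above; the function names are my own.

```python
# Added example for this thread, not the posters' or the Samba project's code.
import configparser

# Constructed sample modelled on the smb.conf posted in the thread.
SAMPLE_SMB_CONF = """
[global]
   workgroup = ATGTM00
   idmap config *:backend = tdb
   idmap config *:range = 3000-7999
   idmap config ATGTM00:backend = rid
   idmap config ATGTM00:range = 10000-999999
   template homedir = /home/%U
   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes
[prueba]
   path = /compartido/prueba/
"""

def parse_smb_conf(text):
    # smb.conf keys carry ':' and values carry '%U': no ':' delimiter, no interpolation.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False, empty_lines_in_values=False)
    cp.read_string(text)
    return cp

def idmap_ranges(cp):
    """Map each 'idmap config DOM:range' key to a (low, high) tuple."""
    ranges = {}
    for key, value in cp.items("global"):          # keys come back lower-cased
        if key.startswith("idmap config ") and key.endswith(":range"):
            domain = key[len("idmap config "):-len(":range")].strip()
            low, high = (int(x) for x in value.split("-"))
            ranges[domain.upper()] = (low, high)
    return ranges

def check_idmap(cp):
    """Flag a missing '*' or domain range and any overlap between ranges."""
    problems, ranges = [], idmap_ranges(cp)
    workgroup = cp.get("global", "workgroup", fallback="").upper()
    for name in ("*", workgroup):
        if name and name not in ranges:
            problems.append(f"no idmap range for {name}")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"idmap ranges for {a} and {b} overlap")
    return problems

def check_windows_acl_share(cp, share):
    """Settings the wiki's Windows-ACL guide requires; share overrides global."""
    wanted = {"vfs objects": "acl_xattr", "map acl inherit": "yes",
              "store dos attributes": "yes"}
    problems = []
    for key, want in wanted.items():
        have = cp.get(share, key, fallback=cp.get("global", key, fallback=""))
        if want not in have.lower().split():
            problems.append(f"[{share}] '{key}' does not include '{want}'")
    return problems
```

Run `check_idmap` and `check_windows_acl_share` against your own smb.conf text; an empty list means that check passed, and a uid from `getent passwd` should fall inside the tuple `idmap_ranges(cp)["ATGTM00"]` returns.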