Samba and AD based home shares are visible but not accessible

Samba and AD based home shares are visible but not accessible

Samba - General mailing list
I've set up a CentOS system in my predominantly windows environment. Getting it to authenticate users with ssh based on AD user groups using KRB5 and SSSD was comparatively easy, but I am not able to share files from it.

I followed the guide here to get as far as I did: https://www.centos.org/forums/viewtopic.php?t=52872

When I browse to the server using \\<serverIP> I am presented with the folder [hidden email] which corresponds to the account I am logged into the windows computer with. However, when I try to open it, I am told I do not have permission. I tried to create a non home folder, that all members of the AD group would be able to have access to, but I seem to be experiencing the same result.

Here is my smb.conf file, sanitized, but with as much information intact as I could manage. I have been at this all day battling it out with suggestions from google and previous posts in this mailing list with no success.


# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
workgroup = <simplified domain name>
realm = univ.school.edu
netbios name = hostname
password server = *
server string = Samba Server Version %v
security =ADS
log file = /var/log/samba/log.%m
max log size = 5000
load printers = No
idmap config * : backend = tdb
log level = 4
local master = no
domain master = no
preferred master = no
wins support = no
wins proxy = no
dns proxy = yes
name resolve order = wins bcast host lmhosts
#username map script = /bin/echo

#============================ Share Definitions ==============================

[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = [hidden email], @"[hidden email]"
read only = no

[share]
comment = share
path = /share
browseable = yes
writable = yes
valid users = @"[hidden email]"
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Samba and AD based home shares are visible but not accessible

Samba - General mailing list
On Tue, 20 Jun 2017 20:21:14 +0000
"Cybulski, Adam M via samba" <[hidden email]> wrote:

> I've set up a CentOS system in my predominantly windows environment.
> Getting it to authenticate users with ssh based on AD user groups
> using KRB5 and SSSD was comparatively easy, but I am not able to
> share files from it.
>
> I followed the guide here to get as far as I did:
> https://www.centos.org/forums/viewtopic.php?t=52872
>
> When I browse to the server using \\<serverIP> I
> am presented with the folder
> [hidden email] which
> corresponds to the account I am logged into the windows computer
> with. However, when I try to open it, I am told I do not have
> permission. I tried to create a non home folder, that all members of
> the AD group would be able to have access to, but I seem to be
> experiencing the same result.
>
> Here is my smb.conf file, sanitized, but with as much information
> intact as I could manage. I have been at this all day battling it out
> with suggestions from google and previous posts in this mailing list
> with no success.
>
>
> # See smb.conf.example for a more detailed config file or
> # read the smb.conf manpage.
> # Run 'testparm' to verify the config is correct after
> # you modified it.
>
> [global]
> workgroup = <simplified domain name>
> realm = univ.school.edu
> netbios name = hostname
> password server = *
> server string = Samba Server Version %v
> security =ADS
> log file = /var/log/samba/log.%m
> max log size = 5000
> load printers = No
> idmap config * : backend = tdb
> log level = 4
> local master = no
> domain master = no
> preferred master = no
> wins support = no
> wins proxy = no
> dns proxy = yes
> name resolve order = wins bcast host lmhosts
> #username map script = /bin/echo
>
> #============================ Share Definitions
> ==============================
>
> [homes]
> comment = Home Directories
> browseable = no
> writable = yes
> valid users = [hidden email], @"[hidden email]"
> read only = no
>
> [share]
> comment = share
> path = /share
> browseable = yes
> writable = yes
> valid users = @"[hidden email]"

Hi, do you want it to work, or do you want to use sssd ?

If the latter, then I suggest you contact the sssd-users mailing list,
you are not using Samba for authentication.

If you do want it to work, then Samba recommends using winbind, see
here for how to set up a Unix domain member:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland


Re: Samba and AD based home shares are visible but not accessible

Samba - General mailing list
On Tue, 11 Jul 2017 17:20:05 +0000
"Cybulski, Adam M" <[hidden email]> wrote:

> That’s a very discouraging answer. I'm really struggling to get the
> hang of this server, and doing a lot of reading and research, I'm
> using SSSD because it seemed to be the best method for allowing an AD
> group log in privileges on the machine, it's recommended by Red Hat,
> and it's what came packaged with my distro.

Yes, Red Hat promote sssd, because it is their package. I don't
actually think it is the best method for authentication on a Samba
machine. Are you also aware that sssd uses a version of a winbind lib ?
So why not go the whole way and use winbind, this will get you a fully
supported by Samba set up.


> It took me three weeks
> to make it work for authenticating users, and now I'm being told it
> won't work if I also want to share a folder? These things should not
> be this difficult to integrate.

You should have asked here earlier, I can guarantee that you would have
had a working system (with winbind) well inside your three weeks.

>
> Someone else has pointed out to me that the issue most likely lies in
> configuring ACL's, as I can connect to the system and see the shares,
> but do not have permissions to open them. I've added the needed lines
> to my SMB.conf, mapped an admin account to root, and added interfaces
> = lo eth0 so it will look on the loop back, but when I try to add
> anyone with
>
> >sudo net rpc rights grant 'domain\linuxproject'
> >SeDiskOperatorPrivilege -U domain\admin I constantly get:
>  
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> I really hope you can give me some more advice beyond, throw out
> everything and start over with winbind.

The only user you should map to 'root' is 'Administrator'.
Does your OS know your user, i.e. does 'getent passwd admin' return
anything ?

If you want to use winbind, then I am prepared to try and help you get
it working, if you insist on using sssd, then I repeat, sssd is not
supported by Samba, it is not a Samba product, so you will have to seek
help through the sssd-users mailing list.

Rowland


Re: Samba and AD based home shares are visible but not accessible

Samba - General mailing list
On Tue, 11 Jul 2017 20:03:33 +0000
"Cybulski, Adam M" <[hidden email]> wrote:

> Thanks Rowland, I'm giving it a go with winbind. Do I have to remove
> SSSD and drop off the domain to make it work?

I would do both.
> I've tried following
> the steps to join as a member server, but it's not gone that
> smoothly. I may try from the beginning with a second server.

What steps are you following ?
Have you read the Samba wiki ?

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> One of the things I've been struggling with is knowing when
> instructions want me to replace something with my environment's
> settings and when it needs to be typed as written.

Yes, it can sometimes be confusing ;-)
If you follow the Samba wiki and don't understand something, please
ask, the only dumb question is the one you do not ask. It is also a two
way street, if you don't understand something, chances are that others
don't understand it either, so we need to make it clearer on the wiki.

>
> Getent passwd admin does not return anything, but I don't know why it
> would, I have no account named Admin, neither on the Linux box, nor
> in my domain. Why would I map an account that doesn't exist?
>

I asked because you posted this:

sudo net rpc rights grant 'domain\linuxproject' SeDiskOperatorPrivilege
-U domain\admin I constantly get:

This clearly shows a user called 'admin'

Rowland


Re: Samba and AD based home shares are visible but not accessible

Samba - General mailing list
Am 2017-07-11 um 22:23 schrieb Rowland Penny via samba:

> Yes, it can sometimes be confusing ;-)
> If you follow the Samba wiki and don't understand something, please
> ask, the only dumb question is the one you do not ask. It is also a two
> way street, if you don't understand something, chances are that others
> don't understand it either, so we need to make it clearer on the wiki.

I fully agree to that and like the approach:

if someone understands something (maybe because he built it) it is hard
or impossible for him to consider that someone might not understand
("something so obvious").

This is a fundamental problem with software and its documentation.

And IMO user feedback (constructive, polite, ...) is as relevant in the
whole open source software model as the part of the developer work.

a quote from twitter earlier today:

"Incorrect documentation is often worse than no documentation." -
Bertrand Meyer

;-)

To be explicit: I don't call samba-docs incorrect.


Re: Samba and AD based home shares are visible but not accessible

Samba - General mailing list
On Wed, 12 Jul 2017 16:11:56 +0000
"Cybulski, Adam M" <[hidden email]> wrote:

> Ok, Here are all the steps I took today, I am still receiving the
> same issue after following the wiki. Any time I have sanitized
> something I have put it in <carrots> and tried to maintain the
> capitalization as it appeared. Everything else is exactly as written
> or displayed.
>

> Kerberos:
> Krb5.conf:

Change it to:

[libdefaults]
 default_realm = UNIV.<SCHOOL>.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = true

> Configure Samba:
>
> Made new smb.conf with following information:
>
> [global]
> security = ADS
> workgroup = <DOMAINALIAS>
> realm = UNIV.<SCHOOL>.EDU
>
> log file = /var/log/samba/%m.log
> log level = 1
>      
> idmap config * : backend = ad
>     idmap config * : range = 3000-7999

Sorry, but that is wrong ;-)

I would expect something like:

    winbind nss info = rfc2307
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config <DOMAINALIAS> : backend = ad
    idmap config <DOMAINALIAS> : schema_mode = rfc2307
    idmap config <DOMAINALIAS> : range = 10000-99999

Or (from 4.6.0):

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config <DOMAINALIAS> : backend = ad
    idmap config <DOMAINALIAS> : unix_nss_info = yes
    idmap config <DOMAINALIAS> : range = 10000-99999

> username map = /usr/local/samba/etc/smbuser.map
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
>
> MAPPING DOMAIN ADMIN ACCOUNT: (I think this is where I may have been
> going wrong. I was using a domain account, that is supposed to have
> admin permissions on this system, but does not have “Domain Join”
> privileges in our domain. This may cause issues, as there are not
> supposed to be any accounts that have both admin privileges on this
> box, and have domain admin privileges. I have changed this to an
> account with domain join privileges.)
>
> Smbusers.map
> # Unix_name = SMB_Name1 SMB_Name2 ...
> ! root = <DOMAINALIAS>\<Domainadmin> <DOMAINALIAS>\<domainadmin> <Domainadmin> <domainadmin>
> nobody = guest smbguest pcguest

'root' is normally mapped to 'Administrator', not sure your way is
going to work.

>
> Join the domain:
>
> #net ads join -U <domainadmin>
> Enter <domainadmin>'s password:
> Using short domain name -- <DOMAINALIAS>
> Joined '<HOSTNAME>' to dns domain 'univ.<school>.edu'
> DNS Update for <hostname>.univ.<school>.edu failed:
> ERROR_DNS_UPDATE_FAILED DNS update failed: NT_STATUS_UNSUCCESSFUL

This is normally because of permission problems.

>
> The wiki advises I test if dynamic DNS updates are working. I cannot
> run any commands on the DC, I’m in one department at a university,
> this is handled at the University IT level. 10,000 other systems are
> working fine though.

What is your DC and does it run a dns server ?

>
> Configuring NSS:
> Nsswitch.conf:
> passwd:     files sss winbind
> shadow:     files sss
> group:      files sss winbind
> hosts:      files dns myhostname
> bootparams: nisplus [NOTFOUND=return] files
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files sss
> netgroup:   files sss
> publickey:  nisplus
> automount:  files sss
> aliases:    files nisplus

Can I suggest you remove sssd and this should remove all mention of
'sss', otherwise, move 'sss' to after 'winbind'

>
> Starting services:
>
>  # systemctl start winbind
>  # systemctl start smbd
> Failed to start smbd.service: Unit not found.
>  # systemctl start smb
>  # systemctl start nmb
>
> Testing:  <-------WIKI OUT OF DATE? ----->
> #wbinfo --ping-dc
> bash: wbinfo: command not found...

Er, no:
wbinfo --ping-dc
checking the NETLOGON for domain[SAMDOM] dc connection to
"dc1.samdom.example.com" succeeded

It cannot find wbinfo, I think you need to install
'samba4-winbind-clients'


>
> Setting up a share:
>
> I have ACL support, and it is in the smb.conf

Again, er, no you haven't

Rowland

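The idmap layout Rowland gives above (the default `*` domain on tdb with its own range, the joined domain on the ad backend with a non-overlapping range) and his nsswitch.conf rule (drop `sss`, or at least list it after `winbind`) can be checked mechanically before reaching for testparm. The script below is an added example written for this thread; it is not Samba's tooling and does not replace `testparm`, it only encodes the rules stated in the replies. The sample configs are constructed to mirror the poster's first attempt and Rowland's corrected version, with the sanitized `<DOMAINALIAS>` placeholder written as `DOMAINALIAS`.

```python
import re

# Constructed samples, not files from the original thread.
# The first mirrors the poster's attempt (default '*' domain on the 'ad' backend).
BAD_SMB_CONF = """\
[global]
security = ADS
workgroup = DOMAINALIAS
realm = UNIV.SCHOOL.EDU
idmap config * : backend = ad
idmap config * : range = 3000-7999
"""

# The second mirrors Rowland's suggested layout for Samba < 4.6.
GOOD_SMB_CONF = """\
[global]
security = ADS
workgroup = DOMAINALIAS
realm = UNIV.SCHOOL.EDU
winbind nss info = rfc2307
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOMAINALIAS : backend = ad
idmap config DOMAINALIAS : schema_mode = rfc2307
idmap config DOMAINALIAS : range = 10000-99999
"""

# Constructed excerpt of the poster's nsswitch.conf (sss listed before winbind).
POSTER_NSSWITCH = """\
passwd:     files sss winbind
shadow:     files sss
group:      files sss winbind
hosts:      files dns myhostname
"""

# Matches 'idmap config <DOMAIN> : <key> = <value>' lines (case-insensitive, like smb.conf).
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_idmap(conf_text):
    """Return {domain: {key: value}} for every idmap config line in an smb.conf."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[key] = val
    return domains


def parse_range(text):
    """'3000-7999' -> (3000, 7999)."""
    lo, hi = (int(x) for x in text.split("-"))
    return lo, hi


def check_idmap(conf_text, workgroup):
    """Apply the idmap rules from the thread; returns a list of problems (empty means OK)."""
    problems = []
    domains = parse_idmap(conf_text)
    default = domains.get("*", {})
    # Rule 1: the default '*' domain must exist and must not use the 'ad' backend.
    if "backend" not in default:
        problems.append("no 'idmap config * : backend' line")
    elif default["backend"].lower() == "ad":
        problems.append("default '*' domain uses backend 'ad'; use tdb")
    # Rule 2: the joined domain needs its own idmap config block.
    if workgroup not in domains:
        problems.append(f"no idmap config for joined domain {workgroup}")
    # Rule 3: every configured domain needs a backend and a range, and ranges must not overlap.
    ranges = []
    for name, settings in domains.items():
        if "backend" not in settings:
            problems.append(f"domain {name} has no backend")
        if "range" not in settings:
            problems.append(f"domain {name} has no range")
            continue
        lo, hi = parse_range(settings["range"])
        for other, (olo, ohi) in ranges:
            if lo <= ohi and olo <= hi:
                problems.append(f"range of {name} overlaps range of {other}")
        ranges.append((name, (lo, hi)))
    return problems


def check_nsswitch(nss_text):
    """Rowland's ordering rule: for passwd and group, 'winbind' must be present and
    'sss' (if still there) must come after it."""
    problems = []
    for line in nss_text.splitlines():
        if ":" not in line or line.lstrip().startswith("#"):
            continue
        db, _, sources = line.partition(":")
        db, srcs = db.strip(), sources.split()
        if db not in ("passwd", "group"):
            continue
        if "winbind" not in srcs:
            problems.append(f"{db}: 'winbind' missing")
        elif "sss" in srcs and srcs.index("sss") < srcs.index("winbind"):
            problems.append(f"{db}: 'sss' listed before 'winbind'")
    return problems


if __name__ == "__main__":
    for label, conf in (("poster's smb.conf", BAD_SMB_CONF), ("suggested smb.conf", GOOD_SMB_CONF)):
        print(label, check_idmap(conf, "DOMAINALIAS") or "OK")
    print("poster's nsswitch.conf", check_nsswitch(POSTER_NSSWITCH) or "OK")
```

Run it against a real `/etc/samba/smb.conf` by reading the file into `check_idmap` with the `workgroup` value from `[global]`; a non-empty list is the reason winbind cannot hand out stable UIDs/GIDs for domain users, which is what shows up on the Windows side as "visible but no permission".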

Re: Samba and AD based home shares are visible but not accessible

Samba - General mailing list
On Mon, 17 Jul 2017 14:09:41 +0000
"Cybulski, Adam M" <[hidden email]> wrote:

> Thanks for your help Rowland, I found this in my Junk folder,
>
> I changed my KRB5.conf and SMB.conf as you suggested, and manually
> removed sss from Nsswitch.conf, honestly, I don't know how to
> uninstall SSSD.

Yum remove sssd ???

>
> I used this in my smb.conf, because I'm running 4.4.4:
>     winbind nss info = rfc2307
>     idmap config * : backend = tdb
>     idmap config * : range = 3000-7999
>     idmap config <DOMAINALIAS> : backend = ad
>     idmap config <DOMAINALIAS> : schema_mode = rfc2307
>     idmap config <DOMAINALIAS> : range = 10000-99999
>

That looks OK.

>
> I still don't understand this line:
>
> >'root' is normally mapped to 'Administrator', not sure your way is
> going to work.
>
> I don't have any account called Administrator, is it built into
> samba? What is this referring to?

No it isn't built into Samba, it is built into AD i.e. the DOMAIN
Administrator.

>
> What is your DC and does it run a dns server ?
>
> Our DC is Windows 2008 R2, and the DNS server is a separate server,
> do I need to designate this somewhere?

Your clients should look to your DNS server for the domain info, this
means that the dns server must know all your domain dns records.

>
> As for permissions issues, there could be something as the account I
> can use to join machines to the domain with has delegated
> permissions, I can only add machines and users in designated OU's. I
> do not have access to the full DOMAIN ADMINISTRATOR account, I don't
> think any one person here does.

I think you should use members of the Domain Admins group instead.

>
> >wbinfo --ping-dc
> >checking the NETLOGON for domain[SAMDOM] dc connection to
> >"dc1.samdom.example.com" succeeded
>
> >It cannot find wbinfo, I think you need to install
> >'samba4-winbind-clients'
>
> That worked, I received the "connection succeeded" response.
>
> I'm still receiving the same errors though.
>

Well, at least you are moving in the right direction.

Rowland
