From: Alberto Moreno on 14 Jun 2010 12:20

On Mon, Jun 14, 2010 at 8:41 AM, Gaiseric Vandal <gaiseric.vandal(a)gmail.com> wrote:
> On 06/14/2010 03:44 AM, Alberto Moreno wrote:
>> On Sat, Jun 12, 2010 at 1:58 PM, Gaiseric Vandal <gaiseric.vandal(a)gmail.com> wrote:
>>> On each machine I would try running
>>>
>>>     net groupmap list
>>>
>>>     net user info someuser -U Administrator
>>>
>>> That is to make sure that the group mappings for key groups (e.g. Domain Users) are set up, and to verify that users are in the groups you think they are. You don't need group mappings for all your user groups (you will see warnings in logs about missing SIDs), but for the well-known groups and the groups used in shares you will need mappings.
>>>
>>> I found that when I moved to samba 3.4.x the ou=groups seemed to be ignored, and the entire LDAP branch for the domain was searched for groups (I had had one ou for unix groups and one ou for group mappings). The result was that access was broken if it required a user being in the "domain users" group, or "domain users" being in the local users group on windows server.
>>>
>>> -----Original Message-----
>>> From: samba-bounces(a)lists.samba.org [mailto:samba-bounces(a)lists.samba.org] On Behalf Of Alberto Moreno
>>> Sent: Friday, June 11, 2010 9:27 PM
>>> To: samba(a)lists.samba.org
>>> Subject: [Samba] Problems with ldap groups in share folders ACCESS_DENIED
>>>
>>> Hi, I have been working all week with samba 3.4.7 on Centos 5.5: a PDC (3.4.7) with LDAP backend + a Centos 5.5 (3.4.7) BDC with an LDAP slave.
>>>
>>> I already have 5 clients joined:
>>>
>>> 1 Windows XP
>>> 1 Windows 7 UE
>>> 1 Centos 5.5 Desktop
>>> 1 Ubuntu 9.x
>>> 1 Centos 5.5
>>>
>>> I can browse inside windows and see my clients, access some shares. I want to create private shares inside my PDC, I use:
>>>
>>> force group
>>> valid users
>>> write list
>>>
>>> I create a group with smbldap-tools named "it" and add 2 users: test1, test2.
>>>
>>> Centos PDC and others are able to get users+groups from LDAP:
>>>
>>> id test1
>>> uid=10001(test1) gid=513(Domain Users) groups=513(Domain Users),10001(it)
>>>
>>> getent passwd
>>> root:x:0:0:root:/root:/bin/bash
>>> bin:x:1:1:bin:/bin:/sbin/nologin
>>> daemon:x:2:2:daemon:/sbin:/sbin/nologin
>>> adm:x:3:4:adm:/var/adm:/sbin/nologin
>>> lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
>>> sync:x:5:0:sync:/sbin:/bin/sync
>>> shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
>>> halt:x:7:0:halt:/sbin:/sbin/halt
>>> mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
>>> news:x:9:13:news:/etc/news:
>>> uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
>>> operator:x:11:0:operator:/root:/sbin/nologin
>>> games:x:12:100:games:/usr/games:/sbin/nologin
>>> gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
>>> ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
>>> nobody:x:99:99:Nobody:/:/sbin/nologin
>>> nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
>>> vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
>>> rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
>>> sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
>>> dbus:x:81:81:System message bus:/:/sbin/nologin
>>> avahi:x:70:70:Avahi daemon:/:/sbin/nologin
>>> haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
>>> avahi-autoipd:x:100:102:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
>>> exim:x:93:93::/var/spool/exim:/sbin/nologin
>>> ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
>>> pcap:x:77:77::/var/arpwatch:/sbin/nologin
>>> apache:x:48:48:Apache:/var/www:/sbin/nologin
>>> root:x:0:0:Netbios Domain Administrator:/home/root:/bin/false
>>> nobody:x:999:514:nobody:/dev/null:/bin/false
>>> rot:x:1004:513:System User:/home/rot:/sbin/nologin
>>> smbbdc$:*:1005:515:Computer:/dev/null:/bin/false
>>> pim-win7ue$:*:1006:515:Computer:/dev/null:/bin/false
>>> test1:x:10001:513:Test Test Uno:/home/test1:/sbin/nologin
>>> test2:x:10002:513:Test Test2:/home/test2:/bin/bash
>>> smbpdc$:*:1007:515:Computer:/dev/null:/bin/false
>>> pim-winxpa$:*:1008:515:Computer:/dev/null:/bin/false
>>> pim-ubuntu$:*:1009:515:Computer:/dev/null:/bin/false
>>> pim-centos1$:*:1010:515:Computer:/dev/null:/bin/false
>>>
>>> getent group
>>>
>>> root:x:0:root
>>> bin:x:1:root,bin,daemon
>>> daemon:x:2:root,bin,daemon
>>> sys:x:3:root,bin,adm
>>> adm:x:4:root,adm,daemon
>>> tty:x:5:
>>> disk:x:6:root
>>> lp:x:7:daemon,lp
>>> mem:x:8:
>>> kmem:x:9:
>>> wheel:x:10:root
>>> mail:x:12:mail,exim
>>> news:x:13:news
>>> uucp:x:14:uucp
>>> man:x:15:
>>> games:x:20:
>>> gopher:x:30:
>>> dip:x:40:
>>> ftp:x:50:
>>> lock:x:54:
>>> nobody:x:99:
>>> users:x:100:
>>> nscd:x:28:
>>> floppy:x:19:
>>> vcsa:x:69:
>>> utmp:x:22:
>>> utempter:x:35:
>>> slocate:x:21:
>>> audio:x:63:
>>> rpc:x:32:
>>> ecryptfs:x:101:
>>> sshd:x:74:
>>> dbus:x:81:
>>> avahi:x:70:
>>> haldaemon:x:68:
>>> avahi-autoipd:x:102:
>>> exim:x:93:
>>> ldap:x:55:
>>> screen:x:84:
>>> pcap:x:77:
>>> apache:x:48:
>>> Domain Admins:*:512:root
>>> Domain Users:*:513:test1
>>> Domain Guests:*:514:
>>> Domain Computers:*:515:
>>> Administrators:*:544:
>>> Account Operators:*:548:
>>> Print Operators:*:550:
>>> Backup Operators:*:551:
>>> Replicators:*:552:
>>> it:*:10001:test1,test2ll
>>>
>>> I can add ldap groups to directories:
>>>
>>> total 2088
>>> drwxrwx--- 5 root   it        4096 Jun  8 19:32 it
>>>
>>> This is my smb.conf for this share:
>>>
>>> [sis]
>>>     path = /opt/it
>>>     available = Yes
>>>     browseable = Yes
>>>     read only = No
>>>     guest ok = No
>>>     writeable = Yes
>>>     valid users = @it
>>>     write list = @PIMPOM\it
>>>     directory mode = 0770
>>>
>>> I have tried:
>>>
>>> valid users: @it
>>> valid users = \it
>>> valid users = @PIMPOM\it
>>>
>>> the same for write list, combinations, etc., and cannot make this happen.
>>>
>>> If I handle this by user it works, example:
>>>
>>>     valid users = test1
>>>     write list = test1
>>>
>>> I just need this small thing to work and I am done.
>>>
>>> log:
>>>
>>> [2010/06/08 19:52:04,  3] smbd/process.c:1273(switch_message)
>>>   switch message SMBtconX (pid 11075) conn 0x0
>>> [2010/06/08 19:52:04,  3] smbd/sec_ctx.c:310(set_sec_ctx)
>>>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>>> [2010/06/08 19:52:04,  5] auth/token_util.c:522(debug_nt_user_token)
>>>   NT user token: (NULL)
>>> [2010/06/08 19:52:04,  5] auth/token_util.c:548(debug_unix_user_token)
>>>   UNIX token of user 0
>>>   Primary group is 0 and contains 0 supplementary groups
>>> [2010/06/08 19:52:04,  5] smbd/uid.c:368(change_to_root_user)
>>>   change_to_root_user: now uid=(0,0) gid=(0,0)
>>> [2010/06/08 19:52:04,  4] smbd/reply.c:680(reply_tcon_and_X)
>>>   Client requested device type [?????] for share [SIS]
>>> [2010/06/08 19:52:04,  5] smbd/service.c:1216(make_connection)
>>>   making a connection to 'normal' service sistemas
>>> [2010/06/08 19:52:04,  3] lib/access.c:362(only_ipaddrs_in_list)
>>>   only_ipaddrs_in_list: list has non-ip address (127.)
>>> [2010/06/08 19:52:04,  3] lib/access.c:396(check_access)
>>>   check_access: hostnames in host allow/deny list.
>>> [2010/06/08 19:52:04,  2] lib/access.c:406(check_access)
>>>   Allowed connection from 172.16.5.204 (172.16.5.204)
>>> [2010/06/08 19:52:04,  3] lib/util_sid.c:228(string_to_sid)
>>>   string_to_sid: Sid @PIMPOM\it does not start with 'S-'.
>>> [2010/06/08 19:52:04,  5] smbd/password.c:403(user_in_netgroup)
>>>   Unable to get default yp domain, let's try without specifying it
>>> [2010/06/08 19:52:04,  5] smbd/password.c:407(user_in_netgroup)
>>>   looking for user test1 of domain (ANY) in netgroup PIMPOM\it
>>> [2010/06/08 19:52:04,  5] smbd/password.c:423(user_in_netgroup)
>>>   looking for user test1 of domain (ANY) in netgroup PIMPOM\it
>>> [2010/06/08 19:52:04,  3] smbd/sec_ctx.c:210(push_sec_ctx)
>>>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>>> [2010/06/08 19:52:04,  3] smbd/uid.c:428(push_conn_ctx)
>>>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>>> [2010/06/08 19:52:04,  3] smbd/sec_ctx.c:310(set_sec_ctx)
>>>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
>>> [2010/06/08 19:52:04,  5] auth/token_util.c:522(debug_nt_user_token)
>>>   NT user token: (NULL)
>>> [2010/06/08 19:52:04,  5] auth/token_util.c:548(debug_unix_user_token)
>>>   UNIX token of user 0
>>>   Primary group is 0 and contains 0 supplementary groups
>>> [2010/06/08 19:52:04,  5] lib/smbldap.c:1295(smbldap_search_ext)
>>>   smbldap_search_ext: base => [dc=pimpom,dc=loc], filter => [(&(objectClass=sambaGroupMapping)(|(displayName=it)(cn=it)))], scope => [2]
>>> [2010/06/08 19:52:04,  2] passdb/pdb_ldap.c:2434(init_group_from_ldap)
>>>   init_group_from_ldap: Entry found for group: 10001
>>> [2010/06/08 19:52:04,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
>>>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>>> [2010/06/08 19:52:04,  2] smbd/service.c:596(create_connection_server_info)
>>>   user 'test1' (from session setup) not permitted to access this share (SIS)
>>> [2010/06/08 19:52:04,  1] smbd/service.c:676(make_connection_snum)
>>>   create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
>>> [2010/06/08 19:52:04,  3] smbd/error.c:60(error_packet_set)
>>>   error packet at smbd/reply.c(689) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
>>> [2010/06/08 19:52:04,  5] lib/util.c:632(show_msg)
>>> [2010/06/08 19:52:04,  5] lib/util.c:642(show_msg)
>>>
>>> My smb.conf general settings are:
>>>
>>> [global]
>>>     workgroup = PIMPOM
>>>     server string = PDC Domain
>>>     netbios name = SMBPDC
>>>     hosts allow = 172.16.0.0/16 127.
>>>     interfaces = eth0, lo
>>>     bind interfaces only = Yes
>>>     deny hosts = 0.0.0.0
>>> # passwd backend
>>>     encrypt passwords = yes
>>>     passdb backend = ldapsam:ldap://127.0.0.1/
>>>     enable privileges = yes
>>>     pam password change= Yes
>>>     passwd program = /usr/bin/passwd %u
>>>     passwd chat = *New*UNIX*password* %nn *ReType*new*UNIX*password* %nn * passwd:*all*authentication*tokens*updated*successfully*
>>>     unix password sync = Yes
>>>
>>> # Log options
>>>     log level = 5
>>>     log file = /var/log/samba/%m.%U.log
>>>     max log size = 500
>>>     syslog = 1
>>>
>>> # Name resolution
>>>     name resolve order = wins hosts bcast lmhost
>>>
>>> # misc
>>>     timeserver = No
>>>     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>> # Dos-Attribute
>>>     map hidden = No
>>>     map system = No
>>>     map archive = No
>>>     map read only = No
>>>     store dos attributes = Yes
>>>     host msdfs = No
>>> # printers - configured to use CUPS and automatically load them
>>>     load printers = No
>>>     printcap name =
>>> #printing =
>>>     cups options =
>>>     show add printer wizard = No
>>>
>>> # scripts invoked by samba
>>>     add user script = /usr/sbin/smbldap-useradd -m %u
>>>     delete user script = /usr/sbin/smbldap-userdel %u
>>>     add group script = /usr/sbin/smbldap-groupadd -p %g
>>>     delete group script = /usr/sbin/smbldap-groupdel %g
>>>     add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
>>>     delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
>>>     set primary group script = /usr/sbin/smbldap-usermod -g %g %u
>>>     add machine script = /usr/sbin/smbldap-useradd -w %m
>>>
>>> # LDAP-iConfiguration
>>> #ldap delete dn = Yes
>>>     ldap ssl = off
>>>     ldap passwd sync = Yes
>>>     ldap suffix = dc=pimpom,dc=loc
>>>     ldap machine suffix = ou=Computers
>>>     ldap user suffix = ou=Users
>>>     ldap group suffix = ou=Groups
>>>     ldap idmap suffix = ou=Idmap
>>>     ldap admin dn = cn=Manager,dc=pimpom,dc=loc
>>>     idmap backend = ldap:ldap://127.0.0.1
>>>     idmap uid = 10000-20000
>>>     idmap gid = 10000-20000
>>> # logon options
>>>     logon script =
>>>     logon path =
>>>     logon path =
>>>     logon home =
>>>     logon drive =
>>>
>>> # setting up as domain controller
>>>     username map = /home/samba/usermap
>>>     preferred master = Yes
>>>     wins support = Yes
>>>     domain logons = Yes
>>>     domain master = Yes
>>>     local master = Yes
>>>     os level = 64
>>>     map acl inherit = Yes
>>>     unix charset = UTF8
>>>     password level = 6
>>>
>>> Do u see any issues with my settings?
>>>
>>> Thanks for your time, any help will be appreciated!!!
>>> --
>>> Living the dream...
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>
>> mmm interesting.
>>
>> In this case u have something like:
>>
>> ou=Group
>> ou=Groups
>>
>> Under the same domain?
>>
>> How do u handle this, or could u explain in more detail? I would appreciate it, thanks!!!
>>
>
> You need to see what groups are in each ou. You will need to consolidate into one OU or the other. You may need to update smb.conf (for samba) and/or /etc/ldap.conf (for linux client ldap authentication).
>
> I would consolidate everything into "ou=group" so that you don't break any linux ldap client functionality.
>
>    1 - export the contents of "ou=groups" to an ldif file
>    2 - delete ou=groups from ldap,
>    3 - make a backup of the ldif file, then edit the ldif file to remove groups already defined in "ou=group." Change text strings "ou=groups" to "ou=group" and reimport the file into LDAP.
>

I was thinking that would be more complicated.

Hey, what distro are u using? Do u already have this in production?

Thanks!!!
--
Living the dream...
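The editing step of the consolidation procedure quoted above (export ou=groups, drop the groups that already exist under ou=group, rewrite the DNs, reimport), as an added example that is not code from the thread or from Samba or smbldap-tools. The ou names and the dc=pimpom,dc=loc suffix are taken from the thread's smb.conf; the LDIF export, the list of groups already present in ou=Group, and the sambaSID values are constructed for the example, and the script only does the offline edit between the ldapsearch export and the ldapadd import.

```python
"""Merge an LDIF export of one groups OU into another groups OU, offline.

Added example, not code from the thread. Implements step 3 of the quoted
procedure: skip entries that already exist in the target OU, rewrite the
DN component, and emit LDIF for `ldapadd`. Plain LDIF only (no base64
'::' values, no change records).
"""
import re
from typing import List, Tuple

Entry = List[Tuple[str, str]]  # ordered (attribute, value) pairs

# Constructed sample export of ou=Groups (the dc suffix and group names come
# from the thread; the SIDs are placeholder values, not a real domain SID).
SAMPLE_EXPORT = """\
version: 1

dn: ou=Groups,dc=pimpom,dc=loc
objectClass: organizationalUnit
ou: Groups

dn: cn=Domain Users,ou=Groups,dc=pimpom,dc=loc
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 513
sambaSID: S-1-5-21-0000000000-0000000000-0000000000-513
sambaGroupType: 2
memberUid: test1

dn: cn=it,ou=Groups,dc=pimpom,dc=loc
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: it
gidNumber: 10001
sambaSID: S-1-5-21-0000000000-0000000000-0000000000-21003
sambaGroupType: 2
description: IT staff, folded across
  two lines
memberUid: test1
memberUid: test2
"""

# Constructed: cn values already present under ou=Group (e.g. from
# `ldapsearch -x -b ou=Group,dc=pimpom,dc=loc cn`).
EXISTING_IN_OU_GROUP = ["Domain Admins", "Domain Users", "Domain Guests"]


def parse_ldif(text: str) -> List[Entry]:
    """Parse plain LDIF into entries; unfolds continuation lines (leading
    space), ignores comments and the version header, splits on blank lines."""
    entries: List[Entry] = []
    current: Entry = []
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if raw.startswith(" ") and current:   # folded continuation of previous value
            attr, val = current[-1]
            current[-1] = (attr, val + raw[1:])
            continue
        if raw.startswith("#") or raw.lower().startswith("version:"):
            continue
        if raw.strip() == "":
            if current:
                entries.append(current)
                current = []
            continue
        attr, _, val = raw.partition(":")
        current.append((attr.strip(), val.strip()))
    return entries


def consolidate(ldif_text: str, existing_cns, old_ou: str = "ou=Groups",
                new_ou: str = "ou=Group") -> Tuple[List[Entry], List[str]]:
    """Return (entries to import under new_ou, DNs skipped).

    Skipped: the organizationalUnit object of old_ou itself (new_ou already
    exists), and any group whose cn already exists under new_ou, since
    importing it would fail or duplicate a gidNumber/sambaSID.
    """
    have = {cn.lower() for cn in existing_cns}
    ou_rdn = re.compile("(?i)" + re.escape(old_ou) + "(?=,|$)")
    kept: List[Entry] = []
    skipped: List[str] = []
    for entry in parse_ldif(ldif_text):
        attrs = {a.lower(): v for a, v in entry}
        dn = attrs.get("dn", "")
        if dn.lower().startswith(old_ou.lower() + ","):   # the OU object itself
            skipped.append(dn)
            continue
        cn = attrs.get("cn", "")
        if cn.lower() in have:
            skipped.append(dn)
            continue
        # Rewrite the OU component wherever it appears as a DN value.
        kept.append([(a, ou_rdn.sub(new_ou, v)) for a, v in entry])
        have.add(cn.lower())   # also catches duplicates inside the export itself
    return kept, skipped


def to_ldif(entries: List[Entry]) -> str:
    """Serialise entries back to LDIF, one blank line between entries."""
    return "\n\n".join("\n".join(f"{a}: {v}" for a, v in e) for e in entries) + "\n"


if __name__ == "__main__":
    kept, skipped = consolidate(SAMPLE_EXPORT, EXISTING_IN_OU_GROUP)
    print("skipped:", *skipped, sep="\n  ")
    print(to_ldif(kept))
```

Around the script, the export is the plain `ldapsearch -x -D "cn=Manager,dc=pimpom,dc=loc" -W -b ou=Groups,dc=pimpom,dc=loc` output saved to a file, and the result is fed to `ldapadd -x -D ... -W -f merged.ldif`; the untouched export file serves as the backup the procedure asks for, and ou=Groups is deleted only after the import has been verified with `getent group` on a client.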