From: Alberto Moreno on 11 Jun 2010 21:30

Hi

I have been working all week with samba 3.4.7 on CentOS 5.5: a PDC (3.4.7) with LDAP backend + a CentOS 5.5 (3.4.7) BDC with an LDAP slave. I already have 5 clients joined:

1 Windows XP
1 Windows 7 UE
1 CentOS 5.5 Desktop
1 Ubuntu 9.x
1 CentOS 5.5

I can browse inside Windows and see my clients, access some shares. I want to create private shares inside my PDC, I use:

force group
valid users
write list

I created a group with smbldap-tools named "it" and added 2 users: test1, test2. The CentOS PDC and the others are able to get users+groups from LDAP:

id test1
uid=10001(test1) gid=513(Domain Users) groups=513(Domain Users),10001(it)

getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi-autoipd:x:100:102:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
exim:x:93:93::/var/spool/exim:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
pcap:x:77:77::/var/arpwatch:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
root:x:0:0:Netbios Domain Administrator:/home/root:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
rot:x:1004:513:System User:/home/rot:/sbin/nologin
smbbdc$:*:1005:515:Computer:/dev/null:/bin/false
pim-win7ue$:*:1006:515:Computer:/dev/null:/bin/false
test1:x:10001:513:Test Test Uno:/home/test1:/sbin/nologin
test2:x:10002:513:Test Test2:/home/test2:/bin/bash
smbpdc$:*:1007:515:Computer:/dev/null:/bin/false
pim-winxpa$:*:1008:515:Computer:/dev/null:/bin/false
pim-ubuntu$:*:1009:515:Computer:/dev/null:/bin/false
pim-centos1$:*:1010:515:Computer:/dev/null:/bin/false

getent group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
mail:x:12:mail,exim
news:x:13:news
uucp:x:14:uucp
man:x:15:
games:x:20:
gopher:x:30:
dip:x:40:
ftp:x:50:
lock:x:54:
nobody:x:99:
users:x:100:
nscd:x:28:
floppy:x:19:
vcsa:x:69:
utmp:x:22:
utempter:x:35:
slocate:x:21:
audio:x:63:
rpc:x:32:
ecryptfs:x:101:
sshd:x:74:
dbus:x:81:
avahi:x:70:
haldaemon:x:68:
avahi-autoipd:x:102:
exim:x:93:
ldap:x:55:
screen:x:84:
pcap:x:77:
apache:x:48:
Domain Admins:*:512:root
Domain Users:*:513:test1
Domain Guests:*:514:
Domain Computers:*:515:
Administrators:*:544:
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:
Replicators:*:552:
it:*:10001:test1,test2

I can add LDAP groups to directories:

total 2088
drwxrwx--- 5 root it 4096 Jun 8 19:32 it

This is my smb.conf for this share:

[sis]
path = /opt/it
available = Yes
browseable = Yes
read only = No
guest ok = No
writeable = Yes
valid users = @it
write list = @PIMPOM\it
directory mode = 0770

I have tried:

valid users: @it
valid users = \it
valid users = @PIMPOM\it

the same for write list, combinations, etc., and cannot make this happen. If I handle this by user it works, example:

valid users = test1
write list = test1

I just need this small thing to work and done.

log:
[2010/06/08 19:52:04, 3] smbd/process.c:1273(switch_message)
  switch message SMBtconX (pid 11075) conn 0x0
[2010/06/08 19:52:04, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/06/08 19:52:04, 5] auth/token_util.c:522(debug_nt_user_token)
  NT user token: (NULL)
[2010/06/08 19:52:04, 5] auth/token_util.c:548(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2010/06/08 19:52:04, 5] smbd/uid.c:368(change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2010/06/08 19:52:04, 4] smbd/reply.c:680(reply_tcon_and_X)
  Client requested device type [?????] for share [SIS]
[2010/06/08 19:52:04, 5] smbd/service.c:1216(make_connection)
  making a connection to 'normal' service sistemas
[2010/06/08 19:52:04, 3] lib/access.c:362(only_ipaddrs_in_list)
  only_ipaddrs_in_list: list has non-ip address (127.)
[2010/06/08 19:52:04, 3] lib/access.c:396(check_access)
  check_access: hostnames in host allow/deny list.
[2010/06/08 19:52:04, 2] lib/access.c:406(check_access)
  Allowed connection from 172.16.5.204 (172.16.5.204)
[2010/06/08 19:52:04, 3] lib/util_sid.c:228(string_to_sid)
  string_to_sid: Sid @PIMPOM\it does not start with 'S-'.
[2010/06/08 19:52:04, 5] smbd/password.c:403(user_in_netgroup)
  Unable to get default yp domain, let's try without specifying it
[2010/06/08 19:52:04, 5] smbd/password.c:407(user_in_netgroup)
  looking for user test1 of domain (ANY) in netgroup PIMPOM\it
[2010/06/08 19:52:04, 5] smbd/password.c:423(user_in_netgroup)
  looking for user test1 of domain (ANY) in netgroup PIMPOM\it
[2010/06/08 19:52:04, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/06/08 19:52:04, 3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/06/08 19:52:04, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/06/08 19:52:04, 5] auth/token_util.c:522(debug_nt_user_token)
  NT user token: (NULL)
[2010/06/08 19:52:04, 5] auth/token_util.c:548(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2010/06/08 19:52:04, 5] lib/smbldap.c:1295(smbldap_search_ext)
  smbldap_search_ext: base => [dc=pimpom,dc=loc], filter => [(&(objectClass=sambaGroupMapping)(|(displayName=it)(cn=it)))], scope => [2]
[2010/06/08 19:52:04, 2] passdb/pdb_ldap.c:2434(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 10001
[2010/06/08 19:52:04, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/06/08 19:52:04, 2] smbd/service.c:596(create_connection_server_info)
  user 'test1' (from session setup) not permitted to access this share (SIS)
[2010/06/08 19:52:04, 1] smbd/service.c:676(make_connection_snum)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2010/06/08 19:52:04, 3] smbd/error.c:60(error_packet_set)
  error packet at smbd/reply.c(689) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
[2010/06/08 19:52:04, 5] lib/util.c:632(show_msg)
[2010/06/08 19:52:04, 5] lib/util.c:642(show_msg)

My smb.conf general settings are:

[global]
workgroup = PIMPOM
server string = PDC Domain
netbios name = SMBPDC
hosts allow = 172.16.0.0/16 127.
interfaces = eth0, lo
bind interfaces only = Yes
deny hosts = 0.0.0.0
# passwd backend
encrypt passwords = yes
passdb backend = ldapsam:ldap://127.0.0.1/
enable privileges = yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %nn *ReType*new*UNIX*password* %nn * passwd:*all*authentication*tokens*updated*successfully*
unix password sync = Yes
# Log options
log level = 5
log file = /var/log/samba/%m.%U.log
max log size = 500
syslog = 1
# Name resolution
name resolve order = wins hosts bcast lmhost
# misc
timeserver = No
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# Dos-Attribute
map hidden = No
map system = No
map archive = No
map read only = No
store dos attributes = Yes
host msdfs = No
# printers - configured to use CUPS and automatically load them
load printers = No
printcap name =
#printing = cups options =
show add printer wizard = No
# scripts invoked by samba
add user script = /usr/sbin/smbldap-useradd -m %u
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %m
# LDAP configuration
#ldap delete dn = Yes
ldap ssl = off
ldap passwd sync = Yes
ldap suffix = dc=pimpom,dc=loc
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=pimpom,dc=loc
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
# logon options
logon script =
logon path =
logon path =
logon home =
logon drive =
# setting up as domain controller
username map = /home/samba/usermap
preferred master = Yes
wins support = Yes
domain logons = Yes
domain master = Yes
local master = Yes
os level = 64
map acl inherit = Yes
unix charset = UTF8
password level = 6

Do you see any issues with my settings? Thanks for your time, any help will be appreciated!!!

-- 
Living the dream...

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
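An added example, not part of the original post or of Samba's code: a small Python model of how smbd evaluates the `valid users`, `invalid users` and `write list` share parameters, following the name-prefix rules documented in smb.conf(5). A bare name is a user; `@name` is looked up as a NIS netgroup first and then as a UNIX group; `+name` is a UNIX group only; `&name` is a netgroup only. That is why the post's log shows a `user_in_netgroup ... netgroup PIMPOM\it` probe before the LDAP group search for `write list = @PIMPOM\it`, and why `+` skips that probe. The passwd/group tables and the smb.conf fragment below are constructed (loosely modelled on the post, not the poster's actual data), `WORKGROUP\name` is treated as the local group `name` (an assumption of this toy: no trusted domains), `read list` and `%` macro expansion are not modelled.

```python
"""Toy evaluator for Samba share access lists (constructed example)."""
import re
from typing import Dict, List, Optional, Set, Tuple

WORKGROUP = "PIMPOM"  # the local domain, as set in [global]

# Constructed stand-ins for `getent group` and NIS netgroups; nothing is queried.
GROUPS: Dict[str, Set[str]] = {
    "Domain Admins": {"root"},
    "Domain Users": {"test1", "test2", "rot"},
    "it": {"test1", "test2"},
}
NETGROUPS: Dict[str, Set[str]] = {}  # no NIS on this box: every netgroup lookup misses

# Constructed smb.conf fragment (not the poster's file).
SMB_CONF = r"""
[global]
    workgroup = PIMPOM

[sis]
    path = /opt/it
    read only = No
    valid users = @it
    write list = +PIMPOM\it

[docs]
    path = /srv/docs
    writeable = No
    valid users = +"Domain Users"
    write list = +it
"""

# smb.conf ignores case and internal whitespace in parameter names, and
# `writeable`/`writable` are inverted synonyms of `read only`.
_INVERTED_SYNONYMS = {"writeable": "readonly", "writable": "readonly"}


def _is_true(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {normalised_key: value}}; a later setting overrides an earlier one."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = re.sub(r"\s+", "", key).lower(), value.strip()
        if key in _INVERTED_SYNONYMS:
            key, value = _INVERTED_SYNONYMS[key], ("no" if _is_true(value) else "yes")
        sections[current][key] = value
    return sections


def access_list_tokens(value: str) -> List[Tuple[str, str]]:
    """Split a list value into (prefix, name). Entries are space- or comma-separated;
    names containing spaces are quoted, e.g. +"Domain Users"."""
    out = []
    for tok in re.findall(r'[@+&]?(?:"[^"]*"|[^\s,"]+)', value):
        prefix = tok[0] if tok[0] in "@+&" else ""
        out.append((prefix, tok[len(prefix):].strip('"')))
    return out


def local_name(name: str) -> Optional[str]:
    """Strip a DOMAIN\\ qualifier when DOMAIN is our own workgroup.
    Assumption of this toy: only the local domain resolves (no trusts)."""
    if "\\" not in name:
        return name
    domain, _, short = name.partition("\\")
    return short if domain.upper() == WORKGROUP.upper() else None


def user_in_list(user: str, tokens: List[Tuple[str, str]]) -> bool:
    """smb.conf(5) prefix semantics: '' user, '@' netgroup then group, '+' group, '&' netgroup."""
    for prefix, raw in tokens:
        name = local_name(raw)
        if name is None:
            continue  # foreign domain: unresolvable here
        in_group = user in GROUPS.get(name, set())
        in_netgroup = user in NETGROUPS.get(raw, set())  # netgroup probe keeps the raw name, as in the log
        if prefix == "" and name.lower() == user.lower():
            return True
        if (prefix == "@" and (in_netgroup or in_group)) or (prefix == "+" and in_group) \
                or (prefix == "&" and in_netgroup):
            return True
    return False


def share_access(conf: Dict[str, Dict[str, str]], share: str, user: str) -> str:
    """Return 'deny', 'read' or 'write' for user on share."""
    sec = conf[share.lower()]
    if user_in_list(user, access_list_tokens(sec.get("invalidusers", ""))):
        return "deny"
    valid = access_list_tokens(sec.get("validusers", ""))
    if valid and not user_in_list(user, valid):
        return "deny"  # what smbd logs as "not permitted to access this share"
    read_only = _is_true(sec.get("readonly", "yes"))  # smb.conf default: read only = yes
    if read_only and user_in_list(user, access_list_tokens(sec.get("writelist", ""))):
        read_only = False  # write list overrides read only
    return "read" if read_only else "write"


if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    for share, user in (("sis", "test1"), ("sis", "rot"), ("docs", "rot"), ("docs", "test2")):
        print(f"{user:6} on [{share}]: {share_access(conf, share, user)}")
```

On a real server the same comparison is done with `testparm -s` (to see the parameter values smbd actually loaded, after synonym and whitespace normalisation) next to `getent group it` and `net groupmap list`; if the model says "write" and smbd logs NT_STATUS_ACCESS_DENIED, the difference is in how the group name resolves on that host, not in the list syntax.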