[Bug 1743354] Re: samba with backend ldap: can not access share or file even if user is authorized : NT_STATUS_ACCESS_DENIED
alberto fiaschi
alberto.fiaschi at gmail.com
Tue Jan 23 16:22:28 UTC 2018
2018-01-23 13:25 GMT+01:00 Andreas Hasenack <andreas at canonical.com>:
> Thanks for filing this bug in Ubuntu.
>
> When the problem occurs, does the command "id <user>" show the correct
> group membership info for the affected <user>?
>
> yes: id shows all groups
> Do you have any sort of NSS caching service running, like nscd? If yes,
> you should perhaps disable it.
>
> yes, but the problem happens randomly for users and groups that are present in LDAP
and have not changed for a long time
--
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1743354
>
> Title:
> samba with backend ldap: can not access share or file even if user is
> authorized : NT_STATUS_ACCESS_DENIED
>
> Status in samba package in Ubuntu:
> New
>
> Bug description:
> Ubuntu 16.04.3 LTS -Version 4.3.11-Ubuntu .
> For some days now users cannot access some files although the user has
> all the rights.
> As a workaround I have to do a chmod a+rwx on the files involved.
> Now it also happens that users authorized to a new shared folder cannot use
> it (log file attached).
> User a.fiaschi is in group dirsan_Rifiuti_rw but get
> NT_STATUS_ACCESS_DENIED
> share config is
>
> [Rifiuti]
> comment = Rifiuti
> path = /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
> #*********** ZFS snapshot
> #vfs objects = shadow_copy2
> shadow:format = %Y-%m-%d_%H.%M.%S--5d
> shadow:sort = desc
> shadow:snapdir = /samba/shares/Dirsanitaria/groups/dirsan/.zfs/snapshot
> shadow:basedir = /samba/shares/Dirsanitaria/groups/dirsan
> shadow:localtime = yes
> #******* snapshot end *************
> valid users = @dirsan_Rifiuti_ro, @dirsan_Rifiuti_rw
> write list = @dirsan_Rifiuti_rw
> force user = nobody
> force group = dirsan_quota
> #_______ FINE AUTO ADD Rifiuti ________
>
> ls -ald /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
> drwxrwxrwx 2 nobody dirsan_quota 3 gen 15 11:18
> /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
>
>
>
> smbldap-groupshow dirsan_Rifiuti_rw
> dn: cn=dirsan_Rifiuti_rw,ou=Groups,ou=aoup,ou=samba,ou=
> servizi,dc=aop,dc=int
> objectClass: top,posixGroup,sambaGroupMapping
> cn: dirsan_Rifiuti_rw
> gidNumber: 6490
> sambaSID: S-1-5-21-1146166441-2403190732-1965087569-13981
> sambaGroupType: 2
> displayName: dirsan_Rifiuti_rw
> memberUid: a.ciucci,m.dalco,a.fiaschi
>
>
>
> global config :
> # This is the main Samba configuration file. You should read the
> # smb.conf(5) manual page in order to understand the options listed
> # here. Samba has a huge number of configurable options (perhaps too
> # many!) most of which are not shown in this example
> #
> # For a step-by-step guide on installing, configuring and using samba,
> # read the Samba-HOWTO-Collection. This may be obtained from:
> # http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
> #
> # Many working examples of smb.conf files can be found in the
> # Samba-Guide which is generated daily and can be downloaded from:
> # http://www.samba.org/samba/docs/Samba-Guide.pdf
> #
> # Any line which starts with a ; (semi-colon) or a # (hash)
> # is a comment and is ignored. In this example we will use a #
> # for commentary and a ; for parts of the config file that you
> # may wish to enable
> #
> # NOTE: Whenever you modify this file you should run the command
> "testparm"
> # to check that you have not made any basic syntactic errors.
> #
> #======================= Global Settings ==============================
> =======
> [global]
>
> # workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
> workgroup = AOUP
> SERVER ROLE = CLASSIC PRIMARY DOMAIN CONTROLLER
> # server string is the equivalent of the NT Description field
> server string = AOUPSRV file server
> # OTTIMIZZAZIONI latenza ipv4 ....
> #socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
> #socket options = IPTOS_LOWDELAY TCP_NODELAY
> kernel oplocks = yes
> #in ascolto solo su interfaccia/ip impostati
> #bind interfaces only = yes
> #interfaces = 127.0.0.1/8 172.24.81.0/24
> #per sicurezza contro man in the middle
> server signing = mandatory
> # SAREBBE DA ATTIVARE MA CI SONO VECCHIE MACCHINE disablito vecchia
> autenticazione facilmente crackabile
> #ntlm auth = no
> #----
> netbios name = zfs-cis
> #passdb backend = ldapsam:ldap://ldap.aop.int/
> #passdb backend = ldapsam:"ldap://172.29.10.51/ ldap://172.29.10.52/"
> #passdb backend = ldapsam:"ldapi://%2fvar%2frun%2fldapi/ ldap://
> ldap.aop.int/"
> passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://ldap.aop.int/ ldap://
> 172.29.10.180/ ldap://172.29.10.181/"
> #unix soket su /var/run/ldapi
> #passdb backend = ldapsam:ldapi://%2fvar%2frun%2fldapi/
> client NTLMv2 auth = yes
> client lanman auth = no
> #----ESSENZIALE PER win8 map to guest = Bad User
> #map to guest = Bad User
> ##----ESSENZIALE PER win8 map to guest = Bad User
> #
>
> #TEST -----------------------
>
>
> # END TEST -------------------
>
>
> restrict anonymous = 2
> map to guest = never
> usershare allow guests = no
> #posix locking = No
> log file = /var/log/samba/%I.log
>
> #log level = 255
> log level = 1 auth:2 passdb:2 idmap:2
>
> hide dot files = yes
> max log size = 5000
> time server = Yes
> deadtime = 25
> domain logons = Yes
> os level = 65
> preferred master = Yes
> domain master = Yes
> local master =yes
> logon script = logon.bat
> #ldap ssl = start tls
> ldap ssl = off
> ldap admin dn = cn=manager,dc=aop,dc=int
> ldap delete dn = Yes
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Users
> ldap machine suffix = ou=Computers
> ldap passwd sync = Yes
> add user script = /usr/sbin/smbldap-useradd -m
> add group script = /usr/sbin/smbldap-groupadd -p
> add user to group script = /usr/sbin/smbldap-groupmod -m
> delete user from group script = /usr/sbin/smbldap-groupmod -x
> set primary group script = /usr/sbin/smbldap-usermod -g
> add machine script = /usr/sbin/smbldap-useradd -w
> passwd program = /usr/sbin/smbldap-passwd %u
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> *all*authentication*tokens*updated*
> ldap suffix = ou=aoup,ou=samba,ou=servizi,dc=aop,dc=int
> ldap user suffix = ou=Users
> create mask = 0777
> directory mask = 0777
> nt acl support = No
> case sensitive = No
> # disabilito supporto stampanti
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> #wins server = 172.29.10.128
> wins support = yes
>
> wins proxy = yes
> dns proxy = yes
> debug uid = yes
> ####### provo a levare smb ports = 139
>
> #OTTIMIZZAZIONE IO
> min receivefile size = 16384
> use sendfile = true
> strict allocate = Yes
> aio read size = 16384
> aio write size = 16384
> write cache size = 65536
> # fine--------OTTIMIZZAZIONE IO
>
> map hidden = no
> map system = no
> map archive = no
> map readonly = no
> store dos attributes = yes
>
> strict locking = no
> follow symlinks = yes
> unix extensions = yes
>
> #unix charset = utf-8
> #dos charset = cp1250
>
> dos charset = 850
> unix charset = ISO8859-1
>
>
> # DA LEVARE PER WINDOWS 10 ed utilizzo di SMB2 e SMB3
> #smb ports = 139
> #aggiunta per provare uso di criptazione per client da windows 8 in su
> ....
> # SE PESA SU CPU DA LEVARE !!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> smb encrypt = desired
> #smb encrypt = off
> ## ************************************************************
> ********************************
> ## ************************************************************
> ********************************
> ## ************************************************************
> ********************************
> # DA RIMETTERE SE NON VA CON WINDOWS 10 filtro ip
> #Aggiunto per ora per WINDOWS 10 forzo uso vecchio protocollo se no non
> c'è nome netbios
> #server min protocol = NT1
> #
> #server max protocol = NT1
> #client ipc max protocol = NT1
> ## ************************************************************
> ********************************
>
>
>
> # test hide share seza diritti con secureshare
> #vfs objects = acl_xattr
> #map acl inherit = yes
>
> #fine test hide share -------------------------------
>
>
> #*********** ZFS snapshot
> #vfs objects = shadow_copy2
> #shadow:format = %Y-%m-%d_%H.%M.%S--8d
> #shadow:sort = desc
> #shadow:snapdir = /samba/share/.zfs/snapshot
> #shadow:basedir = /samba/share
> #shadow:localtime = yes
> #******* snapshot end *************
>
> #access based share enum = yes
>
> vfs objects = shadow_copy2
>
> #*********** PER AUDIT ******************************
> *************************
> #vfs objects = full_audit vfs shadow_copy2
> #full_audit:prefix = ___@@@sTrAuDitL1n3€€€£___%T|%i|%U|%I|%P
>
>
> #full_audit:success = chflags chmod chown close connect
> disconnect lock mkdir mknod open opendir read rename rmdir
> write unlink pread pwrite
> #full_audit:success = all
> #full_audit:failure = chdir chflags chmod chown closedir connect
> fchmod fchown lock mkdir mknod open opendir pwrite read
> removexattr rename rmdir write unlink
> #full_audit:facility = LOCAL6
> #full_audit:priority = DEBUG
>
> #*********** FINE PER AUDIT ******************************
> ********************
> include = /samba/servers_config/%i
>
> #####include = /etc/samba/servers/ALL_CONF
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/samba/+bug/
> 1743354/+subscriptions
>
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1743354
Title:
samba with backend ldap: can not access share or file even if user is
authorized : NT_STATUS_ACCESS_DENIED
Status in samba package in Ubuntu:
New
Bug description:
Ubuntu 16.04.3 LTS -Version 4.3.11-Ubuntu .
For some days now users cannot access some files although the user has all the rights.
As a workaround I have to do a chmod a+rwx on the files involved.
Now it also happens that users authorized to a new shared folder cannot use it (log file attached).
User a.fiaschi is in group dirsan_Rifiuti_rw but get NT_STATUS_ACCESS_DENIED
share config is
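[Rifiuti]
# Share section from the reporter's smb.conf; the [global] section (shown separately)
# supplies the defaults this share builds on.
comment = Rifiuti
path = /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
#*********** ZFS snapshot
# "vfs objects" stays commented here on purpose: [global] already loads shadow_copy2
# for every share, so the shadow:* settings below take effect. Setting "vfs objects"
# at share level would replace, not extend, the global module list.
#vfs objects = shadow_copy2
shadow:format = %Y-%m-%d_%H.%M.%S--5d
shadow:sort = desc
shadow:snapdir = /samba/shares/Dirsanitaria/groups/dirsan/.zfs/snapshot
shadow:basedir = /samba/shares/Dirsanitaria/groups/dirsan
shadow:localtime = yes
#******* snapshot end *************
# Access control for this share lives entirely on the next two lines. "@name" entries
# are NSS groups (here resolved through LDAP) and are evaluated when the client connects
# to the share. The second entry had been rewritten to " at dirsan_Rifiuti_rw" by the
# mailing-list archive's address obfuscation; restored to the @group form that
# "write list" already uses.
valid users = @dirsan_Rifiuti_ro, @dirsan_Rifiuti_rw
write list = @dirsan_Rifiuti_rw
# Once connected, every file operation runs as nobody:dirsan_quota, and the directory is
# drwxrwxrwx nobody:dirsan_quota (ls output in the report), so POSIX modes cannot deny
# the authorized user. Presumably the NT_STATUS_ACCESS_DENIED is produced by the
# @group resolution above rather than by the filesystem — confirm against the attached log.
# NOTE(review): "force group" without a leading "+" assigns this group to every
# connecting user, not only to existing members — confirm that is intended.
force user = nobody
force group = dirsan_quota
#_______ FINE AUTO ADD Rifiuti ________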
ls -ald /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
drwxrwxrwx 2 nobody dirsan_quota 3 gen 15 11:18 /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
smbldap-groupshow dirsan_Rifiuti_rw
dn: cn=dirsan_Rifiuti_rw,ou=Groups,ou=aoup,ou=samba,ou=servizi,dc=aop,dc=int
objectClass: top,posixGroup,sambaGroupMapping
cn: dirsan_Rifiuti_rw
gidNumber: 6490
sambaSID: S-1-5-21-1146166441-2403190732-1965087569-13981
sambaGroupType: 2
displayName: dirsan_Rifiuti_rw
memberUid: a.ciucci,m.dalco,a.fiaschi
global config :
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# For a step-by-step guide on installing, configuring and using samba,
# read the Samba-HOWTO-Collection. This may be obtained from:
# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the
# Samba-Guide which is generated daily and can be downloaded from:
# http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]
# Global section of the reporter's smb.conf (Ubuntu 16.04, Samba 4.3.11 per the bug
# description): an NT4-style PDC whose account database lives in OpenLDAP (ldapsam).
# Share sections such as [Rifiuti] and the per-address include at the very end build
# on these defaults.
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
workgroup = AOUP
# Parameter names are matched case- and whitespace-insensitively, so this is the same
# as "server role = classic primary domain controller".
SERVER ROLE = CLASSIC PRIMARY DOMAIN CONTROLLER
# server string is the equivalent of the NT Description field
server string = AOUPSRV file server
# IPv4 latency tuning ....
#socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
#socket options = IPTOS_LOWDELAY TCP_NODELAY
kernel oplocks = yes
# listen only on the configured interface/IP (currently off: smbd binds every address)
#bind interfaces only = yes
#interfaces = 127.0.0.1/8 172.24.81.0/24
# protection against man-in-the-middle: SMB sessions must be signed. This covers the
# client<->smbd leg only; the LDAP connection configured below is a separate matter.
server signing = mandatory
# SHOULD BE ENABLED BUT THERE ARE OLD MACHINES: disables the old, easily cracked authentication
# NOTE(review): while this stays commented, smbd presumably still accepts NTLMv1 from
# clients (the 4.3-era default); the two "client ... auth" lines further down only
# govern what this host sends when it acts as a client itself.
#ntlm auth = no
#----
netbios name = zfs-cis
#passdb backend = ldapsam:ldap://ldap.aop.int/
#passdb backend = ldapsam:"ldap://172.29.10.51/ ldap://172.29.10.52/"
#passdb backend = ldapsam:"ldapi://%2fvar%2frun%2fldapi/ ldap://ldap.aop.int/"
# Account database. The URIs are presumably tried in order, so 127.0.0.1 serves while the
# local directory answers and the three remote servers are fallbacks. Together with
# "ldap ssl = off" below, those fallbacks are plain ldap://: the bind as "ldap admin dn"
# and everything ldapsam reads from the directory (account attributes, password hashes
# included) cross the network unencrypted whenever a remote server is used. The commented
# "ldap ssl = start tls", or the ldapi:// socket kept in the comments, would close that gap.
passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://ldap.aop.int/ ldap://172.29.10.180/ ldap://172.29.10.181/"
# unix socket at /var/run/ldapi
#passdb backend = ldapsam:ldapi://%2fvar%2frun%2fldapi/
# Outbound (client-side) authentication only: NTLMv2, never LANMAN.
client NTLMv2 auth = yes
client lanman auth = no
#---- ESSENTIAL FOR win8: map to guest = Bad User
#map to guest = Bad User
##---- ESSENTIAL FOR win8: map to guest = Bad User
#
#TEST -----------------------
# END TEST -------------------
# No anonymous or guest access: unknown users are rejected instead of mapped to guest.
restrict anonymous = 2
map to guest = never
usershare allow guests = no
#posix locking = No
# One log file per client address (%I = client IP).
log file = /var/log/samba/%I.log
#log level = 255
# Base level 1, raised to 2 for the auth, passdb and idmap debug classes — the classes
# relevant to "user is in the group but gets ACCESS_DENIED".
log level = 1 auth:2 passdb:2 idmap:2
hide dot files = yes
# in KB; the log is rotated once it grows past this
max log size = 5000
time server = Yes
# minutes of inactivity before an idle connection is dropped
deadtime = 25
# NT4-style domain controller and browse master for the workgroup.
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
local master =yes
logon script = logon.bat
#ldap ssl = start tls
# NOTE(review): see "passdb backend" above — off means no TLS on the ldap:// URIs.
ldap ssl = off
# DN smbd binds as for every ldapsam read and write; its password is not kept in this file.
ldap admin dn = cn=manager,dc=aop,dc=int
ldap delete dn = Yes
# The ou suffixes are relative to "ldap suffix" below.
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Users
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
# Account maintenance is delegated to the smbldap-tools scripts, invoked by smbd with
# the user/group/machine name substituted in.
add user script = /usr/sbin/smbldap-useradd -m
add group script = /usr/sbin/smbldap-groupadd -p
add user to group script = /usr/sbin/smbldap-groupmod -m
delete user from group script = /usr/sbin/smbldap-groupmod -x
set primary group script = /usr/sbin/smbldap-usermod -g
add machine script = /usr/sbin/smbldap-useradd -w
passwd program = /usr/sbin/smbldap-passwd %u
# In "passwd chat" the "\n" sequences are the chat's newline marker, not a literal backslash-n.
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
ldap suffix = ou=aoup,ou=samba,ou=servizi,dc=aop,dc=int
ldap user suffix = ou=Users
# Everything created through Samba is world-readable and world-writable on the POSIX side,
# and NT ACLs are not exposed to clients. Effective access control therefore rests on the
# share-level "valid users" / "write list" (checked at connect time) and on "force user";
# any other route to the filesystem (local shells, other shares, NFS) sees plain 0777.
# NOTE(review): files created through smbd already get 0777, so if the "chmod a+rwx"
# workaround in the report helped, those files presumably arrived by another route —
# confirm against the attached log.
create mask = 0777
directory mask = 0777
nt acl support = No
case sensitive = No
# disable printer support
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
#wins server = 172.29.10.128
# This host is the WINS server; wins proxy / dns proxy answer name queries on behalf of clients.
wins support = yes
wins proxy = yes
dns proxy = yes
# Prefix debug lines with the uid/gid smbd is running as — useful next to the auth:2 class above.
debug uid = yes
####### trying to remove smb ports = 139
# IO TUNING
min receivefile size = 16384
use sendfile = true
strict allocate = Yes
aio read size = 16384
aio write size = 16384
write cache size = 65536
# end-------- IO TUNING
# DOS attributes are stored in an extended attribute instead of being mapped onto the
# POSIX execute bits.
map hidden = no
map system = no
map archive = no
map readonly = no
store dos attributes = yes
strict locking = no
# "unix extensions" lets SMB1 clients create symlinks on the share. "wide links" is not
# set here, so it presumably stays at its default (no) and links pointing outside the
# share are not followed — NOTE(review): confirm the included files below do not change that.
follow symlinks = yes
unix extensions = yes
#unix charset = utf-8
#dos charset = cp1250
# Latin-1 on disk, CP850 for legacy DOS clients. Names outside Latin-1 cannot be stored;
# switching an existing share to utf-8 re-interprets the on-disk names, so do not flip
# this casually.
dos charset = 850
unix charset = ISO8859-1
# TO BE REMOVED FOR WINDOWS 10 and the use of SMB2 and SMB3
#smb ports = 139
# added to try encryption for clients from windows 8 upwards ....
# REMOVE IF IT LOADS THE CPU !!!!!!!!!!!!!!!!!!!!!!!!!!!
# "desired": presumably encryption is negotiated with clients that support it but not
# required, so older clients still talk in the clear (signing above remains mandatory).
smb encrypt = desired
#smb encrypt = off
## ********************************************************************************************
## ********************************************************************************************
## ********************************************************************************************
# PUT BACK IF IT DOES NOT WORK WITH WINDOWS 10 ip filter
# Added for now for WINDOWS 10: force the old protocol, otherwise there is no netbios name
#server min protocol = NT1
#
#server max protocol = NT1
#client ipc max protocol = NT1
## ********************************************************************************************
# test: hide shares without rights via secureshare
#vfs objects = acl_xattr
#map acl inherit = yes
# end test hide share -------------------------------
#*********** ZFS snapshot
#vfs objects = shadow_copy2
#shadow:format = %Y-%m-%d_%H.%M.%S--8d
#shadow:sort = desc
#shadow:snapdir = /samba/share/.zfs/snapshot
#shadow:basedir = /samba/share
#shadow:localtime = yes
#******* snapshot end *************
#access based share enum = yes
# Default VFS stack for every share: ZFS snapshots exposed as "Previous Versions". The
# shadow:* parameters are set per share (see [Rifiuti]); the global ones above stay
# commented. A share that sets its own "vfs objects" replaces this list rather than
# adding to it.
vfs objects = shadow_copy2
#*********** FOR AUDIT *******************************************************
#vfs objects = full_audit vfs shadow_copy2
#full_audit:prefix = ___@@@sTrAuDitL1n3€€€£___%T|%i|%U|%I|%P
#full_audit:success = chflags chmod chown close connect disconnect lock mkdir mknod open opendir read rename rmdir write unlink pread pwrite
#full_audit:success = all
#full_audit:failure = chdir chflags chmod chown closedir connect fchmod fchown lock mkdir mknod open opendir pwrite read removexattr rename rmdir write unlink
#full_audit:facility = LOCAL6
#full_audit:priority = DEBUG
#*********** END FOR AUDIT **************************************************
# Per-address overrides: %i is the local IP the client connected to. Because this comes
# last, anything in the included file overrides the settings above; those files are not
# part of this report, so the effective configuration may differ from what is shown here.
include = /samba/servers_config/%i
#####include = /etc/samba/servers/ALL_CONF
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1743354/+subscriptions