[Bug 1743354] Re: samba with backend ldap: can not access share or file even if user is authorized : NT_STATUS_ACCESS_DENIED

alberto fiaschi alberto.fiaschi at gmail.com
Wed May 30 07:39:39 UTC 2018


@ahasenack
Yes. Unfortunately we still have about 2000 clients with Windows XP.
But I cannot verify whether the situation described in the bug has occurred.
I doubt it, because our average user is very obtuse and therefore usually calls the helpdesk to restore files.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1743354

Title:
   samba with backend ldap: can not access share or file even if user is
  authorized : NT_STATUS_ACCESS_DENIED

Status in samba package in Ubuntu:
  New

Bug description:
  Ubuntu 16.04.3 LTS -Version 4.3.11-Ubuntu .
  For some days users have not been able to access some files although the user has all the rights.
  As a solution I have to do a chmod a+rwx on the files involved.
  Now it occurs that users authorized to a new shared folder cannot use it (log file attached).
  User a.fiaschi is in group dirsan_Rifiuti_rw but gets NT_STATUS_ACCESS_DENIED.
  Share config is:

  [Rifiuti]
  comment = Rifiuti
  path = /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
  #***********  ZFS snapshot
  #vfs objects = shadow_copy2
  shadow:format = %Y-%m-%d_%H.%M.%S--5d
  shadow:sort = desc
  shadow:snapdir = /samba/shares/Dirsanitaria/groups/dirsan/.zfs/snapshot
  shadow:basedir = /samba/shares/Dirsanitaria/groups/dirsan
  shadow:localtime = yes
  #******* snapshot end *************
  valid users = @dirsan_Rifiuti_ro,@dirsan_Rifiuti_rw
  write list  = @dirsan_Rifiuti_rw
  force user = nobody
  force group = dirsan_quota
  #_______ END AUTO ADD Rifiuti ________

  ls -ald /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
  drwxrwxrwx 2 nobody dirsan_quota 3 gen 15 11:18 /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti


  
   smbldap-groupshow dirsan_Rifiuti_rw
  dn: cn=dirsan_Rifiuti_rw,ou=Groups,ou=aoup,ou=samba,ou=servizi,dc=aop,dc=int
  objectClass: top,posixGroup,sambaGroupMapping
  cn: dirsan_Rifiuti_rw
  gidNumber: 6490
  sambaSID: S-1-5-21-1146166441-2403190732-1965087569-13981
  sambaGroupType: 2
  displayName: dirsan_Rifiuti_rw
  memberUid: a.ciucci,m.dalco,a.fiaschi


  
  global config :
  # This is the main Samba configuration file. You should read the
  # smb.conf(5) manual page in order to understand the options listed
  # here. Samba has a huge number of configurable options (perhaps too
  # many!) most of which are not shown in this example
  #
  # For a step to step guide on installing, configuring and using samba, 
  # read the Samba-HOWTO-Collection. This may be obtained from:
  #  http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
  #
  # Many working examples of smb.conf files can be found in the 
  # Samba-Guide which is generated daily and can be downloaded from: 
  #  http://www.samba.org/samba/docs/Samba-Guide.pdf
  #
  # Any line which starts with a ; (semi-colon) or a # (hash) 
  # is a comment and is ignored. In this example we will use a #
  # for commentary and a ; for parts of the config file that you
  # may wish to enable
  #
  # NOTE: Whenever you modify this file you should run the command "testparm"
  # to check that you have not made any basic syntactic errors. 
  #
  #======================= Global Settings =====================================
  [global]

  # workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
  workgroup = AOUP
  SERVER ROLE = CLASSIC PRIMARY DOMAIN CONTROLLER
  # server string is the equivalent of the NT Description field
  server string =  AOUPSRV file server
  # OPTIMIZATIONS for ipv4 latency ....
  #socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
  #socket options = IPTOS_LOWDELAY TCP_NODELAY 
  kernel oplocks = yes 
  # listen only on the configured interface/ip
  #bind interfaces only = yes
  #interfaces = 127.0.0.1/8 172.24.81.0/24 
  # for protection against man in the middle
   server signing = mandatory
  # SHOULD BE ENABLED, BUT THERE ARE OLD MACHINES: disable the old, easily crackable authentication
  #ntlm auth = no
  #----
  netbios name = zfs-cis
  #passdb backend = ldapsam:ldap://ldap.aop.int/
  #passdb backend = ldapsam:"ldap://172.29.10.51/ ldap://172.29.10.52/"  
  #passdb backend = ldapsam:"ldapi://%2fvar%2frun%2fldapi/ ldap://ldap.aop.int/"
  passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://ldap.aop.int/ ldap://172.29.10.180/ ldap://172.29.10.181/"
  # unix socket on /var/run/ldapi
  #passdb backend = ldapsam:ldapi://%2fvar%2frun%2fldapi/
  client NTLMv2 auth = yes
  client lanman auth = no
  #---- ESSENTIAL FOR win8: map to guest = Bad User
  #map to guest = Bad User
  ##---- ESSENTIAL FOR win8: map to guest = Bad User
  #

  #TEST -----------------------


  # END TEST -------------------

  
  restrict anonymous = 2
  map to guest = never
  usershare allow guests = no
  #posix locking = No
  log file = /var/log/samba/%I.log

  #log level = 255
  log level = 1 auth:2 passdb:2  idmap:2

  hide dot files = yes
  max log size = 5000
  time server = Yes
  deadtime = 25
  domain logons = Yes
  os level = 65
  preferred master = Yes
  domain master =  Yes
  local master =yes
  logon script = logon.bat
  #ldap ssl = start tls
  ldap ssl = off
  ldap admin dn = cn=manager,dc=aop,dc=int
  ldap delete dn = Yes
  ldap group suffix = ou=Groups
  ldap idmap suffix = ou=Users
  ldap machine suffix = ou=Computers
  ldap passwd sync = Yes
  add user script = /usr/sbin/smbldap-useradd -m
  add group script = /usr/sbin/smbldap-groupadd -p
  add user to group script = /usr/sbin/smbldap-groupmod -m
  delete user from group script = /usr/sbin/smbldap-groupmod -x
  set primary group script = /usr/sbin/smbldap-usermod -g
  add machine script = /usr/sbin/smbldap-useradd -w
  passwd program = /usr/sbin/smbldap-passwd %u
  passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
  ldap suffix = ou=aoup,ou=samba,ou=servizi,dc=aop,dc=int
  ldap user suffix = ou=Users
  create mask = 0777
  directory mask = 0777
  nt acl support = No
  case sensitive = No
  # disable printer support
  load printers = no
  printing = bsd
  printcap name = /dev/null
  disable spoolss = yes
  #wins server = 172.29.10.128
  wins support = yes

  wins proxy = yes
  dns proxy = yes
  debug uid = yes
  ####### trying to remove smb ports = 139

  # IO OPTIMIZATION
  min receivefile size = 16384
  use sendfile = true
  strict allocate = Yes
  aio read size       = 16384 
  aio write size      = 16384
  write cache size = 65536
  # end-------- IO OPTIMIZATION

  map hidden           = no
  map system           = no
  map archive          = no
  map readonly         = no
  store dos attributes = yes

  strict locking = no
  follow symlinks = yes
  unix extensions = yes

  #unix charset = utf-8
  #dos charset = cp1250

  dos charset = 850
  unix charset = ISO8859-1

  
  # TO BE REMOVED FOR WINDOWS 10 and the use of SMB2 and SMB3
  #smb ports = 139
  # added to try encryption for clients from windows 8 upwards ....
  # IF IT LOADS THE CPU, REMOVE IT !!!!!!!!!!!!!!!!!!!!!!!!!!!

  smb encrypt = desired
  #smb encrypt = off
  ## ********************************************************************************************
  ## ********************************************************************************************
  ## ********************************************************************************************
  # PUT BACK IF IT DOES NOT WORK WITH WINDOWS 10 ip filter
  # Added for now for WINDOWS 10: force the old protocol, otherwise there is no netbios name
  #server min protocol = NT1
  #             
  #server max protocol = NT1
  #client ipc max protocol = NT1
  ## ********************************************************************************************


  
  # test hiding shares without rights with secureshare
  #vfs objects = acl_xattr
  #map acl inherit = yes

  # end test hide share -------------------------------

  
  #***********  ZFS snapshot
  #vfs objects = shadow_copy2
  #shadow:format = %Y-%m-%d_%H.%M.%S--8d
  #shadow:sort = desc
  #shadow:snapdir = /samba/share/.zfs/snapshot
  #shadow:basedir = /samba/share
  #shadow:localtime = yes
  #******* snapshot end *************

  #access based share enum = yes

  vfs objects = shadow_copy2

  #*********** FOR AUDIT *******************************************************
  #vfs objects = full_audit vfs  shadow_copy2
  #full_audit:prefix = ___@@@sTrAuDitL1n3€€€£___%T|%i|%U|%I|%P

  
  #full_audit:success =   chflags  chmod  chown  close    connect  disconnect    lock   mkdir  mknod  open  opendir   read   rename   rmdir     write unlink pread pwrite
  #full_audit:success = all
  #full_audit:failure = chdir  chflags  chmod  chown    closedir  connect    fchmod  fchown    lock    mkdir  mknod  open  opendir  pwrite  read  removexattr  rename    rmdir    write unlink
  #full_audit:facility = LOCAL6
  #full_audit:priority = DEBUG

  #*********** END AUDIT *******************************************************
  include = /samba/servers_config/%i

   #####include = /etc/samba/servers/ALL_CONF
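A check a defender can run against a report like this one: model what the share-level policy (valid users, write list, read only) and the forced POSIX identity (force user / force group) would grant, so that a denial can be attributed to a layer the config does not explain. This is an added example, not code from the bug report or from Samba; it implements a simplified reading of Samba's list rules (plain names match the user, @/+/& entries match a UNIX group, read only defaults to yes), and the dirsan_Rifiuti_ro membership is an assumed sample value.

```python
import re

# Constructed sample: the [Rifiuti] section and the memberUid list quoted in the report
SHARE_CONF = """
[Rifiuti]
path = /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
valid users = @dirsan_Rifiuti_ro,@dirsan_Rifiuti_rw
write list  = @dirsan_Rifiuti_rw
force user = nobody
force group = dirsan_quota
"""
GROUPS = {
    "dirsan_Rifiuti_rw": {"a.ciucci", "m.dalco", "a.fiaschi"},  # from smbldap-groupshow
    "dirsan_Rifiuti_ro": {"g.rossi"},  # assumed sample membership, not on the page
}

def parse_share(text):
    """Parse one smb.conf share section into {parameter: value}; comments skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":
            continue
        key, _, value = line.partition("=")
        params[" ".join(key.lower().split())] = value.strip()
    return params

def in_list(user, value, groups):
    """Samba list semantics: '@g', '+g', '&g' mean members of group g, else a user name."""
    for entry in (e for e in re.split(r"[,\s]+", value) if e):
        if entry[0] in "@+&" and user in groups.get(entry[1:], set()):
            return True
        if entry == user:
            return True
    return False

def share_access(user, share, groups):
    """Return 'none', 'ro' or 'rw' from valid users, write list and read only/writeable."""
    if "valid users" in share and not in_list(user, share["valid users"], groups):
        return "none"
    if "write list" in share and in_list(user, share["write list"], groups):
        return "rw"
    if "read only" in share:
        read_only = share["read only"].lower() in ("yes", "true", "1")
    else:  # writeable/writable are the inverse synonyms; default is read only = yes
        read_only = share.get("writeable", share.get("writable", "no")).lower() not in ("yes", "true", "1")
    return "ro" if read_only else "rw"

def posix_access(mode, owner, group, as_user, as_groups):
    """r/w/x bits the forced identity gets on a path with the given owner, group and mode."""
    bits = mode >> 6 if as_user == owner else mode >> 3 if group in as_groups else mode
    return "".join(c for c, b in zip("rwx", (4, 2, 1)) if bits & b)
```

For the report's values, share_access("a.fiaschi", ...) yields "rw" and posix_access(0o777, "nobody", "dirsan_quota", "nobody", {"dirsan_quota"}) yields "rwx", so neither the share policy nor the directory mode accounts for the ACCESS_DENIED; the next thing to verify is whether the LDAP group actually resolves for the session (for example with `id a.fiaschi` on the server and the auth/passdb log lines at the raised log level).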
