[Bug 1743354] Re: samba with backend ldap: can not access share or file even if user is authorized : NT_STATUS_ACCESS_DENIED
Andreas Hasenack
andreas at canonical.com
Wed May 30 18:22:20 UTC 2018
In another comment you said you had to chmod files so the user would get
access, correct? Are you using, or relying on, posix ACLs? If yes, did
you enable that support in the zfs datasets you are exporting?
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1743354
Title:
samba with backend ldap: can not access share or file even if user is
authorized : NT_STATUS_ACCESS_DENIED
Status in samba package in Ubuntu:
New
Bug description:
Ubuntu 16.04.3 LTS - version 4.3.11-Ubuntu.
For some days users have not been able to access some files, although they have all the rights.
As a workaround I have to run chmod a+rwx on the files involved.
Now users who are authorized for a new shared folder cannot use it (log file attached).
User a.fiaschi is in group dirsan_Rifiuti_rw but gets NT_STATUS_ACCESS_DENIED.
The share config is:
[Rifiuti]
# Share definition as quoted in the bug report.
comment = Rifiuti
path = /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
#*********** ZFS snapshot
# The share-level module line below is commented out, so shadow_copy2 is only
# active here if it is inherited from [global] (the global section quoted
# later in this message does set "vfs objects = shadow_copy2"); the shadow:*
# keys are read by that module.
#vfs objects = shadow_copy2
shadow:format = %Y-%m-%d_%H.%M.%S--5d
shadow:sort = desc
shadow:snapdir = /samba/shares/Dirsanitaria/groups/dirsan/.zfs/snapshot
shadow:basedir = /samba/shares/Dirsanitaria/groups/dirsan
shadow:localtime = yes
#******* snapshot end *************
# NOTE(review): " at " in the next line is presumably the mailing-list
# archive's rewriting of "@" (compare the author address at the top of the
# page); the real line is then "@dirsan_Rifiuti_ro, @dirsan_Rifiuti_rw", i.e.
# two group names. Only members of these groups may connect; with "read only"
# left at its default (yes) the ro group gets read access, and "write list"
# below grants write access to the rw group.
valid users = @dirsan_Rifiuti_ro, at dirsan_Rifiuti_rw
write list = @dirsan_Rifiuti_rw
# Every filesystem operation on this share runs as nobody:dirsan_quota,
# whichever valid user connected; the connecting user's own group membership
# is only consulted for "valid users" / "write list". The ls output in the
# report shows the share root as 0777 nobody:dirsan_quota, so the directory's
# mode bits alone do not explain the denial — check the affected files'
# ownership, mode and any POSIX ACLs on the dataset (the chmod a+rwx
# workaround in the description points the same way).
force user = nobody
force group = dirsan_quota
#_______ END AUTO ADD Rifiuti ________
ls -ald /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
drwxrwxrwx 2 nobody dirsan_quota 3 gen 15 11:18 /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
smbldap-groupshow dirsan_Rifiuti_rw
dn: cn=dirsan_Rifiuti_rw,ou=Groups,ou=aoup,ou=samba,ou=servizi,dc=aop,dc=int
objectClass: top,posixGroup,sambaGroupMapping
cn: dirsan_Rifiuti_rw
gidNumber: 6490
sambaSID: S-1-5-21-1146166441-2403190732-1965087569-13981
sambaGroupType: 2
displayName: dirsan_Rifiuti_rw
memberUid: a.ciucci,m.dalco,a.fiaschi
The global config is:
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# For a step to step guide on installing, configuring and using samba,
# read the Samba-HOWTO-Collection. This may be obtained from:
# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the
# Samba-Guide which is generated daily and can be downloaded from:
# http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]
# Global section as quoted in the bug report. The stock header above says "#"
# is for commentary and ";" for optional parts, but this file uses "#" for
# both; commented-out settings are kept as found.
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
workgroup = AOUP
# smb.conf parameter names are case-insensitive, so this is "server role":
# the NT4-style (non-AD) PDC. It presumably implies "domain logons = yes",
# which is also set explicitly further down.
SERVER ROLE = CLASSIC PRIMARY DOMAIN CONTROLLER
# server string is the equivalent of the NT Description field
server string = AOUPSRV file server
# IPv4 latency tuning (both variants currently disabled) ....
#socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
#socket options = IPTOS_LOWDELAY TCP_NODELAY
kernel oplocks = yes
# listen only on the configured interface/IP (disabled)
#bind interfaces only = yes
#interfaces = 127.0.0.1/8 172.24.81.0/24
# SMB signing is required, as protection against man-in-the-middle tampering
server signing = mandatory
# SHOULD BE ENABLED, but there are old machines, so the easily crackable
# legacy authentication stays allowed. NOTE(review): with this commented out
# the release default applies, which on this 4.3 build presumably still
# accepts NTLMv1; worth re-checking which clients really need it.
#ntlm auth = no
#----
netbios name = zfs-cis
# earlier LDAP URI variants, kept for reference
#passdb backend = ldapsam:ldap://ldap.aop.int/
#passdb backend = ldapsam:"ldap://172.29.10.51/ ldap://172.29.10.52/"
#passdb backend = ldapsam:"ldapi://%2fvar%2frun%2fldapi/ ldap://ldap.aop.int/"
# Several URIs in one quoted string are tried in order (failover), loopback
# first. NOTE(review): together with "ldap ssl = off" below, a fallback bind
# as "ldap admin dn" to the non-loopback servers travels over the network
# unencrypted — confirm that path is trusted, or use ldapi:// / ldaps:// /
# start tls.
passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://ldap.aop.int/ ldap://172.29.10.180/ ldap://172.29.10.181/"
# unix socket on /var/run/ldapi (disabled)
#passdb backend = ldapsam:ldapi://%2fvar%2frun%2fldapi/
# outgoing (client-side) authentication: NTLMv2 only, no LANMAN
client NTLMv2 auth = yes
client lanman auth = no
#----ESSENTIAL FOR win8: map to guest = Bad User (superseded by "never" below)
#map to guest = Bad User
##----ESSENTIAL FOR win8: map to guest = Bad User
#
#TEST -----------------------
# END TEST -------------------
# No anonymous or guest access: failed logins are not mapped to guest and
# usershares may not allow guests.
restrict anonymous = 2
map to guest = never
usershare allow guests = no
#posix locking = No
# %I is the client's IP address: one log file per client
log file = /var/log/samba/%I.log
#log level = 255
# base level 1, with the auth/passdb/idmap classes raised to 2
log level = 1 auth:2 passdb:2 idmap:2
hide dot files = yes
# kilobytes
max log size = 5000
time server = Yes
# minutes of inactivity before an idle connection is dropped
deadtime = 25
# NT4-style domain logons and browse-master election settings
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
local master =yes
# relative to the [netlogon] share (not shown in this report)
logon script = logon.bat
# LDAP: TLS is off (see the note on "passdb backend" above); the password for
# "ldap admin dn" is not in this file but in secrets.tdb.
#ldap ssl = start tls
ldap ssl = off
ldap admin dn = cn=manager,dc=aop,dc=int
ldap delete dn = Yes
# these suffixes are relative to "ldap suffix" below
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Users
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
# account management delegated to smbldap-tools
add user script = /usr/sbin/smbldap-useradd -m
add group script = /usr/sbin/smbldap-groupadd -p
add user to group script = /usr/sbin/smbldap-groupmod -m
delete user from group script = /usr/sbin/smbldap-groupmod -x
set primary group script = /usr/sbin/smbldap-usermod -g
add machine script = /usr/sbin/smbldap-useradd -w
passwd program = /usr/sbin/smbldap-passwd %u
# %n is the new password; "passwd chat" sends \n as a newline
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
ldap suffix = ou=aoup,ou=samba,ou=servizi,dc=aop,dc=int
ldap user suffix = ou=Users
# Every new file and directory is created world-readable and world-writable
# (0777), and with "nt acl support = No" Windows-side ACLs are not mapped, so
# access comes down to these mode bits plus whatever the filesystem itself
# enforces (e.g. POSIX ACLs on the ZFS dataset).
create mask = 0777
directory mask = 0777
nt acl support = No
case sensitive = No
# printer support disabled
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
#wins server = 172.29.10.128
wins support = yes
wins proxy = yes
dns proxy = yes
# adds uid/gid to the debug log headers
debug uid = yes
####### trying to drop "smb ports = 139"
# I/O TUNING
min receivefile size = 16384
use sendfile = true
strict allocate = Yes
aio read size = 16384
aio write size = 16384
write cache size = 65536
# end-------- I/O TUNING
# DOS attributes are not mapped onto the execute bits; they are kept in an
# extended attribute instead
map hidden = no
map system = no
map archive = no
map readonly = no
store dos attributes = yes
strict locking = no
# With "unix extensions = yes" Samba presumably forces "wide links" off, so
# symlinks cannot be used to reach outside a share ("wide links" is not set
# here).
follow symlinks = yes
unix extensions = yes
#unix charset = utf-8
#dos charset = cp1250
# non-UTF-8 on-disk file names
dos charset = 850
unix charset = ISO8859-1
# REMOVE for Windows 10 and the use of SMB2 and SMB3
#smb ports = 139
# added to try encryption for clients from Windows 8 upwards ....
# IF IT LOADS THE CPU, REMOVE !!!!!!!!!!!!!!!!!!!!!!!!!!!
# "desired": SMB3 encryption is negotiated when the client supports it
smb encrypt = desired
#smb encrypt = off
## ********************************************************************************************
## ********************************************************************************************
## ********************************************************************************************
# PUT BACK if it does not work with Windows 10 IP filter
# Added for now for WINDOWS 10: force the old protocol, otherwise there is no NetBIOS name
# (all disabled; pinning NT1 would also turn off SMB2/3 and the encryption above)
#server min protocol = NT1
#
#server max protocol = NT1
#client ipc max protocol = NT1
## ********************************************************************************************
# test: hide shares the user has no rights on, with secure share
#vfs objects = acl_xattr
#map acl inherit = yes
#end test hide share -------------------------------
#*********** ZFS snapshot (global variant, disabled; shares carry their own
# shadow:* keys)
#vfs objects = shadow_copy2
#shadow:format = %Y-%m-%d_%H.%M.%S--8d
#shadow:sort = desc
#shadow:snapdir = /samba/share/.zfs/snapshot
#shadow:basedir = /samba/share
#shadow:localtime = yes
#******* snapshot end *************
#access based share enum = yes
# shadow_copy2 is loaded for every share; the shares only supply shadow:* keys
vfs objects = shadow_copy2
#*********** FOR AUDIT *******************************************************
#vfs objects = full_audit vfs shadow_copy2
#full_audit:prefix = ___@@@sTrAuDitL1n3€€€£___%T|%i|%U|%I|%P
#full_audit:success = chflags chmod chown close connect disconnect lock mkdir mknod open opendir read rename rmdir write unlink pread pwrite
#full_audit:success = all
#full_audit:failure = chdir chflags chmod chown closedir connect fchmod fchown lock mkdir mknod open opendir pwrite read removexattr rename rmdir write unlink
#full_audit:facility = LOCAL6
#full_audit:priority = DEBUG
#*********** END AUDIT **************************************************
# %i is the local IP address the client connected to, so a per-address file
# is included here. Settings in that file override anything above (later
# definitions win in smb.conf) and it may define shares; its contents are not
# part of this report, so the effective config for the affected server is
# not fully visible.
include = /samba/servers_config/%i
#####include = /etc/samba/servers/ALL_CONF
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1743354/+subscriptions