[Bug 1743354] Re: samba with backend ldap: can not access share or file even if user is authorized : NT_STATUS_ACCESS_DENIED
alberto fiaschi
alberto.fiaschi at gmail.com
Wed Jan 24 09:23:12 UTC 2018
Moreover, all shared files are owned by the local user nobody and all shares
have the option force user = nobody. See a share config example:
[Staff]
comment = Staff DAI
path = /samba/shares/DAI/groups/dip_staff
shadow:format = %Y-%m-%d_%H.%M.%S--5d
shadow:sort = desc
shadow:snapdir = /samba/shares/DAI/.zfs/snapshot
shadow:basedir = /samba/shares/DAI
shadow:localtime = yes
valid users = @dai_dip_staff_ro,@dai_dip_staff_rw
write list = @dai_dip_staff_rw
force user = nobody
force group = dai_quota
----------------------------------------------------------------
"Imagination is more important than knowledge." - Albert Einstein
Alberto M. Fiaschi
http://it.linkedin.com/pub/alberto-fiaschi/38/783/a5
2018-01-23 17:22 GMT+01:00 alberto fiaschi <alberto.fiaschi at gmail.com>:
>
> 2018-01-23 13:25 GMT+01:00 Andreas Hasenack <andreas at canonical.com>:
>
>> Thanks for filing this bug in Ubuntu.
>>
>> When the problem occurs, does the command "id <user>" show the correct
>> group membership info for the affected <user>?
>
> Yes: id shows all groups.
>
>> Do you have any sort of NSS caching service running, like nscd? If yes,
>> you should perhaps disable it.
>
> Yes, but the problem happens randomly on users and groups present in LDAP
> and not changed for a long time.
>
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1743354
Title:
samba with backend ldap: can not access share or file even if user is
authorized : NT_STATUS_ACCESS_DENIED
Status in samba package in Ubuntu:
New
Bug description:
Ubuntu 16.04.3 LTS - Version 4.3.11-Ubuntu.
For some days now, users cannot access some files although the user has all the rights.
As a solution I have to do a chmod a+rwx on the files involved.
Now it happens that users authorized to a new shared folder cannot use it (log file attached).
User a.fiaschi is in group dirsan_Rifiuti_rw but gets NT_STATUS_ACCESS_DENIED.
Share config is:
[Rifiuti]
comment = Rifiuti
path = /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
#*********** ZFS snapshot
#vfs objects = shadow_copy2
shadow:format = %Y-%m-%d_%H.%M.%S--5d
shadow:sort = desc
shadow:snapdir = /samba/shares/Dirsanitaria/groups/dirsan/.zfs/snapshot
shadow:basedir = /samba/shares/Dirsanitaria/groups/dirsan
shadow:localtime = yes
#******* snapshot end *************
valid users = @dirsan_Rifiuti_ro,@dirsan_Rifiuti_rw
write list = @dirsan_Rifiuti_rw
force user = nobody
force group = dirsan_quota
#_______ FINE AUTO ADD Rifiuti ________
ls -ald /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
drwxrwxrwx 2 nobody dirsan_quota 3 Jan 15 11:18 /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
smbldap-groupshow dirsan_Rifiuti_rw
dn: cn=dirsan_Rifiuti_rw,ou=Groups,ou=aoup,ou=samba,ou=servizi,dc=aop,dc=int
objectClass: top,posixGroup,sambaGroupMapping
cn: dirsan_Rifiuti_rw
gidNumber: 6490
sambaSID: S-1-5-21-1146166441-2403190732-1965087569-13981
sambaGroupType: 2
displayName: dirsan_Rifiuti_rw
memberUid: a.ciucci,m.dalco,a.fiaschi
global config :
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# For a step to step guide on installing, configuring and using samba,
# read the Samba-HOWTO-Collection. This may be obtained from:
# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the
# Samba-Guide which is generated daily and can be downloaded from:
# http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
workgroup = AOUP
SERVER ROLE = CLASSIC PRIMARY DOMAIN CONTROLLER
# server string is the equivalent of the NT Description field
server string = AOUPSRV file server
# IPv4 latency OPTIMISATIONS ....
#socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
#socket options = IPTOS_LOWDELAY TCP_NODELAY
kernel oplocks = yes
# listen only on the configured interface/IP
#bind interfaces only = yes
#interfaces = 127.0.0.1/8 172.24.81.0/24
# for security against man in the middle
server signing = mandatory
# SHOULD BE ENABLED, BUT THERE ARE OLD MACHINES: disables the old, easily crackable authentication
#ntlm auth = no
#----
netbios name = zfs-cis
#passdb backend = ldapsam:ldap://ldap.aop.int/
#passdb backend = ldapsam:"ldap://172.29.10.51/ ldap://172.29.10.52/"
#passdb backend = ldapsam:"ldapi://%2fvar%2frun%2fldapi/ ldap://ldap.aop.int/"
passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://ldap.aop.int/ ldap://172.29.10.180/ ldap://172.29.10.181/"
# unix socket on /var/run/ldapi
#passdb backend = ldapsam:ldapi://%2fvar%2frun%2fldapi/
client NTLMv2 auth = yes
client lanman auth = no
#---- ESSENTIAL FOR win8: map to guest = Bad User
#map to guest = Bad User
##---- ESSENTIAL FOR win8: map to guest = Bad User
#
#TEST -----------------------
# END TEST -------------------
restrict anonymous = 2
map to guest = never
usershare allow guests = no
#posix locking = No
log file = /var/log/samba/%I.log
#log level = 255
log level = 1 auth:2 passdb:2 idmap:2
hide dot files = yes
max log size = 5000
time server = Yes
deadtime = 25
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
local master =yes
logon script = logon.bat
#ldap ssl = start tls
ldap ssl = off
ldap admin dn = cn=manager,dc=aop,dc=int
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Users
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
add user script = /usr/sbin/smbldap-useradd -m
add group script = /usr/sbin/smbldap-groupadd -p
add user to group script = /usr/sbin/smbldap-groupmod -m
delete user from group script = /usr/sbin/smbldap-groupmod -x
set primary group script = /usr/sbin/smbldap-usermod -g
add machine script = /usr/sbin/smbldap-useradd -w
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
ldap suffix = ou=aoup,ou=samba,ou=servizi,dc=aop,dc=int
ldap user suffix = ou=Users
create mask = 0777
directory mask = 0777
nt acl support = No
case sensitive = No
# disable printer support
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
#wins server = 172.29.10.128
wins support = yes
wins proxy = yes
dns proxy = yes
debug uid = yes
####### trying to remove smb ports = 139
# IO OPTIMISATION
min receivefile size = 16384
use sendfile = true
strict allocate = Yes
aio read size = 16384
aio write size = 16384
write cache size = 65536
# end-------- IO OPTIMISATION
map hidden = no
map system = no
map archive = no
map readonly = no
store dos attributes = yes
strict locking = no
follow symlinks = yes
unix extensions = yes
#unix charset = utf-8
#dos charset = cp1250
dos charset = 850
unix charset = ISO8859-1
# TO BE REMOVED FOR WINDOWS 10 and the use of SMB2 and SMB3
#smb ports = 139
# added to try encryption for clients from Windows 8 upwards ....
# IF IT WEIGHS ON THE CPU, REMOVE IT !!!!!!!!!!!!!!!!!!!!!!!!!!!
smb encrypt = desired
#smb encrypt = off
## ********************************************************************************************
## ********************************************************************************************
## ********************************************************************************************
# PUT BACK IF IT DOES NOT WORK WITH WINDOWS 10 ip filter
# Added for now for WINDOWS 10: force the old protocol, otherwise there is no netbios name
#server min protocol = NT1
#
#server max protocol = NT1
#client ipc max protocol = NT1
## ********************************************************************************************
# test hiding shares without rights with secureshare
#vfs objects = acl_xattr
#map acl inherit = yes
# end test hide share -------------------------------
#*********** ZFS snapshot
#vfs objects = shadow_copy2
#shadow:format = %Y-%m-%d_%H.%M.%S--8d
#shadow:sort = desc
#shadow:snapdir = /samba/share/.zfs/snapshot
#shadow:basedir = /samba/share
#shadow:localtime = yes
#******* snapshot end *************
#access based share enum = yes
vfs objects = shadow_copy2
#*********** FOR AUDIT *******************************************************
#vfs objects = full_audit vfs shadow_copy2
#full_audit:prefix = ___@@@sTrAuDitL1n3€€€£___%T|%i|%U|%I|%P
#full_audit:success = chflags chmod chown close connect disconnect lock mkdir mknod open opendir read rename rmdir write unlink pread pwrite
#full_audit:success = all
#full_audit:failure = chdir chflags chmod chown closedir connect fchmod fchown lock mkdir mknod open opendir pwrite read removexattr rename rmdir write unlink
#full_audit:facility = LOCAL6
#full_audit:priority = DEBUG
#*********** END FOR AUDIT **************************************************
include = /samba/servers_config/%i
#####include = /etc/samba/servers/ALL_CONF
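The two observations in the report map onto two different checks. "id <user>" showing the right groups only covers the share-level name lists (valid users / write list), while the chmod a+rwx workaround acts on the POSIX permissions that the forced identity (force user = nobody, force group = dirsan_quota) is evaluated against; either gate can produce NT_STATUS_ACCESS_DENIED. The script below, an added example that is not part of the bug report or of Samba's own code, parses an smb.conf fragment mirroring the [Rifiuti] share, evaluates both gates for a user and says which one denies. The uid/gid numbers (apart from gid 6490 from the report), the group memberships and the stray-file stat are constructed assumptions, and the force user / force group token handling is a simplified model of what smbd does.

```python
"""Offline checker for the two gates a Samba share access must pass: the
share-level name lists (valid users / read list / write list) and the POSIX
permissions seen by the identity smbd runs the connection as (force user /
force group). Added example, not code from the bug report or from Samba; the
uid/gid numbers (except gid 6490) and group memberships are assumptions."""
import re

# Constructed smb.conf fragment mirroring the [Rifiuti] share in the report.
SMB_CONF = """
[Rifiuti]
   path = /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
   valid users = @dirsan_Rifiuti_ro,@dirsan_Rifiuti_rw
   write list = @dirsan_Rifiuti_rw
   force user = nobody
   force group = dirsan_quota
"""
# Constructed stand-ins for `getent passwd`, `getent group` and `id -Gn`.
PASSWD = {"nobody": (65534, 65534), "a.fiaschi": (6001, 100),      # (uid, gid)
          "m.rossi": (6002, 100), "b.bianchi": (6003, 100)}
GROUPS = {"nogroup": 65534, "users": 100, "dirsan_quota": 6500,
          "dirsan_Rifiuti_ro": 6489, "dirsan_Rifiuti_rw": 6490}
MEMBERS = {"nobody": {"nogroup"}, "a.fiaschi": {"users", "dirsan_Rifiuti_rw"},
           "m.rossi": {"users", "dirsan_Rifiuti_ro"}, "b.bianchi": {"users"}}

def parse_smb_conf(text):
    """Minimal smb.conf parser. Samba ignores case and internal whitespace in
    parameter names ('SERVER ROLE' == 'server role'), so keys are normalised."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        head = re.match(r"^\[(.+)\]$", line)
        if head:
            section = head.group(1).strip()
            conf[section] = {}
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def in_name_list(user, value):
    """smb.conf(5) name-list semantics, simplified: bare token = user name,
    '@' or '+' prefix = unix group; '&' (NIS netgroup) is not resolved here."""
    for tok in re.split(r"[,\s]+", value.strip()):
        if not tok or tok[0] == "&":
            continue
        if tok[0] in "@+" and tok[1:] in MEMBERS.get(user, set()):
            return True
        if tok[0] not in "@+" and tok == user:
            return True
    return False

def share_access(s, user):
    """Gate 1: ('denied' | 'ro' | 'rw', reason) from the share's name lists."""
    def yes(v): return v.strip().lower() in ("yes", "true", "1")
    if in_name_list(user, s.get("invalid users", "")):
        return "denied", "listed in invalid users"
    if s.get("valid users") and not in_name_list(user, s["valid users"]):
        return "denied", "not in valid users"
    if in_name_list(user, s.get("write list", "")):
        return "rw", "in write list"
    if in_name_list(user, s.get("read list", "")):
        return "ro", "in read list"
    # 'read only' defaults to yes; 'writable'/'writeable' is its inverse
    writable = yes(s.get("writable", s.get("writeable", "no"))) or not yes(s.get("read only", "yes"))
    return ("rw", "share is writable") if writable else ("ro", "share is read only")

def effective_identity(s, user):
    """Identity smbd switches to: 'force user' replaces the uid and group set,
    'force group' the primary gid (simplified model of Samba's token handling)."""
    name = s.get("force user", user)
    uid, gid = PASSWD[name]
    gid = GROUPS[s["force group"]] if "force group" in s else gid
    return name, uid, {gid} | {GROUPS[g] for g in MEMBERS.get(name, set())}

def posix_perms(uid, gids, owner, group, mode):
    """Gate 2: classic owner/group/other bit selection; uid 0 bypasses."""
    if uid == 0:
        return True, True
    bits = mode >> 6 if uid == owner else mode >> 3 if group in gids else mode
    return bool(bits & 4), bool(bits & 2)

def diagnose(conf, share, user, owner, group, mode):
    """Run both gates for `user` on an object with the given owner/group/mode
    and name the gate that produces the denial."""
    s = {**conf.get("global", {}), **conf[share]}   # share values override global
    level, why = share_access(s, user)
    out = {"share": level, "why": why}
    if level == "denied":
        out["verdict"] = "denied by share lists"
        return out
    name, uid, gids = effective_identity(s, user)
    can_read, can_write = posix_perms(uid, gids, owner, group, mode)
    out.update(runs_as=name, posix_read=can_read, posix_write=can_write)
    if not can_read:
        out["verdict"] = f"NT_STATUS_ACCESS_DENIED from the filesystem: {name} cannot read"
    elif level == "rw" and not can_write:
        out["verdict"] = f"read-only in practice: {name} cannot write"
    else:
        out["verdict"] = level
    return out

if __name__ == "__main__":
    cfg = parse_smb_conf(SMB_CONF)
    share_dir = (PASSWD["nobody"][0], GROUPS["dirsan_quota"], 0o777)  # the ls -ald in the report
    stray_file = (0, 0, 0o600)  # constructed: a file in the share not owned by nobody
    for u in ("a.fiaschi", "m.rossi", "b.bianchi"):
        print(u, "->", diagnose(cfg, "Rifiuti", u, *share_dir)["verdict"])
    print("a.fiaschi on root:root 0600 ->", diagnose(cfg, "Rifiuti", "a.fiaschi", *stray_file)["verdict"])
```

On the share directory from the report (nobody:dirsan_quota, 0777) the rw member passes both gates, the ro member gets read-only, and a user in neither group is refused by the share lists. On a file inside the share that is not owned by nobody and carries no group or other bits, the share lists still say rw but the forced identity nobody cannot even read it, which is the case a chmod a+rwx would paper over. Against a real server, replace the PASSWD/GROUPS/MEMBERS stand-ins with getent and id output and the stat triple with os.stat of the object that fails.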