LinuxQuestions.org


varouj 12-27-2012 02:34 PM

Permission Problem on a Samba3 Share in a Samba4 Domain.
 
Hello everyone
I have reached the end of my rope and desperately need help.
I have recently installed two Samba4 Active Directory Domain Controllers which are working perfectly, and I have joined a Samba3 server to this domain and everything went well. I can authenticate users on the Samba3 server and can see all the groups in the domain. The problem I am having is accessing the share that I have created on the Samba3 server. I can see the share from a Windows XP or Windows 7 box, but when I try to access it I get “Access Denied”. When I look at the security tab of the share from any of the Windows PCs, I can see the “Domain Admins” and the Owner listed, but the permissions are blank, and when I try to set the permissions I get “Access Denied”. Kinit and klist work fine. NTP is set correctly and the server and domain controller times are identical.


Here are my configuration files and the commands that I have run.


[root@Samba3 ~]# cat /etc/krb5.conf
[libdefaults]
ticket_lifetime = 24h
default_realm = DOMAIN.COMPANY.COM
# default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
# default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = true
[realms]
DOMAIN.COMPANY.COM = {
kdc = 192.168.1.101
default_domain = DOMAIN.COMPANY.COM
}
[domain_realm]
.domain.company.com = DOMAIN.COMPANY.COM
domain.company.com = DOMAIN.COMPANY.COM
[kdc]
profile = /etc/krb5kdc/kdc.conf
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.logog

[root@Samba3 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.128 samba3.domain.company.com samba3
192.168.1.101 samba-ad.domain.company.com samba-ad





[root@Samba3 ~]# cat /etc/samba/smb.conf
[global]
netbios name = Samba3
workgroup = DOMAIN
realm = DOMAIN.COMPANY.COM
preferred master = no
server string = Samba File Server
security = ads
encrypt passwords = yes

log level = 3
log file = /var/log/samba/log.%m
max log size = 50
printcap name = cups
printing = cups

winbind enum users = yes
winbind enum groups = yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +

idmap uid = 600-20000
idmap gid = 600-20000
os level = 20

password server = *
dns proxy = no
template shell = /bin/bash
template homedir = /home/%U



[Data]
comment = The Old Novel O-Drive
path = /data
browseable = yes
read only = no
inherit acls = yes
inherit permissions = yes
create mask = 700
directory mask = 700
valid users = "DOMAIN+vavanessians"
admin users = "DOMAIN+vavanessians"





/etc/nsswitch.conf
passwd: compat winbind
shadow: compat
group: compat winbind


[root@Samba3 ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so cached_login use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account sufficient [default=bad success=ok user_unkown=ignore] pam_krb5.so
account sufficient [default = bad success=ok user_unknown=ignore] pam_winbind.so cached_login use_first_pass
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so cached_login use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
session required pam_winbind.so use_first_pass

Here is the result of the commands that I ran:



[root@Samba3 ~]# ls -ld /data
drwxrwxrwx+ 2 vavanessians domain admins 4096 Dec 21 11:05 /data

[root@Samba3 ~]# getfacl /data
getfacl: Removing leading '/' from absolute path names
# file: data
# owner: vavanessians
# group: domain\040admins
user::rwx
user:vavanessians:rwx
group::rwx
mask::rwx
other::rwx

[root@Samba3 ~]# wbinfo -u
vavanessians
vadam
fsalam
enaja
administrator
krbtgt
guest


[root@Samba3 ~]# wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins
it

[root@localhost ~]# ssh vavanessians@samba3
vavanessians@samba3's password:
Last login: Thu Dec 27 09:58:54 2012 from 192.1681.1.145
Could not chdir to home directory /home/vavanessians: No such file or directory
-bash-4.1$


[root@Samba3 ~]# wbinfo --group-info="Domain Admins"
domain admins:*:605:vavanessians,enaja,fsalam,administrator

Any help is greatly appreciated.

Ser Olmy 12-27-2012 02:43 PM

Perhaps a silly question, but have you mounted the file system with ACL support enabled? This is not the default on all distributions, and getfacl/setfacl works anyway if the file system itself supports ACLs, but the ACL is not actually enforced.

varouj 12-27-2012 03:59 PM

Thank you for your quick reply. The distribution I am using is CentOS 6.3 and I have enabled acl in /etc/fstab.

[root@Samba3 ~]# mount
/dev/mapper/vg_samba3-lv_root on / type ext4 (rw,acl)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw,rootcontext="system_u:object_r:tmpfs_t:s0")
/dev/sda1 on /boot type ext4 (rw)
/dev/mapper/vg_samba3-lv_usr on /usr type ext4 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
gvfs-fuse-daemon on /root/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev)

I am puzzled as everything seems to work except permissions.

Ser Olmy 12-27-2012 04:12 PM

Don't you need extended attributes (xattr) as well on a file system hosting a Samba share?

varouj 12-27-2012 05:06 PM

Once again, thanks for your quick response. I added user_xattr to the file system, but still had the same problem. However, your suggestions led me to look at SELinux. SELinux seems to be the problem: I changed its setting from "enforcing" to "disabled" and it seems to have fixed the problem. I wonder if there is a way around this?

Thanks again for your timely help.
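
Added example, not part of the original posts: the last post asks for a way around disabling SELinux. This shell sketch scans AVC denials for the smbd_t domain and prints the relabel commands that let the share work with SELinux left enforcing. The log lines are constructed, and the assumption that /data carries a non-Samba label such as default_t is not confirmed by the thread.

```shell
#!/bin/sh
# Constructed sample of /var/log/audit/audit.log (not taken from the thread).
sample_audit() {
cat <<'EOF'
type=AVC msg=audit(1356642000.101:812): avc:  denied  { read } for  pid=2214 comm="smbd" name="data" dev=dm-0 ino=131073 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1356642000.417:813): avc:  denied  { setattr } for  pid=2214 comm="smbd" name="data" dev=dm-0 ino=131073 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1356642050.002:820): avc:  denied  { write } for  pid=990 comm="httpd" name="tmp" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
EOF
}

# Read audit log lines on stdin; for every denial whose source domain is
# smbd_t, print "<target type> <object class> <permissions>".
smbd_denials() {
  awk '
    /type=AVC/ && /denied/ && /scontext=[^ ]*:smbd_t:/ {
      perm = $0;  sub(/.*[{] /, "", perm);     sub(/ [}].*/, "", perm)
      tctx = $0;  sub(/.*tcontext=/, "", tctx); sub(/ .*/, "", tctx)
      cls  = $0;  sub(/.*tclass=/, "", cls);    sub(/ .*/, "", cls)
      split(tctx, f, ":")          # user:role:type:level
      print f[3], cls, perm
    }'
}

# $1 = share path, audit log on stdin. If smbd was denied on anything that
# is not already samba_share_t, print (do not run) the commands that label
# the path for Samba persistently. Returns 1 when there is nothing to fix.
suggest_fix() {
  types=$(smbd_denials | awk '{print $1}' | sort -u | grep -vx samba_share_t || true)
  if [ -z "$types" ]; then
    echo "no smbd_t denials on non-share types" >&2
    return 1
  fi
  printf 'semanage fcontext -a -t samba_share_t "%s(/.*)?"\n' "$1"
  printf 'restorecon -Rv %s\n' "$1"
}

# On a real host: ausearch -m avc -c smbd | suggest_fix /data
sample_audit | smbd_denials
sample_audit | suggest_fix /data
```

`ls -Zd /data` shows the label currently on the share directory. The `samba_export_all_rw` boolean is the coarser alternative when relabelling the path is not an option.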


All times are GMT -5.