LinuxQuestions.org
Old 12-27-2012, 02:34 PM   #1
varouj
LQ Newbie
 
Registered: Oct 2012
Posts: 8

Rep: Reputation: Disabled
Permission Problem on a Samba3 Share in a Samba4 Domain.


Hello everyone
I have reached the end of my rope and desperately need help.
I have recently installed two Samba4 Active Directory Domain Controllers which are working perfectly, and I have joined a Samba3 Server to this domain and everything went well. I can authenticate users on the Samba3 server and can see all the groups in the domain. The problem I am having is accessing the share that I have created on the Samba3 server. I can see the Share from a Windows XP or Windows 7 box, but when I try to access it I get “Access Denied”. When I look at the security tab of the Share from any of the Windows PCs, I can see the “Domain Admins” and the Owner listed, but the permissions are blank, and when I try to set the permissions I get “Access Denied”. Kinit and Klist work fine. The ntp is set correctly and the server and domain controller times are identical.


Here are my configuration files and the commands that I have run.


[root@Samba3 ~]# cat /etc/krb5.conf
[libdefaults]
ticket_lifetime = 24h
default_realm = DOMAIN.COMPANY.COM
# default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
# default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = true
[realms]
DOMAIN.COMPANY.COM = {
kdc = 192.168.1.101
default_domain = DOMAIN.COMPANY.COM
}
[domain_realm]
.domain.company.com = DOMAIN.COMPANY.COM
domain.company.com = DOMAIN.COMPANY.COM
[kdc]
profile = /etc/krb5kdc/kdc.conf
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.logog

[root@Samba3 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.128 samba3.domain.company.com samba3
192.168.1.101 samba-ad.domain.company.com samba-ad





[root@Samba3 ~]# cat /etc/samba/smb.conf
[global]
netbios name = Samba3
workgroup = DOMAIN
realm = DOMAIN.COMPANY.COM
preferred master = no
server string = Samba File Server
security = ads
encrypt passwords = yes

log level = 3
log file = /var/log/samba/log.%m
max log size = 50
printcap name = cups
printing = cups

winbind enum users = yes
winbind enum groups = yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +

idmap uid = 600-20000
idmap gid = 600-20000
os level = 20

password server = *
dns proxy = no
template shell = /bin/bash
template homedir = /home/%U



[Data]
comment = The Old Novel O-Drive
path = /data
browseable = yes
read only = no
inherit acls = yes
inherit permissions = yes
create mask = 700
directory mask = 700
valid users = "DOMAIN+vavanessians"
admin users = "DOMAIN+vavanessians"





/etc/nsswitch.conf
passwd: compat winbind
shadow: compat
group: compat winbind


[root@Samba3 ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so cached_login use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account sufficient [default=bad success=ok user_unkown=ignore] pam_krb5.so
account sufficient [default = bad success=ok user_unknown=ignore] pam_winbind.so cached_login use_first_pass
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so cached_login use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
session required pam_winbind.so use_first_pass

Here is the result of the commands that I ran:



[root@Samba3 ~]# ls -ld /data
drwxrwxrwx+ 2 vavanessians domain admins 4096 Dec 21 11:05 /data

[root@Samba3 ~]# getfacl /data
getfacl: Removing leading '/' from absolute path names
# file: data
# owner: vavanessians
# group: domain\040admins
user::rwx
user:vavanessians:rwx
group::rwx
mask::rwx
other::rwx

[root@Samba3 ~]# wbinfo -u
vavanessians
vadam
fsalam
enaja
administrator
krbtgt
guest


[root@Samba3 ~]# wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins
it

[root@localhost ~]# ssh vavanessians@samba3
vavanessians@samba3's password:
Last login: Thu Dec 27 09:58:54 2012 from 192.1681.1.145
Could not chdir to home directory /home/vavanessians: No such file or directory
-bash-4.1$


[root@Samba3 ~]# wbinfo --group-info="Domain Admins"
domain admins:*:605:vavanessians,enaja,fsalam,administrator

Any help is greatly appreciated.
 
Old 12-27-2012, 02:43 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 1,821

Rep: Reputation: Disabled
Perhaps a silly question, but have you mounted the file system with ACL support enabled? This is not the default on all distributions, and getfacl/setfacl works anyway if the file system itself supports ACLs, but the ACL is not actually enforced.
 
Old 12-27-2012, 03:59 PM   #3
varouj
LQ Newbie
 
Registered: Oct 2012
Posts: 8

Original Poster
Rep: Reputation: Disabled
Permission Problem on a Samba3 Share in a Samba4 Domain.

Thank you for your quick reply. The distribution I am using is CentOS 6.3 and I have enabled acl in /etc/fstab.

[root@Samba3 ~]# mount
/dev/mapper/vg_samba3-lv_root on / type ext4 (rw,acl)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw,rootcontext="system_u:object_r:tmpfs_t:s0")
/dev/sda1 on /boot type ext4 (rw)
/dev/mapper/vg_samba3-lv_usr on /usr type ext4 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
gvfs-fuse-daemon on /root/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev)

I am puzzled as everything seems to work except permissions.
 
Old 12-27-2012, 04:12 PM   #4
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 1,821

Rep: Reputation: Disabled
Don't you need extended attributes (xattr) as well on a file system hosting a Samba share?
 
Old 12-27-2012, 05:06 PM   #5
varouj
LQ Newbie
 
Registered: Oct 2012
Posts: 8

Original Poster
Rep: Reputation: Disabled
Permission Problem on a Samba3 Share in a Samba4 Domain.

Once again, thanks for your quick response. I added the user_xattr to the file system, but still had the same problem. However, your suggestions led me to look at SELinux. SELinux seems to be the problem; I changed its setting from "enforcing" to "disabled" and it seems to have fixed the problem. I wonder if there is a way around this?

Thanks again for your timely help.
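
Added example, not part of the thread: one way to keep SELinux enforcing is to find what smbd was denied and label the share path for Samba instead. It assumes the common CentOS 6 case where smbd (domain smbd_t) is blocked on a directory that lacks the samba_share_t type; the audit records are constructed and the function names are hypothetical.

```shell
#!/bin/bash
# Added example. The audit records below are constructed, not from the thread.
sample_audit() {
cat <<'EOF'
type=AVC msg=audit(1356645240.101:411): avc:  denied  { read } for  pid=2345 comm="smbd" name="data" dev=dm-0 ino=131073 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1356645240.105:412): avc:  denied  { getattr } for  pid=2345 comm="smbd" path="/data" dev=dm-0 ino=131073 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1356645241.310:413): avc:  denied  { read write } for  pid=2345 comm="smbd" name="data" dev=dm-0 ino=131073 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1356645301.220:420): avc:  denied  { write } for  pid=2399 comm="httpd" name="upload" dev=dm-0 ino=140001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=USER_AUTH msg=audit(1356645310.000:421): pid=2500 uid=0 msg='op=PAM:authentication acct="vavanessians" exe="/usr/sbin/sshd" res=success'
EOF
}

# Summarise smbd AVC denials on stdin as: <target type> <class> <perm,perm,...>
smbd_denied_types() {
  awk '
    /^type=AVC/ && / denied / && /comm="smbd"/ {
      ttype = ""; class = ""; plist = ""
      # Permission list sits between "{ " and " }"
      if (match($0, /[{] [^}]* [}]/)) plist = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }  # user:role:TYPE:level
        if ($i ~ /^tclass=/)   class = substr($i, 8)
      }
      key = ttype " " class
      if (!(key in perms)) { order[++n] = key; perms[key] = "" }
      np = split(plist, p, " ")
      for (j = 1; j <= np; j++) if (!((key, p[j]) in seen)) {
        seen[key, p[j]] = 1
        perms[key] = perms[key] (perms[key] == "" ? "" : ",") p[j]
      }
    }
    END { for (i = 1; i <= n; i++) print order[i], perms[order[i]] }'
}

# Print (not run) the commands that persistently label a share path for smbd.
relabel_commands() {
  printf "semanage fcontext -a -t samba_share_t '%s(/.*)?'\n" "$1"
  printf 'restorecon -Rv %s\n' "$1"
}

sample_audit | smbd_denied_types   # which types smbd was refused on
relabel_commands /data             # the share path from the [Data] section
```

On the real host the input would come from `ausearch -m avc -c smbd` or /var/log/audit/audit.log, and the printed commands are run as root. Permissive mode logs the same denials without blocking, which allows collecting them without disabling SELinux.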
 
  

