LinuxQuestions.org
#1  Rusty Shackleford (LQ Newbie), 02-10-2014, 12:59 PM
Accessing Samba shares using Winbind


Hello All,

I have a RHEL 6 box set up successfully using winbind. I can SSH over to the Linux box and log on using my AD account. I can also see AD users and groups using wbinfo, etc.

I also have Samba up, sharing out a directory. I can browse to this server and see the directory share from my Windows 7 workstation; however, when I click on the share it says "access denied". I cannot figure out why my AD account is getting access denied on this share.

Below are my global settings and my share config.

Any help would be appreciated!

#======================= Global Settings =====================================

[global]
#--authconfig--start-line--

# Generated by authconfig on 2013/11/05 12:07:43
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

workgroup = myworkgroup
password server = domain controller
realm = MYDOMAIN.COM
security = ads
idmap config * : backend = tdb
idmap config * : range = 16777216-33554431
idmap config MYDOMAIN:backend = rid
idmap config MYDOMAIN:range = 100000-199999
idmap config MYDOMAIN:base_rid = 0

# idmap backend = rid
# below line a test
# idmap config * : backend = rid
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
# additional testing - next three lines made no difference
# winbind separator = +
# winbind enum users = yes
# winbind enum groups = yes



#--authconfig--end-line--

# ----------------------- Domain Members Options ------------------------
#
# Security must be set to domain or ads
#
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Use password server option only with security = server or if you can't
# use the DNS to locate Domain Controllers
# The argument list may include:
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
# password server = *


security = domain
passdb backend = tdbsam
realm = MYDOMAIN.COM

password server = domaincontroller.mydomain.com

[testdir]
path = /testdir
write list = "MYDOMAIN+Domain Users"
browseable = yes
guest ok = yes

Last edited by Rusty Shackleford; 02-11-2014 at 10:51 AM.
 
#2  Ser Olmy (Senior Member), 02-10-2014, 02:06 PM
Your smb.conf file contains contradictory settings. First, you have "security = ads" which means Samba is a domain member, but further down you have "security = domain". The latter should be deleted.

The fact that you can log in using an AD account, just means PAM is able to authenticate against AD, probably with pam_winbind. However, Samba doesn't use PAM for user authorization; it can't, due to different hash algorithms being used for Linux and AD password storage.

Do you get prompted for a password if you run kinit <AD_user>@<AD.REALM> (where <AD_user> is any valid user from Active Directory and <AD.REALM> is the AD domain name in all caps), and do you get dropped right back to the command prompt after entering the password? Does klist then show a Kerberos ticket issued by krbtgt?

Did you run net ads join to create a computer account in AD for the Samba server?

Does getent passwd and getent group return objects from AD in addition to any locally defined users/groups?
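As an added example (not from the thread, and not a Samba tool), here is a small Python checker that parses an smb.conf the way this post reads it and reports the contradictions Ser Olmy points at: the same parameter set twice with different values (smbd silently takes the last one), and realm set while the effective security mode is not ads. It adds three checks a practitioner would want on the same file: overlapping idmap ranges, a share with guest ok = yes, and write list entries whose domain qualifier does not match winbind separator. The embedded configuration is the original poster's [global] and [testdir] sections with the comments removed; the check codes and messages are this example's own, and testparm -s remains the authoritative view of what smbd actually loads.

```python
"""Consistency checks for an smb.conf (added example, not a Samba utility)."""
import re
import shlex
from collections import OrderedDict, defaultdict

# Constructed sample: the poster's [global] and [testdir] sections, comments
# stripped and otherwise unchanged, so the checker sees what smbd saw.
SAMPLE_SMB_CONF = """
[global]
workgroup = myworkgroup
password server = domain controller
realm = MYDOMAIN.COM
security = ads
idmap config * : backend = tdb
idmap config * : range = 16777216-33554431
idmap config MYDOMAIN:backend = rid
idmap config MYDOMAIN:range = 100000-199999
idmap config MYDOMAIN:base_rid = 0
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
security = domain
passdb backend = tdbsam
realm = MYDOMAIN.COM
password server = domaincontroller.mydomain.com

[testdir]
path = /testdir
write list = "MYDOMAIN+Domain Users"
browseable = yes
guest ok = yes
"""


def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: [values, in file order]}}.

    Keys are lower-cased with whitespace collapsed and ':' normalised, so
    'idmap config MYDOMAIN : backend' and 'idmap config MYDOMAIN:backend'
    are one key. Every occurrence is kept so duplicates can be reported.
    """
    conf = OrderedDict()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, defaultdict(list))
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", " ", key.strip().lower())
        key = re.sub(r"\s*:\s*", ":", key)
        conf[section][key].append(value.strip())
    return conf


def idmap_ranges(global_conf):
    """Return {domain: (low, high)} from the 'idmap config DOM:range' keys."""
    ranges = {}
    for key, values in global_conf.items():
        m = re.match(r"^idmap config (.+):range$", key)
        if m:
            low, high = values[-1].split("-", 1)
            ranges[m.group(1)] = (int(low), int(high))
    return ranges


def check_smb_conf(conf):
    """Return a list of (code, message) findings; empty means nothing found."""
    findings = []
    g = conf.get("global", {})

    # A parameter set twice with different values: smbd uses the last one,
    # so the earlier 'security = ads' is dead text and 'domain' is what runs.
    for key, values in g.items():
        if len(set(values)) > 1:
            findings.append(("duplicate", "'%s' set to %s; the last value (%s) wins"
                             % (key, values, values[-1])))

    security = g.get("security", ["user"])[-1].lower()
    if "realm" in g and security != "ads":
        findings.append(("realm-without-ads", "realm is set but security = %s; "
                         "realm only applies to security = ads" % security))

    # Overlapping ranges would map SIDs of two domains onto the same uids/gids.
    ranges = idmap_ranges(g)
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(("idmap-overlap",
                                 "idmap ranges for '%s' and '%s' overlap" % (a, b)))

    separator = g.get("winbind separator", ["\\"])[-1]
    for name, share in conf.items():
        if name == "global":
            continue
        if share.get("guest ok", ["no"])[-1].lower() in ("yes", "true", "1"):
            findings.append(("guest-ok", "[%s] guest ok = yes: sessions without "
                             "credentials can connect to this share" % name))
        # A DOMAIN-qualified name whose qualifier is not the configured
        # winbind separator cannot resolve, whatever the rest of the ACL says.
        for entry in shlex.split(share.get("write list", [""])[-1].replace(",", " ")):
            bare = entry.lstrip("@+&")   # @/+/& prefixes mark group entries
            qualifier = "+" if "+" in bare else ("\\" if "\\" in bare else None)
            if qualifier and qualifier != separator:
                findings.append(("write-list-separator",
                                 "[%s] write list entry %r uses %r as domain separator but "
                                 "winbind separator is %r; with winbind use default domain = "
                                 "true write the group as @\"Domain Users\""
                                 % (name, entry, qualifier, separator)))
    return findings


if __name__ == "__main__":
    for code, message in check_smb_conf(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("%-22s %s" % (code, message))
```

On the poster's file this reports two duplicates (password server and security), realm without ads, the guest-enabled share, and the write list entry; the write list point is only a heuristic on the separator character, so confirm any name it flags with getent group before editing the share.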
 
#3  Rusty Shackleford, 02-10-2014, 02:31 PM
Quote: Originally Posted by Ser Olmy (post #2)
I'll address each one.

I ran kinit as <ad_user>@<MYDOMAIN> and received "kinit: Cannot find KDC for requested realm while getting initial credentials".

I then ran klist and got "klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)"

Yes, the SAMBA server is part of the domain.

getent passwd and getent group only show the local users and groups of the Linux server, and none from AD.

Any additional help you can provide would be greatly appreciated.

Thank you.
 
#4  Rusty Shackleford, 02-10-2014, 02:52 PM
Here's a quick update.

If I run kinit <ad_username> with no domain specified, I get a password prompt for <ad_username>@MYDOMAIN. After I enter the password, it drops me back to the command line.
 
#5  Ser Olmy, 02-10-2014, 02:52 PM
getent uses the NSS libraries to perform lookups and resolve object references. Could you post the contents of your /etc/nsswitch.conf file?

The non-functioning kinit may or may not be an issue, depending on the samba version you're running. What does smbd --version report?
 
#6  Rusty Shackleford, 02-10-2014, 03:07 PM
Quote: Originally Posted by Ser Olmy (post #5)
Samba Version 3.6.9-151.el6_4.1

/etc/nsswitch.conf

#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis

passwd: files winbind
shadow: files winbind
group: files winbind

#hosts: db files nisplus nis dns
hosts: files dns

# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

netgroup: files

publickey: nisplus

automount: files
aliases: files nisplus
 
#7  Ser Olmy, 02-10-2014, 03:15 PM
So the winbind libraries are being used, but still no users or groups from AD.

This sounds like a winbind issue. Try wbinfo -u and wbinfo -g, those commands should list AD users and groups respectively.
 
#8  Rusty Shackleford, 02-10-2014, 03:17 PM
Quote: Originally Posted by Ser Olmy (post #7)
Correct, I see both AD users and AD groups running both of those commands.
 
#9  Rusty Shackleford, 02-10-2014, 04:02 PM
Just another quick update. I enabled the settings below in my smb.conf, restarted samba and winbind, and now when I run getent passwd and getent group I see AD users and AD groups. Getting closer!

winbind enum users = yes
winbind enum groups = yes
 
#10  Ser Olmy, 02-10-2014, 04:07 PM
That should take care of share level authentication/authorization.

How about the underlying file system? Are ACLs and Extended Attributes enabled? Samba requires both.
 
#11  Rusty Shackleford, 02-10-2014, 04:19 PM
Quote: Originally Posted by Ser Olmy (post #10)
Hmmm, how do I find this out?
 
#12  Ser Olmy, 02-10-2014, 04:48 PM
Running mount with no parameters should tell you. If the file system isn't mounted with the "acl" and "xattr" parameters, you'll need to add them to /etc/fstab and do a mount -o remount <path>.
 
#13  jpollard (Senior Member), 02-10-2014, 04:54 PM
You may have already done this, but you might have to check the SELinux boolean values (there is more than one available) allowing Samba to export files.
 
#14  Rusty Shackleford, 02-10-2014, 04:58 PM
Quote: Originally Posted by jpollard (post #13)
I haven't done anything with SELinux yet, as this is a system I inherited that had winbind up and running already.

Anything in particular I should look at?
 
#15  jpollard, 02-10-2014, 05:18 PM
My current list (Fedora) is:
Code:
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> on
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
use_samba_home_dirs --> off
The only one I have enabled is the "samba_enable_home_dirs" which allows Windows users to use home directories for storage. But if that is disabled, and samba_export_all_rw is off, then you will not be able to create files.

Other directories need a different thing - a security label that permits samba to export (the type is samba_share_t). The information about that should be in the man pages (try "man samba_selinux", it should be in section 8).
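As an added example (not from the thread, and not a Samba or SELinux utility), a Python pre-flight check for a share directory that covers the two questions raised in posts #10 through #15: whether the filesystem under the path has acl and user_xattr in effect, and whether the directory's SELinux type lets Samba export it. The caveat built in: on ext2/3/4 the acl and user_xattr options are often stored as superblock defaults (tune2fs -l lists them under "Default mount options") and then do not appear in mount or /proc/mounts at all, so their absence there is not conclusive. The sample /proc/mounts and tune2fs output are constructed; samba_share_t and the samba_export_all_ro/rw booleans are the names from the posts above, and reading the label via the security.selinux xattr is this example's substitute for ls -Z.

```python
"""Pre-flight checks for a Samba share directory (added example).
Run on the file server as root:  python share_check.py /testdir"""
import os
import subprocess
import sys

# Constructed /proc/mounts sample: root has no explicit acl/user_xattr
# options, the share's own filesystem has both.
SAMPLE_PROC_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/mapper/vg_root-lv_root / ext4 rw,relatime,barrier=1,data=ordered 0 0
/dev/sdb1 /testdir ext4 rw,relatime,user_xattr,acl,barrier=1,data=ordered 0 0
proc /proc proc rw,relatime 0 0
"""

# Constructed 'tune2fs -l' excerpt: acl and user_xattr as superblock defaults,
# which are in effect even though 'mount' does not list them.
SAMPLE_TUNE2FS = """\
tune2fs 1.41.12 (17-May-2010)
Filesystem volume name:   <none>
Default mount options:    user_xattr acl
Filesystem state:         clean
"""

EXT_FS = ("ext2", "ext3", "ext4")


def find_mount(path, proc_mounts_text):
    """Return (mountpoint, fstype, [options], device) for the mount holding
    path: the longest mountpoint that is a prefix of path; on equal length
    the later line wins, being the one currently mounted on top."""
    path = os.path.abspath(path)
    best = None
    for line in proc_mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt = fields[1].replace("\\040", " ")  # /proc/mounts escapes spaces
        if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
            if best is None or len(mnt) >= len(best[0]):
                best = (mnt, fields[2], fields[3].split(","), fields[0])
    return best


def superblock_default_opts(tune2fs_text):
    """Options on the 'Default mount options:' line of tune2fs -l output."""
    for line in tune2fs_text.splitlines():
        if line.startswith("Default mount options:"):
            return line.split(":", 1)[1].split()
    return []


def fs_supports_acl_xattr(mount, tune2fs_text=""):
    """True if acl and user_xattr are both in effect: explicit options, or
    (ext2/3/4) superblock defaults not overridden by noacl/nouser_xattr."""
    fstype, opts = mount[1], mount[2]
    if "noacl" in opts or "nouser_xattr" in opts:
        return False
    active = set(opts)
    if fstype in EXT_FS:
        active |= set(superblock_default_opts(tune2fs_text))
    return "acl" in active and "user_xattr" in active


def selinux_type(label):
    """Type field of a user:role:type[:level] label, or None if malformed."""
    parts = label.split(":")
    return parts[2] if len(parts) >= 3 else None


def file_selinux_type(path):
    """Read the label from the security.selinux xattr (what ls -Z prints)."""
    try:
        raw = os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):  # unlabelled, no SELinux, or non-Linux
        return None
    return selinux_type(raw.decode("ascii", "replace").rstrip("\0"))


def selinux_bool(name):
    """Current value of an SELinux boolean from selinuxfs; None if unknown."""
    for base in ("/sys/fs/selinux/booleans", "/selinux/booleans"):
        try:
            with open(os.path.join(base, name)) as f:
                return f.read().split()[0] == "1"
        except (OSError, IndexError):
            continue
    return None


def label_allows_export(stype, export_all_ro, export_all_rw):
    """samba_share_t is exportable; the samba_export_all_* booleans lift the
    labelling requirement for every file on the host (read-only or read-write)."""
    return stype == "samba_share_t" or bool(export_all_ro) or bool(export_all_rw)


def share_check(path, proc_mounts_text=None, tune2fs_text=None):
    """Return (code, message) findings for path; empty means both checks pass."""
    if proc_mounts_text is None:
        with open("/proc/mounts") as f:
            proc_mounts_text = f.read()
    mount = find_mount(path, proc_mounts_text)
    if mount is None:
        return [("no-mount", "%s is not under any mount in /proc/mounts" % path)]
    mnt, fstype, _, device = mount
    if tune2fs_text is None and fstype in EXT_FS:
        try:
            tune2fs_text = subprocess.check_output(["tune2fs", "-l", device]).decode("utf-8", "replace")
        except (OSError, subprocess.CalledProcessError):
            tune2fs_text = ""
    findings = []
    if not fs_supports_acl_xattr(mount, tune2fs_text or ""):
        findings.append(("no-acl-xattr", "%s (%s on %s) lacks acl and/or user_xattr; "
                         "add them in /etc/fstab and remount" % (mnt, fstype, device)))
    stype = file_selinux_type(path)
    if stype is None:
        findings.append(("no-label", "no security.selinux label readable on %s" % path))
    elif not label_allows_export(stype, selinux_bool("samba_export_all_ro"),
                                 selinux_bool("samba_export_all_rw")):
        findings.append(("selinux-label", "%s is %s, not samba_share_t, and "
                         "samba_export_all_ro/rw are off" % (path, stype)))
    return findings


if __name__ == "__main__":
    for code, message in share_check(sys.argv[1] if len(sys.argv) > 1 else "/testdir"):
        print("%-14s %s" % (code, message))
```

A selinux-label finding is fixed the way the post describes, by labelling the tree (semanage fcontext for the path, then restorecon) rather than by turning on samba_export_all_rw, which opens every file on the host to smbd; the check treats the boolean as sufficient only because that is how the policy behaves, not because it is the preferred fix.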
 
  

