LinuxQuestions.org
Old 10-15-2015, 08:33 AM   #1
TCAS
LQ Newbie
 
Registered: Oct 2015
Posts: 5

Rep: Reputation: Disabled
Samba AD authentication grants access for all the users


Hi,

I have a strange issue with Samba 4.1.17 on Debian 8.

One of my 40 servers grants access to all the local shared folders with only one authentication.

Every user has a personal folder + access to a common folder.

For example: Folder_1 for User_1@MYDOM.LAN, Folder_2 for User_2@MYDOM.LAN and so on. There is also a common folder for all the users.

The problem is that when I authenticate with user_X credentials, Samba allows me to access all the other folders.

FYI all my Debian servers are joined to a 2003 Server PDC and the problem is with only one of my Debian servers.

wbinfo -u -g : ok
getent passwd group : ok

Thanks and sorry for my English.
 
Old 10-16-2015, 05:27 AM   #2
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,661

Rep: Reputation: 1256
You might check the configuration. If only one server is doing it, compare the configuration used on it with one from one of the other servers.
 
Old 10-16-2015, 05:46 AM   #3
TCAS
LQ Newbie
 
Registered: Oct 2015
Posts: 5

Original Poster
Rep: Reputation: Disabled
Hi jpollard,

Indeed, but the problem is that the configuration is 100% similar on all servers. The only difference between them is the server name and the share names. I just did a copy and paste, then changed the server name and shares before joining AD.

I noticed that I can authenticate with user_2 credentials to access folder_1, which belongs to user_1. I tried to put a wrong password to test if Samba is really asking AD for authorisation or not and it works perfectly.

Thanks again.

Regards.

Last edited by TCAS; 10-16-2015 at 05:49 AM.
 
Old 10-16-2015, 07:26 AM   #4
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,661

Rep: Reputation: 1256
It sounds like there is a list of users for the share, not a single user - or an accidental group account.

By default most Linux systems will create a user with automatic group membership with the same name... So an unintended "@username" would become a group reference; and if that "username" group had more than one entry then two (or more) users would be granted access.
 
Old 10-16-2015, 08:40 AM   #5
TCAS
LQ Newbie
 
Registered: Oct 2015
Posts: 5

Original Poster
Rep: Reputation: Disabled
Hi jpollard,

Here's part of my smb.conf to help you understand:


[global]
workgroup = MYDOM
security = ads
password server = server.mydom.lan
max log size = 50
name resolve order = bcast, host, lmhosts
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain master = no
template shell = /bin/bash
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
idmap config * : range = 1000-990000
idmap config * : backend = tdbsam
netbios name = server39
realm = mydom.lan
log level = 5
winbind use default domain = yes
template homedir = /home/D/%U
client use spnego = yes

[User1]
write list = user1
comment = any thing
valid users = user1
path = /partages/users/folder1/
writeable = yes


[User2]
write list = user2
comment = any thing
valid users = user2
path = /partages/users/folder2/
writeable = yes

[User3]
write list = user3
comment = any thing
valid users = user3
path = /partages/users/folder3/
writeable = yes

[Common]
comment = Common
path = /partages/commun/
users = @GP-USERS
write list = @GP-USERS
read only = no


The @GP-USERS group contains user1, user2, user3 ...

As I explained earlier, user1 can access folder2 and folder3 even if I defined that he can only access folder1 and the common folder.

Thanks again for your help.
 
Old 10-16-2015, 08:57 AM   #6
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,661

Rep: Reputation: 1256
To me, that looks valid.

Now it would look like having to verify that the user maps (or identification) on the server matches the others... It wouldn't help to have the two users with the UIDs for instance.
 
Old 10-16-2015, 09:29 AM   #7
TCAS
LQ Newbie
 
Registered: Oct 2015
Posts: 5

Original Poster
Rep: Reputation: Disabled
Can you please explain what you mean by (It wouldn't help to have the two users with the UIDs for instance)?

Don't forget that the same conf works fine on the other servers.

Regards.
 
Old 10-16-2015, 09:49 AM   #8
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,661

Rep: Reputation: 1256
If the two users on the server have the same UID, then the mapping of the remote user would get the same access rights, no matter what the configuration was.

I will admit, it has been a while since I've done any Samba support, but something is causing the two users to get the same access rights.
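
The UID check suggested in the post above, as an added example that is not part of the original thread: it lists every UID that more than one account resolves to, and any share user that does not resolve at all. The passwd data is a constructed sample and the function names `dup_uids` and `unresolved_users` are hypothetical; on a real server the input would come from `getent passwd`.

```shell
#!/bin/sh
# Constructed sample in `getent passwd` format (not output from the poster's server).
# user2 and user3 deliberately share UID 10002 to show what a collision looks like.
SAMPLE_PASSWD='user1:*:10001:10000:User One:/home/D/user1:/bin/bash
user2:*:10002:10000:User Two:/home/D/user2:/bin/bash
user3:*:10002:10000:User Three:/home/D/user3:/bin/bash
user5:*:10005:10000:User Five:/home/D/user5:/bin/bash'

# dup_uids: read passwd-format lines on stdin and print "UID:name1,name2"
# for every UID held by more than one account name.
dup_uids() {
    awk -F: '
        NF >= 3 {
            names[$3] = (names[$3] == "" ? $1 : names[$3] "," $1)
            count[$3]++
        }
        END { for (u in count) if (count[u] > 1) print u ":" names[u] }
    ' | sort -n
}

# unresolved_users: print each name passed as an argument that has no entry
# in the passwd-format data on stdin (a "valid users" name nothing maps to).
unresolved_users() {
    awk -F: -v want="$*" '
        { seen[tolower($1)] = 1 }
        END {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++)
                if (!(tolower(w[i]) in seen)) print w[i]
        }
    '
}

# Stand-alone run on the constructed sample. On a real server, pipe
# `getent passwd` into the same functions instead.
printf '%s\n' "$SAMPLE_PASSWD" | dup_uids
printf '%s\n' "$SAMPLE_PASSWD" | unresolved_users user1 user2 user3 user4
```

Running the same functions on the affected server and on one that behaves correctly, then comparing the output, shows whether the identity mapping differs between them.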
 
Old 10-16-2015, 10:04 AM   #9
TCAS
LQ Newbie
 
Registered: Oct 2015
Posts: 5

Original Poster
Rep: Reputation: Disabled
The users in fact are 5. They have been created on the DC and have different usernames and passwords, and the problem is that user1 can access folder5, which belongs to user5, and user2 can access folder1 and folder2 ...

For me, there is a cross credential; I mean if userX is authenticated then he is free to browse all the other protected folders.

Thanks for your help.
 
  

