-   Linux - Enterprise (
-   -   Permission Problem on a Samba3 Share in a Samba4 Domain. (

varouj 12-27-2012 02:34 PM

Permission Problem on a Samba3 Share in a Samba4 Domain.
Hello everyone
I have reached the end of my rope and desperately need help.
I have recently installed two Samba4 Active Directory Domain Controllers which are working perfectly, and I have joined a Samba3 Server to this domain and everything went well. I can authenticate users on samba3 server and can see all the groups in the domain. The problem I am having is accessing the share that I have created on the Samba3 server. I can see the Share from windows XP or Windows 7 box but when I try to Access is I get “Access Denied” When I look at the security tab of the Share from any of the Windows PCs, I can see the “Domain Admins” and the Owner listed but the permissions are blank and when I try to set the permissions I get “Access Denied”. Kinit and Klist work fine. The ntp is set correctly and the server and domain controller times are identical.

Here are my configuration files and commands that I have ran.

[root@Samba3 ~]# cat /etc/krb5.conf
ticket_lifetime = 24h
default_realm = DOMAIN.COMPANY.COM
# default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
# default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = true
kdc =
default_domain = DOMAIN.COMPANY.COM
profile = /etc/krb5kdc/kdc.conf
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.logog

[root@Samba3 ~]# cat /etc/hosts localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 samba3 samba-ad

[root@Samba3 ~]# cat /etc/samba/smb.conf
netbios name = Samba3
workgroup = DOMAIN
preferred master = no
server string = Samba File Server
security = ads
encrypt passwords = yes

log level = 3
log file = /var/log/samba/log.%m
max log size = 50
printcap name = cups
printing = cups

winbind enum users = yes
winbind enum groups = yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +

idmap uid = 600-20000
idmap gid = 600-20000
os level = 20

password server = *
dns proxy = no
template shell = /bin/bash
template homedir = /home/%U

comment = The Old Novel O-Drive
path = /data
browseable = yes
read only = no
inherit acls = yes
inherit permissions = yes
create mask = 700
directory mask = 700
valid users = "DOMAIN+vavanessians"
admin users = "DOMAIN+vavanessians"

passwd: compat winbind
shadow: compat
group: compat winbind

[root@Samba3 ~]# cat /etc/pam.d/system-auth
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required
auth sufficient
auth sufficient nullok try_first_pass
auth sufficient use_first_pass
auth sufficient cached_login use_first_pass
auth requisite uid >= 500 quiet
auth required

account required
account sufficient
account sufficient uid < 500 quiet
account sufficient [default=bad success=ok user_unkown=ignore]
account sufficient [default = bad success=ok user_unknown=ignore] cached_login use_first_pass
account required

password requisite try_first_pass retry=3 type=
password sufficient sha512 shadow nullok try_first_pass use_authtok
password sufficient use_authtok
password sufficient cached_login use_authtok
password required

session optional revoke
session required
session [success=1 default=ignore] service in crond quiet use_uid
session required
session optional
session required use_first_pass

Here is the result of the commands that I ran:

l[root@Samba3 ~]# ls -ld /data
drwxrwxrwx+ 2 vavanessians domain admins 4096 Dec 21 11:05 /data

[root@Samba3 ~]# getfacl /data
getfacl: Removing leading '/' from absolute path names
# file: data
# owner: vavanessians
# group: domain\040admins

[root@Samba3 ~]# wbinfo -u

[root@Samba3 ~]# wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
domain admins
domain guests
schema admins
domain users

[root@localhost ~]# ssh vavanessians@samba3
vavanessians@samba3's password:
Last login: Thu Dec 27 09:58:54 2012 from 192.1681.1.145
Could not chdir to home directory /home/vavanessians: No such file or directory

[root@Samba3 ~]# wbinfo --group-info="Domain Admins"
domain admins:*:605:vavanessians,enaja,fsalam,administrator

Any help is greatly appreciated.

Ser Olmy 12-27-2012 02:43 PM

Perhaps a silly question, but have you mounted the file system with ACL support enabled? This is not the default on all distributions, and getfacl/setfacl works anyway if the file system itself supports ACLs, but the ACL is not actually enforced.

varouj 12-27-2012 03:59 PM

Permission Problem on a Samba3 Share in a Samba4 Domain.
Thank you for your quick reply. The Distribution I am Using is CentOS 6.3 and I have enable acl in /etc/fstab.

[root@Samba3 ~]# mount
/dev/mapper/vg_samba3-lv_root on / type ext4 (rw,acl)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw,rootcontext="system_u:object_r:tmpfs_t:s0")
/dev/sda1 on /boot type ext4 (rw)
/dev/mapper/vg_samba3-lv_usr on /usr type ext4 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
gvfs-fuse-daemon on /root/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev)

I am puzzeled as everything seems to work except permissions.

Ser Olmy 12-27-2012 04:12 PM

Don't you need extended attributes (xattr) as well on a file system hosting a Samba share?

varouj 12-27-2012 05:06 PM

Permission Problem on a Samba3 Share in a Samba4 Domain.
Once again, thanks for your quick response. I added the user_xattr to the file system, but still had the same problem. However, your suggestions led me to look at the selinux. selinux seems to be the problem, I changed its settings from "enforcing" to "disabled" and it seems to have fixed the problem. I wonder if there is a way to around this?

Thanks again for you timely help.

All times are GMT -5. The time now is 05:05 PM.