enterprise-support team mailing list archive
Message #07030
[Bug 1743354] [NEW] samba with backend ldap: can not access share or file even if user is authorized : NT_STATUS_ACCESS_DENIED
Public bug reported:
Ubuntu 16.04.3 LTS - Version 4.3.11-Ubuntu.
For some days now, users cannot access some files although the user has all the rights.
As a solution I have to do a chmod a+rwx on the files involved.
Now it occurs that users authorized to a new shared folder cannot use it (log file attached).
User a.fiaschi is in group dirsan_Rifiuti_rw but gets NT_STATUS_ACCESS_DENIED
share config is
[Rifiuti]
comment = Rifiuti
path = /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
#*********** ZFS snapshot
#vfs objects = shadow_copy2
shadow:format = %Y-%m-%d_%H.%M.%S--5d
shadow:sort = desc
shadow:snapdir = /samba/shares/Dirsanitaria/groups/dirsan/.zfs/snapshot
shadow:basedir = /samba/shares/Dirsanitaria/groups/dirsan
shadow:localtime = yes
#******* snapshot end *************
valid users = @dirsan_Rifiuti_ro,@dirsan_Rifiuti_rw
write list = @dirsan_Rifiuti_rw
force user = nobody
force group = dirsan_quota
#_______ END AUTO ADD Rifiuti ________
ls -ald /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
drwxrwxrwx 2 nobody dirsan_quota 3 gen 15 11:18 /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
smbldap-groupshow dirsan_Rifiuti_rw
dn: cn=dirsan_Rifiuti_rw,ou=Groups,ou=aoup,ou=samba,ou=servizi,dc=aop,dc=int
objectClass: top,posixGroup,sambaGroupMapping
cn: dirsan_Rifiuti_rw
gidNumber: 6490
sambaSID: S-1-5-21-1146166441-2403190732-1965087569-13981
sambaGroupType: 2
displayName: dirsan_Rifiuti_rw
memberUid: a.ciucci,m.dalco,a.fiaschi
global config:
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# For a step to step guide on installing, configuring and using samba,
# read the Samba-HOWTO-Collection. This may be obtained from:
# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the
# Samba-Guide which is generated daily and can be downloaded from:
# http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
workgroup = AOUP
SERVER ROLE = CLASSIC PRIMARY DOMAIN CONTROLLER
# server string is the equivalent of the NT Description field
server string = AOUPSRV file server
# OPTIMIZATIONS ipv4 latency ....
#socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
#socket options = IPTOS_LOWDELAY TCP_NODELAY
kernel oplocks = yes
#listen only on the configured interfaces/IPs
#bind interfaces only = yes
#interfaces = 127.0.0.1/8 172.24.81.0/24
#for security against man in the middle
server signing = mandatory
# SHOULD BE ENABLED BUT THERE ARE OLD MACHINES: disables the old, easily crackable authentication
#ntlm auth = no
#----
netbios name = zfs-cis
#passdb backend = ldapsam:ldap://ldap.aop.int/
#passdb backend = ldapsam:"ldap://172.29.10.51/ ldap://172.29.10.52/"
#passdb backend = ldapsam:"ldapi://%2fvar%2frun%2fldapi/ ldap://ldap.aop.int/"
passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://ldap.aop.int/ ldap://172.29.10.180/ ldap://172.29.10.181/"
#unix socket on /var/run/ldapi
#passdb backend = ldapsam:ldapi://%2fvar%2frun%2fldapi/
client NTLMv2 auth = yes
client lanman auth = no
#----ESSENTIAL FOR win8 map to guest = Bad User
#map to guest = Bad User
##----ESSENTIAL FOR win8 map to guest = Bad User
#
#TEST -----------------------
# END TEST -------------------
restrict anonymous = 2
map to guest = never
usershare allow guests = no
#posix locking = No
log file = /var/log/samba/%I.log
#log level = 255
log level = 1 auth:2 passdb:2 idmap:2
hide dot files = yes
max log size = 5000
time server = Yes
deadtime = 25
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
local master = yes
logon script = logon.bat
#ldap ssl = start tls
ldap ssl = off
ldap admin dn = cn=manager,dc=aop,dc=int
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Users
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
add user script = /usr/sbin/smbldap-useradd -m
add group script = /usr/sbin/smbldap-groupadd -p
add user to group script = /usr/sbin/smbldap-groupmod -m
delete user from group script = /usr/sbin/smbldap-groupmod -x
set primary group script = /usr/sbin/smbldap-usermod -g
add machine script = /usr/sbin/smbldap-useradd -w
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
ldap suffix = ou=aoup,ou=samba,ou=servizi,dc=aop,dc=int
ldap user suffix = ou=Users
create mask = 0777
directory mask = 0777
nt acl support = No
case sensitive = No
# disable printer support
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
#wins server = 172.29.10.128
wins support = yes
wins proxy = yes
dns proxy = yes
debug uid = yes
####### trying to remove smb ports = 139
#IO OPTIMIZATION
min receivefile size = 16384
use sendfile = true
strict allocate = Yes
aio read size = 16384
aio write size = 16384
write cache size = 65536
# end--------IO OPTIMIZATION
map hidden = no
map system = no
map archive = no
map readonly = no
store dos attributes = yes
strict locking = no
follow symlinks = yes
unix extensions = yes
#unix charset = utf-8
#dos charset = cp1250
dos charset = 850
unix charset = ISO8859-1
# TO BE REMOVED FOR WINDOWS 10 and use of SMB2 and SMB3
#smb ports = 139
#added to try using encryption for clients from windows 8 upward ....
# REMOVE IF IT LOADS THE CPU !!!!!!!!!!!!!!!!!!!!!!!!!!!
smb encrypt = desired
#smb encrypt = off
## ********************************************************************************************
## ********************************************************************************************
## ********************************************************************************************
# TO BE RESTORED IF IT DOES NOT WORK WITH WINDOWS 10 ip filter
#Added for now for WINDOWS 10: force use of the old protocol, otherwise there is no netbios name
#server min protocol = NT1
#
#server max protocol = NT1
#client ipc max protocol = NT1
## ********************************************************************************************
# test hiding shares without rights with secureshare
#vfs objects = acl_xattr
#map acl inherit = yes
#end test hide share -------------------------------
#*********** ZFS snapshot
#vfs objects = shadow_copy2
#shadow:format = %Y-%m-%d_%H.%M.%S--8d
#shadow:sort = desc
#shadow:snapdir = /samba/share/.zfs/snapshot
#shadow:basedir = /samba/share
#shadow:localtime = yes
#******* snapshot end *************
#access based share enum = yes
vfs objects = shadow_copy2
#*********** FOR AUDIT *******************************************************
#vfs objects = full_audit vfs shadow_copy2
#full_audit:prefix = ___@@@sTrAuDitL1n3€€€£___%T|%i|%U|%I|%P
#full_audit:success = chflags chmod chown close connect disconnect lock mkdir mknod open opendir read rename rmdir write unlink pread pwrite
#full_audit:success = all
#full_audit:failure = chdir chflags chmod chown closedir connect fchmod fchown lock mkdir mknod open opendir pwrite read removexattr rename rmdir write unlink
#full_audit:facility = LOCAL6
#full_audit:priority = DEBUG
#*********** END FOR AUDIT **************************************************
include = /samba/servers_config/%i
#####include = /etc/samba/servers/ALL_CONF
** Affects: samba (Ubuntu)
Importance: Undecided
Status: New
** Attachment added: "log file loglevel=255 error NT_STATUS_ACCESS_DENIED for user autorized"
https://bugs.launchpad.net/bugs/1743354/+attachment/5037279/+files/172.30.10.176.log