We recently upgraded our Zentyal 3.3 server to 5.1 It was an upgrade process via software updates menu. The samba version were 4.1.3 and now it's 4.6.7
After the upgrade I noticed that nobody can access the samba shares from windows. It has a DC role, but also many file shares are configured fro the end users. The sysvol share is working fine, users are able to authenticate, GPO are working too but the shares isn't. The error message is access denied. The only way to access them is if I set the "admin users" in smb.conf to the desire group or user. But this bring me a new problem, because every user will be able to access every folder, even if they don't have access to is.
Finally I found a new "solution": If I set an AD user to access the share, then it's working correctly. But if I set an AD group, then it's failing. The AD groups are existing, and i verified that with several commands. The group memberships are also correct, so i can see perfectly that I'm member of those groups.
Another thing, which may or my not be important: The folder where the users write is mounted through iSCSI to another folder, then hard linket to /home directory. Previously it the data was directly there, but through the Zentyal upgrade process, we moved the data elsewhere (500 GB)
I searched for solution for over a day, but so far no luck. According to the samba.log when I trying to access the shares, and using group permissions:
[2018/11/02 20:22:57.348766, 3, pid=2560, effective(0, 0), real(0, 0)] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp) string_to_sid: SID @Domain Users is not in a valid format
[2018/11/02 23:23:55.424532, 3] ../source3/smbd/service.c:102(set_current_service) chdir (/home/samba/shares/iktato_uj) failed, reason: Permission denied [2018/11/02 23:23:55.424574, 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_server.c:2449 [2018/11/02 23:23:55.427243, 3] ../source3/smbd/service.c:102(set_current_service) chdir (/home/samba/shares/iktato_uj) failed, reason: Permission denied
An example from shares.conf to a share that i'm trying to acccess:
[Iktato_uj]
comment = Iktato_uj
path = /home/samba/shares/iktato_uj
browseable = yes
force create mode = 0660
force directory mode = 0660
valid users = @"Iktato", "molehand"
read list =
write list = @"Iktato", "molehand"
admin users =
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
Here is the output from samba-tool testparm
# Global parameters [global]
bind interfaces only = Yes
interfaces = lo ens36
netbios name = GAMESZSRV2
realm = BVDOM.LOCAL
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
server string = Zentyal Server
workgroup = BVDOM
log file = /var/log/samba/samba.log
log level = 3
max log size = 100000
map to guest = Bad User
server role = active directory domain controller
server signing = if_required
template homedir = /home/%U
template shell = /bin/bash
winbind enum groups = Yes
winbind enum users = Yes
idmap_ldb:use rfc2307 = yes
drs:max object sync = 1200
dsdb:schema update allowed = yes
server role check:inhibit = yes
comment =
include = /etc/samba/shares.conf
[homes]
comment = Saját könyvtárak
path = /home/%S
browseable = No
create mask = 0611
directory mask = 0711
read only = No
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
full_audit:success = connect opendir disconnect unlink mkdir rmdir open rename
[Vendeg]
comment = Vendeg
path = /home/samba/shares/vendeg
admin users = "@All domain users" "@Domain Admins"
force create mode = 0660
force directory mode = 0660
valid users = "@All domain users" "@Domain Admins" "@All domain users" "@Domain Admins"
write list = "@All domain users" "@Domain Admins"
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
[muszak]
comment = Muszak
path = /home/samba/shares/muszak
admin users = @Muszak
force create mode = 0660
force directory mode = 0660
valid users = @Muszak @Muszak
write list = @Muszak
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
[Vezetes]
comment = Vezetés
path = /home/samba/shares/vezetes
admin users = @Vezetes
force create mode = 0660
force directory mode = 0660
valid users = @Vezetes @Vezetes
write list = @Vezetes
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
[Domain users]
comment = Domain users
path = /home/samba/shares/users
admin users = "@Domain Userek"
force create mode = 0660
force directory mode = 0660
valid users = "@Domain Userek" "@Domain Userek"
write list = "@Domain Userek"
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
[Berlemeny]
comment = Bérlemény
path = /home/samba/shares/berlemeny
admin users = @Berlemeny
force create mode = 0660
force directory mode = 0660
valid users = @Berlemeny @Berlemeny
write list = @Berlemeny
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
[Szamvitel]
comment = Számvitel
path = /home/samba/shares/szamvitel
admin users = @Szamvitel
force create mode = 0660
force directory mode = 0660
valid users = @Szamvitel @Szamvitel
write list = @Szamvitel
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
[Iktato]
comment = Iktató
path = /home/samba/shares/iktato
admin users = @Iktato
force create mode = 0660
force directory mode = 0660
valid users = @Iktato @Iktato
write list = @Iktato
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
[HR]
comment = HR
path = /home/samba/shares/hr
admin users = @hr1
force create mode = 0660
force directory mode = 0660
valid users = @hr1 @hr1
write list = @hr1
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
[intezmenyi]
comment = intézmények abevjava
path = /home/samba/shares/intezmenyi
admin users = @anyk
force create mode = 0660
force directory mode = 0660
valid users = @anyk @anyk
write list = @anyk
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
[Próba]
comment = teszt
path = /home/samba/shares/proba
force create mode = 0660
force directory mode = 0660
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
[Iktato_uj]
comment = Iktato_uj
path = /home/samba/shares/iktato_uj
force create mode = 0660
force directory mode = 0660
valid users = @Iktato molehand
write list = @Iktato molehand
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
[netlogon]
path = /var/lib/samba/sysvol/bvdom.local/scripts
browseable = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
smb.conf output
[global]
workgroup = bvdom
realm = BVDOM.LOCAL
netbios name = gameszsrv2
server string = Zentyal Server
server role = dc
server role check:inhibit = yes
server services = -dns
server signing = auto
dsdb:schema update allowed = yes
ldap server require strong auth = no
drs:max object sync = 1200
idmap_ldb:use rfc2307 = yes
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%U
interfaces = lo,ens36
bind interfaces only = yes
map to guest = Bad User
log level = 3
log file = /var/log/samba/samba.log
max log size = 100000
include = /etc/samba/shares.conf
[netlogon]
path = /var/lib/samba/sysvol/bvdom.local/scripts
browseable = no
read only = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = no
I also tried a few methods with unix permissions, stb, but no luck. It seems to me that it's not able to recognize the AD groups, when i want to use them to access shares.
So to summarize:
User ACL are working, group doesn't
UPDATE: I tried to create a new share to another folder then the mounted iscsi and smb access worked perfectly. So I checked again the unix permissions and modified one from the iscsi mount. After I modified the acl and made myself the owner of a folder I was able to access it from the network and modify the ACL from windows. So it seems like it's a simple file system permission problem, nothing more. I hope i can make it work for the other shares too
I appreciate any solution or tip. Thank you.
