
Problem: user1 can map 6 shares normally. Another share, homedir, is mapped but gets the error message "Windows cannot access \\samba\homedir:
You do not have permission to access \\samba\homedir."

user2 can map 5 shares normally, but the 6th share and homedir are mapped but get the error message "Windows cannot access \\samba\[homedir|staff]:
You do not have permission to access \\samba\[homedir|staff]."

Both users have identical group memberships in both the Windows AD and Linux NIS.

This problem occurs on Windows 7 and 10, macOS, and Linux using smb:.

Other users have different combinations of what works and what doesn't, and they are in the correct groups for the shares they are trying to map.
In all cases, the homedir is mapped but not accessible. The homedirs have permissions 700. I can map the share and look into it only if "other" has rwx access, namely 707. I can also edit, create, and save files, but only if "other" is rwx. Even 007 works. This is not a useful setting for a private home directory.

I've tried force user = %U and valid users = %U to no avail. I've also tried valid users = DOMAIN\%S (with the correct domain name).

Another samba server which runs a very old version of samba (4.05, downloaded and compiled from samba.org and installed with default locations) which does not use winbindd (or sssd) does work in all cases.

The problem samba server in question was able to map all the shares with proper permissions a couple of weeks ago, but somehow lost the ability to do so even though no changes were made to the samba configuration or to the Windows Domain Controller during that time. Restarting services and rebooting the samba server and domain controller did not fix the problem.

I need to be able to use a modern version of samba, not 4.05 which I compiled myself from samba.org, and it needs to be able to map shares and see the permissions from NIS and the ZFS file shares.


Here is the setup:

File servers (all are on the same subnet, and no software firewalls): FreeBSD 12 (NFSv4) with ZFS

This is where all file shares and home directories are.

aclmode = discard

aclinherit = restricted

(these are the default settings)

Logon server for Linux machines: Solaris SunOS 5.8 running NIS. The NIS realm is DEPT.

Samba Server: Scientific Linux 7.6 running Samba 4.8.3 (acquired from the SL repositories via yum install samba), set up as a Member Server of our domain (BIO). SELinux is turned off. It is joined to the domain, and kinit and klist show that tokens are being issued.

[root@samba ~]# kinit user1@BIO.DEPT.WISC.EDU
Password for luser1@BIO.DEPT.WISC.EDU: 
[root@samba ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: user1@BIO.DEPT.WISC.EDU

Valid starting       Expires              Service principal
04/25/2019 17:40:08  04/26/2019 03:40:08  krbtgt/BIO.DEPT.WISC.EDU@BIO.DEPT.WISC.EDU
    renew until 05/02/2019 17:40:02

It is running smbd, nmbd, and winbindd.

wbinfo -ug shows the users and groups from the AD server.
wbinfo -n username shows the AD SID for the user.
wbinfo -D BIO shows the correct info for the AD domain.

Windows Domain Controller Servers: Windows 2008 R2 and Windows 2012

The same usernames exist in both NIS and AD.

Configuration files on the samba server:

/etc/samba/smb.conf:

[global]
    log level = 2
    realm = BIO.DEPT.WISC.EDU
    server string = Samba Server Version %v
    netbios name = SAMBA
    workgroup = BIO
    security = ADS
    password server = ad1.bio.dept.wisc.edu
    domain master = No
    local master = No
    os level = 0
    preferred master = No
    machine password timeout = 0
    disable spoolss = Yes
    load printers = No
    printcap name = /dev/null

    template shell = /usr/bin/bash
    # trying to set homedir location
    template homedir = /ua/%U

    winbind enum groups = Yes
    winbind enum users = Yes
    winbind offline logon = Yes
    winbind refresh tickets = Yes
    winbind rpc only = Yes
    winbind use default domain = Yes

    idmap config BIO: range = 40000-50000
    idmap config BIO: backend = rid
    # tried backend = ad and it didn't work either
    idmap config BIO: default = yes
    idmap config * : range = 100000-299999
    idmap config * : backend = tdb

    log file = /var/log/samba/log_%m_%a_%R
    max log size = 50

    follow symlinks = yes
    unix extensions = no
    wide links = yes
    inherit acls = yes
    map acl inherit = yes
    short preserve case = yes
    preserve case = yes
    oplocks = False
    level2 oplocks = False
    posix locking = no
    include = /etc/samba/smbshares.conf

In /etc/samba/smbshares.conf the homedir section is:

[homedir]
    comment = Home Directories
    path = %H
    browseable = No
    read only = No
    public = no
    writable = yes
    guest ok = no
    printable = no

Testparm gives:

Loaded services file OK.

Server role: ROLE_DOMAIN_MEMBER

/etc/krb5.conf:

# Configuration snippets may be placed in this directory as well
# there is currently nothing in the below directory
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = BIO.DEPT.WISC.EDU
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 BIO.DEPT.WISC.EDU = {
  kdc = xxx.xxx.xxx.xxx:88
# admin_server = xxx.xxx.xxx.xxx:749
  default_domain = BIO.DEPT.WISC.EDU
 }

[domain_realm]
 xxx.xxx.xxx.xxx = BIO.DEPT.WISC.EDU
 bio.dept.wisc.edu = BIO.DEPT.WISC.EDU

/etc/nsswitch.conf:

passwd:     files winbind nis
shadow:     files nis
group:      files winbind nis
hosts:      files nis dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files

/etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
# add winbind
auth        sufficient    pam_winbind.so cached_login use_first_pass

# add pam_access.so
account     required      pam_access.so
# account     required      pam_unix.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so
# add pam_winbind
account     [default=bad success=ok user_unknown=ignore]    pam_winbind.so cached_login
# add pam_succeed
account     requisite     pam_succeed_if.so user ingroup    [sysadmins]

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok
password    required      pam_deny.so
# add winbind
password    sufficient    pam_winbind.so cached_login use_authtok

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

/etc/pam.d/password-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
# add winbind
auth        sufficient    pam_winbind.so cached_login use_first_pass

# add pam_access.so
account     required      pam_access.so
# account     required      pam_unix.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so
# add winbind
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
# add pam_succeed for user ingroup
account     requisite     pam_succeed_if.so user ingroup [sysadmins]

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok
# add winbind
password    sufficient    pam_winbind.so cached_login use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

/etc/security/pam_winbind.conf:

[global]
# turn on debugging
;debug = no

# turn on extended PAM state debugging
;debug_state = no

# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
;cached_login = yes

# authenticate using kerberos
;krb5_auth = yes

# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type =

# make successful authentication dependent on membership of one SID
# (can also take a name)
;require_membership_of =

# password expiry warning period in days
;warn_pwd_expire = 14

# omit pam conversations
;silent = no

# create homedirectory on the fly
;mkhomedir = no

/etc/pam.d/sshd:

#%PAM-1.0
# PAM configuration for the sshd service
#
#auth
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
# Add winbind
auth       sufficient   /lib64/security/pam_winbind.so     try_first_pass

# account
account    required     pam_nologin.so
account    include      password-auth
# Add winbind
account    sufficient   /lib64/security/pam_winbind.so

# password
password   include      password-auth
password   required     pam_unix.so     no_warn try_first_pass
# Add winbind
password   sufficient   /lib64/security/pam_winbind.so  no_warn try_first_pass

# session
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
# Add winbind
session    required     /lib64/security/pam_mkhomedir.so debug skel=/etc/skel umask=0077
J. Lewis
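The symptom pattern in the question (a mode-700 home directory is unusable until "other" gets rwx, while an older Samba without winbindd works) is consistent with the UID smbd impersonates for the domain user not being the UID that owns the files. That is an assumption, not something the post establishes, but it is the first thing worth measuring on the member server: the UID winbind resolves from the idmap rid range (40000-50000 in the posted smb.conf) versus the UID NIS returns for the same username, which is the UID the ZFS/NFS server will see as the owner of /ua/%U. The script below is an added diagnostic example, not the poster's code; it compares two passwd(5)-format lines and checks which mode bits would grant access to a given effective UID. The sample lines are constructed; the real lookups are shown in comments.

```shell
#!/bin/sh
# Added diagnostic example (not from the original post). It checks the assumption that the
# UID winbind assigns a domain user differs from the NIS UID that owns that user's home
# directory on the file server. If they differ, smbd acts as a UID that is "other" to the
# directory, which is exactly the case where only modes such as 707 or 007 grant access.

# Extract the numeric UID (field 3) from a passwd(5)-format line.
passwd_uid() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Compare the UID two identity sources return for one user.
# Returns 0 when they agree, 1 on a mismatch; prints a one-line verdict either way.
check_uid_agreement() {
    user="$1"; winbind_line="$2"; nis_line="$3"
    wb_uid=$(passwd_uid "$winbind_line")
    nis_uid=$(passwd_uid "$nis_line")
    if [ "$wb_uid" = "$nis_uid" ]; then
        echo "OK: $user -> uid $wb_uid from both winbind and NIS"
        return 0
    fi
    echo "MISMATCH: $user -> winbind uid $wb_uid, NIS uid $nis_uid"
    return 1
}

# Decide whether an effective UID gets rwx on a directory from plain POSIX mode bits,
# considering only the owner and "other" classes (group membership is deliberately
# ignored so the check matches the 700-vs-707 observation). mode is a three-digit
# octal string such as 700. Returns 0 for rwx, 1 otherwise.
has_rwx() {
    owner_uid="$1"; mode="$2"; euid="$3"
    if [ "$euid" = "$owner_uid" ]; then
        bits=$(printf '%s' "$mode" | cut -c1)   # owner class
    else
        bits=$(printf '%s' "$mode" | cut -c3)   # other class
    fi
    [ "$bits" = "7" ]
}

# Live use on the Samba member server (real commands, not executed by this script):
#   check_uid_agreement user1 "$(wbinfo -i user1)" "$(ypmatch user1 passwd)"
# and, for the directory owner as the file server reports it:
#   stat -c '%u' /ua/user1
#
# Constructed sample lines standing in for those two lookups. The winbind UID is a
# plausible value from the posted rid range; the NIS UID is an arbitrary small number.
SAMPLE_WINBIND='user1:*:41103:40513:user1:/ua/user1:/usr/bin/bash'
SAMPLE_NIS='user1:x:1234:100:User One:/ua/user1:/bin/tcsh'

# Demo run: report the mismatch, then show why 700 fails and 707 works for the
# winbind UID while 700 is fine for the real owner.
check_uid_agreement user1 "$SAMPLE_WINBIND" "$SAMPLE_NIS" || true
nis_owner=$(passwd_uid "$SAMPLE_NIS")
wb_euid=$(passwd_uid "$SAMPLE_WINBIND")
for m in 700 707; do
    if has_rwx "$nis_owner" "$m" "$wb_euid"; then
        echo "mode $m: uid $wb_euid gets rwx on a directory owned by $nis_owner"
    else
        echo "mode $m: uid $wb_euid is denied on a directory owned by $nis_owner"
    fi
done
```

If the two UIDs disagree, the fix is on the identity side (making winbind and the file server agree on the user's UID), not on directory modes; if they agree, this hypothesis is ruled out and the problem lies elsewhere in the posted configuration.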