Bug #1997
Samba share connection error NT_STATUS_ACCESS_DENIED
| Status: | CLOSED | Start date: | 06/05/2013 |
|---|---|---|---|
| Priority: | Normal | Due date: | 06/06/2013 |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-samba | | |
| Target version: | v6.4-beta2 | | |
| Security class: | | Resolution: | |
| Affected version: | v6.4-beta1 | NEEDINFO: | No |
Description
This is a puzzling problem, quite difficult to reproduce.
- On a clean NethServer 6.4 beta1 installation, upgrade core packages and install nethserver-ibays and nethserver-samba packages.
- On server-manager, configure samba with PDC role.
- Create a group (group1) and a user (user1), member of the group
- Create an ibay, say share1
- Set group1 as group owner of share1, with write permissions.
- Connect to the ibay

    $ smbclient //server/share1 -U user1
    smb:> ls
    <NT_STATUS_ACCESS_DENIED error>

Sometimes the problem disappears after a winbindd restart, or after a wbinfo query.
Associated revisions
/etc/samba/smb.conf (10global): idmap configuration for local domain. Refs #1997
/etc/samba/smb.conf template (10global): disable nss idmap backend if ServerRole is ADS. Refs #1997
/etc/smb.conf template (10global): extend idmap_nss range for local domain from id 0 to 9999. Refs #1997
History
#1 Updated by Davide Principi about 8 years ago
- Status changed from NEW to TRIAGED
- Target version set to v6.4-beta2
- % Done changed from 0 to 20
- Estimated time set to 6.00
I've increased samba log verbosity, by passing "-d 10" flags at daemons startup:
In /etc/sysconfig/samba

    # Options to smbd
    SMBDOPTIONS="-D -d 10"
    # Options to nmbd
    NMBDOPTIONS="-D"
    # Options for winbindd
    WINBINDOPTIONS="-d 10"

The access is denied because a wrong SID/gid mapping occurs. The idmap ldap backend allocates a new gid but is expected to use group1 gid.
In smb.conf

    idmap config * : range = 50000-100000
    idmap config * : backend = ldap
    ...

If winbindd is stopped the problem disappears. This is an idmap misconfiguration.
#2 Updated by Davide Principi about 8 years ago
- Due date set to 06/06/2013
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- Start date set to 06/05/2013
- % Done changed from 20 to 30
#3 Updated by Davide Principi about 8 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 70
Added an idmap_nss backend configuration. The idmap_nss manpage is a bit obscure, I can't figure out if this solution works with ADS role.
Test case
Followed bug description: with the associated changeset the problem does not appear with WS and PDC role.
ADS role must be tested.
#4 Updated by Davide Principi about 8 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Davide Principi)
- % Done changed from 70 to 80
In nethserver-testing: nethserver-samba-1.3.1-1.ns6.noarch.rpm
#5 Updated by Davide Principi about 8 years ago
- Status changed from ON_QA to ON_DEV
- Assignee set to Davide Principi
- % Done changed from 80 to 30
Davide Principi wrote:
ADS role must be tested.
ADS does not work: nss backend must be disabled when ServerRole is ADS.
#6 Updated by Davide Principi about 8 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 70
#7 Updated by Davide Principi about 8 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Davide Principi)
- % Done changed from 70 to 80
In nethserver-testing: nethserver-samba-1.3.2-1.ns6.noarch.rpm
#8 Updated by Giacomo Sanchietti about 8 years ago
- Assignee set to Giacomo Sanchietti
#9 Updated by Giacomo Sanchietti about 8 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 80 to 100
Test access for local user giacomo.
ADS mode

    [root@test ~]# smbclient //localhost/share1 -U TEST/giacomo
    Enter TEST/giacomo's password:
    Domain=[NSRV1] OS=[Unix] Server=[Samba 3.6.9-151.el6]
    smb: \> ls
      .          D        0  Thu Jul 25 10:05:14 2013
      ..         D        0  Thu Jul 25 10:05:14 2013

        52412 blocks of size 131072. 40251 blocks available
    smb: \>

PDC mode

    [root@test ~]# smbclient //localhost/share1 -U giacomo
    Enter giacomo's password:
    Domain=[NSRV2] OS=[Unix] Server=[Samba 3.6.9-151.el6]
    smb: \> ls
      .          D        0  Thu Jul 25 10:05:14 2013
      ..         D        0  Thu Jul 25 10:05:14 2013

        52412 blocks of size 131072. 40248 blocks available
    smb: \>

Standalone mode

    [root@test ~]# smbclient //localhost/share1 -U giacomo
    Enter giacomo's password:
    Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.9-151.el6]
    smb: \> ls
      .          D        0  Thu Jul 25 10:05:14 2013
      ..         D        0  Thu Jul 25 10:05:14 2013

        52412 blocks of size 131072. 40248 blocks available
    smb: \> exit

The users can also always access using SSH.
No problems found.
Marking as VERIFIED.
#10 Updated by Davide Principi about 8 years ago
- Status changed from VERIFIED to CLOSED
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 90 to 100
Moved to nethserver-updates repository
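
Added example (not part of the original ticket and not nethserver-samba code): a small Python check for the idmap misconfiguration diagnosed in comment #1. It reads the `idmap config` lines of an smb.conf and reports which section would serve a local group's gid. The AFTER sample is constructed from the wording of the associated revisions (nss backend, range 0 to 9999), not copied from the shipped template; using NSRV2 as the local domain section and 5001 as group1's gid are assumptions.

```python
import re

# Matches lines such as: idmap config DOMAIN : range = 0-9999
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(smb_conf_text):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    domains = {}
    for line in smb_conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # skip smb.conf comment lines
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, option, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(domain, {})
        if option == "range":
            low, high = value.split("-")
            entry["range"] = (int(low), int(high))
        else:
            entry[option] = value
    return domains

def check_local_gid(smb_conf_text, local_domain, gid):
    """Report which idmap section serves local_domain and whether gid fits its range."""
    domains = parse_idmap(smb_conf_text)
    name = local_domain.upper()
    used = name if name in domains else "*"   # no own section: default domain applies
    cfg = domains.get(used, {})
    low, high = cfg.get("range", (0, -1))     # missing range means nothing is in range
    in_range = low <= gid <= high
    # "ok" means the local domain has its own section and the existing gid is inside it.
    return {"section": used, "backend": cfg.get("backend"),
            "in_range": in_range, "ok": used != "*" and in_range}

# Constructed samples. BEFORE holds the two lines quoted in comment #1.
BEFORE = """[global]
idmap config * : range = 50000-100000
idmap config * : backend = ldap
"""
# AFTER: hypothetical reading of the fix (nss backend, ids 0-9999 for the local domain).
AFTER = BEFORE + """idmap config NSRV2 : backend = nss
idmap config NSRV2 : range = 0-9999
"""

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, check_local_gid(conf, "NSRV2", 5001))
```

With BEFORE, the local group falls through to the default `*` section, whose ldap backend only hands out ids in 50000-100000, which matches the new gid allocation seen in the debug logs.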