Bug #1997

Samba share connection error NT_STATUS_ACCESS_DENIED

Added by Davide Principi about 8 years ago. Updated about 8 years ago.

Status:CLOSEDStart date:06/05/2013
Priority:NormalDue date:06/06/2013
Assignee:-% Done:

100%

Category:nethserver-samba
Target version:v6.4-beta2
Security class: Resolution:
Affected version:v6.4-beta1 NEEDINFO:No

Description

This is a puzzling problem, quite difficult to reproduce.

  • On a clean NethServer 6.4 beta1 installation, upgrade core packages and install nethserver-ibays and nethserver-samba packages.
  • On server-manager, configure samba with PDC role.
  • Create a group (group1) and a user (user1), member of the group
  • Create an ibay, say share1
  • Set group1 as group owner of share1, with write permissions.
  • Connect to the ibay
       $ smbclient //server/share1 -U user1
smb:> ls
<NT_STATUS_ACCESS_DENIED error>

Some times the problem disappears after a winbindd restart, or after a wbinfo query.

Associated revisions

Revision 512c2f3f
Added by Davide Principi about 8 years ago

/etc/samba/smb.conf (10global): idmap configuration for local domain. Refs #1997

Revision f8648bdd
Added by Davide Principi about 8 years ago

/etc/samba/smb.conf template (10global): disable nss idmap backend if ServerRole is ADS. Refs #1997

Revision ea6e0bed
Added by Davide Principi about 8 years ago

/etc/smb.conf template (10global): extend idmap_nss range for local domain from id 0 to 9999. Refs #1997

History

#1 Updated by Davide Principi about 8 years ago

  • Status changed from NEW to TRIAGED
  • Target version set to v6.4-beta2
  • % Done changed from 0 to 20
  • Estimated time set to 6.00

I've increased samba log verbosity, by passing "-d 10" flags at daemons startup: In /etc/sysconfig/samba

# Options to smbd
SMBDOPTIONS="-D -d 10" 
# Options to nmbd
NMBDOPTIONS="-D" 
# Options for winbindd
WINBINDOPTIONS="-d 10"

The access is denied because a wrong SID/gid mapping occurs. The idmap ldap backend allocates a new gid but is expected to use group1 gid.

In smb.conf 

    idmap config * : range = 50000-100000
    idmap config * : backend = ldap
    ...

If winbindd is stopped the problem disappears. This is an idmap misconfiguration.

#2 Updated by Davide Principi about 8 years ago

  • Due date set to 06/06/2013
  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • Start date set to 06/05/2013
  • % Done changed from 20 to 30

#3 Updated by Davide Principi about 8 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 70

Added a idmap_nss backend configuration. The idmap_nss manpage is a bit obscure, I can't figure if this solution works with ADS role.

Test case

Followed bug description: with the associated changeset the problem does not appear with WS and PDC role.

ADS role must be tested.

#4 Updated by Davide Principi about 8 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Davide Principi)
  • % Done changed from 70 to 80

In nethserver-testing: nethserver-samba-1.3.1-1.ns6.noarch.rpm

#5 Updated by Davide Principi about 8 years ago

  • Status changed from ON_QA to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 80 to 30

Davide Principi wrote:

ADS role must be tested.

ADS does not work: nss backend must be disabled when ServerRole is ADS.

#6 Updated by Davide Principi about 8 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 70

#7 Updated by Davide Principi about 8 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Davide Principi)
  • % Done changed from 70 to 80

In nethserver-testing:
nethserver-samba-1.3.2-1.ns6.noarch.rpm

#8 Updated by Giacomo Sanchietti about 8 years ago

  • Assignee set to Giacomo Sanchietti

#9 Updated by Giacomo Sanchietti about 8 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 80 to 100

Test access for local user giacomo.

ADS mode

[root@test ~]# smbclient //localhost/share1 -U TEST/giacomo
Enter TEST/giacomo's password: 
Domain=[NSRV1] OS=[Unix] Server=[Samba 3.6.9-151.el6]
smb: \> ls
  .                                   D        0  Thu Jul 25 10:05:14 2013
  ..                                  D        0  Thu Jul 25 10:05:14 2013

        52412 blocks of size 131072. 40251 blocks available
smb: \>

PDC mode

[root@test ~]# smbclient //localhost/share1 -U giacomo
Enter giacomo's password: 
Domain=[NSRV2] OS=[Unix] Server=[Samba 3.6.9-151.el6]
smb: \> ls
  .                                   D        0  Thu Jul 25 10:05:14 2013
  ..                                  D        0  Thu Jul 25 10:05:14 2013

        52412 blocks of size 131072. 40248 blocks available
smb: \>

Standalone mode

[root@test ~]# smbclient //localhost/share1 -U giacomo
Enter giacomo's password: 
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.9-151.el6]
smb: \> ls
  .                                   D        0  Thu Jul 25 10:05:14 2013
  ..                                  D        0  Thu Jul 25 10:05:14 2013

        52412 blocks of size 131072. 40248 blocks available
smb: \> exit

The users can also always access using SSH.

No problems found.

Marking as VERIFIED.

#10 Updated by Davide Principi about 8 years ago

  • Status changed from VERIFIED to CLOSED
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 90 to 100

Moved to nethserver-updates repository

Also available in: Atom PDF