Samba 4.8.3 homedirs can only be mapped and accessed if other = rwx
Problem:
user1 can map 6 shares normally. Another share, homedir, is mapped
but gets the error message that "Windows cannot access sambahomedir:
You do not have permission to access sambahomedir."
user2 can map 5 shares normally, but the 6th share and homedir
are mapped but get the error message that
"Windows cannot access samba[homedir|staff]:
You do not have permission to access samba[homedir|staff]."
Both users have identical group memberships in both the Windows AD
and linux NIS.
This problem occurs on Windows 7 and 10, macOS, and linux using smb:.
Other users have different combinations of what works and what doesn't and
they are in the correct groups for the shares they are trying to map.
In all cases, the homedir is mapped but not accessible. The homedirs have
permissions 700. I can map the share and look into it only if "other" has rwx
access, namely 707. I can also edit, create, and save files, but only if "other" is rwx. Even 007 works. This is not a useful setting for a private home directory.
I've tried force user = %U and valid users = %U to no avail. I've also tried
valid users = DOMAIN%S (with the correct domain name).
Another samba server which runs a very old version of samba (4.05, downloaded
and compiled from samba.org and installed with default locations) which does
not use winbindd (or sssd) does work in all cases.
The problem samba server in question was able to map all the shares with proper
permissions a couple of weeks ago, but somehow lost the ability to do so
even though no changes were made to the samba configuration or to the
Windows Domain Controller during that time.
Restarting services and rebooting the samba server and domain controller did
not fix the problem.
I need to be able to use a modern version of samba, not 4.05 which I compiled myself from samba.org, and it needs to be able to map shares and see the permissions from NIS and the ZFS file shares.
Here is the setup:
File servers (all are on the same subnet, and no software firewalls):
FreeBSD 12 (NFSv4) with ZFS
This is where all file shares and home directories are.
aclmode = discard
aclinherit = restricted
(these are the default settings)
Logon server for linux machines: Solaris SunOS 5.8 running NIS
The NIS realm is DEPT
Samba Server: Scientific Linux 7.6 running Samba 4.8.3
(acquired from the SL repositories via yum install samba)
set up as a Member Server of our domain (BIO)
selinux is turned off
It is joined to the domain and kinit and klist show that
tokens are being issued.
[root@samba ~]# kinit user1@BIO.DEPT.WISC.EDU
Password for luser1@BIO.DEPT.WISC.EDU:
[root@samba ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: user1@BIO.DEPT.WISC.EDU
Valid starting Expires Service principal
04/25/2019 17:40:08 04/26/2019 03:40:08 krbtgt/BIO.DEPT.WISC.EDU@BIO.DEPT.WISC.EDU
renew until 05/02/2019 17:40:02
It is running smbd, nmbd, and winbindd
wbinfo -ug shows the users and groups from the AD server
wbinfo -n username shows the AD SID for the user
wbinfo -D BIO shows the correct info for the AD domain
Windows Domain Controller Servers: Windows 2008 R2 and Windows 2012
The same usernames exist in both NIS and AD
Configuration files on the samba server:
/etc/samba/smb.conf:
[global]
log level = 2
realm = BIO.DEPT.WISC.EDU
server string = Samba Server Version %v
netbios name = SAMBA
workgroup = BIO
security = ADS
password server = ad1.bio.dept.wisc.edu
domain master = No
local master = No
os level = 0
preferred master = No
machine password timeout = 0
disable spoolss = Yes
load printers = No
printcap name = /dev/null
template shell = /usr/bin/bash
# trying to set homedir location
template homedir = /ua/%U
winbind enum groups = Yes
winbind enum users = Yes
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind rpc only = Yes
winbind use default domain = Yes
idmap config BIO: range = 40000-50000
idmap config BIO: backend = rid
# tried backend = ad and it didn't work either
idmap config BIO: default = yes
idmap config * : range = 100000-299999
idmap config * : backend = tdb
log file = /var/log/samba/log_%m_%a_%R
max log size = 50
follow symlinks = yes
unix extensions = no
wide links = yes
inherit acls = yes
map acl inherit = yes
short preserve case = yes
preserve case = yes
oplocks = False
level2 oplocks = False
posix locking = no
include = /etc/samba/smbshares.conf
In /etc/samba/smbshares.conf the homedir section is
[homedir]
comment = Home Directories
path = %H
browseable = No
read only = No
public = no
writable = yes
guest ok = no
printable = no
Testparm gives:
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
/etc/krb5.conf:
# Configuration snippets may be placed in this directory as well
# there is currently nothing in the below directory
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = BIO.DEPT.WISC.EDU
default_ccache_name = KEYRING:persistent:%uid
[realms]
BIO.DEPT.WISC.EDU = {
kdc = xxx.xxx.xxx.xxx:88
# admin_server = xxx.xxx.xxx.xxx:749
default_domain = BIO.DEPT.WISC.EDU
}
[domain_realm]
xxx.xxx.xxx.xxx = BIO.DEPT.WISC.EDU
bio.dept.wisc.edu = BIO.DEPT.WISC.EDU
/etc/nsswitch.conf:
passwd: files winbind nis
shadow: files nis
group: files winbind nis
hosts: files nis dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
/etc/pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
# add winbind
auth sufficient pam_winbind.so cached_login use_first_pass
# add pam_access.so
account required pam_access.so
# account required pam_unix.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
# add pam_winbind
account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
# add pam_succeed
account requisite pam_succeed_if.so user ingroup [sysadmins]
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok
password required pam_deny.so
# add winbind
password sufficient pam_winbind.so cached_login use_authtok
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
/etc/pam.d/password-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
# add winbind
auth sufficient pam_winbind.so cached_login use_first_pass
# add pam-access.so
account required pam_access.so
# account required pam_unix.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
# add winbind
account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
# add pam_succeed for user ingroup
account requisite pam_succeed_if.so user ingroup [sysadmins]
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok
# add winbind
password sufficient pam_winbind.so cached_login use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
/etc/security/pam_winbind.conf:
[global]
# turn on debugging
;debug = no
# turn on extended PAM state debugging
;debug_state = no
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
;cached_login = yes
# authenticate using kerberos
;krb5_auth = yes
# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type =
# make successful authentication dependent on membership of one SID
# (can also take a name)
;require_membership_of =
# password expiry warning period in days
;warn_pwd_expire = 14
# omit pam conversations
;silent = no
# create homedirectory on the fly
;mkhomedir = no
/etc/pam.d/sshd:
#%PAM-1.0
# PAM configuration for the sshd service
#
#auth
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
# Add winbind
auth sufficient /lib64/security/pam_winbind.so try_first_pass
# account
account required pam_nologin.so
account include password-auth
# Add winbind
account sufficient /lib64/security/pam_winbind.so
# password
password include password-auth
password required pam_unix.so no_warn try_first_pass
# Add windbind
password sufficient /lib64/security/pam_winbind.so no_warn try_first_pass
# session
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
# Add winbind
session required /lib64/security/pam_mkhomedir.so debug skel=/etc/skel umask=0077
linux windows-server-2008-r2 permissions samba home-directory
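The symptom in the post (the home directory opens only once the "other" bits are set, even with mode 007) is what you see when the uid smbd runs the session as is neither the owner of the directory nor a member of its group. The check below is an added example, not code from the post or from Samba: it applies the idmap_rid mapping rule documented in Samba's idmap_rid manual page (ID = RID + low end of the domain's range) to the idmap lines from the smb.conf above, compares the result with the uid in the user's NIS passwd entry, and works out which POSIX permission triplet the file server would apply to that identity. The SID, group SID, NIS passwd line and directory owner are constructed sample values, not data from the post.

```python
import re

# smb.conf fragment copied from the post: only the idmap lines are used.
SMB_CONF = """
[global]
   workgroup = BIO
   idmap config BIO: range = 40000-50000
   idmap config BIO: backend = rid
   idmap config * : range = 100000-299999
   idmap config * : backend = tdb
"""

# Constructed sample data (assumptions, not values from the post).
SAMPLE_USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_GROUP_SIDS = ["S-1-5-21-1111111111-2222222222-3333333333-513"]  # Domain Users
SAMPLE_NIS_PASSWD = "user1:x:1234:100:User One:/ua/user1:/bin/bash"
SAMPLE_HOMEDIR_OWNER = (1234, 100)  # uid, gid owning /ua/user1 on the file server

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Return {DOMAIN: {"backend": ..., "range": (low, high)}} from smb.conf text."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry[key] = val.lower()
    return cfg


def rid_to_id(sid, low, high):
    """idmap_rid rule (Samba idmap_rid manual): ID = RID + low end of the range.
    Returns None when the result falls outside the configured range, in which
    case winbind cannot map the SID at all."""
    rid = int(sid.rsplit("-", 1)[1])
    xid = low + rid
    return xid if low <= xid <= high else None


def parse_passwd(line):
    """Split a passwd(5) entry as served by NIS into (name, uid, gid)."""
    name, _pw, uid, gid = line.split(":")[:4]
    return name, int(uid), int(gid)


def permission_class(uid, gids, owner_uid, owner_gid):
    """Which POSIX permission triplet applies to this identity (owner > group > other)."""
    if uid == owner_uid:
        return "owner"
    if owner_gid in gids:
        return "group"
    return "other"


def can_access(mode, uid, gids, owner_uid, owner_gid, want="rwx"):
    """True when every requested bit (r, w, x) is set in the triplet that applies."""
    shift = {"owner": 6, "group": 3, "other": 0}[permission_class(uid, gids, owner_uid, owner_gid)]
    triplet = (mode >> shift) & 0o7
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return triplet & need == need


def diagnose(conf, domain, user_sid, group_sids, nis_passwd_line, owner):
    """Compare the winbind-assigned uid with the NIS uid that owns the home
    directory, and report which directory modes let the winbind identity in."""
    low, high = parse_idmap(conf)[domain.upper()]["range"]
    wb_uid = rid_to_id(user_sid, low, high)
    wb_gids = {g for g in (rid_to_id(s, low, high) for s in group_sids) if g is not None}
    name, nis_uid, _nis_gid = parse_passwd(nis_passwd_line)
    owner_uid, owner_gid = owner
    return {
        "user": name,
        "winbind_uid": wb_uid,
        "nis_uid": nis_uid,
        "uids_match": wb_uid == nis_uid,
        "permission_class": permission_class(wb_uid, wb_gids, owner_uid, owner_gid),
        # Modes from the post: 700 fails, 707 and 007 work; 770 added for contrast.
        "access": {m: can_access(m, wb_uid, wb_gids, owner_uid, owner_gid)
                   for m in (0o700, 0o707, 0o007, 0o770)},
    }


if __name__ == "__main__":
    report = diagnose(SMB_CONF, "BIO", SAMPLE_USER_SID, SAMPLE_GROUP_SIDS,
                      SAMPLE_NIS_PASSWD, SAMPLE_HOMEDIR_OWNER)
    for key, val in report.items():
        if key == "access":
            val = {oct(m): ok for m, ok in val.items()}
        print(f"{key:17} {val}")
```

On the real server the inputs come from `wbinfo -n user1` (the SID), `ypmatch user1 passwd` (the NIS entry), `id user1` on the Samba host and `stat /ua/user1` on the file server; if the uid `id` reports on the Samba host is not the owner `stat` shows, the file server will apply the "other" triplet, which is exactly the 707/007 behaviour described. Two caveats: with `security = ADS`, smbd authenticates the SMB session through winbind and Kerberos/NTLM rather than through the PAM stacks shown, so it is the uid winbind hands smbd that reaches NFS, and the pam_winbind lines in system-auth and password-auth sit after `pam_deny.so`, so in those two files they can never yield a successful login anyway; and idmap_rid can only map RIDs up to (high - low), so with the 40000-50000 range any RID above 10000 gets no uid at all.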
add a comment |
Problem:
user1 can map 6 shares normally. Another share, homedir, is mapped
but gets the error message that "Windows cannot access sambahomedir:
You do not have permission to access sambahomedir."
user2 can map 5 shares normally, but the 6th share and homedir
are mapped but get the error message that
"Windows cannot access samba[homedir|staff]:
You do not have permission to access samba[homedir|staff]."
Both users have identical group memberships in both the Windows AD
and linux NIS.
This problem occurs on Windows 7 and 10, macOS, and linux using smb:.
Other users have different combinations of what works and what doesn't and
they are in the correct groups for the shares they are trying to map.
In all cases, the homedir is mapped but not accessible. The homedirs have
permissions 700. I can map the share and look into it only if "other" has rxw
access, namely 707. I can also edit, create, and save files, but only if "other" is rwx. Even 007 works. This is not a useful setting for a private home directory.
I've tried force user = %U and valid users = %U to no avail. I've also tried
valid users = DOMAIN%S (with the correct domain name).
Another samba server which runs a very old version of samba (4.05, downloaded
and compiled from samba.org and installed with default locations) which does
not use winbindd (or sssd) does work in all cases.
The problem samba server in question was able to map all the shares with proper
permissions a couple of weeks ago, but somehow lost the ability to do so
even though no changes were made to the samba configuration or to the
Windows Domain Controller during that time.
Restarting services and rebooting the samba server and domain controller did
not fix the problem.
I need to be able to use a modern version of samba, not 4.05 which I compiled myself from samba.org, and it needs to be able to map shares and see the permissions from NIS and the ZFS file shares.
Here is the setup:
File servers (all are on the same subnet, and no software firewalls):
FreeBSD 12 (NSFv4) with ZFS
This is where all file shares and home directories are.
aclmode = discard
aclinherit = restricted
(these are the default settings)
Logon server for linux machines: Solaris SunOS 5.8 running NIS
The NIS realm is DEPT
Samba Server: Scientific Linux 7.6 running Samba 4.8.3
(acquired from the SL repositories via yum install samba)
set up as a Member Server of our domain (BIO)
selinux is turned off
It is joined to the domain and kinit and klist show that
tokens are being issued.
[root@samba ~]# kinit user1@BIO.DEPT.WISC.EDU
Password for luser1@BIO.DEPT.WISC.EDU:
[root@samba ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: user1@BIO.DEPT.WISC.EDU
Valid starting Expires Service principal
04/25/2019 17:40:08 04/26/2019 03:40:08 krbtgt/BIO.DEPT.WISC.EDU@BIO.DEPT.WISC.EDU
renew until 05/02/2019 17:40:02
It is running smbd, nmbd, and winbindd
wbinfo -ug shows the users and groups from the AD server
wbinfo -n username shows the AD SID for the user
wbinfo -D BIO shows the correct info for the AD domain
Windows Domain Controller Servers: Windows 2008 R2 and Windows 2012
The same usernames exist in both NIS and AD
Configuration files on the samba server:
/etc/samba/smb.conf:
[global]
log level = 2
realm = BIO.DEPT.WISC.EDU
server string = Samba Server Version %v
netbios name = SAMBA
workgroup = BIO
security = ADS
password server = ad1.bio.dept.wisc.edu
domain master = No
local master = No
os level = 0
preferred master = No
machine password timeout = 0
disable spoolss = Yes
load printers = No
printcap name = /dev/null
template shell = /usr/bin/bash
# trying to set homedir location
template homedir = /ua/%U
winbind enum groups = Yes
winbind enum users = Yes
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind rpc only = Yes
winbind use default domain = Yes
idmap config BIO: range = 40000-50000
idmap config BIO: backend = rid
# tried backend = ad and it didn't work either
idmap config BIO: default = yes
idmap config * : range = 100000-299999
idmap config * : backend = tdb
log file = /var/log/samba/log_%m_%a_%R
max log size = 50
follow symlinks = yes
unix extensions = no
wide links = yes
inherit acls = yes
map acl inherit = yes
short preserve case = yes
preserve case = yes
oplocks = False
level2 oplocks = False
posix locking = no
include = /etc/samba/smbshares.conf
In /etc/samba/smbshares.conf the homedir section is
[homedir]
comment = Home Directories
path = %H
browseable = No
read only = No
public = no
writable = yes
guest ok = no
printable = no
Testparm gives:
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
/etc/krb5.conf:
# Configuration snippets may be placed in this directory as well
# there is currently nothing in the below directory
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = BIO.DEPT.WISC.EDU
default_ccache_name = KEYRING:persistent:%uid
[realms]
BIO.DEPT.WISC.EDU =
kdc = xxx.xxx.xxx.xxx:88
# admin_server = xxx.xxx.xxx.xxx:749
default_domain = BIO.DEPT.WISC.EDU
[domain_realm]
xxx.xxx.xxx.xxx = BIO.DEPT.WISC.EDU
bio.dept.wisc.edu = BIO.DEPT.WISC.EDU
/etc/nsswitch.conf:
passwd: files winbind nis
shadow: files nis
group: files winbind nis
hosts: files nis dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
/etc/pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
# add winbind
auth sufficient pam_winbind.so cached_login use_first_pass
# add pam_access.so
account required pam_access.so
# account required pam_unix.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
# add pam_winbind
account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
# add pam_succeed
account requisite pam_succeed_if.so user ingroup [sysadmins]
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok
password required pam_deny.so
# add winbind
password sufficient pam_winbind.so cached_login use_authtok
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
/etc/pam.d/password-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
# add winbind
auth sufficient pam_winbind.so cached_login use_first_pass
# add pam-access.so
account required pam_access.so
# account required pam_unix.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
# add winbind
account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
# add pam_succeed for user ingroup
account requisite pam_succeed_if.so user ingroup [sysadmins]
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok
# add winbind
password sufficient pam_winbind.so cached_login use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
/etc/security/pam_winbind.conf:
[global]
# turn on debugging
;debug = no
# turn on extended PAM state debugging
;debug_state = no
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
;cached_login = yes
# authenticate using kerberos
;krb5_auth = yes
# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type =
# make successful authentication dependent on membership of one SID
# (can also take a name)
;require_membership_of =
# password expiry warning period in days
;warn_pwd_expire = 14
# omit pam conversations
;silent = no
# create homedirectory on the fly
;mkhomedir = no
/etc/pam.d/sshd:
#%PAM-1.0
# PAM configuration for the sshd service
#
#auth
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
# Add winbind
auth sufficient /lib64/security/pam_winbind.so try_first_pass
# account
account required pam_nologin.so
account include password-auth
# Add winbind
account sufficient /lib64/security/pam_winbind.so
# password
password include password-auth
password required pam_unix.so no_warn try_first_pass
# Add windbind
password sufficient /lib64/security/pam_winbind.so no_warn try_first_pass
# session
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
# Add winbind
session required /lib64/security/pam_mkhomedir.so debug skel=/etc/skel umask=0077
linux windows-server-2008-r2 permissions samba home-directory
add a comment |
Problem:
user1 can map 6 shares normally. Another share, homedir, is mapped
but gets the error message that "Windows cannot access sambahomedir:
You do not have permission to access sambahomedir."
user2 can map 5 shares normally, but the 6th share and homedir
are mapped but get the error message that
"Windows cannot access samba[homedir|staff]:
You do not have permission to access samba[homedir|staff]."
Both users have identical group memberships in both the Windows AD
and linux NIS.
This problem occurs on Windows 7 and 10, macOS, and linux using smb:.
Other users have different combinations of what works and what doesn't and
they are in the correct groups for the shares they are trying to map.
In all cases, the homedir is mapped but not accessible. The homedirs have
permissions 700. I can map the share and look into it only if "other" has rxw
access, namely 707. I can also edit, create, and save files, but only if "other" is rwx. Even 007 works. This is not a useful setting for a private home directory.
I've tried force user = %U and valid users = %U to no avail. I've also tried
valid users = DOMAIN%S (with the correct domain name).
Another samba server which runs a very old version of samba (4.05, downloaded
and compiled from samba.org and installed with default locations) which does
not use winbindd (or sssd) does work in all cases.
The problem samba server in question was able to map all the shares with proper
permissions a couple of weeks ago, but somehow lost the ability to do so
even though no changes were made to the samba configuration or to the
Windows Domain Controller during that time.
Restarting services and rebooting the samba server and domain controller did
not fix the problem.
I need to be able to use a modern version of samba, not 4.05 which I compiled myself from samba.org, and it needs to be able to map shares and see the permissions from NIS and the ZFS file shares.
Here is the setup:
File servers (all are on the same subnet, and no software firewalls):
FreeBSD 12 (NSFv4) with ZFS
This is where all file shares and home directories are.
aclmode = discard
aclinherit = restricted
(these are the default settings)
Logon server for linux machines: Solaris SunOS 5.8 running NIS
The NIS realm is DEPT
Samba Server: Scientific Linux 7.6 running Samba 4.8.3
(acquired from the SL repositories via yum install samba)
set up as a Member Server of our domain (BIO)
selinux is turned off
It is joined to the domain and kinit and klist show that
tokens are being issued.
[root@samba ~]# kinit user1@BIO.DEPT.WISC.EDU
Password for luser1@BIO.DEPT.WISC.EDU:
[root@samba ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: user1@BIO.DEPT.WISC.EDU
Valid starting Expires Service principal
04/25/2019 17:40:08 04/26/2019 03:40:08 krbtgt/BIO.DEPT.WISC.EDU@BIO.DEPT.WISC.EDU
renew until 05/02/2019 17:40:02
It is running smbd, nmbd, and winbindd
wbinfo -ug shows the users and groups from the AD server
wbinfo -n username shows the AD SID for the user
wbinfo -D BIO shows the correct info for the AD domain
Windows Domain Controller Servers: Windows 2008 R2 and Windows 2012
The same usernames exist in both NIS and AD
Configuration files on the samba server:
/etc/samba/smb.conf:
[global]
log level = 2
realm = BIO.DEPT.WISC.EDU
server string = Samba Server Version %v
netbios name = SAMBA
workgroup = BIO
security = ADS
password server = ad1.bio.dept.wisc.edu
domain master = No
local master = No
os level = 0
preferred master = No
machine password timeout = 0
disable spoolss = Yes
load printers = No
printcap name = /dev/null
template shell = /usr/bin/bash
# trying to set homedir location
template homedir = /ua/%U
winbind enum groups = Yes
winbind enum users = Yes
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind rpc only = Yes
winbind use default domain = Yes
idmap config BIO: range = 40000-50000
idmap config BIO: backend = rid
# tried backend = ad and it didn't work either
idmap config BIO: default = yes
idmap config * : range = 100000-299999
idmap config * : backend = tdb
log file = /var/log/samba/log_%m_%a_%R
max log size = 50
follow symlinks = yes
unix extensions = no
wide links = yes
inherit acls = yes
map acl inherit = yes
short preserve case = yes
preserve case = yes
oplocks = False
level2 oplocks = False
posix locking = no
include = /etc/samba/smbshares.conf
In /etc/samba/smbshares.conf the homedir section is
[homedir]
comment = Home Directories
path = %H
browseable = No
read only = No
public = no
writable = yes
guest ok = no
printable = no
Testparm gives:
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
/etc/krb5.conf:
# Configuration snippets may be placed in this directory as well
# there is currently nothing in the below directory
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = BIO.DEPT.WISC.EDU
default_ccache_name = KEYRING:persistent:%uid
[realms]
BIO.DEPT.WISC.EDU =
kdc = xxx.xxx.xxx.xxx:88
# admin_server = xxx.xxx.xxx.xxx:749
default_domain = BIO.DEPT.WISC.EDU
[domain_realm]
xxx.xxx.xxx.xxx = BIO.DEPT.WISC.EDU
bio.dept.wisc.edu = BIO.DEPT.WISC.EDU
/etc/nsswitch.conf:
passwd: files winbind nis
shadow: files nis
group: files winbind nis
hosts: files nis dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
/etc/pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
# add winbind
auth sufficient pam_winbind.so cached_login use_first_pass
# add pam_access.so
account required pam_access.so
# account required pam_unix.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
# add pam_winbind
account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
# add pam_succeed
account requisite pam_succeed_if.so user ingroup [sysadmins]
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok
password required pam_deny.so
# add winbind
password sufficient pam_winbind.so cached_login use_authtok
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
/etc/pam.d/password-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
# add winbind
auth sufficient pam_winbind.so cached_login use_first_pass
# add pam-access.so
account required pam_access.so
# account required pam_unix.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
# add winbind
account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
# add pam_succeed for user ingroup
account requisite pam_succeed_if.so user ingroup [sysadmins]
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok
# add winbind
password sufficient pam_winbind.so cached_login use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
/etc/security/pam_winbind.conf:
[global]
# turn on debugging
;debug = no
# turn on extended PAM state debugging
;debug_state = no
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
;cached_login = yes
# authenticate using kerberos
;krb5_auth = yes
# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type =
# make successful authentication dependent on membership of one SID
# (can also take a name)
;require_membership_of =
# password expiry warning period in days
;warn_pwd_expire = 14
# omit pam conversations
;silent = no
# create homedirectory on the fly
;mkhomedir = no
/etc/pam.d/sshd:
#%PAM-1.0
# PAM configuration for the sshd service
#
#auth
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
# Add winbind
auth sufficient /lib64/security/pam_winbind.so try_first_pass
# account
account required pam_nologin.so
account include password-auth
# Add winbind
account sufficient /lib64/security/pam_winbind.so
# password
password include password-auth
password required pam_unix.so no_warn try_first_pass
# Add winbind
password sufficient /lib64/security/pam_winbind.so no_warn try_first_pass
# session
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
# Add winbind
session required /lib64/security/pam_mkhomedir.so debug skel=/etc/skel umask=0077
linux windows-server-2008-r2 permissions samba home-directory
asked Apr 26 at 4:53
J. Lewis
111
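One check worth running against the setup in the question is whether the uid the Samba host resolves for the connecting user is the uid that owns that user's home directory on the NFS/ZFS server. With nsswitch set to `passwd: files winbind nis` and the BIO domain mapped through `backend = rid` into 40000-50000, winbind answers first with a RID-derived uid, while the home directory was created under the NIS uid; if the two differ, smbd opens a mode-0700 directory as neither its owner nor a member of its group, so only the "other" bits apply, which would produce exactly the 700-fails / 707-and-007-work behaviour described. The script below is an added example, not code from the post; the passwd lines, uids and gids in it are constructed, and only the nsswitch order, idmap range and directory modes are taken from the question. `live_check` runs the same comparison against the real NSS and filesystem of the box it is executed on.

```python
# Added example: does the uid NSS hands smbd for a user match the owner of the
# user's home directory, and which permission bits therefore apply?
# Sample data is constructed; nothing below is taken from a real system.
import os
import pwd
import stat
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    source: str  # which nsswitch source answered ("files", "winbind", "nis")


def parse_passwd_line(line: str, source: str) -> PasswdEntry:
    """Parse one getent-passwd style line: name:pw:uid:gid:gecos:home:shell."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError(f"malformed passwd line from {source}: {line!r}")
    return PasswdEntry(fields[0], int(fields[2]), int(fields[3]), fields[5], source)


def resolve(user: str, sources: Dict[str, List[str]], order: List[str]) -> Optional[PasswdEntry]:
    """Emulate nsswitch: the first source in 'order' that knows 'user' wins."""
    for src in order:
        for line in sources.get(src, []):
            entry = parse_passwd_line(line, src)
            if entry.name == user:
                return entry
    return None


def applicable_bits(mode: int, dir_uid: int, dir_gid: int, uid: int, gids: Set[int]) -> int:
    """Classic Unix mode check: owner bits, else group bits, else 'other' bits."""
    perm = stat.S_IMODE(mode)
    if uid == dir_uid:
        return (perm >> 6) & 0o7
    if dir_gid in gids:
        return (perm >> 3) & 0o7
    return perm & 0o7


def diagnose(user, sources, order, dir_uid, dir_gid, dir_mode, extra_gids=frozenset()) -> dict:
    """Resolve 'user' through the given nsswitch order and report the bits that apply."""
    entry = resolve(user, sources, order)
    if entry is None:
        return {"resolved": False}
    gids = {entry.gid} | set(extra_gids)
    bits = applicable_bits(dir_mode, dir_uid, dir_gid, entry.uid, gids)
    return {
        "resolved": True,
        "source": entry.source,
        "uid": entry.uid,
        "owner_match": entry.uid == dir_uid,
        "bits": bits,
        "can_enter": bits & 0o5 == 0o5,  # r+x are needed to list and traverse a directory
        "can_write": bool(bits & 0o2),
    }


def live_check(user: str) -> dict:
    """Run the same comparison against the real NSS and the real home directory."""
    pw = pwd.getpwnam(user)
    st = os.stat(pw.pw_dir)
    line = f"{pw.pw_name}:x:{pw.pw_uid}:{pw.pw_gid}::{pw.pw_dir}:{pw.pw_shell}"
    groups = set(os.getgrouplist(user, pw.pw_gid))
    return diagnose(user, {"live": [line]}, ["live"], st.st_uid, st.st_gid, st.st_mode, groups)


# Constructed sample data (not from the post). With "idmap config BIO: backend = rid"
# and "range = 40000-50000" the winbind uid is derived from the account RID, so it
# will not equal the uid NIS assigned to the same account name.
SAMPLE_SOURCES = {
    "files": ["root:x:0:0:root:/root:/bin/bash"],
    "winbind": ["user1:*:40123:40513:user1:/ua/user1:/usr/bin/bash"],
    "nis": ["user1:x:1501:100:User One:/ua/user1:/bin/tcsh"],
}
HOME_UID, HOME_GID = 1501, 100  # owner of /ua/user1 as the NFS/ZFS server sees it (constructed)

if __name__ == "__main__":
    for order in (["files", "winbind", "nis"], ["files", "nis", "winbind"]):
        for mode in (0o700, 0o707):
            print(order, oct(mode), diagnose("user1", SAMPLE_SOURCES, order, HOME_UID, HOME_GID, mode))
```

With the posted order the user resolves through winbind to uid 40123 and gets no bits at all on a 0700 home, but full access on 0707; resolving through NIS first gives the owner bits on 0700. On the real server, comparing `getent passwd user1` with `ls -ld /ua/user1` (or calling `live_check("user1")`) shows which case applies.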
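A second point a practitioner would check in the posted PAM files is module order. In the `auth` stack of `/etc/pam.d/system-auth`, `auth required pam_deny.so` comes before `auth sufficient pam_winbind.so`. Under the Linux-PAM rules, a `required` failure is recorded and processing continues, and a later `sufficient` success cannot override a recorded failure, so a user who can only be authenticated by winbind is refused by that stack; the same applies to the password stacks, where `pam_winbind.so` also follows `pam_deny.so`. The evaluator below is an added example, not code from the post or from Linux-PAM itself: it implements the keyword and bracketed `[value=action]` controls from `pam.conf(5)` and runs them over the posted `auth` stack (include/substack lines are not modelled). The module behaviours are modelled assumptions: `pam_unix` accepts only the local account, `pam_winbind` only the domain account.

```python
# Added example: a small evaluator for Linux-PAM control flags, run over the
# auth stack of the system-auth file shown in the question. Module behaviours
# and the two users below are modelled assumptions, not real accounts.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# man pam.conf: the keyword controls expressed as [value=action] tables
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


def parse_control(control: str) -> Dict[str, str]:
    """'required' or '[success=1 default=ignore]' -> {module result: action}."""
    if control in KEYWORDS:
        return dict(KEYWORDS[control])
    if control.startswith("[") and control.endswith("]"):
        pairs = (item.split("=", 1) for item in control[1:-1].split())
        return {value: action for value, action in pairs}
    raise ValueError(f"unknown control {control!r}")


@dataclass
class Module:
    control: str
    name: str
    behaviour: Callable[[dict], str]  # returns a PAM result name such as "success"


def run_stack(stack: List[Module], user: dict) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Return (overall result, trace) following libpam's impression/status rules."""
    impression, status = None, "perm_denied"  # _PAM_UNDEF, PAM_MUST_FAIL_CODE
    trace = []
    i = 0
    while i < len(stack):
        mod = stack[i]
        retval = mod.behaviour(user)
        actions = parse_control(mod.control)
        action = actions.get(retval, actions.get("default", "bad"))  # unspecified values are bad
        trace.append((mod.name, retval, action))
        i += 1
        if action in ("ok", "done") or action.isdigit():
            # a result contributes only while no failure has been recorded yet
            if impression is None or (impression == "positive" and status == "success"):
                if impression is None and retval == "success":
                    impression = "positive"
                status = retval
            if action == "done" and impression == "positive":
                return status, trace  # sufficient success with no prior failure ends the stack
            if action.isdigit():
                i += int(action)  # jump over the next N modules
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval  # first failure is the stack's result
            if action == "die":
                return status, trace  # requisite failure ends the stack at once
        elif action == "reset":
            impression, status = None, "perm_denied"
        # "ignore": no effect on the outcome
    return status, trace


# Modelled module behaviours (assumptions, not the real modules)
def pam_unix(u): return "success" if u["local_password_ok"] else "auth_err"
def pam_winbind(u): return "success" if u["domain_password_ok"] else "auth_err"
def uid_ge_1000(u): return "success" if u["uid"] >= 1000 else "auth_err"
def always(result): return lambda u: result


# Order taken from the auth stack of the posted /etc/pam.d/system-auth
SYSTEM_AUTH_AS_POSTED = [
    Module("required",   "pam_env.so", always("success")),
    Module("required",   "pam_faildelay.so", always("success")),
    Module("sufficient", "pam_unix.so", pam_unix),
    Module("requisite",  "pam_succeed_if.so uid >= 1000", uid_ge_1000),
    Module("required",   "pam_deny.so", always("auth_err")),
    Module("sufficient", "pam_winbind.so", pam_winbind),
]
# Same modules with pam_winbind.so moved above pam_deny.so
SYSTEM_AUTH_REORDERED = SYSTEM_AUTH_AS_POSTED[:4] + [SYSTEM_AUTH_AS_POSTED[5], SYSTEM_AUTH_AS_POSTED[4]]

DOMAIN_USER = {"name": "user1", "uid": 40123, "local_password_ok": False, "domain_password_ok": True}
LOCAL_USER = {"name": "admin", "uid": 1000, "local_password_ok": True, "domain_password_ok": False}

if __name__ == "__main__":
    for label, stack in (("as posted", SYSTEM_AUTH_AS_POSTED), ("reordered", SYSTEM_AUTH_REORDERED)):
        result, trace = run_stack(stack, DOMAIN_USER)
        print(label, "->", result)
        for name, retval, action in trace:
            print("   ", name, retval, action)
```

The trace for the domain user under the posted order shows `pam_deny.so` recording `auth_err` with action `bad` and `pam_winbind.so` returning `success` with action `done` without changing the outcome; with the winbind line above `pam_deny.so` the stack returns `success` as soon as winbind accepts the password.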