Samba4 File Share Access issue wrong group

Discussion in 'Server Operation' started by DantePasquale, Feb 3, 2014.

  1. DantePasquale


    I'm running Ubuntu 12.04 server with Samba4 set up as a domain controller, following the OpenChange Cookbook. Everything works, except for file shares not using the user's group. All users viewed via smbstatus -v show group 'users' no matter what AD group they are in.

    I've also set up the box to use LDAP authentication using nslcd via nsswitch.conf and using Kerberos, but no matter what, smbstatus shows group 'users' (gid=100) for all users.

    Here's my smb.conf:

    cat /usr/local/samba/etc/smb.conf 
    # Global parameters
    	### Configuration required by OpenChange server ###
    	dcerpc endpoint servers = +epmapper, +mapiproxy
    	dcerpc_mapiproxy:server = true
    	dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp, exchange_ds_rfr
    	### Configuration required by OpenChange server ###
    	workgroup = SFPI-TEST
    	realm = SFPI-TEST.local
    	netbios name = OPENCHANGEDEV
    	server role = active directory domain controller
    	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
    	path = /usr/local/samba/var/locks/sysvol/sfpi-test.local/scripts
    	read only = No
    	path = /usr/local/samba/var/locks/sysvol
    	read only = No
         path = /var/openchange/users/%U
         read only = no
         path = /var/openchange/IT
         preserve case = yes
         browseable = yes 
         read only = no
         hide special files = yes
         valid users = DanteBell,KateL
        path = /var/openchange/Profiles
        read only = no

    Connection using smbclient:

    smbclient -d3 -U DanteBell%PASSWORD -W SFPI-TEST //
    lp_load_ex: refreshing parameters
    Initialising global parameters
    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
    Processing section "[global]"
    added interface eth0 ip=fe80::de0e:a1ff:fe93:7b12%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
    added interface eth0 ip= bcast= netmask=
    Client started (version 3.6.3).
    Connecting to at port 445
    Doing spnego session setup (blob length=112)
    got OID=1.2.840.48018.1.2.2
    got OID=1.2.840.113554.1.2.2
    got OID=
    got principal=not_defined_in_RFC4178@please_ignore
    Got challenge flags:
    Got NTLMSSP neg_flags=0x60898215
    NTLMSSP: Set final flags:
    Got NTLMSSP neg_flags=0x60088215
    NTLMSSP Sign/Seal - Initialising with flags:
    Got NTLMSSP neg_flags=0x60088215
    Domain=[SFPI-TEST] OS=[Unix] Server=[Samba 4.1.0]
    smb: \> dir
      .                                   D        0  Thu Jan 23 13:46:42 2014
      ..                                  D        0  Fri Jan 31 11:40:15 2014
      3C16685_User_Guide.pdf              A  1803778  Thu Aug 25 13:28:01 2011
    		46802 blocks of size 1048576. 44365 blocks available
    Total bytes listed: 1803778
    smb: \> getfacl 3C16685_User_Guide.pdf
    # file: \3C16685_User_Guide.pdf
    # owner: 3000000
    # group: 3000017
    smb: \> mkdir test
    smb: \> cd test
    dos_clean_name [\test\]
    unix_clean_name [\test\]
    smb: \test\> mput *.txt
    Put file 20130517-catalyst-3560-show-run-working.txt? y

    smbstatus while connected above:

    /usr/local/samba/bin/smbstatus -v
    using configfile = /usr/local/samba/etc/smb.conf
    Samba version 4.1.0
    PID     Username      Group         Machine                        
    6768      DanteBell     users (ipv4:
    Opened /usr/local/samba/var/lock/connections.tdb
    Service      pid     machine       Connected at
    IT           6768  Mon Feb  3 14:30:21 2014
    No locked files

    samba-tool listmembers of group "Unix Administrators":
    PYTHONPATH=$PYTHONPATH /usr/local/samba/bin/samba-tool group listmembers "Unix Administrators"

    # /etc/nsswitch.conf
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc-reference' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.
    passwd:         compat ldap
    group:          compat ldap
    shadow:         compat ldap
    hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4 ldap
    networks:       files
    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files
    netgroup:       nis

    I can dump the LDAP/LDB and that looks fine, too! But I won't put that here since it's too big; here's the command I utilized:

    LDB_MODULES_PATH="/usr/local/samba/lib/ldb" /usr/local/samba/bin/ldbsearch -H ldap://openchangedev:389 -k yes -b dc=sfpi-test,dc=local cn='DanteBell'

    Not sure what else to check. I've also verified using wbinfo sid-to-group, etc., and that all looks OK.
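
An added example, not part of the original post: a small POSIX shell check for the symptom described above. It parses the session table printed by `smbstatus -v` and reports sessions whose Group column is not among the groups expected for that user, plus any group shared by every session. The session rows, client addresses and expected memberships are constructed sample data, and the function names are hypothetical; it assumes the Group column contains no whitespace.

```sh
#!/bin/sh
# Added example: audit the Group column of `smbstatus -v` per session.

# Constructed sample of the session table (documentation addresses).
# On a live server: SESSIONS=$(/usr/local/samba/bin/smbstatus -v)
SESSIONS='PID     Username      Group         Machine
-------------------------------------------------------------------
6768      DanteBell     users         192.0.2.10 (ipv4:192.0.2.10:51234)
6790      KateL         users         192.0.2.11 (ipv4:192.0.2.11:51300)'

# Constructed expected memberships, one "user:group1,group2" per line.
EXPECTED='DanteBell:Unix Administrators,Domain Users
KateL:Domain Users'

# Print "user group" for each row of the session table only.
# Assumes the Group column itself contains no whitespace.
session_groups() {
  printf '%s\n' "$1" | awk '
    /^PID[ \t]+Username/ { in_table = 1; next }
    /^Service/ || /^[ \t]*$/ { in_table = 0 }
    in_table && $1 ~ /^[0-9]+$/ { print $2, $3 }'
}

# Report sessions whose group is not in the user's expected list.
mismatched_sessions() {
  session_groups "$1" | while read -r user group; do
    expected=$(printf '%s\n' "$2" |
      awk -F: -v u="$user" '$1 == u { print $2 }')
    case ",$expected," in
      *",$group,"*) ;;
      *) printf '%s session_group=%s expected=%s\n' \
           "$user" "$group" "$expected" ;;
    esac
  done
}

# Print the group shared by every session when there are two or more:
# the pattern in the post, where all users show the same group.
shared_group() {
  session_groups "$1" | awk '
    { n++; seen[$2]++ }
    END { if (n > 1) for (g in seen) if (seen[g] == n) print g }'
}

mismatched_sessions "$SESSIONS" "$EXPECTED"
echo "group shared by all sessions: $(shared_group "$SESSIONS")"
```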
