Samba4 File Share Access issue wrong group

Discussion in 'Server Operation' started by DantePasquale, Feb 3, 2014.

  1. DantePasquale

    DantePasquale Member HowtoForge Supporter

    Hi,

    I'm running Ubuntu 12.04 server with Samba4 setup as a DomainController - following the OpenChange Cookbook. Everything works, except for file shares not using the user's group. All users view via smbstatus -v show group 'users' no matter what AD group they are in.

    I've also setup the box to use LDAP authentication using nslcd via nsswitch.conf and using kerberos, but it doesn't matter what, the smbstatus shows group 'users' (gid=100) for all users.

    Here's my smb.conf:

    Code:
    cat /usr/local/samba/etc/smb.conf 
    # Global parameters
    [global]
    	### Configuration required by OpenChange server ###
    	dcerpc endpoint servers = +epmapper, +mapiproxy
    	dcerpc_mapiproxy:server = true
    	dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp, exchange_ds_rfr
    	### Configuration required by OpenChange server ###
    
    	workgroup = SFPI-TEST
    	realm = SFPI-TEST.local
    	netbios name = OPENCHANGEDEV
    	server role = active directory domain controller
    	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
    
    [netlogon]
    	path = /usr/local/samba/var/locks/sysvol/sfpi-test.local/scripts
    	read only = No
    
    [sysvol]
    	path = /usr/local/samba/var/locks/sysvol
    	read only = No
    
    [Homes]
         path = /var/openchange/users/%U
         read only = no
    [IT]
         path = /var/openchange/IT
         preserve case = yes
         browseable = yes 
         read only = no
         hide special files = yes
         valid users = DanteBell,KateL
    [Profiles]
        path = /var/openchange/Profiles
        read only = no
    Connection using smbclient:

    Code:
    smbclient -d3 -U DanteBell%PASSWORD -W SFPI-TEST //192.168.4.110/IT
    
    lp_load_ex: refreshing parameters
    Initialising global parameters
    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
    Processing section "[global]"
    added interface eth0 ip=fe80::de0e:a1ff:fe93:7b12%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
    added interface eth0 ip=192.168.4.222 bcast=192.168.7.255 netmask=255.255.252.0
    Client started (version 3.6.3).
    Connecting to 192.168.4.110 at port 445
    Doing spnego session setup (blob length=112)
    got OID=1.2.840.48018.1.2.2
    got OID=1.2.840.113554.1.2.2
    got OID=1.3.6.1.4.1.311.2.2.10
    got [email protected]_ignore
    Got challenge flags:
    Got NTLMSSP neg_flags=0x60898215
    NTLMSSP: Set final flags:
    Got NTLMSSP neg_flags=0x60088215
    NTLMSSP Sign/Seal - Initialising with flags:
    Got NTLMSSP neg_flags=0x60088215
    Domain=[SFPI-TEST] OS=[Unix] Server=[Samba 4.1.0]
    smb: \> dir
      .                                   D        0  Thu Jan 23 13:46:42 2014
      ..                                  D        0  Fri Jan 31 11:40:15 2014
      3C16685_User_Guide.pdf              A  1803778  Thu Aug 25 13:28:01 2011
    
    		46802 blocks of size 1048576. 44365 blocks available
    Total bytes listed: 1803778
    smb: \> getfacl 3C16685_User_Guide.pdf
    # file: \3C16685_User_Guide.pdf
    # owner: 3000000
    # group: 3000017
    user::rwx
    group::r-x
    group:100:r-x
    group:3000000:rwx
    mask::rwx
    other::r-x
    smb: \> mkdir test
    smb: \> cd test
    dos_clean_name [\test\]
    unix_clean_name [\test\]
    smb: \test\> mput *.txt
    Put file 20130517-catalyst-3560-show-run-working.txt? y
    
    

    smbstatus while connected above:

    Code:
    /usr/local/samba/bin/smbstatus -v
    using configfile = /usr/local/samba/etc/smb.conf
    
    Samba version 4.1.0
    PID     Username      Group         Machine                        
    -------------------------------------------------------------------
    6768      DanteBell     [B]users[/B]         192.168.4.222 (ipv4:192.168.4.222:39713)
    Opened /usr/local/samba/var/lock/connections.tdb
    
    Service      pid     machine       Connected at
    -------------------------------------------------------
    IT           6768   192.168.4.222  Mon Feb  3 14:30:21 2014
    
    No locked files

    samba-tool listmembers of group "Unix Administrators":
    Code:
    PYTHONPATH=$PYTHONPATH /usr/local/samba/bin/samba-tool group listmembers "Unix Administrators"
    KateL
    DanteBell
    $64144BC-BE25C09EDAD68F17
    /etc/nsswitch.conf:
    Code:
    # /etc/nsswitch.conf
    #
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc-reference' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.
    
    passwd:         compat ldap
    group:          compat ldap
    shadow:         compat ldap
    
    hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4 ldap
    networks:       files
    
    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files
    
    netgroup:       nis
    I can dump the LDAP/LDB and that looks fine, too! but I won't put that here since it's too big, but here's the command I utilized:

    Code:
    LDB_MODULES_PATH="/usr/local/samba/lib/ldb" /usr/local/samba/bin/ldbsearch -H ldap://openchangedev:389 -k yes -b dc=sfpi-test,dc=local cn='DanteBell'

    Not sure what else to check. I've also verified using wbinfo sid-to-group,etc and that all looks OK.
     

Share This Page