samba with backend ldap: can not access share or file even if user is authorized : NT_STATUS_ACCESS_DENIED

Bug #1743354 reported by alberto fiaschi
This bug affects 1 person
Affects: samba (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Ubuntu 16.04.3 LTS - Version 4.3.11-Ubuntu.
For some days, users cannot access some files although the user has all the rights.
As a solution I have to do a chmod a+rwx on the files involved.
Now it occurs that users authorized for a new shared folder cannot use it (log file attached).
User a.fiaschi is in group dirsan_Rifiuti_rw but gets NT_STATUS_ACCESS_DENIED.
The share config is:

[Rifiuti]
comment = Rifiuti
path = /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
#*********** ZFS snapshot
#vfs objects = shadow_copy2
shadow:format = %Y-%m-%d_%H.%M.%S--5d
shadow:sort = desc
shadow:snapdir = /samba/shares/Dirsanitaria/groups/dirsan/.zfs/snapshot
shadow:basedir = /samba/shares/Dirsanitaria/groups/dirsan
shadow:localtime = yes
#******* snapshot end *************
valid users = @dirsan_Rifiuti_ro,@dirsan_Rifiuti_rw
write list = @dirsan_Rifiuti_rw
force user = nobody
force group = dirsan_quota
#_______ END AUTO ADD Rifiuti ________

ls -ald /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
drwxrwxrwx 2 nobody dirsan_quota 3 gen 15 11:18 /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti

 smbldap-groupshow dirsan_Rifiuti_rw
dn: cn=dirsan_Rifiuti_rw,ou=Groups,ou=aoup,ou=samba,ou=servizi,dc=aop,dc=int
objectClass: top,posixGroup,sambaGroupMapping
cn: dirsan_Rifiuti_rw
gidNumber: 6490
sambaSID: S-1-5-21-1146166441-2403190732-1965087569-13981
sambaGroupType: 2
displayName: dirsan_Rifiuti_rw
memberUid: a.ciucci,m.dalco,a.fiaschi

global config :
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# For a step to step guide on installing, configuring and using samba,
# read the Samba-HOWTO-Collection. This may be obtained from:
# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the
# Samba-Guide which is generated daily and can be downloaded from:
# http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]

# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
workgroup = AOUP
SERVER ROLE = CLASSIC PRIMARY DOMAIN CONTROLLER
# server string is the equivalent of the NT Description field
server string = AOUPSRV file server
# OPTIMIZATIONS ipv4 latency ....
#socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
#socket options = IPTOS_LOWDELAY TCP_NODELAY
kernel oplocks = yes
#listen only on the configured interface/ip
#bind interfaces only = yes
#interfaces = 127.0.0.1/8 172.24.81.0/24
#for security against man in the middle
 server signing = mandatory
# SHOULD BE ENABLED BUT THERE ARE OLD MACHINES: disables the old, easily crackable authentication
#ntlm auth = no
#----
netbios name = zfs-cis
#passdb backend = ldapsam:ldap://ldap.aop.int/
#passdb backend = ldapsam:"ldap://172.29.10.51/ ldap://172.29.10.52/"
#passdb backend = ldapsam:"ldapi://%2fvar%2frun%2fldapi/ ldap://ldap.aop.int/"
passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://ldap.aop.int/ ldap://172.29.10.180/ ldap://172.29.10.181/"
#unix socket on /var/run/ldapi
#passdb backend = ldapsam:ldapi://%2fvar%2frun%2fldapi/
client NTLMv2 auth = yes
client lanman auth = no
#----ESSENTIAL FOR win8 map to guest = Bad User
#map to guest = Bad User
##----ESSENTIAL FOR win8 map to guest = Bad User
#

#TEST -----------------------

# END TEST -------------------

restrict anonymous = 2
map to guest = never
usershare allow guests = no
#posix locking = No
log file = /var/log/samba/%I.log

#log level = 255
log level = 1 auth:2 passdb:2 idmap:2

hide dot files = yes
max log size = 5000
time server = Yes
deadtime = 25
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
local master =yes
logon script = logon.bat
#ldap ssl = start tls
ldap ssl = off
ldap admin dn = cn=manager,dc=aop,dc=int
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Users
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
add user script = /usr/sbin/smbldap-useradd -m
add group script = /usr/sbin/smbldap-groupadd -p
add user to group script = /usr/sbin/smbldap-groupmod -m
delete user from group script = /usr/sbin/smbldap-groupmod -x
set primary group script = /usr/sbin/smbldap-usermod -g
add machine script = /usr/sbin/smbldap-useradd -w
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
ldap suffix = ou=aoup,ou=samba,ou=servizi,dc=aop,dc=int
ldap user suffix = ou=Users
create mask = 0777
directory mask = 0777
nt acl support = No
case sensitive = No
# disable printer support
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
#wins server = 172.29.10.128
wins support = yes

wins proxy = yes
dns proxy = yes
debug uid = yes
####### trying to remove smb ports = 139

#IO OPTIMIZATION
min receivefile size = 16384
use sendfile = true
strict allocate = Yes
aio read size = 16384
aio write size = 16384
write cache size = 65536
# end--------IO OPTIMIZATION

map hidden = no
map system = no
map archive = no
map readonly = no
store dos attributes = yes

strict locking = no
follow symlinks = yes
unix extensions = yes

#unix charset = utf-8
#dos charset = cp1250

dos charset = 850
unix charset = ISO8859-1

# TO BE REMOVED FOR WINDOWS 10 and use of SMB2 and SMB3
#smb ports = 139
#added to try the use of encryption for clients from windows 8 up ....
# REMOVE IF IT WEIGHS ON THE CPU !!!!!!!!!!!!!!!!!!!!!!!!!!!

smb encrypt = desired
#smb encrypt = off
## ********************************************************************************************
## ********************************************************************************************
## ********************************************************************************************
# TO BE PUT BACK IF IT DOES NOT WORK WITH WINDOWS 10 ip filter
#Added for now for WINDOWS 10: force use of the old protocol, otherwise there is no netbios name
#server min protocol = NT1
#
#server max protocol = NT1
#client ipc max protocol = NT1
## ********************************************************************************************

# test hide share without rights with secureshare
#vfs objects = acl_xattr
#map acl inherit = yes

#end test hide share -------------------------------

#*********** ZFS snapshot
#vfs objects = shadow_copy2
#shadow:format = %Y-%m-%d_%H.%M.%S--8d
#shadow:sort = desc
#shadow:snapdir = /samba/share/.zfs/snapshot
#shadow:basedir = /samba/share
#shadow:localtime = yes
#******* snapshot end *************

#access based share enum = yes

vfs objects = shadow_copy2

#*********** FOR AUDIT *******************************************************
#vfs objects = full_audit vfs shadow_copy2
#full_audit:prefix = ___@@@sTrAuDitL1n3€€€£___%T|%i|%U|%I|%P

#full_audit:success = chflags chmod chown close connect disconnect lock mkdir mknod open opendir read rename rmdir write unlink pread pwrite
#full_audit:success = all
#full_audit:failure = chdir chflags chmod chown closedir connect fchmod fchown lock mkdir mknod open opendir pwrite read removexattr rename rmdir write unlink
#full_audit:facility = LOCAL6
#full_audit:priority = DEBUG

#*********** END FOR AUDIT **************************************************
include = /samba/servers_config/%i

 #####include = /etc/samba/servers/ALL_CONF

alberto fiaschi (alberto-fiaschi) wrote :

the problem occurs randomly so I think it's a race condition or so

Andreas Hasenack (ahasenack) wrote :

Thanks for filing this bug in Ubuntu.

When the problem occurs, does the command "id <user>" show the correct group membership info for the affected <user>?

Do you have any sort of NSS caching service running, like nscd? If yes, you should perhaps disable it.

alberto fiaschi (alberto-fiaschi) wrote : Re: [Bug 1743354] Re: samba with backend ldap: can not access share or file even if user is authorized : NT_STATUS_ACCESS_DENIED

2018-01-23 13:25 GMT+01:00 Andreas Hasenack <email address hidden>:

> Thanks for filing this bug in Ubuntu.
>
> When the problem occurs, does the command "id <user>" show the correct
> group membership info for the affected <user>?

yes: id shows all groups

> Do you have any sort of NSS caching service running, like nscd? If yes,
> you should perhaps disable it.

yes, but the problem happens randomly on users and groups present in LDAP
and not changed for a long time


alberto fiaschi (alberto-fiaschi) wrote :

Moreover, all shared files are owned by the local user nobody and all shares have the option force user nobody. See a share config example:
[Staff]
comment = Staff DAI
path = /samba/shares/DAI/groups/dip_staff
shadow:format = %Y-%m-%d_%H.%M.%S--5d
shadow:sort = desc
shadow:snapdir = /samba/shares/DAI/.zfs/snapshot
shadow:basedir = /samba/shares/DAI
shadow:localtime = yes
valid users = @dai_dip_staff_ro,@dai_dip_staff_rw
write list = @dai_dip_staff_rw
force user = nobody
force group = dai_quota

Andreas Hasenack (ahasenack) wrote :

Are all your shares on zfs? Or, more importantly, all shares where this problem happens?

Do you have it happening on shares where there are no vfs modules being used?

Also, about my earlier question about the "id" command, I meant if the id <user> command correctly resolves the groups *at the time* the problem is happening, not in general.

And lastly but not least, do you think you could disable the nss caching for a while and see if the problem happens again? Or will that increase the load too much on your systems?

alberto fiaschi (alberto-fiaschi) wrote :

2018-01-24 13:41 GMT+01:00 Andreas Hasenack <email address hidden>:

> Are all your shares on zfs? Or, more importantly, all shares where this
> problem happens?
>
>
all shares are on zfs

> Do you have it happening on shares where there are no vfs modules being
> used?
>
>
all shares use vfs modules

>
> Also, about my earlier question about the "id" command, I meant if the id
> <user> command correctly resolves the groups *at the time* the problem is
> happening, not in general.
>

Yes, I tried the id command at the time of the problem and all groups were
correctly resolved.
Furthermore, access should not depend on the group since:
1) the owner of all files and folders is nobody
2) all shares use option force user nobody

>
> And lastly but not least, do you think you could disable the nss caching
> for a while and see if the problem happens again? Or will that increase
> the load too much on your systems?
>

It is a server in production that provides a truly critical file sharing
service. If it stops, the analysis laboratories and the ambulatories of the
entire hospital will stop. I do not feel like making such a change.

Alberto
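
Added example, not part of the original report and not Samba's own code: a simplified Python model of the two layers argued about above, the share-level `valid users` / `write list` check and then the POSIX mode bits evaluated as the `force user` / `force group` identity, fed with the values quoted in the report. Function names, the default primary group and the empty `_ro` group are assumptions; `read list`, netgroups, ACLs, xattrs and VFS modules are not modelled.

```python
# Simplified model of the checks discussed in this thread (added example).
# Inputs are constructed from the values quoted in the report.

SHARE_CONF = """\
[Rifiuti]
path = /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
valid users = @dirsan_Rifiuti_ro,@dirsan_Rifiuti_rw
write list = @dirsan_Rifiuti_rw
force user = nobody
force group = dirsan_quota
"""
# memberUid from the smbldap-groupshow output; the _ro group's members are
# not shown in the report, so it is left empty here (assumption).
GROUPS = {"dirsan_Rifiuti_rw": {"a.ciucci", "m.dalco", "a.fiaschi"},
          "dirsan_Rifiuti_ro": set()}
LS_LINE = ("drwxrwxrwx 2 nobody dirsan_quota 3 gen 15 11:18 "
           "/samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti")


def parse_share(text):
    """Return the share's parameters as a dict, skipping comments and headers."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params


def in_user_list(user, spec, groups):
    """True if user matches a 'valid users' style list (names, @group, +group)."""
    for token in spec.replace(",", " ").split():
        if token[0] in "@+":
            if user in groups.get(token[1:], set()):
                return True
        elif token == user:
            return True
    return False


def share_access(user, params, groups):
    """Share-level decision: 'denied', 'ro' or 'rw'."""
    valid = params.get("valid users", "")
    if valid and not in_user_list(user, valid, groups):
        return "denied"
    if in_user_list(user, params.get("write list", ""), groups):
        return "rw"
    # 'read only' defaults to yes in smb.conf
    read_only = params.get("read only", "yes").lower() in ("yes", "true", "1")
    return "ro" if read_only else "rw"


def effective_identity(user, primary_group, params):
    """Unix (user, group) used for file operations once connected."""
    return (params.get("force user", user),
            params.get("force group", primary_group))


def posix_allows(ls_line, identity, want):
    """Check plain mode bits from an 'ls -l' line; no ACLs, no extra groups."""
    mode, _, owner, group = ls_line.split()[:4]
    start = 1 if identity[0] == owner else 4 if identity[1] == group else 7
    return all(flag in mode[start:start + 3] for flag in want)


def explain(user, primary_group="users"):
    """Return (share-level result, effective identity, mode bits allow it)."""
    params = parse_share(SHARE_CONF)
    level = share_access(user, params, GROUPS)
    ident = effective_identity(user, primary_group, params)
    want = "rwx" if level == "rw" else "rx"
    return level, ident, level != "denied" and posix_allows(LS_LINE, ident, want)


print(explain("a.fiaschi"))
```

Both modelled layers allow a.fiaschi, so an NT_STATUS_ACCESS_DENIED for that user has to originate in something the model leaves out.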

Andreas Hasenack (ahasenack) wrote :

I wonder if this from the 4.3.12 release notes is relevant:

https://bugzilla.samba.org/show_bug.cgi?id=12172

   * BUG 12172: Fix access of snapshot folders via SMB1.

@alberto-fiaschi are you seeing this error when accessing the server via protocol SMB1?

I'll take a closer look at that bug.

alberto fiaschi (alberto-fiaschi) wrote :

@ahasenack
Yes. Unfortunately we still have about 2000 clients with Windows XP.
But I cannot verify if the situation described in the bug has occurred.
I doubt it, because our average user is very obtuse and therefore usually calls helpdesk to restore files.

Andreas Hasenack (ahasenack) wrote :

In another comment you said you had to chmod files so the user would get access, correct? Are you using, or relying on, posix ACLs? If yes, did you enable that support in the zfs datasets you are exporting?

alberto fiaschi (alberto-fiaschi) wrote :

Yes, giving access to all solves the problem.
No, I do not use ACLs (two groups of users are associated with each shared
folder: a group for rw and one for ro; the groups are used in samba [valid
users] and [write list]).
In addition, I force the creation of all files with the same owner and group
([force user], [force group]).
Reading the logs, I thought it was related to ACLs, so I disabled them. Since I
disabled them, it seems to me that the problem has not occurred again.
(from pool history 2018-02-06.18:37:04 zfs set xattr=off pool_z2_samba )

But I think it is still to be considered a bug because my configuration
does not use ACLs.

alberto fiaschi (alberto-fiaschi) wrote :

I also have 'nt acl support = No' in the samba config.
