Hi Alexander,
I finally succeeded in making it work with the following configuration on the
freeipa server.
[global]
workgroup = MYDOMAIN.LOCAL
netbios name = MYSERVER
realm = MYDOMAIN.LOCAL
kerberos method = dedicated keytab
dedicated keytab file = /etc/samba/samba.keytab
create krb5 conf = no
security = user
domain master = yes
domain logons = yes
max log size = 100000
log file = /var/log/samba/log.%m
rpc_server:epmapper = external
rpc_server:lsarpc = external
rpc_server:lsass = external
rpc_server:lsasd = external
rpc_server:samr = external
rpc_server:netlogon = external
rpc_server:tcpip = yes
rpc_daemon:epmd = fork
rpc_daemon:lsasd = fork
smb ports = 139 445
log level = 10
[scratch]
path = /data/scratch
comment = Scratch shared files
read only = no
browseable = yes
guest ok = no
create mask = 0644
I commented out the following from the global section:
;passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-MYDOMAIN-LOCAL.socket
;disable spoolss = yes
;ldapsam:trusted = yes
;ldap ssl = off
;ldap suffix = dc=mydomain,dc=local
;ldap user suffix = cn=users,cn=accounts
;ldap group suffix = cn=groups,cn=accounts
;ldap machine suffix = cn=computers,cn=accounts
Any idea why this was causing trouble?
The smbstatus below shows several '.' as well as a file that I'm accessing.
Samba version 4.9.4
PID     Username     Group        Machine                                   Protocol Version  Encryption  Signing
----------------------------------------------------------------------------------------------------------------------------------------
23252   beauduin     mydomain     10.0.21.247 (ipv4:10.0.21.247:39798)      SMB3_02           -           partial(AES-128-CMAC)
23253   baina        mydomain     10.0.21.251 (ipv4:10.0.21.251:62736)      SMB3_02           -           partial(AES-128-CMAC)

Service      pid     Machine       Connected at                      Encryption   Signing
---------------------------------------------------------------------------------------------
scratch      23252   10.0.21.247   Wed Mar 13 10:16:14 AM 2019 CET   -            -
scratch      23253   10.0.21.251   Wed Mar 13 10:16:17 AM 2019 CET   -            -
public       23252   10.0.21.247   Wed Mar 13 10:16:21 AM 2019 CET   -            -

Locked files:
Pid      Uid    DenyMode     Access     R/W     Oplock       SharePath       Name                       Time
--------------------------------------------------------------------------------------------------
23252    1010   DENY_NONE    0x100081   RDONLY  NONE         /data/public    .                          Wed Mar 13 10:16:21 2019
23252    1010   DENY_WRITE   0x120089   RDONLY  LEASE(RWH)   /data/scratch   Time-Shift Project.docx    Wed Mar 13 10:19:23 2019
23252    1010   DENY_NONE    0x120080   RDONLY  LEASE(RWH)   /data/scratch   Time-Shift Project.docx    Wed Mar 13 10:19:23 2019
23252    1010   DENY_NONE    0x120089   RDONLY  LEASE(RWH)   /data/scratch   Time-Shift Project.docx    Wed Mar 13 10:19:23 2019
23253    1011   DENY_NONE    0x100081   RDONLY  NONE         /data/scratch   .                          Wed Mar 13 10:16:16 2019
23252    1010   DENY_NONE    0x100081   RDONLY  NONE         /data/scratch   .                          Wed Mar 13 10:16:20 2019
23253    1011   DENY_NONE    0x100081   RDONLY  NONE         /data/scratch   .                          Wed Mar 13 10:16:16 2019
23252    1010   DENY_NONE    0x100081   RDONLY  NONE         /data/scratch   .                          Wed Mar 13 10:16:22 2019
23252    1010   DENY_NONE    0x1000a0   RDONLY  NONE         /data/scratch   .                          Wed Mar 13 10:19:24 2019
Also, when I check the "Security" tab in the Windows Properties dialog of a file
in the freeipa server's share /data/scratch, the SIDs of user and group are
not resolved.
My desktop is also a samba server and the SIDs are resolved.
What could be the cause of this non-resolution of the SIDs?
Thank you.
Regards,
F
On Tue, Mar 12, 2019 at 7:44 PM Alexander Bokovoy <[email protected]>
wrote:
> On Tue, 12 Mar 2019, fujisan wrote:
> >This is strange as /data and /tmp are 2 partitions on my server and scratch
> >is a directory in /data
> >
> >/dev/mapper/fedora-data 2832342640 946566920 1741877916 36% /data
> >/dev/mapper/fedora-tmp 153769424 61780 145826940 1% /tmp
> >
> ># ls -l /data/
> >total 52
> >drwxrwx---. 5 root staff 4096 Mar 11 13:02 scratch
> >
> >There is absolutely no symlink involved here.
> That's what the log tells, I'm not inventing anything here. :)
>
> >Locked files:
> >Pid      Uid    DenyMode    Access     R/W     Oplock    SharePath       Name    Time
> >--------------------------------------------------------------------------------------------------
> >20533    1011   DENY_NONE   0x100081   RDONLY  NONE      /data/scratch   .       Tue Mar 12 18:29:06 2019
> >20533    1011   DENY_NONE   0x100081   RDONLY  NONE      /data/scratch   .       Tue Mar 12 18:29:06 2019
> Note this '.' file? This is what smbd complains about.
>
> As far as the rest of configuration is concerned, it seems that you are
> using NTLMSSP to login to smbd and it works. Also, since smbd is able to
> pull the data from LDAP, its own cifs/... principal for
> /etc/samba/samba.keytab is just fine.
>
>
>
> >Regards
> >F
> >
> >On Tue, Mar 12, 2019 at 7:04 PM Alexander Bokovoy <[email protected]>
> >wrote:
> >
> >> On Tue, 12 Mar 2019, fujisan wrote:
> >> >I added a share in smb.conf.regedit then I imported the file with net conf
> >> >import smb.conf.regedit .
> >> >I send you another tar file at your email.
> >> >
> >> >Regards
> >> >F
> >> >
> >> ># net conf list
> >> >
> >> >[global]
> >> > workgroup = MYDOMAIN.LOCAL
> >> > netbios name = MYSERVER
> >> > realm = MYDOMAIN.LOCAL
> >> > kerberos method = dedicated keytab
> >> > dedicated keytab file = /etc/samba/samba.keytab
> >> > create krb5 conf = no
> >> > security = user
> >> > domain master = yes
> >> > domain logons = yes
> >> > max log size = 100000
> >> > log file = /var/log/samba/log.%m
> >> > passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-MYDOMAIN-LOCAL.socket
> >> > disable spoolss = yes
> >> > ldapsam:trusted = yes
> >> > ldap ssl = off
> >> > ldap suffix = dc=mydomain,dc=local
> >> > ldap user suffix = cn=users,cn=accounts
> >> > ldap group suffix = cn=groups,cn=accounts
> >> > ldap machine suffix = cn=computers,cn=accounts
> >> > rpc_server:epmapper = external
> >> > rpc_server:lsarpc = external
> >> > rpc_server:lsass = external
> >> > rpc_server:lsasd = external
> >> > rpc_server:samr = external
> >> > rpc_server:netlogon = external
> >> > rpc_server:tcpip = yes
> >> > rpc_daemon:epmd = fork
> >> > rpc_daemon:lsasd = fork
> >> > log level = 10
> >> >
> >> >[scratch]
> >> > path = /data/scratch
> >> > comment = Scratch shared files
> >> > create mask = 0644
> >> > invalid users = opera
> >>
> >> Thanks. However, Samba says /data/scratch is a symlink to /tmp which is
> >> outside of the share and therefore fails:
> >>
> >> [2019/03/12 18:29:40.679585, 2, pid=20580, effective(1024, 1023), real(1024, 0), class=vfs] ../source3/smbd/vfs.c:1305(check_reduced_name)
> >>   check_reduced_name: Bad access attempt: . is a symlink outside the share path
> >>   conn_rootdir =/data/scratch
> >>   resolved_name=/tmp
> >> [2019/03/12 18:29:40.679613, 5, pid=20580, effective(1024, 1023), real(1024, 0)] ../source3/smbd/filename.c:1271(check_name)
> >>   check_name: name . failed with NT_STATUS_ACCESS_DENIED
> >>
> >> Maybe you can try with /data/scratch not being a symlink. Samba is
> >> pretty serious on not allowing wide symlinks by default.
> >>
> >>
> >> --
> >> / Alexander Bokovoy
> >> Sr. Principal Software Engineer
> >> Security / Identity Management Engineering
> >> Red Hat Limited, Finland
> >>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
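Added example, not code from the thread or from Samba: a small Python model of the confinement check that produced the check_reduced_name log lines quoted above, run against a constructed directory layout that reproduces the failing case (share path that is itself a symlink to a directory outside it) next to a working share and a wide link inside it. The function names and the simplified comparison are assumptions made for illustration.

```python
import os
import tempfile


def check_reduced_name(conn_rootdir, name):
    """Simplified model (assumption, not smbd's code) of the check behind the
    quoted log lines: the requested name is canonicalised with realpath, the
    share root is compared as configured, and the name is refused unless it
    still lies inside that root. Returns (allowed, resolved_name)."""
    resolved = os.path.realpath(os.path.join(conn_rootdir, name))
    root = conn_rootdir.rstrip(os.sep)
    allowed = resolved == root or resolved.startswith(root + os.sep)
    return allowed, resolved


def run_scenarios():
    """Build a constructed layout in a temp dir and audit three lookups:
      data/scratch -> tmp          the thread's layout: share path is a symlink
      data/public                  a plain directory
      data/public/escape -> tmp    a wide link inside an otherwise fine share
    Returns {(share, name): allowed}."""
    with tempfile.TemporaryDirectory() as base:
        base = os.path.realpath(base)  # keep the constructed root canonical
        data, tmp = os.path.join(base, "data"), os.path.join(base, "tmp")
        os.makedirs(os.path.join(data, "public"))
        os.makedirs(tmp)
        os.symlink(tmp, os.path.join(data, "scratch"))
        os.symlink(tmp, os.path.join(data, "public", "escape"))
        results = {}
        for share, name in (("scratch", "."), ("public", "."), ("public", "escape")):
            root = os.path.join(data, share)
            allowed, resolved = check_reduced_name(root, name)
            results[(share, name)] = allowed
            if not allowed:
                # same shape as the level-2 smbd message quoted in the thread
                print(f"check_reduced_name: Bad access attempt: {name} "
                      "is a symlink outside the share path")
                print(f"  conn_rootdir ={root}\n  resolved_name={resolved}")
        return results


if __name__ == "__main__":
    print(run_scenarios())
```

Running it prints the denial for the scratch share's "." and for public/escape, and returns True only for the plain directory, which is the behaviour the thread resolved by making /data/scratch a real directory.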
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]