2018-01-23 13:25 GMT+01:00 Andreas Hasenack <[email protected]>:

> Thanks for filing this bug in Ubuntu.
>
> When the problem occurs, does the command "id <user>" show the correct
> group membership info for the affected <user>?

Yes: id shows all groups.

> Do you have any sort of NSS caching service running, like nscd? If yes,
> you should perhaps disable it.

Yes, but the problem happens randomly on users and groups that are present in LDAP and have not been changed for a long time.

> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1743354
>
> Title:
> samba with backend ldap: can not access share or file even if user is
> authorized : NT_STATUS_ACCESS_DENIED
>
> Status in samba package in Ubuntu:
> New
>
> Bug description:
> Ubuntu 16.04.3 LTS - Version 4.3.11-Ubuntu.
> For some days now, users cannot access some files although the user has
> all the rights.
> As a solution I have to do a chmod a+rwx on the files involved.
> Now it occurs that users authorized to a new shared folder cannot use
> it (log file attached).
> User a.fiaschi is in group dirsan_Rifiuti_rw but gets
> NT_STATUS_ACCESS_DENIED.
> share config is
>
> [Rifiuti]
> comment = Rifiuti
> path = /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
> #*********** ZFS snapshot
> #vfs objects = shadow_copy2
> shadow:format = %Y-%m-%d_%H.%M.%S--5d
> shadow:sort = desc
> shadow:snapdir = /samba/shares/Dirsanitaria/groups/dirsan/.zfs/snapshot
> shadow:basedir = /samba/shares/Dirsanitaria/groups/dirsan
> shadow:localtime = yes
> #******* snapshot end *************
> valid users = @dirsan_Rifiuti_ro,@dirsan_Rifiuti_rw
> write list = @dirsan_Rifiuti_rw
> force user = nobody
> force group = dirsan_quota
> #_______ END AUTO ADD Rifiuti ________
>
> ls -ald /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
> drwxrwxrwx 2 nobody dirsan_quota 3 gen 15 11:18 /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
>
> smbldap-groupshow dirsan_Rifiuti_rw
> dn: cn=dirsan_Rifiuti_rw,ou=Groups,ou=aoup,ou=samba,ou=servizi,dc=aop,dc=int
> objectClass: top,posixGroup,sambaGroupMapping
> cn: dirsan_Rifiuti_rw
> gidNumber: 6490
> sambaSID: S-1-5-21-1146166441-2403190732-1965087569-13981
> sambaGroupType: 2
> displayName: dirsan_Rifiuti_rw
> memberUid: a.ciucci,m.dalco,a.fiaschi
>
> global config :
> # This is the main Samba configuration file. You should read the
> # smb.conf(5) manual page in order to understand the options listed
> # here. Samba has a huge number of configurable options (perhaps too
> # many!) most of which are not shown in this example
> #
> # For a step to step guide on installing, configuring and using samba,
> # read the Samba-HOWTO-Collection. This may be obtained from:
> # http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
> #
> # Many working examples of smb.conf files can be found in the
> # Samba-Guide which is generated daily and can be downloaded from:
> # http://www.samba.org/samba/docs/Samba-Guide.pdf
> #
> # Any line which starts with a ; (semi-colon) or a # (hash)
> # is a comment and is ignored. In this example we will use a #
> # for commentry and a ; for parts of the config file that you
> # may wish to enable
> #
> # NOTE: Whenever you modify this file you should run the command "testparm"
> # to check that you have not made any basic syntactic errors.
> #
> #======================= Global Settings =====================================
> [global]
>
> # workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
> workgroup = AOUP
> SERVER ROLE = CLASSIC PRIMARY DOMAIN CONTROLLER
> # server string is the equivalent of the NT Description field
> server string = AOUPSRV file server
> # OPTIMIZATIONS ipv4 latency ....
> #socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
> #socket options = IPTOS_LOWDELAY TCP_NODELAY
> kernel oplocks = yes
> #listen only on the configured interface/ip
> #bind interfaces only = yes
> #interfaces = 127.0.0.1/8 172.24.81.0/24
> #for security against man in the middle
> server signing = mandatory
> # SHOULD BE ENABLED BUT THERE ARE OLD MACHINES; disables the old, easily crackable authentication
> #ntlm auth = no
> #----
> netbios name = zfs-cis
> #passdb backend = ldapsam:ldap://ldap.aop.int/
> #passdb backend = ldapsam:"ldap://172.29.10.51/ ldap://172.29.10.52/"
> #passdb backend = ldapsam:"ldapi://%2fvar%2frun%2fldapi/ ldap://ldap.aop.int/"
> passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://ldap.aop.int/ ldap://172.29.10.180/ ldap://172.29.10.181/"
> #unix socket on /var/run/ldapi
> #passdb backend = ldapsam:ldapi://%2fvar%2frun%2fldapi/
> client NTLMv2 auth = yes
> client lanman auth = no
> #----ESSENTIAL FOR win8 map to guest = Bad User
> #map to guest = Bad User
> ##----ESSENTIAL FOR win8 map to guest = Bad User
> #
>
> #TEST -----------------------
>
> # END TEST -------------------
>
> restrict anonymous = 2
> map to guest = never
> usershare allow guests = no
> #posix locking = No
> log file = /var/log/samba/%I.log
>
> #log level = 255
> log level = 1 auth:2 passdb:2 idmap:2
>
> hide dot files = yes
> max log size = 5000
> time server = Yes
> deadtime = 25
> domain logons = Yes
> os level = 65
> preferred master = Yes
> domain master = Yes
> local master =yes
> logon script = logon.bat
> #ldap ssl = start tls
> ldap ssl = off
> ldap admin dn = cn=manager,dc=aop,dc=int
> ldap delete dn = Yes
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Users
> ldap machine suffix = ou=Computers
> ldap passwd sync = Yes
> add user script = /usr/sbin/smbldap-useradd -m
> add group script = /usr/sbin/smbldap-groupadd -p
> add user to group script = /usr/sbin/smbldap-groupmod -m
> delete user from group script = /usr/sbin/smbldap-groupmod -x
> set primary group script = /usr/sbin/smbldap-usermod -g
> add machine script = /usr/sbin/smbldap-useradd -w
> passwd program = /usr/sbin/smbldap-passwd %u
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
> ldap suffix = ou=aoup,ou=samba,ou=servizi,dc=aop,dc=int
> ldap user suffix = ou=Users
> create mask = 0777
> directory mask = 0777
> nt acl support = No
> case sensitive = No
> # disable printer support
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> #wins server = 172.29.10.128
> wins support = yes
>
> wins proxy = yes
> dns proxy = yes
> debug uid = yes
> ####### trying to remove smb ports = 139
>
> #IO OPTIMIZATION
> min receivefile size = 16384
> use sendfile = true
> strict allocate = Yes
> aio read size = 16384
> aio write size = 16384
> write cache size = 65536
> # end--------IO OPTIMIZATION
>
> map hidden = no
> map system = no
> map archive = no
> map readonly = no
> store dos attributes = yes
>
> strict locking = no
> follow symlinks = yes
> unix extensions = yes
>
> #unix charset = utf-8
> #dos charset = cp1250
>
> dos charset = 850
> unix charset = ISO8859-1
>
> # TO BE REMOVED FOR WINDOWS 10 and use of SMB2 and SMB3
> #smb ports = 139
> #added to try using encryption for clients from windows 8 upward ....
> # TO BE REMOVED IF IT WEIGHS ON THE CPU !!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> smb encrypt = desired
> #smb encrypt = off
> ## ********************************************************************************************
> ## ********************************************************************************************
> ## ********************************************************************************************
> # TO BE RESTORED IF IT DOES NOT WORK WITH WINDOWS 10 ip filter
> #Added for now for WINDOWS 10: I force use of the old protocol, otherwise there is no netbios name
> #server min protocol = NT1
> #
> #server max protocol = NT1
> #client ipc max protocol = NT1
> ## ********************************************************************************************
>
> # test hide share without rights with secureshare
> #vfs objects = acl_xattr
> #map acl inherit = yes
>
> #end test hide share -------------------------------
>
> #*********** ZFS snapshot
> #vfs objects = shadow_copy2
> #shadow:format = %Y-%m-%d_%H.%M.%S--8d
> #shadow:sort = desc
> #shadow:snapdir = /samba/share/.zfs/snapshot
> #shadow:basedir = /samba/share
> #shadow:localtime = yes
> #******* snapshot end *************
>
> #access based share enum = yes
>
> vfs objects = shadow_copy2
>
> #*********** FOR AUDIT *******************************************************
> #vfs objects = full_audit vfs shadow_copy2
> #full_audit:prefix = ___@@@sTrAuDitL1n3€€€£___%T|%i|%U|%I|%P
>
> #full_audit:success = chflags chmod chown close connect disconnect lock mkdir mknod open opendir read rename rmdir write unlink pread pwrite
> #full_audit:success = all
> #full_audit:failure = chdir chflags chmod chown closedir connect fchmod fchown lock mkdir mknod open opendir pwrite read removexattr rename rmdir write unlink
> #full_audit:facility = LOCAL6
> #full_audit:priority = DEBUG
>
> #*********** END FOR AUDIT **************************************************
> include = /samba/servers_config/%i
>
> #####include = /etc/samba/servers/ALL_CONF
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1743354/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
