Moreover, all shared files are owned by the local user nobody and all shares
have the option force user = nobody. See a share config example:
[Staff]
comment = Staff DAI
path = /samba/shares/DAI/groups/dip_staff
shadow:format = %Y-%m-%d_%H.%M.%S--5d
shadow:sort = desc
shadow:snapdir = /samba/shares/DAI/.zfs/snapshot
shadow:basedir = /samba/shares/DAI
shadow:localtime = yes
valid users = @dai_dip_staff_ro,@dai_dip_staff_rw
write list  = @dai_dip_staff_rw
force user = nobody
force group = dai_quota



----------------------------------------------------------------

*«Imagination is more important than knowledge.» - Albert
Einstein.*


*Alberto M.Fiaschi*


http://it.linkedin.com/pub/alberto-fiaschi/38/783/a5
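As an added diagnostic (not from the bug report, Ubuntu or Samba), the following Python replays the share-level checks smbd applies to a stanza like the ones above, using whatever group view NSS returns at that moment; the `parse_shares`, `in_list` and `share_access` helpers and the trimmed `RIFIUTI` stanza are my own construction, and `@`/`+`/`&` entries are assumed to be NSS groups (no NIS netgroups). A stale or empty group set from the LDAP/nscd lookup yields "denied" even though the file mode under `force user = nobody` would allow access.

```python
import grp, pwd, re

# Share stanza from the bug report (path and snapshot keys omitted).
RIFIUTI = ("[Rifiuti]\nvalid users = @dirsan_Rifiuti_ro,@dirsan_Rifiuti_rw\n"
           "write list  = @dirsan_Rifiuti_rw\nforce user = nobody\n")

def parse_shares(conf):
    """Parse smb.conf text into {share: {lowercased key: value}}; comments dropped."""
    shares, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1)
            shares[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            shares[current][key.strip().lower()] = value.strip()
    return shares

def nss_groups(user):
    """Group names NSS returns for user right now (the same view as `id <user>`)."""
    primary = grp.getgrgid(pwd.getpwnam(user).pw_gid).gr_name
    return {g.gr_name for g in grp.getgrall() if user in g.gr_mem} | {primary}

def in_list(user_list, user, groups):
    """Samba user-list match; '@g', '+g', '&g' taken as NSS group g (assumption: no NIS)."""
    for item in (s.strip() for s in user_list.split(",")):
        if item and item[0] in "@+&" and item[1:] in groups:
            return True
        if item == user:
            return True
    return False

def share_access(share, user, groups):
    """'denied', 'read' or 'write', in the order smbd evaluates the user lists."""
    if in_list(share.get("invalid users", ""), user, groups):
        return "denied"
    if share.get("valid users") and not in_list(share["valid users"], user, groups):
        return "denied"
    if in_list(share.get("write list", ""), user, groups):
        return "write"  # write list grants write even on a read-only share
    writable = share.get("read only", "yes").lower() not in ("yes", "true", "1")
    if writable and not in_list(share.get("read list", ""), user, groups):
        return "write"
    return "read"
```

Calling `share_access(share, "a.fiaschi", nss_groups("a.fiaschi"))` at the moment of an ACCESS_DENIED, and comparing that group set with the memberUid list from smbldap-groupshow, shows whether the failing lookup is on the NSS side.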

2018-01-23 17:22 GMT+01:00 alberto fiaschi <[email protected]>:

> 2018-01-23 13:25 GMT+01:00 Andreas Hasenack <[email protected]>:
>
>> Thanks for filing this bug in Ubuntu.
>>
>> When the problem occurs, does the command "id <user>" show the correct
>> group membership info for the affected <user>?
>>
> yes: id shows all groups
>
>> Do you have any sort of NSS caching service running, like nscd? If yes,
>> you should perhaps disable it.
>>
> yes, but the problem happens randomly with users and groups present in LDAP
> and not changed for a long time
>
> --
>> You received this bug notification because you are subscribed to the bug
>> report.
>> https://bugs.launchpad.net/bugs/1743354
>>
>> Title:
>>   samba with backend ldap: can not access share or file even if user is
>>   authorized: NT_STATUS_ACCESS_DENIED
>>
>> Status in samba package in Ubuntu:
>>   New
>>
>> Bug description:
>>   Ubuntu 16.04.3 LTS - Version 4.3.11-Ubuntu.
>>   For some days users have not been able to access some files although the user
>>   has all the rights.
>>   As a solution I have to do a chmod a+rwx on the files involved.
>>   Now it occurs that users authorized to a new shared folder can not use
>>   it (log file attached).
>>   User a.fiaschi is in group dirsan_Rifiuti_rw but gets
>>   NT_STATUS_ACCESS_DENIED.
>>   Share config is:
>>
>>   [Rifiuti]
>>   comment = Rifiuti
>>   path = /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
>>   #***********  ZFS snapshot
>>   #vfs objects = shadow_copy2
>>   shadow:format = %Y-%m-%d_%H.%M.%S--5d
>>   shadow:sort = desc
>>   shadow:snapdir = /samba/shares/Dirsanitaria/groups/dirsan/.zfs/snapshot
>>   shadow:basedir = /samba/shares/Dirsanitaria/groups/dirsan
>>   shadow:localtime = yes
>>   #******* snapshot end *************
>>   valid users = @dirsan_Rifiuti_ro,@dirsan_Rifiuti_rw
>>   write list  = @dirsan_Rifiuti_rw
>>   force user = nobody
>>   force group = dirsan_quota
>>   #_______ END AUTO ADD Rifiuti ________
>>
>>   ls -ald /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
>>   drwxrwxrwx 2 nobody dirsan_quota 3 gen 15 11:18 /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
>>
>>
>>
>>   smbldap-groupshow dirsan_Rifiuti_rw
>>   dn: cn=dirsan_Rifiuti_rw,ou=Groups,ou=aoup,ou=samba,ou=servizi,dc=aop,dc=int
>>   objectClass: top,posixGroup,sambaGroupMapping
>>   cn: dirsan_Rifiuti_rw
>>   gidNumber: 6490
>>   sambaSID: S-1-5-21-1146166441-2403190732-1965087569-13981
>>   sambaGroupType: 2
>>   displayName: dirsan_Rifiuti_rw
>>   memberUid: a.ciucci,m.dalco,a.fiaschi
>>
>>
>>
>>   global config:
>>   # This is the main Samba configuration file. You should read the
>>   # smb.conf(5) manual page in order to understand the options listed
>>   # here. Samba has a huge number of configurable options (perhaps too
>>   # many!) most of which are not shown in this example
>>   #
>>   # For a step to step guide on installing, configuring and using samba,
>>   # read the Samba-HOWTO-Collection. This may be obtained from:
>>   #  http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
>>   #
>>   # Many working examples of smb.conf files can be found in the
>>   # Samba-Guide which is generated daily and can be downloaded from:
>>   #  http://www.samba.org/samba/docs/Samba-Guide.pdf
>>   #
>>   # Any line which starts with a ; (semi-colon) or a # (hash)
>>   # is a comment and is ignored. In this example we will use a #
>>   # for commentry and a ; for parts of the config file that you
>>   # may wish to enable
>>   #
>>   # NOTE: Whenever you modify this file you should run the command "testparm"
>>   # to check that you have not made any basic syntactic errors.
>>   #
>>   #======================= Global Settings =====================================
>>   [global]
>>
>>   # workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
>>   workgroup = AOUP
>>   SERVER ROLE = CLASSIC PRIMARY DOMAIN CONTROLLER
>>   # server string is the equivalent of the NT Description field
>>   server string =  AOUPSRV file server
>>   # ipv4 latency OPTIMIZATIONS ....
>>   #socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
>>   #socket options = IPTOS_LOWDELAY TCP_NODELAY
>>   kernel oplocks = yes
>>   #listen only on the configured interface/ip
>>   #bind interfaces only = yes
>>   #interfaces = 127.0.0.1/8 172.24.81.0/24
>>   #for security against man in the middle
>>    server signing = mandatory
>>   # SHOULD BE ENABLED BUT THERE ARE OLD MACHINES; disables the old, easily crackable authentication
>>   #ntlm auth = no
>>   #----
>>   netbios name = zfs-cis
>>   #passdb backend = ldapsam:ldap://ldap.aop.int/
>>   #passdb backend = ldapsam:"ldap://172.29.10.51/ ldap://172.29.10.52/";
>>   #passdb backend = ldapsam:"ldapi://%2fvar%2frun%2fldapi/ ldap://ldap.aop.int/"
>>   passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://ldap.aop.int/ ldap://172.29.10.180/ ldap://172.29.10.181/";
>>   #unix socket on /var/run/ldapi
>>   #passdb backend = ldapsam:ldapi://%2fvar%2frun%2fldapi/
>>   client NTLMv2 auth = yes
>>   client lanman auth = no
>>   #----ESSENTIAL FOR win8 map to guest = Bad User
>>   #map to guest = Bad User
>>   ##----ESSENTIAL FOR win8 map to guest = Bad User
>>   #
>>
>>   #TEST -----------------------
>>
>>
>>   # END TEST -------------------
>>
>>
>>   restrict anonymous = 2
>>   map to guest = never
>>   usershare allow guests = no
>>   #posix locking = No
>>   log file = /var/log/samba/%I.log
>>
>>   #log level = 255
>>   log level = 1 auth:2 passdb:2  idmap:2
>>
>>   hide dot files = yes
>>   max log size = 5000
>>   time server = Yes
>>   deadtime = 25
>>   domain logons = Yes
>>   os level = 65
>>   preferred master = Yes
>>   domain master =  Yes
>>   local master =yes
>>   logon script = logon.bat
>>   #ldap ssl = start tls
>>   ldap ssl = off
>>   ldap admin dn = cn=manager,dc=aop,dc=int
>>   ldap delete dn = Yes
>>   ldap group suffix = ou=Groups
>>   ldap idmap suffix = ou=Users
>>   ldap machine suffix = ou=Computers
>>   ldap passwd sync = Yes
>>   add user script = /usr/sbin/smbldap-useradd -m
>>   add group script = /usr/sbin/smbldap-groupadd -p
>>   add user to group script = /usr/sbin/smbldap-groupmod -m
>>   delete user from group script = /usr/sbin/smbldap-groupmod -x
>>   set primary group script = /usr/sbin/smbldap-usermod -g
>>   add machine script = /usr/sbin/smbldap-useradd -w
>>   passwd program = /usr/sbin/smbldap-passwd %u
>>   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
>>   ldap suffix = ou=aoup,ou=samba,ou=servizi,dc=aop,dc=int
>>   ldap user suffix = ou=Users
>>   create mask = 0777
>>   directory mask = 0777
>>   nt acl support = No
>>   case sensitive = No
>>   # disable printer support
>>   load printers = no
>>   printing = bsd
>>   printcap name = /dev/null
>>   disable spoolss = yes
>>   #wins server = 172.29.10.128
>>   wins support = yes
>>
>>   wins proxy = yes
>>   dns proxy = yes
>>   debug uid = yes
>>   ####### trying to remove smb ports = 139
>>
>>   #IO OPTIMIZATION
>>   min receivefile size = 16384
>>   use sendfile = true
>>   strict allocate = Yes
>>   aio read size       = 16384
>>   aio write size      = 16384
>>   write cache size = 65536
>>   # end--------IO OPTIMIZATION
>>
>>   map hidden           = no
>>   map system           = no
>>   map archive          = no
>>   map readonly         = no
>>   store dos attributes = yes
>>
>>   strict locking = no
>>   follow symlinks = yes
>>   unix extensions = yes
>>
>>   #unix charset = utf-8
>>   #dos charset = cp1250
>>
>>   dos charset = 850
>>   unix charset = ISO8859-1
>>
>>
>>   # TO BE REMOVED FOR WINDOWS 10 and use of SMB2 and SMB3
>>   #smb ports = 139
>>   #added to try encryption for clients from windows 8 onward ....
>>   # IF IT WEIGHS ON THE CPU, REMOVE IT !!!!!!!!!!!!!!!!!!!!!!!!!!!
>>
>>   smb encrypt = desired
>>   #smb encrypt = off
>>   ## ********************************************************************************************
>>   ## ********************************************************************************************
>>   ## ********************************************************************************************
>>   # TO PUT BACK IF IT DOES NOT WORK WITH WINDOWS 10 ip filter
>>   #Added for now for WINDOWS 10: force use of the old protocol, otherwise there is no netbios name
>>   #server min protocol = NT1
>>   #
>>   #server max protocol = NT1
>>   #client ipc max protocol = NT1
>>   ## ********************************************************************************************
>>
>>
>>
>>   # test hide share without rights with secureshare
>>   #vfs objects = acl_xattr
>>   #map acl inherit = yes
>>
>>   #end test hide share -------------------------------
>>
>>
>>   #***********  ZFS snapshot
>>   #vfs objects = shadow_copy2
>>   #shadow:format = %Y-%m-%d_%H.%M.%S--8d
>>   #shadow:sort = desc
>>   #shadow:snapdir = /samba/share/.zfs/snapshot
>>   #shadow:basedir = /samba/share
>>   #shadow:localtime = yes
>>   #******* snapshot end *************
>>
>>   #access based share enum = yes
>>
>>   vfs objects = shadow_copy2
>>
>>   #*********** FOR AUDIT ***********************************************
>>   #vfs objects = full_audit vfs  shadow_copy2
>>   #full_audit:prefix = ___@@@sTrAuDitL1n3€€€£___%T|%i|%U|%I|%P
>>
>>
>>   #full_audit:success = chflags chmod chown close connect disconnect lock mkdir mknod open opendir read rename rmdir write unlink pread pwrite
>>   #full_audit:success = all
>>   #full_audit:failure = chdir chflags chmod chown closedir connect fchmod fchown lock mkdir mknod open opendir pwrite read removexattr rename rmdir write unlink
>>   #full_audit:facility = LOCAL6
>>   #full_audit:priority = DEBUG
>>
>>   #*********** END FOR AUDIT ******************************************
>>   include = /samba/servers_config/%i
>>
>>    #####include = /etc/samba/servers/ALL_CONF
>>
>> To manage notifications about this bug go to:
>> https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1743354
>> /+subscriptions
>>
>
>


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
