Public bug reported: Ubuntu 16.04.3 LTS - Version 4.3.11-Ubuntu. For some days users have been unable to access some files even though they have all the required rights. As a workaround I have to run chmod a+rwx on the affected files (which leaves them world-writable). Now users who are authorized for a new shared folder cannot use it either (log file attached). User a.fiaschi is in group dirsan_Rifiuti_rw but gets NT_STATUS_ACCESS_DENIED. The share config is:
# NOTE(review): share definition, diagnostics and the first part of [global] as
# pasted by the reporter. The paste lost its line breaks; the one-setting-per-line
# layout below is a reconstruction, and splits between a comment and the setting
# that follows it are inferred — confirm against the live smb.conf.
[Rifiuti]
comment = Rifiuti
path = /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
#*********** ZFS snapshot
#vfs objects = shadow_copy2
shadow:format = %Y-%m-%d_%H.%M.%S--5d
shadow:sort = desc
shadow:snapdir = /samba/shares/Dirsanitaria/groups/dirsan/.zfs/snapshot
shadow:basedir = /samba/shares/Dirsanitaria/groups/dirsan
shadow:localtime = yes
#******* snapshot end *************
# NOTE(review): the @ prefix makes Samba look these names up as groups (NIS
# netgroup, then the Unix group database) on the server, so the access check
# depends on the server's own group lookup returning the members — presumably
# LDAP through NSS; verify with `getent group dirsan_Rifiuti_rw`.
valid users = @dirsan_Rifiuti_ro,@dirsan_Rifiuti_rw
write list = @dirsan_Rifiuti_rw
# NOTE(review): force user / force group make file operations on this share run
# as nobody:dirsan_quota for every connected user, so Unix ownership no longer
# distinguishes users; valid users and write list are the only per-user controls.
# The ls output below shows the share root as drwxrwxrwx (world-writable).
force user = nobody
force group = dirsan_quota
#_______ END AUTO ADD Rifiuti ________

ls -ald /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti
drwxrwxrwx 2 nobody dirsan_quota 3 gen 15 11:18 /samba/shares/Dirsanitaria/groups/dirsan/groups/Rifiuti

smbldap-groupshow dirsan_Rifiuti_rw
dn: cn=dirsan_Rifiuti_rw,ou=Groups,ou=aoup,ou=samba,ou=servizi,dc=aop,dc=int
objectClass: top,posixGroup,sambaGroupMapping
cn: dirsan_Rifiuti_rw
gidNumber: 6490
sambaSID: S-1-5-21-1146166441-2403190732-1965087569-13981
sambaGroupType: 2
displayName: dirsan_Rifiuti_rw
memberUid: a.ciucci,m.dalco,a.fiaschi

global config :
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# For a step to step guide on installing, configuring and using samba,
# read the Samba-HOWTO-Collection. This may be obtained from:
# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the
# Samba-Guide which is generated daily and can be downloaded from:
# http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
workgroup = AOUP
SERVER ROLE = CLASSIC PRIMARY DOMAIN CONTROLLER
# server string is the equivalent of the NT Description field
server string = AOUPSRV file server
# IPv4 latency optimizations ....
#socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
#socket options = IPTOS_LOWDELAY TCP_NODELAY
kernel oplocks = yes
# listen only on the configured interfaces/IPs
#bind interfaces only = yes
#interfaces = 127.0.0.1/8 172.24.81.0/24
# for protection against man-in-the-middle
server signing = mandatory
# SHOULD BE ENABLED BUT THERE ARE OLD MACHINES: disables the old, easily crackable authentication
# NOTE(review): with the next line commented out the server default for
# `ntlm auth` applies; whether NTLMv1 responses are still accepted depends on
# that default for the installed Samba version — check `testparm -v`.
#ntlm auth = no
#----
netbios name = zfs-cis
#passdb backend = ldapsam:ldap://ldap.aop.int/
#passdb backend = ldapsam:"ldap://172.29.10.51/ ldap://172.29.10.52/"
#passdb backend = ldapsam:"ldapi://%2fvar%2frun%2fldapi/ ldap://ldap.aop.int/"
passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://ldap.aop.int/ ldap://172.29.10.180/ ldap://172.29.10.181/"
# unix socket at /var/run/ldapi
#passdb backend = ldapsam:ldapi://%2fvar%2frun%2fldapi/
client NTLMv2 auth = yes
client lanman auth = no
# NOTE(review): the next three lines are kept exactly as pasted ("ESSENZIALE PER
# win8" = "essential for win8"). Because the line breaks were lost it cannot be
# told whether `map to guest = Bad User` was ever an active line here. The
# `map to guest = never` further down is the last assignment visible in this
# section and should be the one in effect — confirm with testparm.
#----ESSENZIALE PER win8 map to guest = Bad User
#map to guest = Bad User
##----ESSENZIALE PER win8 map to guest = Bad User
#
#TEST -----------------------
# END TEST -------------------
# Anonymous/guest access is closed off by the next three settings.
restrict anonymous = 2
map to guest = never
usershare allow guests = no
#posix locking = No
# %I is the client's IP address, so each client gets its own log file.
log file = /var/log/samba/%I.log
#log level = 255
log level = 1 auth:2 passdb:2 idmap:2
hide dot files = yes
max log size = 5000
time server = Yes
deadtime = 25
domain logons = Yes
os level = 65
preferred master = Yes
# NOTE(review): continuation of the [global] section (domain role, LDAP backend,
# permission masks, printing, name services, I/O tuning, charsets). The paste
# lost its line breaks; the layout below is a reconstruction, and splits between
# a comment and the setting after it are inferred.
domain master = Yes
local master =yes
logon script = logon.bat
#ldap ssl = start tls
# NOTE(review): with ldap ssl = off Samba's LDAP traffic, including the bind as
# the ldap admin dn and the password hashes ldapsam reads, is not encrypted. The
# passdb backend line earlier in [global] lists non-loopback LDAP servers, so
# the commented-out start tls setting above is worth re-testing.
ldap ssl = off
# NOTE(review): this looks like the directory manager account — confirm whether
# a dedicated, less privileged bind DN could be used instead.
ldap admin dn = cn=manager,dc=aop,dc=int
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Users
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
add user script = /usr/sbin/smbldap-useradd -m
add group script = /usr/sbin/smbldap-groupadd -p
add user to group script = /usr/sbin/smbldap-groupmod -m
delete user from group script = /usr/sbin/smbldap-groupmod -x
set primary group script = /usr/sbin/smbldap-usermod -g
add machine script = /usr/sbin/smbldap-useradd -w
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
ldap suffix = ou=aoup,ou=samba,ou=servizi,dc=aop,dc=int
ldap user suffix = ou=Users
# NOTE(review): 0777 masks strip no permission bits from newly created files and
# directories, so nothing restricts group/other access at creation time. Where
# a share already forces a single user and group, a narrower mask (for example
# 0660 for files and 0770 for directories) may be enough — test before changing.
create mask = 0777
directory mask = 0777
nt acl support = No
case sensitive = No
# disable printer support
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
#wins server = 172.29.10.128
wins support = yes
wins proxy = yes
dns proxy = yes
debug uid = yes
# NOTE(review): the next line is kept exactly as pasted ("provo a levare" =
# "trying to remove"). Because the line breaks were lost it cannot be told
# whether `smb ports = 139` is still an active setting or part of the comment —
# confirm with testparm.
####### provo a levare smb ports = 139
# I/O OPTIMIZATION
min receivefile size = 16384
use sendfile = true
strict allocate = Yes
aio read size = 16384
aio write size = 16384
write cache size = 65536
# end--------I/O OPTIMIZATION
map hidden = no
map system = no
map archive = no
map readonly = no
store dos attributes = yes
strict locking = no
follow symlinks = yes
unix extensions = yes
#unix charset = utf-8
#dos charset = cp1250
dos charset = 850
unix charset = ISO8859-1
# TO BE REMOVED FOR WINDOWS 10 and use of SMB2 and SMB3
#smb ports = 139
# added to try encryption for clients from Windows 8 upwards ....
# REMOVE IF IT WEIGHS ON THE CPU !!!!!!!!!!!!!!!!!!!!!!!!!!!
# NOTE(review): last part of the [global] section (encryption, protocol limits,
# VFS modules, audit, include), followed by the bug tracker's own metadata. The
# paste lost its line breaks; the layout below is a reconstruction.
# NOTE(review): `desired` negotiates SMB encryption with clients that support it
# but still admits clients that do not; only `required` refuses unencrypted
# sessions. Given the old machines mentioned in the [global] comments this
# trade-off is presumably deliberate.
smb encrypt = desired
#smb encrypt = off
## ********************************************************************************************
## ********************************************************************************************
## ********************************************************************************************
# RESTORE IF IT DOES NOT WORK WITH WINDOWS 10 ip filter
# Added for now for WINDOWS 10: force the old protocol, otherwise there is no netbios name
# NOTE(review): with the protocol limits below commented out the server's default
# protocol range applies; whether SMB1 (NT1) is still accepted depends on that
# default for the installed Samba version — check `testparm -v`.
#server min protocol = NT1
#
#server max protocol = NT1
#client ipc max protocol = NT1
## ********************************************************************************************
# test: hide shares without rights, with secureshare
#vfs objects = acl_xattr
#map acl inherit = yes
# end test hide share -------------------------------
#*********** ZFS snapshot
#vfs objects = shadow_copy2
#shadow:format = %Y-%m-%d_%H.%M.%S--8d
#shadow:sort = desc
#shadow:snapdir = /samba/share/.zfs/snapshot
#shadow:basedir = /samba/share
#shadow:localtime = yes
#******* snapshot end *************
#access based share enum = yes
vfs objects = shadow_copy2
#*********** FOR AUDIT *******************************************************
# NOTE(review): the whole full_audit block is commented out, so this module
# records no per-file operations; only the Samba log configured earlier in
# [global] is available when investigating an access problem.
#vfs objects = full_audit vfs shadow_copy2
#full_audit:prefix = ___@@@sTrAuDitL1n3€€€£___%T|%i|%U|%I|%P
#full_audit:success = chflags chmod chown close connect disconnect lock mkdir mknod open opendir read rename rmdir write unlink pread pwrite
#full_audit:success = all
#full_audit:failure = chdir chflags chmod chown closedir connect fchmod fchown lock mkdir mknod open opendir pwrite read removexattr rename rmdir write unlink
#full_audit:facility = LOCAL6
#full_audit:priority = DEBUG
#*********** END FOR AUDIT **************************************************
# NOTE(review): %i is the local IP address the client connected to, so part of
# the effective configuration comes from a per-address file under
# /samba/servers_config/ that is not shown in this report. Those files deserve
# the same ownership and permissions as smb.conf itself.
include = /samba/servers_config/%i
#####include = /etc/samba/servers/ALL_CONF

** Affects: samba (Ubuntu)
Importance: Undecided
Status: New

** Attachment added: "log file loglevel=255 error NT_STATUS_ACCESS_DENIED for user autorized"
https://bugs.launchpad.net/bugs/1743354/+attachment/5037279/+files/172.30.10.176.log

https://bugs.launchpad.net/bugs/1743354
Title: samba with backend ldap: can not access share or file even if user is authorized : NT_STATUS_ACCESS_DENIED

