Re: [Samba] Samba Permissions
Sorry for the top post. If I only wanted to use ACLs to control access, and not Samba as indicated in my OP, should I use "security = share" mode?

Thanks.

-----Original Message-----
From: TAKAHASHI Motonobu [mailto:mo...@monyo.com]
Sent: Sunday, December 09, 2012 2:20 AM
To: Baird, Josh
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba Permissions

From: "Baird, Josh"
Date: Fri, 7 Dec 2012 20:58:22 +

> I thought I had this working correctly, but sometimes it randomly breaks.
> Here is an example of a share's configuration:
>
> [testshare]
>   comment = Test Share
>   path = /test/testshare
>   writeable = yes
>   create mask = 770
>   directory mask = 770

You may want to add "force group = DOMAIN\testgroup".

> if the share's directory has the following permissions:
>
> drwxrwx--- 2 root DOMAIN\testgroup 4096 Dec 7 14:54 testshare
>
> Then, anyone in the "DOMAIN\testgroup" should have read/write access
> to the share, correct?

Basically yes. In my env, those settings work correctly. DOMAIN\testuser, a member of DOMAIN\testgroup, can write to the share. The owner group of a written file is "DOMAIN\domain users", testuser's primary group.

---
TAKAHASHI Motonobu

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Samba Permissions
Hi,

I have a case where I only want to restrict access to SMB shares via filesystem permissions (and POSIX ACLs). Therefore, I do not want Samba to verify security in any way at the SMB level. If the filesystem/ACL permissions allow access to the shared directory, so should Samba. If the filesystem does not allow access to the filesystem, Samba should deny as well.

I thought I had this working correctly, but sometimes it randomly breaks. Here is an example of a share's configuration:

[testshare]
  comment = Test Share
  path = /test/testshare
  writeable = yes
  create mask = 770
  directory mask = 770

if the share's directory has the following permissions:

drwxrwx--- 2 root DOMAIN\testgroup 4096 Dec 7 14:54 testshare

Then, anyone in the "DOMAIN\testgroup" should have read/write access to the share, correct?

Instead, when I try to access the share, I get prompted for credentials, and then get denied. The following error is displayed in SMB logs:

==> /var/log/samba/___172.26.103.175.log <==
[2012/12/07 14:57:18.622794, 1] auth/auth_util.c:848(create_token_from_username)
  lookup_name_smbconf for DOMAIN\testuser failed

DOMAIN\testuser is a member of DOMAIN\testgroup.

Any help would be greatly appreciated!

Thanks,
Josh
Re: [Samba] grant windows group share permission
It's easiest to tell Samba to allow everyone access to the share, and use ACLs on the Linux filesystem to restrict access.

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of lst_ho...@kwsoft.de
Sent: Friday, November 16, 2012 8:55 AM
To: samba@lists.samba.org
Subject: [Samba] grant windows group share permission

Hello,

I would like to give a Windows group (W2K3-AD) permission to use a share read/write on a Samba domain member server. Therefore I have added the Samba server to the domain without problem and created a share like this:

[bild]
  comment = Some Comment
  path = /data/bild
  admin users = root
  force user = smbuser
  force group = sambashare
  valid users = DOMAIN\w-user1 @DOMAIN\w-group1
  guest ok = no
  read only = no
  writeable = yes
  browseable = yes

The Windows domain user "w-user1" works as it should, but no member of the Windows group "w-group1" can access the share. I have also tried mapping the Windows group to the Unix group "sambashare" with "username map", but I always get access denied, e.g. I am asked for a Windows user.

Can someone please give a hint on how to grant access for a Windows group without adding/removing the members to a Unix group?

Many Thanks
Andi
[Samba] Samba 3.5 w/ Active Directory Share Authentication
Hi,

I'm attempting to configure Samba 3.5 to authenticate share access via Active Directory. I do not wish to authenticate system users against AD, only Samba shares. I have successfully joined the server to the AD domain, with a few errors:

$ net join -W buildel664 -U jbadmin
Enter jbadmin's password:
Using short domain name -- NA
Joined 'BUILDEL664' to realm 'na.blah.lan'
[2012/10/16 14:50:36.636201, 0] libads/kerberos.c:333(ads_kinit_password)
  kerberos_kinit_password BUILDEL664$@NA.FOLLETT.LAN failed: Client not found in Kerberos database
DNS Update for buildel664.corp.xxx.com failed: ERROR_DNS_GSS_ERROR
DNS update failed!

I can't seem to figure out what is causing these errors, but the domain join is successful. I am able to successfully enumerate groups and users using "wbinfo -g" and "wbinfo -u", although "getent passwd" only returns local users. I am not sure if this is a problem or not. While "wbinfo -g" does work, it does not return a listing that includes smb.conf's "winbind separator". According to docs that I have found, wbinfo should output this separator. When I try to assign domain users/groups to a Samba share I get an error in Samba's logs that the user is not valid.

My smb.conf:

  workgroup = NA
  realm = NA.XXX.LAN
  security = ads
  template shell = /bin/false
  winbind use default domain = yes
  winbind offline logon = false
  winbind enum users = yes
  winbind enum groups = yes
  winbind separator = +
  idmap uid = 1000-5000
  # increased for larger AD environments
  idmap gid = 1000-5000
  # increased for larger AD environments
  encrypt passwords = yes
  server string = Samba Server Version %v
  # logs split per machine
  log file = /var/log/samba/%m.log
  # max 50KB per log file, then rotate
  max log size = 500
  os level = 20
  preferred master = no
  dns proxy = no
  load printers = no
  cups options = raw

[adauth]
  comment = Testing
  path = /adauth
  create mask = 0660
  directory mask = 770
  writeable = yes
  browseable = yes
  valid users = +"NA+jbadmin"
  guest ok = no

Any ideas how to further troubleshoot?

Thanks,
Josh
Re: [Samba] Winbind/ntlm_auth issues
Andrew,

I think you nailed it. I was running 3.0 from RHEL5. I'm seeing much more promising results so far with 3.6.

Thanks,
Josh

From: Andrew Bartlett [abart...@samba.org]
Sent: Thursday, July 19, 2012 5:25 PM
To: Baird, Josh
Cc: samba@lists.samba.org
Subject: Re: [Samba] Winbind/ntlm_auth issues

On Thu, 2012-07-19 at 15:11 +0000, Baird, Josh wrote:
> Hi,
>
> I'm struggling to get squid+ntlm_auth working correctly. I have successfully
> joined the domain, and I am able to successfully enumerate groups and users
> using wbinfo. I can also successfully run "wbinfo -a."
>
> However, once I configure Squid to use ntlm_auth per:
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --debug-level=10 --nt-response
> auth_param ntlm children 5
> auth_param ntlm keep_alive on
>
> .. Squid does not authenticate and prompts me for credentials. My domain
> credentials do not work, and this is displayed in Samba/WB's log:
>
> [2012/07/19 09:58:14, 0] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1767)
>   winbindd_pam_auth_crap: invalid password length 24/336
>
> Does anyone have any ideas on what is causing this? I apologize that this
> message is Squid-related, but I can't seem to find any answers elsewhere.

This looks like a Samba issue to me. Try a much more recent version of Samba. I see code in current master for a BIG_NTLMV2_BLOB that smells exactly like what you have here. Long domain names are padding out one of the response values (the 336) and going over an internal arbitrary limit that shouldn't have been there.

The fix is in:

commit 9264f4891484b0316e8e574e256ca0b0a5e9f007
Author: Günther Deschner
Date:   Tue Sep 1 11:58:05 2009 +0200

    wbclient: Fix Bug #6680: always activate handling of large (> 256 byte) ntlmv2 blobs in wbcAuthenticateUserEx().

    Guenther

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
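As an added illustration (not part of this thread and not Samba's own code) of where the two figures in "invalid password length 24/336" come from: the LMv2 response is always 24 bytes, while the NTLMv2 response is a 16-byte HMAC followed by a blob that carries the server's target-info AV pairs (NetBIOS and DNS names in UTF-16LE), so long names push the blob past the 256-byte limit the commit above removed. The credentials, challenges, timestamp and server names below are constructed; the NT hash is passed in as bytes rather than computed with MD4.

```python
import hmac
import hashlib
import struct

# AvId values from MS-NLMP 2.2.2.1 (AV_PAIR); string values are UTF-16LE, 2 bytes per character
AV_EOL, AV_NB_COMPUTER, AV_NB_DOMAIN = 0x0000, 0x0001, 0x0002
AV_DNS_COMPUTER, AV_DNS_DOMAIN, AV_DNS_TREE, AV_TIMESTAMP = 0x0003, 0x0004, 0x0005, 0x0007

def target_info(names, timestamp):
    """AV_PAIR list the server sends in CHALLENGE; the client copies it into its blob."""
    out = b""
    for av_id, text in names.items():
        value = text.encode("utf-16-le")
        out += struct.pack("<HH", av_id, len(value)) + value
    out += struct.pack("<HH", AV_TIMESTAMP, 8) + struct.pack("<Q", timestamp)
    return out + struct.pack("<HH", AV_EOL, 0)

def ntlmv2_blob(timestamp, client_challenge, av_pairs):
    """NTLMv2_CLIENT_CHALLENGE (MS-NLMP 2.2.2.7): 28 fixed bytes + AV pairs + 4 reserved."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + av_pairs + b"\x00" * 4)

def ntowf_v2(nt_hash, user, domain):
    """NTOWFv2 = HMAC_MD5(NT hash, UTF-16LE(upper(user) + domain)); NT hash passed in as bytes."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()

def lmv2_response(key, server_challenge, client_challenge):
    """Always 24 bytes: 16-byte HMAC + 8-byte client challenge (the '24' in the log line)."""
    return hmac.new(key, server_challenge + client_challenge, hashlib.md5).digest() + client_challenge

def ntlmv2_response(key, server_challenge, blob):
    """16-byte NTProofStr + the whole blob, so its size tracks the target info (the '336')."""
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest() + blob

def response_lengths(names):
    """(LMv2 length, NTLMv2 length) for constructed credentials and the given server names."""
    nt_hash, timestamp = bytes(range(16)), 0x01CD65C1F2D4A000      # constructed NT hash, FILETIME
    server_challenge, client_challenge = b"\x11" * 8, b"\x22" * 8   # constructed challenges
    key = ntowf_v2(nt_hash, "testuser", "CORPORATEDOMAIN")
    blob = ntlmv2_blob(timestamp, client_challenge, target_info(names, timestamp))
    return (len(lmv2_response(key, server_challenge, client_challenge)),
            len(ntlmv2_response(key, server_challenge, blob)))

SHORT_NAMES = {AV_NB_COMPUTER: "DC1", AV_NB_DOMAIN: "DOMAIN", AV_DNS_COMPUTER: "dc1.domain.local",
               AV_DNS_DOMAIN: "domain.local", AV_DNS_TREE: "domain.local"}       # -> (24, 182)
LONG_NAMES = {AV_NB_COMPUTER: "FILESERVER01", AV_NB_DOMAIN: "CORPORATEDOMAIN",
              AV_DNS_COMPUTER: "fileserver01.corp.example-company.internal",
              AV_DNS_DOMAIN: "corp.example-company.internal",
              AV_DNS_TREE: "ad1.example-company.internal"}                      # -> (24, 336)
```

Real challenge messages usually carry a few more AV pairs (flags, target name), so production blobs reach the old limit even sooner than the constructed names here suggest.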
[Samba] Winbind/ntlm_auth issues
Hi,

I'm struggling to get squid+ntlm_auth working correctly. I have successfully joined the domain, and I am able to successfully enumerate groups and users using wbinfo. I can also successfully run "wbinfo -a."

However, once I configure Squid to use ntlm_auth per:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --debug-level=10 --nt-response
auth_param ntlm children 5
auth_param ntlm keep_alive on

.. Squid does not authenticate and prompts me for credentials. My domain credentials do not work, and this is displayed in Samba/WB's log:

[2012/07/19 09:58:14, 0] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1767)
  winbindd_pam_auth_crap: invalid password length 24/336

Does anyone have any ideas on what is causing this? I apologize that this message is Squid-related, but I can't seem to find any answers elsewhere.

Thanks,
Josh