Hi Alexander,
Finally succeeded in making it work with the following configuration on the
FreeIPA server.
[global]
workgroup = MYDOMAIN.LOCAL
netbios name = MYSERVER
realm = MYDOMAIN.LOCAL
kerberos method = dedicated keytab
dedicated keytab file = /etc/samba/samba.keytab
create krb5 conf = no
security = user
domain master = yes
domain logons = yes
max log size = 100000
log file = /var/log/samba/log.%m
rpc_server:epmapper = external
rpc_server:lsarpc = external
rpc_server:lsass = external
rpc_server:lsasd = external
rpc_server:samr = external
rpc_server:netlogon = external
rpc_server:tcpip = yes
rpc_daemon:epmd = fork
rpc_daemon:lsasd = fork
smb ports = 139 445
log level = 10
[scratch]
path = /data/scratch
comment = Scratch shared files
read only = no
browseable = yes
guest ok = no
create mask = 0644
I commented out the following from the global section:
;passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-MYDOMAIN-LOCAL.socket
;disable spoolss = yes
;ldapsam:trusted = yes
;ldap ssl = off
;ldap suffix = dc=mydomain,dc=local
;ldap user suffix = cn=users,cn=accounts
;ldap group suffix = cn=groups,cn=accounts
;ldap machine suffix = cn=computers,cn=accounts
Any idea why this was causing trouble?
The smbstatus below shows several '.' as well as a file that I'm accessing.
Samba version 4.9.4
PID     Username   Group      Machine                                 Protocol Version   Encryption   Signing
----------------------------------------------------------------------------------------------------------------------------------------
23252   beauduin   mydomain   10.0.21.247 (ipv4:10.0.21.247:39798)    SMB3_02            -            partial(AES-128-CMAC)
23253   baina      mydomain   10.0.21.251 (ipv4:10.0.21.251:62736)    SMB3_02            -            partial(AES-128-CMAC)

Service   pid     Machine       Connected at                       Encryption   Signing
---------------------------------------------------------------------------------------------
scratch   23252   10.0.21.247   Wed Mar 13 10:16:14 AM 2019 CET    -            -
scratch   23253   10.0.21.251   Wed Mar 13 10:16:17 AM 2019 CET    -            -
public    23252   10.0.21.247   Wed Mar 13 10:16:21 AM 2019 CET    -            -

Locked files:
Pid     Uid    DenyMode     Access     R/W      Oplock       SharePath       Name                      Time
--------------------------------------------------------------------------------------------------
23252   1010   DENY_NONE    0x100081   RDONLY   NONE         /data/public    .                         Wed Mar 13 10:16:21 2019
23252   1010   DENY_WRITE   0x120089   RDONLY   LEASE(RWH)   /data/scratch   Time-Shift Project.docx   Wed Mar 13 10:19:23 2019
23252   1010   DENY_NONE    0x120080   RDONLY   LEASE(RWH)   /data/scratch   Time-Shift Project.docx   Wed Mar 13 10:19:23 2019
23252   1010   DENY_NONE    0x120089   RDONLY   LEASE(RWH)   /data/scratch   Time-Shift Project.docx   Wed Mar 13 10:19:23 2019
23253   1011   DENY_NONE    0x100081   RDONLY   NONE         /data/scratch   .                         Wed Mar 13 10:16:16 2019
23252   1010   DENY_NONE    0x100081   RDONLY   NONE         /data/scratch   .                         Wed Mar 13 10:16:20 2019
23253   1011   DENY_NONE    0x100081   RDONLY   NONE         /data/scratch   .                         Wed Mar 13 10:16:16 2019
23252   1010   DENY_NONE    0x100081   RDONLY   NONE         /data/scratch   .                         Wed Mar 13 10:16:22 2019
23252   1010   DENY_NONE    0x1000a0   RDONLY   NONE         /data/scratch   .                         Wed Mar 13 10:19:24 2019
Also, when I check the properties ("Security" tab in Windows) of a file
in the FreeIPA server's share /data/scratch, the SIDs of the user and group are
not resolved.
My desktop is also a Samba server and there the SIDs are resolved.
What could be the cause of this non-resolution of the SIDs?
Thank you.
Regards,
F
On Tue, Mar 12, 2019 at 7:44 PM Alexander Bokovoy <abokovoy(a)redhat.com>
wrote:
On Tue, 12 Mar 2019, fujisan wrote:
>This is strange as /data and /tmp are 2 partitions on my server and scratch
>is a directory in /data
>
>/dev/mapper/fedora-data 2832342640 946566920 1741877916 36% /data
>/dev/mapper/fedora-tmp 153769424 61780 145826940 1% /tmp
>
># ls -l /data/
>total 52
>drwxrwx---. 5 root staff 4096 Mar 11 13:02 scratch
>
>There is absolutely no symlink involved here.
That's what the log tells, I'm not inventing anything here. :)
>Locked files:
>Pid     Uid    DenyMode    Access     R/W      Oplock   SharePath       Name   Time
>--------------------------------------------------------------------------------------------------
>20533   1011   DENY_NONE   0x100081   RDONLY   NONE     /data/scratch   .      Tue Mar 12 18:29:06 2019
>20533   1011   DENY_NONE   0x100081   RDONLY   NONE     /data/scratch   .      Tue Mar 12 18:29:06 2019
Note this '.' file? This is what smbd complains about.
As far as the rest of the configuration is concerned, it seems that you are
using NTLMSSP to login to smbd and it works. Also, since smbd is able to
pull the data from LDAP, its own cifs/... principal for
/etc/samba/samba.keytab is just fine.
>Regards
>F
>
>On Tue, Mar 12, 2019 at 7:04 PM Alexander Bokovoy <abokovoy(a)redhat.com>
>wrote:
>
>> On Tue, 12 Mar 2019, fujisan wrote:
>> >I added a share in smb.conf.regedit then I imported the file with net conf
>> >import smb.conf.regedit .
>> >I send you another tar file at your email.
>> >
>> >Regards
>> >F
>> >
>> ># net conf list
>> >
>> >[global]
>> > workgroup = MYDOMAIN.LOCAL
>> > netbios name = MYSERVER
>> > realm = MYDOMAIN.LOCAL
>> > kerberos method = dedicated keytab
>> > dedicated keytab file = /etc/samba/samba.keytab
>> > create krb5 conf = no
>> > security = user
>> > domain master = yes
>> > domain logons = yes
>> > max log size = 100000
>> > log file = /var/log/samba/log.%m
>> > passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-MYDOMAIN-LOCAL.socket
>> > disable spoolss = yes
>> > ldapsam:trusted = yes
>> > ldap ssl = off
>> > ldap suffix = dc=mydomain,dc=local
>> > ldap user suffix = cn=users,cn=accounts
>> > ldap group suffix = cn=groups,cn=accounts
>> > ldap machine suffix = cn=computers,cn=accounts
>> > rpc_server:epmapper = external
>> > rpc_server:lsarpc = external
>> > rpc_server:lsass = external
>> > rpc_server:lsasd = external
>> > rpc_server:samr = external
>> > rpc_server:netlogon = external
>> > rpc_server:tcpip = yes
>> > rpc_daemon:epmd = fork
>> > rpc_daemon:lsasd = fork
>> > log level = 10
>> >
>> >[scratch]
>> > path = /data/scratch
>> > comment = Scratch shared files
>> > create mask = 0644
>> > invalid users = opera
>>
>> Thanks. However, Samba says /data/scratch is a symlink to /tmp which is
>> outside of the share and therefore fails:
>>
>> [2019/03/12 18:29:40.679585, 2, pid=20580, effective(1024, 1023),
>> real(1024, 0), class=vfs] ../source3/smbd/vfs.c:1305(check_reduced_name)
>> check_reduced_name: Bad access attempt: . is a symlink outside the share path
>> conn_rootdir =/data/scratch
>> resolved_name=/tmp
>> [2019/03/12 18:29:40.679613, 5, pid=20580, effective(1024, 1023),
>> real(1024, 0)] ../source3/smbd/filename.c:1271(check_name)
>> check_name: name . failed with NT_STATUS_ACCESS_DENIED
>>
>> Maybe you can try with /data/scratch not being a symlink. Samba is
>> pretty serious on not allowing wide symlinks by default.
>>
>>
>> --
>> / Alexander Bokovoy
>> Sr. Principal Software Engineer
>> Security / Identity Management Engineering
>> Red Hat Limited, Finland
>>
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
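The "check_reduced_name: Bad access attempt: . is a symlink outside the share path" log quoted above comes from the containment rule smbd applies before opening a name inside a share. The script below is an added example written for this thread, not code from Samba or from either poster: it models that rule in a few lines (the share root is compared as configured, the requested name is resolved with every symlink followed, and the open is refused when the result leaves the share unless wide links have been allowed), and reproduces the thread's failure, a share root that is itself a symlink to /tmp failing for "."; the directory tree is constructed with tempfile, so everything runs offline on a POSIX host that permits symlinks.

```python
"""Added example, not Samba's code: a compact model of the containment rule
behind "check_reduced_name: Bad access attempt".  smbd compares the share's
connect path as configured (normalised, symlinks NOT followed) with the fully
resolved requested name; a share root that is a symlink to /tmp therefore
fails for "." because /tmp is not under /data/scratch.  The fixture below is
constructed with tempfile; the names mirror the thread.
"""
import os
import shutil
import tempfile
from typing import Tuple

NT_STATUS_OK = "NT_STATUS_OK"
NT_STATUS_ACCESS_DENIED = "NT_STATUS_ACCESS_DENIED"


def check_reduced_name(conn_rootdir: str, name: str,
                       wide_links: bool = False) -> Tuple[str, str]:
    """Return (status, resolved_name) for `name` opened inside a share."""
    root = os.path.normpath(os.path.abspath(conn_rootdir))   # as configured
    resolved = os.path.realpath(os.path.join(root, name))    # symlinks followed
    if wide_links:
        # the administrator explicitly allowed links that leave the share
        return NT_STATUS_OK, resolved
    if resolved != root and not resolved.startswith(root + os.sep):
        return NT_STATUS_ACCESS_DENIED, resolved
    return NT_STATUS_OK, resolved


def build_fixture() -> str:
    """Construct a throwaway tree (assumption: POSIX host, symlinks allowed):

        <base>/tmp/                            outside every share
        <base>/data/scratch -> <base>/tmp      share root that is a symlink
        <base>/data/real/notes.txt             ordinary file in a sane share
        <base>/data/real/escape -> <base>/tmp  one entry pointing out of it
    """
    base = os.path.realpath(tempfile.mkdtemp(prefix="smbcheck-"))
    os.makedirs(os.path.join(base, "tmp"))
    os.makedirs(os.path.join(base, "data", "real"))
    os.symlink(os.path.join(base, "tmp"), os.path.join(base, "data", "scratch"))
    with open(os.path.join(base, "data", "real", "notes.txt"), "w") as fh:
        fh.write("ok\n")
    os.symlink(os.path.join(base, "tmp"),
               os.path.join(base, "data", "real", "escape"))
    return base


def demo() -> dict:
    """Run the cases from the thread against the fixture, then clean up."""
    base = build_fixture()
    try:
        scratch = os.path.join(base, "data", "scratch")
        real = os.path.join(base, "data", "real")
        return {
            "scratch/.": check_reduced_name(scratch, ".")[0],
            "real/notes.txt": check_reduced_name(real, "notes.txt")[0],
            "real/escape": check_reduced_name(real, "escape")[0],
            "real/../../tmp": check_reduced_name(real, "../../tmp")[0],
            "real/escape (wide links)":
                check_reduced_name(real, "escape", wide_links=True)[0],
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:26} {status}")
```

The first case is the one in the log: with the share root itself a symlink, even the directory handle on "." resolves outside the share and is refused, which is why the share works once /data/scratch is a real directory. The same check also stops a single escaping symlink inside an otherwise sane share and a "../.." traversal, and shows what "wide links = yes" gives up.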
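Both posters read the "Locked files" section of smbstatus by eye to tell the '.' directory handles from real file handles and to see who holds what. The parser below is an added example written for this thread, not code from Samba or from either poster: it reads that section into records, decodes the hexadecimal Access column into the standard Windows access-mask bits, and summarises open files and directory handles per share. The sample text is constructed from the records quoted above, one record per line as smbstatus prints them on a wide terminal; it assumes SharePath contains no spaces (file names may).

```python
"""Added example, not Samba's code: parse the "Locked files" section of
smbstatus output and decode the Access column.  SAMPLE is constructed from
the records quoted in the thread (one record per line, unwrapped).
"""
import re
from collections import defaultdict
from typing import Dict, List

SAMPLE = """\
Locked files:
Pid   Uid   DenyMode   Access   R/W   Oplock   SharePath   Name   Time
--------------------------------------------------------------------------------------------------
23252   1010   DENY_NONE    0x100081   RDONLY   NONE         /data/public    .                         Wed Mar 13 10:16:21 2019
23252   1010   DENY_WRITE   0x120089   RDONLY   LEASE(RWH)   /data/scratch   Time-Shift Project.docx   Wed Mar 13 10:19:23 2019
23253   1011   DENY_NONE    0x100081   RDONLY   NONE         /data/scratch   .                         Wed Mar 13 10:16:16 2019
23252   1010   DENY_NONE    0x1000a0   RDONLY   NONE         /data/scratch   .                         Wed Mar 13 10:19:24 2019
"""

# Name is matched lazily so file names with spaces survive; Time anchors the end.
RECORD = re.compile(
    r"^(?P<pid>\d+)\s+(?P<uid>\d+)\s+(?P<deny>DENY_\w+)\s+(?P<access>0x[0-9a-fA-F]+)\s+"
    r"(?P<rw>\S+)\s+(?P<oplock>\S+)\s+(?P<share>\S+)\s+(?P<name>.+?)\s+"
    r"(?P<time>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s*$"
)

# Standard Windows/SMB access-mask bits as shown in smbstatus' Access column.
ACCESS_BITS = [
    (0x00000001, "FILE_READ_DATA"),
    (0x00000002, "FILE_WRITE_DATA"),
    (0x00000004, "FILE_APPEND_DATA"),
    (0x00000008, "FILE_READ_EA"),
    (0x00000010, "FILE_WRITE_EA"),
    (0x00000020, "FILE_EXECUTE"),        # FILE_TRAVERSE on a directory
    (0x00000040, "FILE_DELETE_CHILD"),
    (0x00000080, "FILE_READ_ATTRIBUTES"),
    (0x00000100, "FILE_WRITE_ATTRIBUTES"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
    (0x00100000, "SYNCHRONIZE"),
]
KNOWN_MASK = 0
for _bit, _ in ACCESS_BITS:
    KNOWN_MASK |= _bit


def decode_access(mask: int) -> List[str]:
    """Expand an access mask into bit names, flagging any bit not in the table."""
    names = [name for bit, name in ACCESS_BITS if mask & bit]
    if mask & ~KNOWN_MASK:
        names.append(f"unknown:0x{mask & ~KNOWN_MASK:x}")
    return names


def parse_locked_files(text: str) -> List[dict]:
    """Turn record lines into dicts; header, separator and title lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"])
        rec["uid"] = int(rec["uid"])
        rec["access"] = int(rec["access"], 16)
        rec["rights"] = decode_access(rec["access"])
        rec["is_dir_handle"] = rec["name"] == "."   # the '.' entries in the thread
        records.append(rec)
    return records


def summarize(records: List[dict]) -> Dict[str, dict]:
    """Per share: open file names, count of directory handles, uids involved."""
    acc = defaultdict(lambda: {"files": set(), "dir_handles": 0, "uids": set()})
    for r in records:
        s = acc[r["share"]]
        s["uids"].add(r["uid"])
        if r["is_dir_handle"]:
            s["dir_handles"] += 1
        else:
            s["files"].add(r["name"])
    return {share: {"files": sorted(v["files"]),
                    "dir_handles": v["dir_handles"],
                    "uids": sorted(v["uids"])} for share, v in acc.items()}


if __name__ == "__main__":
    recs = parse_locked_files(SAMPLE)
    for r in recs:
        print(r["share"], repr(r["name"]), r["deny"], ", ".join(r["rights"]))
    print(summarize(recs))
```

Feeding it real output (`smbstatus -L`) is a one-line change; the decoded rights make the thread's entries readable at a glance: 0x100081 on "." is a plain read of the directory, while 0x1000a0 adds FILE_TRAVERSE, the access a client requests when it walks into the directory.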