linux
L0ns, 2019-10-11 12:32:13

Samba setup, what am I doing wrong?

Colleagues, help me understand the logic of Samba + AD access rights.
Input:
Domain: xdev.local
Linux-SRV: xs-monitoring
In AD I created a user XDEV\supporter, which I added to the XDEV\Monitoring group (plus the default group XDEV\Domain Users).
On the CentOS 7 server xs-monitoring there is a folder /mnt/share, which I am sharing on the network so that Windows machines in the XDEV domain can upload information to it.
Folder permissions:

chown dadm:'Domain Users' /mnt/share
chmod 0770 /mnt/share

[[email protected] mnt]# ls -l
total 0
drwxrwx---+ 2 dadm domain users 6 Oct 11 12:08 share

Samba config /etc/samba/smb.conf:
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
#--authconfig--start-line--

# Generated by authconfig on 2019/10/10 10:22:28
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

   workgroup = XDEV
   password server = xdc01.xdev.local
   realm = XDEV.LOCAL
   security = ads
   idmap config * : range = 16777216-33554431
   template homedir = /home/%U
   template shell = /bin/bash
   kerberos method = secrets only
   winbind use default domain = true
   winbind offline logon = false

#--authconfig--end-line--
;       workgroup = SAMBA
;       security = user

        passdb backend = tdbsam

;       printing = cups
;       printcap name = cups
;       load printers = yes
;       cups options = raw

load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes
domain master = no
local master = no
preferred master = no
os level = 1
log level = 3
log file = /var/log/samba/log.%m

[share]
        path = /mnt/share
        writeable = yes
        browsable = yes
# Restricts the list of users who are allowed to connect
        valid users = "@XDEV\Domain Admins" "@XDEV\Monitoring"
        write list  = "@XDEV\Monitoring"
        admin users = "@XDEV\Domain Admins"
# Mask for created files
        create mask = 0777
# Mask for created directories
        directory mask = 0777

The problem: as the dadm user (the owner) I have write permission and can make changes, but as the supporter user I have read-only rights: I can enter the folder, but nothing can be deleted or created in it. As other users, for example XDEV\manager, I cannot log in at all, which is strange: it prompts for a login/password instead of rejecting me with a message that there is no access.
As far as I understand the logic of granting rights to the folder with the command chmod 0770 /mnt/share: full access for the owner, full access for the group (in my case, Monitoring) and no access for other users.
And finally, the Samba log; actions: entering the share folder from a Windows machine and trying to create a folder:
[2019/10/11 12:25:34.775330,  3] ../source3/smbd/dir.c:662(dptr_create)
  creating new dirptr 0 for path ., expect_close = 0
[2019/10/11 12:25:34.775394,  3] ../source3/smbd/dir.c:1225(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry mask=[*] found . fname=. (.)
[2019/10/11 12:25:34.775454,  3] ../source3/smbd/dir.c:1225(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry mask=[*] found .. fname=.. (..)
[2019/10/11 12:25:34.775537,  3] ../source3/smbd/smb2_server.c:3190(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5] status[STATUS_NO_MORE_FILES] || at ../source3/smbd/smb2_query_directory.c:158
[2019/10/11 12:25:37.087212,  3] ../source3/smbd/service.c:1129(close_cnum)
  10.10.10.65 (ipv4:10.10.10.65:50797) closed connection to service IPC$
[2019/10/11 12:25:44.783785,  3] ../source3/smbd/smb2_server.c:3190(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_OBJECT_NAME_NOT_FOUND] || at ../source3/smbd/smb2_create.c:296


[2019/10/11 12:25:44.790612,  2] ../source3/smbd/open.c:4043(open_directory)
  open_directory: unable to create New folder. Error was NT_STATUS_ACCESS_DENIED
[2019/10/11 12:25:44.790656,  3] ../source3/smbd/smb2_server.c:3190(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_create.c:296

Radjah, 2019-10-11

valid users = "@XDEV\Domain Admins" "@XDEV\Monitoring"

Here, in theory, there should be a comma instead of a space. At least Google shows this man page: https://smb-conf.ru/valid-users-s.html There the items are separated by a comma.
There are commas here too:
https://www.samba.org/samba/docs/current/man-html/...

Alexander Chernykh, 2019-10-11

A working version:

valid users = @"DKC\domain admins" @"DKC\Backup Operators"

L0ns, 2019-10-11

Colleagues, thank you for your help. The problem was solved by recreating the folder /mnt/share. If you do chmod 0750 /mnt/share, then the rights of a user in the Monitoring group will be read-only, even if you replace chown dadm:'Domain Users' /mnt/share with chown dadm:'Monitoring' /mnt/share.
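
The `+` at the end of `drwxrwx---+` in the question's `ls -l` output means /mnt/share carried a POSIX ACL, and that changes what the `chmod 0770` did: per acl(5), when an ACL has a mask entry, the group triad that `ls -l` prints is the mask, and chmod rewrites the mask rather than the `group::` entry. So the owning group can still be limited to r-x behind a mode that looks like rwx, which matches the symptom (owner writes, group member read-only) and why a freshly created directory without an ACL behaved as expected. The model below is an added example, not code from the thread or from Samba: it implements the acl(5) access check and chmod mapping, and reproduces the three states the thread mentions (old directory with an ACL after chmod 0770, recreated directory after chmod 0770, recreated directory after chmod 0750). The getfacl text it parses is constructed; the user and group names follow the thread.

```python
"""Effective-permission model for a directory with a POSIX ACL (acl(5)).

Added example for this thread, not code from the original post. It implements
the access-check rule from acl(5) and the chmod(2) mapping that matters here:
when a mask:: entry exists, `ls -l` shows the mask in the group triad, and
chmod rewrites the mask, not the group:: entry.
The getfacl text below is constructed; names follow the thread.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def perm_to_bits(perm: str) -> int:
    """'rwx' -> 7, 'r-x' -> 5, '---' -> 0 (getfacl/ls spelling)."""
    return (4 if "r" in perm else 0) | (2 if "w" in perm else 0) | (1 if "x" in perm else 0)


def bits_to_perm(bits: int) -> str:
    return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")


@dataclass
class Acl:
    owner: str
    group: str
    user_obj: int                    # user::  entry
    group_obj: int                   # group:: entry
    other: int                       # other:: entry
    mask: int | None = None          # mask::  entry; None means a minimal ACL
    named_users: dict[str, int] = field(default_factory=dict)
    named_groups: dict[str, int] = field(default_factory=dict)


def parse_getfacl(text: str) -> Acl:
    """Parse `getfacl` output: '# owner:/# group:' headers plus tag:qualifier:perm lines."""
    acl = Acl(owner="", group="", user_obj=0, group_obj=0, other=0)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                       # header comments
            key, _, value = line[1:].partition(":")
            if key.strip() == "owner":
                acl.owner = value.strip()
            elif key.strip() == "group":
                acl.group = value.strip()
            continue
        line = line.split("#", 1)[0].strip()           # drop '#effective:...' notes
        tag, qualifier, perm = line.split(":")
        bits = perm_to_bits(perm)
        if tag == "user":
            if qualifier:
                acl.named_users[qualifier] = bits
            else:
                acl.user_obj = bits
        elif tag == "group":
            if qualifier:
                acl.named_groups[qualifier] = bits
            else:
                acl.group_obj = bits
        elif tag == "mask":
            acl.mask = bits
        elif tag == "other":
            acl.other = bits
        else:
            raise ValueError(f"unknown ACL tag: {tag}")
    return acl


def chmod(acl: Acl, mode: int) -> Acl:
    """chmod(2) per acl(5): the group bits of the mode land in mask:: when a
    mask exists, and in group:: only when the ACL is minimal."""
    acl.user_obj = (mode >> 6) & 7
    if acl.mask is None:
        acl.group_obj = (mode >> 3) & 7
    else:
        acl.mask = (mode >> 3) & 7
    acl.other = mode & 7
    return acl


def ls_mode(acl: Acl, directory: bool = True) -> str:
    """What `ls -l` prints: the mask in the group triad, '+' for an extended ACL."""
    shown_group = acl.group_obj if acl.mask is None else acl.mask
    return (("d" if directory else "-") + bits_to_perm(acl.user_obj)
            + bits_to_perm(shown_group) + bits_to_perm(acl.other)
            + ("" if acl.mask is None else "+"))


def allowed(acl: Acl, user: str, groups: set[str], want: str) -> bool:
    """acl(5) check for one request ('w', 'wx', ...): the first matching class
    decides; group-class entries are ANDed with the mask, and any one matching
    group entry that contains all requested bits grants access."""
    need = perm_to_bits(want)
    mask = 7 if acl.mask is None else acl.mask
    if user == acl.owner:
        return (acl.user_obj & need) == need
    if user in acl.named_users:
        return (acl.named_users[user] & mask & need) == need
    entries = [acl.group_obj] if acl.group in groups else []
    entries += [bits for name, bits in acl.named_groups.items() if name in groups]
    if entries:
        return any((bits & mask & need) == need for bits in entries)
    return (acl.other & need) == need


# Constructed getfacl output for a /mnt/share that already had an ACL
# (e.g. from a Windows client or an earlier setfacl) before the chown/chmod.
SHARE_WITH_ACL = """\
# file: share
# owner: dadm
# group: domain users
user::rwx
group::r-x
group:monitoring:r-x
mask::r-x
other::---
"""

SUPPORTER_GROUPS = {"domain users", "monitoring"}   # supporter's groups per the thread


def scenario(acl: Acl, mode: int) -> tuple[str, bool, bool]:
    """Apply `mode`; return (ls triads, dadm can create, supporter can create).
    Creating an entry in a directory needs both 'w' and 'x' on it."""
    chmod(acl, mode)
    return (ls_mode(acl),
            allowed(acl, "dadm", {"domain users"}, "wx"),
            allowed(acl, "supporter", SUPPORTER_GROUPS, "wx"))


def thread_cases() -> dict[str, tuple[str, bool, bool]]:
    def fresh_dir() -> Acl:            # plain mkdir: minimal ACL, mode 0755
        return Acl(owner="dadm", group="domain users", user_obj=7, group_obj=5, other=5)
    return {
        "old dir with ACL, chmod 0770": scenario(parse_getfacl(SHARE_WITH_ACL), 0o770),
        "recreated dir, chmod 0770": scenario(fresh_dir(), 0o770),
        "recreated dir, chmod 0750": scenario(fresh_dir(), 0o750),
    }


if __name__ == "__main__":
    for name, (mode, owner_ok, supporter_ok) in thread_cases().items():
        print(f"{name:30} {mode}  dadm:{owner_ok}  supporter:{supporter_ok}")
```

The first case prints `drwxrwx---+` with dadm able to create and supporter not, which is the state described in the question; the other two show why recreating the directory fixed it and why 0750 leaves the group read-only. On a real host the same facts come from `getfacl /mnt/share` (look for a `mask::` line and `#effective:` annotations) and from `id XDEV\\supporter` to confirm winbind actually maps the user into the group.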
