[OmniOS-discuss] CIFS access denied to some users from AD - again

Piotr Kaminski pkam at bloom.pl
Sat Aug 25 21:37:30 UTC 2018


Hi Everybody,

I would like to refresh my post sent around 3 months ago. The issue still
persists...

What I've got is

  * Ubuntu 16.04 with Samba 4 as AD DC
  * OmniOSce CIFS server is joined to AD domain
  * Windows 10 Pro joined to AD domain
  * and some more client computers joined

I do AD administration from Win10 with RSAT. I've created a lot of
accounts for employees.

PROBLEM: Some users are denied access to OmniOSce shares while other
users can connect without problems. I would like to stress: the issue is
present only with OmniOS shares. Users ARE authorised through AD DC.

  * There is an ACL rule for an "employees" AD group allowing access for the
    members,
  * there are about 20 members and only a few of them have a problem,
  * problematic accounts CAN connect to another Windows machine via RDP
    and are authorized by AD DC (I even changed passwords to check and
    still can connect with the new passwords),
  * problematic accounts cannot access the CIFS share from the OmniOSce server.

When I try to access the server from an Ubuntu machine I get the following
with "good_user":

    $ smbclient -U test26 -L //omnios
    Enter test26's password: 
    Domain=[DOMAIN_NAME] OS=[SunOS 5.11 omnios-r151026-51c7d] Server=[Native SMB service]

    	Sharename       Type      Comment
    	---------       ----      -------
    	public          Disk      
    	c$              Disk      Default Share
    	test1           Disk      
    	test2           Disk      
    	ipc$            IPC       Remote IPC
    	test            Disk      
    Domain=[DOMAIN_NAME] OS=[SunOS 5.11 omnios-r151026-51c7d] Server=[Native SMB service]

    	Server               Comment
    	---------            -------

    	Workgroup            Master
    	---------            -------

and with "bad_user" I get

    # smbclient -U bad_user -L //omnios
    Enter bad_user's password: 
    session setup failed: NT_STATUS_ACCESS_DENIED

The same results are obtained from a Windows machine with the "net view
\\omnios" command

  * When I log in to a Windows machine with "bad user" I can log in
    properly but the "net view" command produces error 53.
  * When I log in to the same Windows machine with "good user", I can
    list shares with "net view" command.

I cannot see any difference between the users. They are members of the
same AD groups. They were created one by one.

As a workaround I can disable problematic accounts, create new accounts
and they work like a charm. But that is just a temporary workaround.

Can the issue be related to SID numbers? Maybe OmniOS does not like some
of them?

I have the following ID mappings on OmniOS:

    # idmap list
    add     winuser:administrator@local.domain_name.net  unixuser:root
    add     wingroup:administrators@local.domain_name.net        unixgroup:root
    add -d  winuser:*@local.domain_name.net      unixuser:domain_name

The issue drives me crazy. Any help or thoughts appreciated.

Regards,

-- 
Piotr
