Samba with Active Directory - shares are readonly, NT_STATUS_MEDIA_WRITE_PROTECTED

Posted by froh42 on Server Fault See other posts from Server Fault or by froh42
Published on 2010-12-20T02:10:04Z Indexed on 2011/01/05 11:55 UTC
Read the original article Hit count: 264

I've set a samba server that seems to work, all shares are seemingly exported as readonly, however. The machine is called "lx". When I'm on lx I can run the following command:

froh@lx:~$ smbclient //lx/export -UAdministrator 
Enter Administrator's password:  
Domain=[CUSTOMER] OS=[Unix] Server=[Samba 3.5.4] 
smb: \> mkdir wrzlbrmpf 
NT_STATUS_MEDIA_WRITE_PROTECTED making remote directory \wrzlbrmpf
smb: \> ls
  .                                   D        0  Fri Dec  3 19:04:20 2010
  ..                                  D        0  Sun Nov 28 01:32:37 2010
  zork                                D        0  Fri Dec  3 18:53:33 2010
  bar                                 D        0  Sun Nov 28 23:52:43 2010
  ork                                          1  Fri Dec  3 18:53:02 2010
  foo                                          1  Sun Nov 28 23:52:41 2010
  gaga                                D        0  Fri Dec  3 19:04:20 2010

How can I troubleshoot this?


What I did:

First I set up a fresh install of Ubuntu 10.10 x64.

Second I got kerberos working with the following krb5.conf file:

[libdefaults]
        ticket_lifetime = 24000
        clock_skew = 300
        default_realm = CUSTOMER.LOCAL

[realms]
    CUSTOMER.LOCAL = {
        kdc = SB4.customer.local:88
        admin_server = SB4.customer.local:464
        default_domain = CUSTOMER.LOCAL
    }


[domain_realm]
        .customer.local = CUSTOMER.LOCAL
        customer.local = CUSTOMER.LOCAL

#[login]
#       krb4_convert = true
#       krb4_get_tickets = false

I also added winbind to group, passwd and shadow in nsswitch.conf.

Seemingly Kerberos works:

root@lx:~# net ads testjoin Join is OK root@lx:~# wbinfo -a 'Administrator%MYSECRETPASSWORD' plaintext password authentication succeeded challenge/response password authentication succeeded

wbinfo -u and wbinfo -g also spit out a list of users and a list of groups respectiveley. I noted that domain accounts did NOT include a domain and they are in german (as on the SBS 2003 that is the domain server). So I get a "Domänenbenutzer" in wbinfo -u's output not a "CUSTOMER+Domain User" or something similar.

I'm not sure anymore what I did to the PAM configuration, but here is what I currently have:

root@lx:/etc/pam.d# cat samba 
@include common-auth
@include common-account
@include common-session-noninteractive
root@lx:/etc/pam.d# grep -ve '^#' common-auth 

auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
root@lx:/etc/pam.d# grep -ve '^#' common-account 

account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so 
account [success=1 new_authtok_reqd=done default=ignore]        pam_winbind.so 
account requisite                       pam_deny.so
account required                        pam_permit.so
account required                        pam_krb5.so minimum_uid=1000
root@lx:/etc/pam.d# grep -ve '^#' common-session-noninteractive 

session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session optional                        pam_krb5.so minimum_uid=1000
session required        pam_unix.so 
session optional                        pam_winbind.so 

At some point I joined the linux box into the AD domain.

After (manually) creating a home directory on the linux box I can log in using the Adminstrator user with the password taken from AD.

Now I run samba with the following setup:

[global]
        netbios name = LX
        realm = CUSTOMER.LOCAL
        workgroup = CUSTOMER
        security = ADS
        encrypt passwords = yes
        password server = 192.168.20.244     #IP des Domain Controllers
        os level = 0
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = Yes
        winbind enum groups = Yes
        preferred master = no
        winbind separator = +
        dns proxy = no
        wins proxy = no
#       client NTLMv2 auth = Yes
        log level = 2
        logfile = /var/log/samba/log.smbd.%U
        template homedir = /home/%U
        template shell = /bin/bash

[export]
        path = /mnt/sdc1/export
        read only = No
        public = Yes

Currently I don't care whether export is exported to everyone or just one user, I want to see somebody WRITING to that directory before I start fiddling with the authentication settings. (Who may access it).

As mentioned, accessing the share from smbclient results in this NT_STATUS_MEDIA_WRITE_PROTECTED .

Accessing it from windows shows ACLs that look correct (The user may write) - but it does not work, I can only read files not write.

The directory to be exported looks like this:

root@lx:/etc/pam.d# ls -ld /mnt/
drwxr-xr-x 5 root root 4096 2010-11-28 01:29 /mnt/
root@lx:/etc/pam.d# ls -ld /mnt/sdc1/
drwxr-xr-x 4 froh froh 4096 2010-11-28 01:32 /mnt/sdc1/
root@lx:/etc/pam.d# ls -ld /mnt/sdc1/export/
drwxrwxrwx+ 5 administrator domänen-admins 4096 2010-12-03 19:04 /mnt/sdc1/export/
root@lx:/etc/pam.d# getfacl /mnt/
getfacl: Entferne führende '/' von absoluten Pfadnamen
# file: mnt/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

root@lx:/etc/pam.d# getfacl /mnt/sdc1/
getfacl: Entferne führende '/' von absoluten Pfadnamen
# file: mnt/sdc1/
# owner: froh
# group: froh
user::rwx
group::r-x
other::r-x

root@lx:/etc/pam.d# getfacl /mnt/sdc1/export/
getfacl: Entferne führende '/' von absoluten Pfadnamen
# file: mnt/sdc1/export/
# owner: administrator
# group: domänen-admins
user::rwx
group::rwx
group:domänen-admins:rwx
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:group:domänen-admins:rwx
default:mask::rwx
default:other::rwx

My, oh my what am I overlooking? What am I to blind to see?

© Server Fault or respective owner

Related posts about active-directory

Related posts about samba

  • Unable to connect to Samba printer

    as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
    I have a headless Ubuntu 12.04 server for files and printers. It shares files via Samba just fine. However, the HP PSC-750xi connected to the server via USB is not accessible from my Ubuntu 12.04 laptop. I can browse for it in the Printing control panel, but any attempt to authenticate my ID to the… >>> More

  • Samba folder is gone

    as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
    I seem to have some issues sharing folders from my Ubuntu 12.04 machine to a Win7 machine. After playing around with the settings, I decided to revert to Samba's original setting by reinstalling it: sudo apt-get purge samba sudo rm -rf /etc/samba/ /etc/default/samba sudo apt-get install samba just… >>> More

  • Samba on OS X 10.6.4

    as seen on Server Fault - Search for 'Server Fault'
    I just updated from 10.6.3 to 10.6.4, and now my Samba shares won't mount and won't allow access into the directories. In the logs, I've started to get the following errors, any idea what might have gone wrong? 2010/06/25 15:54:27, 0, pid=13848] /SourceCache/samba/samba-235.4/samba/source/passdb/secrets… >>> More

  • OpenLDAP and Samba, can't log onto Samba share from Windows

    as seen on Server Fault - Search for 'Server Fault'
    The former jackass IT-guy that I'm taking over for had a Samba share setup on a Fedora server that uses our OpenLDAP server to authenticate users who want to log in from Windows. We recently added a new employee and I jumped through the LDAP hoops to add them to the system. However, I can't seem… >>> More

  • Windows 7 Samba issue

    as seen on Server Fault - Search for 'Server Fault'
    We have a strange samba issue affecting only one user. Our samba setup is as follow : Red Hat Enterprise Linux Server release 5.4 (Tikanga) - Samba Server Samba version 3.0.33-3.14.el5 - Samba version Domain Controller WIN2008R2 Standard -… >>> More