I’ve created a share on a member server and created a share “Installers” and assigned the owner as “root” and the group “Computer Admins” to it as base directory owner and group. It is impossible to connect to this group despite making myself a member of the “Computer Admins” group. I am connecting from a Mac OS X 10.12.6 client computer bound to the UCS AD DC. My default group for the user is “Domain Users” and then I belong to a number of other groups that I have created which includes the aforementioned “Computer Admins”. I have reviewed all posts here about it as well as the documentation.
I have tried force user and force group (both together and separately)
I have tried making myself the directory owner
I have tried setting and removing ACLs from the base directory
Nothing is working and I always get a “You don’t have enough permissions” error on the client computer. I don’t understand why something like a simple share should be so difficult to mount.
We need some more details. Please log in on the member server via SSH and post the output of the file /etc/samba/shares.conf.d/<your-share-name>.conf (replace <your-share-name> appropriately, of course).
Please also post the output of getfacl /path/to/the/shared/directory
The second command will ask for a password. Use the same password you’re using for logging in at the Univention Management Console (the domain administrator’s password). The second command should also give you a shell-like file transfer tool; its prompt will be smb: \>. You can get out of that with quit or pressing Ctrl+d.
    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    IPC$            IPC       IPC Service (groups univention corporate server)
    Advancement     Disk
    Installers      Disk

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
    SKAGGSCATHOLICC      AD
This means that the share is present and that you may access it with the domain admin’s credentials. Now try accessing the same share from a client, e.g. a Mac or a Windows machine, and use the same credentials: SKAGGSCATHOLICC\administrator as the user name and the password you’ve typed when connecting with smbclient.
The Mac isn’t giving me the option because it is bound. It tries to use the username of the currently logged-in user.
mount -v -t smbfs //groups.skaggscatholiccenter.org/Installers ~/Installers
Password for groups.skaggscatholiccenter.org:
mount_smbfs: server rejected the connection: Authentication error
When I try through the “Connect to Server” dialog
And when I connect…
To which I tried without the “smb:” and used //groups.sk… and that turned into smb:////groups.sk… when it tried to connect. So I tried backslashes \\groups.sk… and it was a different error about the server not existing but still an error. I tried with no slashes or smb: and it was the same error as before. I have also tried cifs:// with no luck either.
The error message “URLs with the type ‘smb:’ are not supported” seems to hint that the file sharing support is not installed. See e.g. this article on how to install it. As I don’t have a Mac myself I cannot verify if that’s the actual problem, but the linked article talks about using smb: URLs after installing that software component, so…
Can you connect to other shares from your Mac? Do you have any non-Mac machine that you can test connecting to the newly-created Installers share with?
Nope. That is not the answer. Sharing obviously works because all of our Macs can connect to UCS servers for samba home shares just fine. I can connect to an old mac server running samba shares so it seems by process of elimination that the fault is with the UCS server. When it was installed I joined this groups server as a “Member Server” and with “File and print” services.
I’m trying to piece together your setup from your answers. You seem to be saying that the server with the “installers” share is a new server? That you’ve never had a successful connection with from a Mac? What about that “Advancement” share; can you connect to that one?
And again my question, can you try connecting to the “installers” share from a non-Mac client, please?
Yes, the setup is a new UCS server that is just serving group share points. And correct that I’ve never had a successful connection on that new server. Our old Mac server, which was also using samba, was able to successfully share to hundreds of clients. I’ve tried from several of my clients and none of them can connect, even with the UCS domain admin user “administrator”.
As for the smb: error I traced that back to the manual section 3.2.4 where it talks about altering the mac /etc/auto_master file and adding /etc/auto_custom. Once I reset those files to pre UCS suggestions I only got the “permission denied” error. Those alterations also prohibited me from mounting any other hard drives even when directly connected via USB or Thunderbolt connections.
I was going to look for a way to maybe specify an earlier version of the SMB protocol like SMB1 to test but all the clients connect to the home share servers just fine. Just not this group server.
Oh, and yes, I can connect to the Installers share from a Windows computer, but only with the UCS AD Administrator login; I cannot connect with my credentials. When using mine I get an access denied error.
Alright, all the behavior you’re describing is rather unusual. At this point I recommend you re-join the affected server again (which won’t destroy data, but it will copy LDAP content, certificates, re-create the server’s account in the LDAP etc.). First remove the machine account from the LDAP in the UMC. Next execute univention-join on the affected server and use administrator with the corresponding password as the credentials. After the (hopefully) successful join reboot the server.
Next you may have to re-create the share in the UMC as you did remove the server’s machine account earlier. Or at least check if the share definition is still present in LDAP and that the server it is set to appear on is correct.
Now check the output of smbclient -NL $(hostname) on the affected server. If the output contains the share, then try connecting.
Before you reinstall it, please post the output of the following command from both the problematic server and from the server providing the home share that works fine:
Ok, reinstall didn’t work either. Is there something funny about fstab and group shares? My raid volumes on my other servers for network homes work fine with defaults,user_xattr. I’ve tried those options and variations on other as well but when the group share is on the raid volume it fails to mount. If I move it to a local folder on the boot drive it works fine. Currently using defaults,acl,user_xattr to no avail either.
ls -l of / output
drwxr-xr-x 3 root nogroup 4096 Aug 30 08:04 groups
drwx------ 15 root root 4096 Aug 19 11:39 grpshares
“groups” is the local folder on the boot drive
“grpshares” is the raid volume I’m trying to use for group shares.
I was able to mount one of my shares by chgrp to “nogroup” on the “grpshares” directory and setting permissions to 755 like the “groups” directory.
Yeah well, that’s Unix 101. If a parent directory is inaccessible to a user, then permissions on the sub-directory don’t even come into play. The user needs at least directory traversal permission (the x bit on a directory) on parent directories.
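
An added example, not part of the original thread: a POSIX shell check for the condition described in the last post, reporting the directory nearest to / on the way to a share path that lacks the x (search) bit for "other". The function names and the temporary tree that mirrors /groups and /grpshares are constructed for illustration; the check reads mode bits only (GNU stat) and does not evaluate ACLs or group membership.

```shell
#!/bin/sh
# Added example (not from the thread). Usage: first_untraversable /abs/path [stop_dir]
# Prints the directory closest to stop_dir (default /) whose mode denies
# "other" the search (x) bit; prints nothing when every component allows it.
first_untraversable() {
    dir=$1
    stop=${2:-/}
    blocked=
    case $dir in
        /*) ;;
        *) echo "need an absolute path" >&2; return 2 ;;
    esac
    while :; do
        if [ -d "$dir" ]; then
            mode=$(stat -c '%a' "$dir") || return 2
            last=${mode#"${mode%?}"}      # final octal digit = "other" class
            # An even digit means the x bit is missing for "other".
            [ $((last % 2)) -eq 1 ] || blocked=$dir
        fi
        [ "$dir" = "$stop" ] && break
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    [ -n "$blocked" ] && printf '%s\n' "$blocked"
    return 0
}

# Constructed sample tree mirroring the ls -l output in the thread:
#   groups     drwxr-xr-x  (share mounts)
#   grpshares  drwx------  (share below it cannot be reached)
make_demo_tree() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/groups/Installers" "$base/grpshares/Installers"
    chmod 755 "$base" "$base/groups" \
        "$base/groups/Installers" "$base/grpshares/Installers"
    chmod 700 "$base/grpshares"
    printf '%s\n' "$base"
}

demo=$(make_demo_tree)
echo "blocked under grpshares: $(first_untraversable "$demo/grpshares/Installers" "$demo")"
echo "blocked under groups:    $(first_untraversable "$demo/groups/Installers" "$demo")"
rm -rf "$demo"
```

On the server itself the call would be first_untraversable with the share's real directory and no second argument, so the walk goes all the way up to /.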