[Samba] Samba ADS: kerberos logins seems to give users different
rights/group memberships
Ferdinand Hagethorn
hagethorn at stone-it.com
Mon Mar 8 09:59:00 GMT 2004
Hi all,
I'm having some very weird issues with some users in a
Samba ADS configuration. (:: kerberos logins seem to give
users different rights/group memberships ::)
Sysinfo:
OS: Debian 3.0 + some backports packages
Kernel: 2.4.24-1-686-smp (from backports.org)
Samba: 3.0.2a (from debian packages fetched from samba)
Filesystem: ext3 (no acl patches or acl support)
Configuration description:
--------------------------
Samba ADS configuration
Windows 2000 DC
Situation description:
----------------------
We have a share containing a directory:
//fileserver/export/biz/public
Unix rights on the biz share: 0755 (rwxr-xr-x)
Unix rights on the public directory are: 2770 (rwxrws---)
We have a set of users, each of whom is a member of the group biz-pub.
biz-pub is defined in the Windows DC.
Now the case:
For some users it is not possible to open the public directory
when logged on to the samba server with kerberos identification.
Example output:
# smbclient //fileserver/export -U peter
Password: *****
smb: \> cd biz
smb: \> ls
// lists contents correctly
smb: \> cd biz
// lists contents correctly
smb: \biz\> cd biz
smb: \biz\public\> ls
// lists contents correctly
smb: \biz\public\> put file
// uploads the issue file correctly
This is all okay
Now we log in using kerberos authentication, first get a ticket:
# kinit peter@DOM.COM
# Password: *****
Now log in with this ticket:
# smbclient //fileserver/export -U peter -k
smb: \> cd biz
smb: \biz\> ls
// lists contents correctly
smb: \biz\> cd public
smb: \biz\public\> ls
NT_STATUS_ACCESS_DENIED listing \biz\public\*
This also applies to all the clients (w2k/wxp/w2003) which log in to the
domain.
So what is happening here? Manual user+pass login works,
but a kerberos login does too, yet gives the user different
group memberships ???
Note 1: nsswitch.conf is configured correctly and works 100%
(tested with 'id peter' and 'getent passwd/group -s winbindd')
No nscd is running!
Note 2: This behaviour only applies to a few users.
Thanks in advance,
Ferdinand
-----
## smb.conf file contents follow:
[global]
workgroup = DOM
realm = DOM.COM
netbios name = FILESERVER
security = ADS
syslog = 0
log file = /var/log/samba/log.%m
printcap name = cups
os level = 10
preferred master = No
local master = No
domain master = No
idmap uid = 10000-60000
idmap gid = 10000-60000
template homedir = /cluster/homes/homedirs/%U
winbind separator = +
winbind use default domain = Yes
printing = cups
printer admin = Administrator, @"Domain Admins"
log level = 0
[export]
comment = Export share
path = /cluster/data/export
admin users = @"Domain Admins"
read only = No
create mask = 0660
directory mask = 2770
-----