[Samba] Re: Re: Samba ignores groups for ACL!

Neuwald, Björn Neuwald at medianet.freinet.de
Mon Oct 9 08:10:42 GMT 2006


Hi,
First of all, thanks for the fast answer.
 
> I hope that the above commands are really right, because you 
    said folder_a but the name of the folder is "folderA".
 
    Sorry, the commands are right :)
 
> The all other things include the groupmaps? 
 
    What do you mean? When I use the command "./net groupmap list",
    I get the following back:
 
    #Administrators (S-1-5-32-544) -> NTBV+mn_alle
    #root (S-1-5-21-3454502962-1315390950-1018511800-1001) -> root
    #Users (S-1-5-32-545) -> BUILTIN+users
 
Here is my smb.conf:
----------------------------------------------------------------
# Samba config file created using SWAT
# from 172.16.121.150 (172.16.121.150)
# Date: 2006/10/09 08:59:49

[global]
display charset = UTF-8
workgroup = NTBV
realm = XXX.TEST.DE
interfaces = 172.16.203.144
security = ADS
client schannel = No
password server = pwserver.xxx.de
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
log level = 2
log file = /usr/local/samba/var/log.%m
ldap ssl = no
idmap uid = 5000-100000000
idmap gid = 5000-100000000
template homedir = /usr/local/samba/%D/%U
template shell = /bin/bash
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes

[all]
comment = Testverzeichnis
path = /export/home/all
valid users = @domain+group_office
admin users = domain+admin
read only = No
----------------------------------------------------------------
 
And here is the log-file entry (level 2 log). This appears when I
want to enter the folder in my share
(the folder named "test" has an ACL group entry for "NTBV+mn_alle" with
rwx, and the Windows user is a member of that group):
 
----------------------------------------------------------------
[2006/10/09 09:09:40, 2] smbd/reply.c:reply_tcon_and_X(711)
  Serving IPC$ as a Dfs root
----------------------------------------------------------------
 
Finally, I found something out.
When I configure the Windows user in AD on my Win2003 machine and
set the group which I used for the ACL permission on my folder
as the primary group, it works. I can access it.
I tested it with other users: the same thing.
 
So I think Samba ignores the other (secondary) groups the user
is a member of. Samba is only interested in the primary group.
 
Is this a bug?
 
I hope you can help me ;) Thanks
 
Ciao, Björn
 
PS: Here is a part of a level 5 log:
-----------------------------------------------------------------------------------
[2006/10/09 09:21:07, 3] smbd/process.c:check_reload(1340)
  Printcap cache time expired.
[2006/10/09 09:21:07, 3] printing/pcap.c:pcap_cache_reload(117)
  reloading printcap cache
[2006/10/09 09:21:07, 5] printing/print_svid.c:sysv_cache_reload(46)
  reloading sysv printcap cache
[2006/10/09 09:21:08, 3] printing/print_svid.c:sysv_cache_reload(72)
  No Printers found!!!
[2006/10/09 09:21:08, 3] printing/pcap.c:pcap_cache_reload(223)
  reload status: error
[2006/10/09 09:21:08, 3] printing/pcap.c:pcap_cache_reload(117)
  reloading printcap cache
[2006/10/09 09:21:08, 5] printing/print_svid.c:sysv_cache_reload(46)
  reloading sysv printcap cache
[2006/10/09 09:21:08, 3] printing/print_svid.c:sysv_cache_reload(72)
  No Printers found!!!
[2006/10/09 09:21:08, 3] printing/pcap.c:pcap_cache_reload(223)
  reload status: error
[2006/10/09 09:21:08, 3] smbd/process.c:process_smb(1110)
  Transaction 3164 of length 142
[2006/10/09 09:21:08, 5] lib/util.c:show_msg(478)
[2006/10/09 09:21:08, 5] lib/util.c:show_msg(488)
  size=138
  smb_com=0xa2
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=24
  smb_flg2=55303
  smb_tid=2
  smb_pid=1676
  smb_uid=101
  smb_mid=8451
  smt_wct=24
  smb_vwv[ 0]=  255 (0xFF)
  smb_vwv[ 1]=57054 (0xDEDE)
  smb_vwv[ 2]=13312 (0x3400)
  smb_vwv[ 3]= 4096 (0x1000)
  smb_vwv[ 4]=    0 (0x0)
  smb_vwv[ 5]=    0 (0x0)
  smb_vwv[ 6]=    0 (0x0)
  smb_vwv[ 7]=  256 (0x100)
  smb_vwv[ 8]= 4096 (0x1000)
  smb_vwv[ 9]=    0 (0x0)
  smb_vwv[10]=    0 (0x0)
  smb_vwv[11]=    0 (0x0)
  smb_vwv[12]=    0 (0x0)
  smb_vwv[13]=    0 (0x0)
  smb_vwv[14]=    0 (0x0)
  smb_vwv[15]=  768 (0x300)
  smb_vwv[16]=    0 (0x0)
  smb_vwv[17]=  256 (0x100)
  smb_vwv[18]=    0 (0x0)
  smb_vwv[19]=  256 (0x100)
  smb_vwv[20]=   65 (0x41)
  smb_vwv[21]=  512 (0x200)
  smb_vwv[22]=    0 (0x0)
  smb_vwv[23]=    0 (0x0)
  smb_bcc=55
[2006/10/09 09:21:08, 3] smbd/process.c:switch_message(914)
  switch message SMBntcreateX (pid 7548) conn 0x3cabd0
[2006/10/09 09:21:08, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (5000, 5006) - sec_ctx_stack_ndx = 0
[2006/10/09 09:21:08, 5] auth/auth_util.c:debug_nt_user_token(454)
  NT user token of user S-1-5-21-8915387-465392698-1831341646-7629
  contains 42 SIDs
  SID[  0]: S-1-5-21-8915387-465392698-1831341646-7629
  SID[  1]: S-1-5-21-8915387-465392698-1831341646-2886
  SID[  2]: S-1-1-0
  SID[  3]: S-1-5-2
  SID[  4]: S-1-5-11
  SID[  5]: S-1-5-21-8915387-465392698-1831341646-2818
  SID[  6]: S-1-5-21-8915387-465392698-1831341646-5711
  SID[  7]: S-1-5-21-8915387-465392698-1831341646-2859
  SID[  8]: S-1-5-21-8915387-465392698-1831341646-4004
  SID[  9]: S-1-5-21-8915387-465392698-1831341646-513
  SID[ 10]: S-1-5-21-8915387-465392698-1831341646-8134
  SID[ 11]: S-1-5-21-8915387-465392698-1831341646-9220
  SID[ 12]: S-1-5-21-8915387-465392698-1831341646-9726
  SID[ 13]: S-1-5-21-8915387-465392698-1831341646-8204
  SID[ 14]: S-1-5-21-8915387-465392698-1831341646-9228
  SID[ 15]: S-1-5-21-8915387-465392698-1831341646-7996
  SID[ 16]: S-1-5-21-8915387-465392698-1831341646-8091
  SID[ 17]: S-1-5-21-8915387-465392698-1831341646-5107
  SID[ 18]: S-1-5-21-8915387-465392698-1831341646-2846
  SID[ 19]: S-1-5-21-8915387-465392698-1831341646-2390
  SID[ 20]: S-1-5-21-8915387-465392698-1831341646-8609
  SID[ 21]: S-1-5-21-8915387-465392698-1831341646-9591
  SID[ 22]: S-1-5-21-8915387-465392698-1831341646-9158
  SID[ 23]: S-1-5-21-8915387-465392698-1831341646-8512
  SID[ 24]: S-1-5-21-8915387-465392698-1831341646-9842
  SID[ 25]: S-1-5-21-8915387-465392698-1831341646-9836
  SID[ 26]: S-1-5-21-8915387-465392698-1831341646-9877
  SID[ 27]: S-1-5-21-8915387-465392698-1831341646-9820
  SID[ 28]: S-1-5-21-8915387-465392698-1831341646-9088
  SID[ 29]: S-1-5-21-8915387-465392698-1831341646-6557
  SID[ 30]: S-1-5-21-8915387-465392698-1831341646-9775
  SID[ 31]: S-1-5-21-8915387-465392698-1831341646-9639
  SID[ 32]: S-1-5-21-8915387-465392698-1831341646-5560
  SID[ 33]: S-1-5-21-8915387-465392698-1831341646-9140
  SID[ 34]: S-1-5-21-8915387-465392698-1831341646-9764
  SID[ 35]: S-1-5-21-8915387-465392698-1831341646-9087
  SID[ 36]: S-1-5-21-8915387-465392698-1831341646-2082
  SID[ 37]: S-1-5-21-8915387-465392698-1831341646-9846
  SID[ 38]: S-1-5-21-8915387-465392698-1831341646-9848
  SID[ 39]: S-1-5-21-8915387-465392698-1831341646-9118
  SID[ 40]: S-1-5-21-8915387-465392698-1831341646-9910
  SID[ 41]: S-1-5-32-545
  SE_PRIV  0x0 0x0 0x0 0x0
[2006/10/09 09:21:08, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 5000
  Primary group is 5006 and contains 38 supplementary groups
  Group[  0]: 5001
  Group[  1]: 5002
  Group[  2]: 5003
  Group[  3]: 5004
  Group[  4]: 5005
  Group[  5]: 5006
  Group[  6]: 5007
  Group[  7]: 5008
  Group[  8]: 5009
  Group[  9]: 5010
  Group[ 10]: 5011
  Group[ 11]: 5012
  Group[ 12]: 5013
  Group[ 13]: 5014
  Group[ 14]: 5000
  Group[ 15]: 5015
  Group[ 16]: 5016
  Group[ 17]: 5017
  Group[ 18]: 5018
  Group[ 19]: 5019
  Group[ 20]: 5020
  Group[ 21]: 5021
  Group[ 22]: 5022
  Group[ 23]: 5023
  Group[ 24]: 5024
  Group[ 25]: 5025
  Group[ 26]: 5026
  Group[ 27]: 5027
  Group[ 28]: 5028
  Group[ 29]: 5029
  Group[ 30]: 5030
  Group[ 31]: 5031
  Group[ 32]: 5032
  Group[ 33]: 5033
  Group[ 34]: 5034
  Group[ 35]: 5035
  Group[ 36]: 5036
  Group[ 37]: 5944
[2006/10/09 09:21:08, 5] smbd/uid.c:change_to_user(260)
  change_to_user uid=(0,5000) gid=(0,5006)
[2006/10/09 09:21:08, 5] smbd/filename.c:unix_convert(108)
  unix_convert called on file "AZUBISUN/ALL"
[2006/10/09 09:21:08, 5] smbd/filename.c:unix_convert(185)
  unix_convert begin: name = AZUBISUN/ALL, dirpath = , start = AZUBISUN/ALL
[2006/10/09 09:21:08, 5] smbd/filename.c:unix_convert(295)
  Intermediate not found AZUBISUN
[2006/10/09 09:21:08, 5] smbd/msdfs.c:is_msdfs_link(269)
  is_msdfs_link: AZUBISUN/ALL does not exist.
[2006/10/09 09:21:08, 5] smbd/msdfs.c:is_msdfs_link(269)
  is_msdfs_link: AZUBISUN does not exist.
[2006/10/09 09:21:08, 3] smbd/msdfs.c:dfs_redirect(435)
  dfs_redirect: Not redirecting azubisun/all/AZUBISUN/ALL.
[2006/10/09 09:21:08, 3] smbd/msdfs.c:dfs_redirect(439)
  dfs_redirect: Path converted to non-dfs path AZUBISUN/ALL
[2006/10/09 09:21:08, 5] smbd/filename.c:unix_convert(108)
  unix_convert called on file "AZUBISUN/ALL"
[2006/10/09 09:21:08, 5] smbd/filename.c:unix_convert(185)
  unix_convert begin: name = AZUBISUN/ALL, dirpath = , start = AZUBISUN/ALL
[2006/10/09 09:21:08, 5] smbd/filename.c:unix_convert(295)
  Intermediate not found AZUBISUN
[2006/10/09 09:21:08, 3] smbd/error.c:error_packet(146)
  error packet at smbd/nttrans.c(647) cmd=162 (SMBntcreateX) NT_STATUS_OBJECT_PATH_NOT_FOUND
[2006/10/09 09:21:08, 5] lib/util.c:show_msg(478)
[2006/10/09 09:21:08, 5] lib/util.c:show_msg(488)
  size=35
  smb_com=0xa2
  smb_rcls=58
  smb_reh=0
  smb_err=49152
  smb_flg=136
  smb_flg2=51201
  smb_tid=2
  smb_pid=1676
  smb_uid=101
  smb_mid=8451
  smt_wct=0
  smb_bcc=0
[2006/10/09 09:21:08, 3] smbd/process.c:process_smb(1110)
  Transaction 3165 of length 154
[2006/10/09 09:21:08, 5] lib/util.c:show_msg(478)
[2006/10/09 09:21:08, 5] lib/util.c:show_msg(488)
  size=150
  smb_com=0xa2
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=24
  smb_flg2=55303
  smb_tid=2
  smb_pid=1676
  smb_uid=101
  smb_mid=8515
  smt_wct=24
  smb_vwv[ 0]=  255 (0xFF)
  smb_vwv[ 1]=57054 (0xDEDE)
  smb_vwv[ 2]=16384 (0x4000)
  smb_vwv[ 3]= 5632 (0x1600)
  smb_vwv[ 4]=    0 (0x0)
  smb_vwv[ 5]=    0 (0x0)
  smb_vwv[ 6]=    0 (0x0)
  smb_vwv[ 7]=35072 (0x8900)
  smb_vwv[ 8]=  512 (0x200)
  smb_vwv[ 9]=    0 (0x0)
  smb_vwv[10]=    0 (0x0)
  smb_vwv[11]=    0 (0x0)
  smb_vwv[12]=    0 (0x0)
  smb_vwv[13]=32768 (0x8000)
  smb_vwv[14]=    0 (0x0)
  smb_vwv[15]=  768 (0x300)
  smb_vwv[16]=    0 (0x0)
  smb_vwv[17]=  256 (0x100)
  smb_vwv[18]=    0 (0x0)
  smb_vwv[19]=16384 (0x4000)
  smb_vwv[20]=   65 (0x41)
  smb_vwv[21]=  512 (0x200)
  smb_vwv[22]=    0 (0x0)
  smb_vwv[23]=  768 (0x300)
  smb_bcc=67
[2006/10/09 09:21:08, 3] smbd/process.c:switch_message(914)
  switch message SMBntcreateX (pid 7548) conn 0x3cabd0
[2006/10/09 09:21:08, 4] smbd/uid.c:change_to_user(176)
  change_to_user: Skipping user change - already user
[2006/10/09 09:21:08, 5] smbd/filename.c:unix_convert(108)
  unix_convert called on file "AZUBISUN/ALL/TEST2"
[2006/10/09 09:21:08, 5] smbd/filename.c:unix_convert(185)
  unix_convert begin: name = AZUBISUN/ALL/TEST2, dirpath = , start = AZUBISUN/ALL/TEST2
[2006/10/09 09:21:08, 5] smbd/filename.c:unix_convert(295)
  Intermediate not found AZUBISUN
[2006/10/09 09:21:08, 5] smbd/msdfs.c:is_msdfs_link(269)
  is_msdfs_link: AZUBISUN/ALL/TEST2 does not exist.
[2006/10/09 09:21:08, 5] smbd/msdfs.c:is_msdfs_link(269)
  is_msdfs_link: AZUBISUN/ALL does not exist.
[2006/10/09 09:21:08, 5] smbd/msdfs.c:is_msdfs_link(269)
  is_msdfs_link: AZUBISUN does not exist.
[2006/10/09 09:21:08, 3] smbd/msdfs.c:dfs_redirect(435)
  dfs_redirect: Not redirecting azubisun/all/AZUBISUN/ALL/TEST2.
[2006/10/09 09:21:08, 3] smbd/msdfs.c:dfs_redirect(439)
  dfs_redirect: Path converted to non-dfs path AZUBISUN/ALL/TEST2
[2006/10/09 09:21:08, 5] smbd/filename.c:unix_convert(108)
  unix_convert called on file "AZUBISUN/ALL/TEST2"
[2006/10/09 09:21:08, 5] smbd/filename.c:unix_convert(185)
  unix_convert begin: name = AZUBISUN/ALL/TEST2, dirpath = , start = AZUBISUN/ALL/TEST2
[2006/10/09 09:21:08, 5] smbd/filename.c:unix_convert(295)
  Intermediate not found AZUBISUN
[2006/10/09 09:21:08, 3] smbd/error.c:error_packet(146)
  error packet at smbd/nttrans.c(647) cmd=162 (SMBntcreateX) NT_STATUS_OBJECT_PATH_NOT_FOUND
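As an added illustration (not part of the original thread or of Samba's own code), the following Python script takes the "UNIX token" block that smbd prints at log level 5, as quoted above, and runs the POSIX.1e ACL access check against a directory ACL shaped like "folderA" from the first message (root:root, rwxrwx---, plus a named group entry). The GID 5006 standing for the winbind-allocated "group_beta" GID, the short SAMPLE_LOG excerpt, and the function names are assumptions of this example. The point it makes is that in the POSIX.1e algorithm a supplementary group and the primary group are checked identically against g::/g:<gid>: entries, subject to the mask entry; so the symptom in the thread (access only works when the group is the user's primary group) points at how the token or mapping is built, or at a restrictive mask, rather than at the ACL algorithm itself.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the debug_unix_user_token() lines in the
# level-5 smbd log quoted in the thread (shortened; GIDs are illustrative).
SAMPLE_LOG = """\
[2006/10/09 09:21:08, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 5000
  Primary group is 5006 and contains 3 supplementary groups
  Group[  0]: 5001
  Group[  1]: 5006
  Group[  2]: 5944
"""


@dataclass(frozen=True)
class UnixToken:
    uid: int
    gid: int            # primary group
    groups: frozenset   # primary group plus all supplementary groups


def parse_unix_token(log: str) -> UnixToken:
    """Extract the UNIX token smbd dumps at log level 5 before change_to_user()."""
    uid = int(re.search(r"UNIX token of user (\d+)", log).group(1))
    gid = int(re.search(r"Primary group is (\d+)", log).group(1))
    supp = {int(g) for g in re.findall(r"Group\[\s*\d+\]:\s*(\d+)", log)}
    return UnixToken(uid, gid, frozenset(supp | {gid}))


PERM_BITS = {"r": 4, "w": 2, "x": 1}


def bits(perms: str) -> int:
    """'rwx' / 'r-x' / '---' -> 3-bit permission mask."""
    return sum(PERM_BITS[c] for c in perms if c != "-")


def posix_acl_allows(acl, owner_uid: int, owner_gid: int,
                     token: UnixToken, requested: str) -> bool:
    """POSIX.1e access check over a getfacl-style ACL.

    acl: list of (tag, qualifier, perms); tags 'user', 'group', 'mask', 'other'.
    An empty qualifier means the owner (u::) or owning-group (g::) entry.
    """
    want = bits(requested)
    mask = 7  # without a mask entry nothing is masked
    for tag, _, perms in acl:
        if tag == "mask":
            mask = bits(perms)

    # 1. Owner: the u:: entry applies and is not subject to the mask.
    if token.uid == owner_uid:
        return any(tag == "user" and qual == "" and (bits(p) & want) == want
                   for tag, qual, p in acl)

    # 2. Named user entry (u:<uid>:), masked.
    for tag, qual, p in acl:
        if tag == "user" and qual and int(qual) == token.uid:
            return ((bits(p) & mask) & want) == want

    # 3. Owning group (g::) or any named group (g:<gid>:) the process is in.
    #    Access is granted if at least one matching entry grants every
    #    requested bit. Supplementary groups count exactly like the primary.
    matched = False
    for tag, qual, p in acl:
        if tag != "group":
            continue
        entry_gid = owner_gid if qual == "" else int(qual)
        if entry_gid in token.groups:
            matched = True
            if ((bits(p) & mask) & want) == want:
                return True
    if matched:
        return False

    # 4. Everyone else: the o:: entry.
    return any(tag == "other" and (bits(p) & want) == want for tag, _, p in acl)


# "folderA" from the thread: root:root rwxrwx--- plus g:group_beta:rwx.
# GID 5006 is assumed here to be what winbind allocated for group_beta.
GROUP_BETA_GID = 5006
ROOT_UID, ROOT_GID = 0, 0
FOLDER_A = [
    ("user", "", "rwx"),
    ("group", "", "rwx"),
    ("group", str(GROUP_BETA_GID), "rwx"),
    ("mask", "", "rwx"),
    ("other", "", "---"),
]
# Same ACL with a tighter mask: the named-group entry is still rwx on paper,
# but its effective rights shrink to r-x.
FOLDER_A_TIGHT_MASK = [("mask", "", "r-x") if e[0] == "mask" else e for e in FOLDER_A]


def winuser_can_enter_folder_a(log: str = SAMPLE_LOG) -> bool:
    """Entering a directory needs r-x; evaluate it for the token found in the log."""
    return posix_acl_allows(FOLDER_A, ROOT_UID, ROOT_GID, parse_unix_token(log), "r-x")


if __name__ == "__main__":
    tok = parse_unix_token(SAMPLE_LOG)
    print("token:", tok)
    print("enter folderA:", winuser_can_enter_folder_a())
    supp_only = UnixToken(5000, 5000, frozenset({5000, GROUP_BETA_GID}))
    print("rwx via supplementary group only:",
          posix_acl_allows(FOLDER_A, ROOT_UID, ROOT_GID, supp_only, "rwx"))
    print("rwx with mask r-x:",
          posix_acl_allows(FOLDER_A_TIGHT_MASK, ROOT_UID, ROOT_GID, supp_only, "rwx"))
```

To compare against the live system, feed the real "UNIX token" block from a level-5 log into parse_unix_token and the numeric GIDs from getfacl into the ACL list: if the named group's GID is missing from the token, the problem is upstream of the ACL (winbind group membership, idmap range, or the group mapping); if it is present but access is still denied on the server, look at the mask entry next.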
 
________________________________

From: 

Sent: Friday, 29 September 2006 15:30

To: 'samba at lists.samba.org'

Subject: Re: Samba ignores groups for ACL!

 

-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 


On 09/26/2006 09:25 AM, Neuwald wrote: 


> Hello, I hope you guys can help me. 


        Let's try. :) 


> This is the first time I write to the list. Sorry about my 
> English... 


        No problem. 


> I have a Solaris 10 machine and installed "samba 3.0.2.3c" with 
> "openldap 2.3.2.1", "openssl 0.9.8" and "gcc 3.4.6". 


        Just for the sake of logs, it is 3.0.23c and 2.3.21. 


> I configured Kerberos and all the other things. All good. 


        The all other things include the groupmaps? 


> I added the Samba server (Solaris 10) to an Active Directory domain 
> with "kinit ...." and then "net ads join" and so on. 
> All worked well. 


        Ok, so your Samba server is a Member Server of an AD. 



> Then I configured my smb.conf via the SWAT web console. 
> I created a share named "all". 
> In SWAT I added the AD group "MyDomain\group_alpha" to the 
> "valid users" option. 
> After this I mounted the share on my Windows XP machine. 
> The user on the Windows XP machine is in the group "MyDomain\group_alpha". 
> All good. 


> I can access it and create folders... 


> Now I created 2 folders on my Solaris machine in my Samba share folder 
> "all". 
> Folders:            Permissions      Owner        Acl 
> 1. "folderA" with rwxrwx---     root  root    group: group_beta:rwx 
> 2. "folderB" with rwxrwx---     root  root    group: group_gama:rwx 


> After this I added, via "setfacl -m g:MyDomain\\group_beta:rwx folder_a", 
> the group "group_beta" to the first folder. 
> I did the same with the folder "folderB", where I added the group "group_gama" 
> (rwx). 



        I hope that the above commands are really right, because you 
said folder_a but the name of the folder is "folderA". 


> Now I am at the Windows machine; my user "winuser" mounted the Samba 
> share. 
> So, "winuser" is a member of the valid share user group "group_alpha"; 
> all AD users are members of this group. 
> On the two other folders in the share I added permissions for two 
> other groups. 
> So I, as "winuser", should have rights to read, write and execute 
> "folderA", because "winuser" is also a member of "group_beta", 
> but I don't have permissions for "folderB". 
> My problem is now that I cannot enter "folderA" or "folderB"! 
> (Windows prompt: I don't have permissions for this...) 


        Ok, we will need the smb.conf and a log when you are trying 
to access the share (increase the loglevel/debuglevel, please). 


> The same scenario with adding "users" directly without "group" is 
> working. 


        Sounds like an ACL problem with regards to groups from AD. 


> So I think that Samba ignores my supplementary groups for ACLs!!! 


        Maybe... 


> I googled a lot for this problem, but found no solution. 
> Help me ;) 
> Ciao, Björn 


        Kind regards, 


- -- 
Felipe Augusto van de Wiel <fel... @paranacidade.org.br> 
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE 
http://www.paranacidade.org.br/            Phone: (+55 41 3350 3300) 
-----BEGIN PGP SIGNATURE----- 
Version: GnuPG v1.4.5 (GNU/Linux) 
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org 


iD8DBQFFHR6sCj65ZxU4gPQRApJTAJ9Gff10PCewAgb0Sj1NBfqga2vmdACfeb8A 
GN3eJRmcWXcdgn3jMhKD8Cw= 
=xxbW 
-----END PGP SIGNATURE----- 
-- 
To unsubscribe from this list go to the following URL and read the 
instructions:  https://lists.samba.org/mailman/listinfo/samba 

________________________________

From: neuwald at medianet.freinet.de 

Sent: Monday, 26 September 2006 14:40

To: 'samba at lists.samba.org'

Subject: Samba ignores groups for ACL!

 
Hello, I hope you guys can help me. 
This is the first time I write to the list. Sorry about my English... 


I have a Solaris 10 machine and installed "samba 3.0.2.3c" with "openldap 2.3.2.1", "openssl 0.9.8" and "gcc 3.4.6". 


I configured Kerberos and all the other things. All good. 


I added the Samba server (Solaris 10) to an Active Directory domain 
with "kinit ...." and then "net ads join" and so on. 
All worked well. 


Then I configured my smb.conf via the SWAT web console. 
I created a share named "all". 
In SWAT I added the AD group "MyDomain\group_alpha" to the "valid users" option. 


After this I mounted the share on my Windows XP machine. 
The user on the Windows XP machine is in the group "MyDomain\group_alpha". 
All good. 


I can access it and create folders... 


Now I created 2 folders on my Solaris machine in my Samba share folder "all". 
Folders:            Permissions      Owner        Acl 
1. "folderA" with rwxrwx---     root  root    group: group_beta:rwx 
2. "folderB" with rwxrwx---     root  root    group: group_gama:rwx 


After this I added, via "setfacl -m g:MyDomain\\group_beta:rwx folder_a", the group "group_beta" to the first folder. 
I did the same with the folder "folderB", where I added the group "group_gama" (rwx). 


Now I am at the Windows machine; my user "winuser" mounted the Samba share. 
So, "winuser" is a member of the valid share user group "group_alpha"; all AD users are members of this group. 
On the two other folders in the share I added permissions for two other groups. 
So I, as "winuser", should have rights to read, write and execute "folderA", because "winuser" is also a member of "group_beta", but I don't have permissions for "folderB". 


My problem is now that I cannot enter "folderA" or "folderB"! 
(Windows prompt: I don't have permissions for this...) 


The same scenario with adding "users" directly without "group" is working. 


So I think that Samba ignores my supplementary groups for ACLs!!! 


I googled a lot for this problem, but found no solution. 


Help me ;) 


Ciao, Björn 