[Samba] Group member can not delete files - only dir (775) owner can

mostlyhappy r_rethmann at hotmail.com
Thu Aug 21 13:24:45 GMT 2008


Hi there,

I have a problem I cannot solve myself.
I have Samba 3.0.28 installed on an Ubuntu 8.0.4 server.
Samba is a member of AD. Authentication is Kerberos; user/group IDs are
handled by NIS (Windows 2008 SFU / NIS Server).

My Samba config:

[global]
	write list = admin,rado,@Administratoren
	deny hosts = 0.0.0.0/0.0.0.0
	client schannel = No
	allow hosts = localhost, 192.168.1.0/255.255.252.0
	netbios name = HORST
	printing = bsd
	delete readonly = yes
	invalid users = root
	local master = No
	workgroup = COCON
	debug level = 3
	os level = 10
	printcap name = /dev/null
	security = ads
	usershare allow guests = Yes
	disable spoolss = yes
	max log size = 1000
	directory mode = 775
	log level = 2
	log file = /var/log/samba/log.%m
	load printers = no
	profile acls = Yes
	socket options = TCP_NODELAY SO_SNDBUF=16384 SO_RCVBUF=16384
	wins server = 192.168.1.112
	client use spnego = yes
	interfaces = 192.168.1.0/255.255.252.0 eth0
	idmap backend = ad
	realm = COCON.INT
	server string = %h server (Samba, Ubuntu)
	wide links = no
	password server = 192.168.1.112
	valid users = @sambauser,@Administratoren
	create mode = 664
	syslog = 0
	preferred master = no
	panic action = /usr/share/samba/panic-action %d
	bind interfaces only = Yes
	dos filemode = yes
	nt acl support = yes
	map acl inherit = yes 

[homes]
	browseable = yes
	writeable = yes
	path = /home/%U
	create mask = 0600
	comment = Home Shares
	directory mask = 0700
	valid users = %S,@chef
	available = yes
	force user = %S

[SVS]
	comment = SVS packages
	path = /opt/svs

Everything works well except for the fact that group members who are not
the owner of a folder cannot delete/rename files in that folder.

root@horst:/opt# ls -l
...
drwxrwxr-x 10 admin         Administratoren 12288 2008-08-21 14:49 svs
...

root@horst:/opt/svs# ls -l
...
-rw-rw-rw- 1 rado Administratoren        77 2008-08-17 18:05 test.txt
...

root@horst:/var/log/samba# getent group | grep rado
Administratoren::10001:scense,rado,Administrator,admin
sambauser::10004:ute,rado,jutta,connyie,bernd,anne
chef::10005:rado,connyie

Although /opt/svs has the dir mask of 775 and I (rado) am a member of
Administratoren, I cannot rename/delete test.txt.
I can create new files/folders and edit files owned by admin, so the group
mapping (AD to Samba) works.

The logfile says 'NT_STATUS_ACCESS_DENIED' but I don't know why. Maybe the
AD server only shows the first group (sambauser) membership when asked for
the file deletion? How can I investigate this?

Can anybody pls help?

Thanks, Rado

Logfile:
...
[2008/08/21 15:15:56, 3] smbd/process.c:switch_message(927)
  switch message SMBtrans2 (pid 26522) conn 0x84cb358
[2008/08/21 15:15:56, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (10000, 10004) - sec_ctx_stack_ndx = 0
[2008/08/21 15:15:56, 3] smbd/trans2.c:call_trans2qfilepathinfo(3304)
  call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(821)
  reduce_name [test.txt] [/opt/svs]
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(922)
  reduce_name: test.txt reduced to /opt/svs/test.txt
[2008/08/21 15:15:56, 3] smbd/trans2.c:call_trans2qfilepathinfo(3355)
  call_trans2qfilepathinfo test.txt (fnum = -1) level=1004 call=5
total_data=0
[2008/08/21 15:15:56, 3] smbd/process.c:process_smb(1069)
  Transaction 59067 of length 108
[2008/08/21 15:15:56, 3] smbd/process.c:switch_message(927)
  switch message SMBntcreateX (pid 26522) conn 0x84cb358
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(821)
  reduce_name [test.txt] [/opt/svs]
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(922)
  reduce_name: test.txt reduced to /opt/svs/test.txt
[2008/08/21 15:15:56, 3] smbd/dosmode.c:unix_mode(142)
  unix_mode(test.txt) returning 0664
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(821)
  reduce_name [test.txt] [/opt/svs]
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(922)
  reduce_name: test.txt reduced to /opt/svs/test.txt
[2008/08/21 15:15:56, 2] smbd/open.c:open_file(391)
  rado opened file test.txt read=No write=No (numopen=1)
[2008/08/21 15:15:56, 3] smbd/process.c:process_smb(1069)
  Transaction 59068 of length 76
[2008/08/21 15:15:56, 3] smbd/process.c:switch_message(927)
  switch message SMBtrans2 (pid 26522) conn 0x84cb358
[2008/08/21 15:15:56, 3] smbd/trans2.c:call_trans2qfilepathinfo(3244)
  call_trans2qfilepathinfo: TRANSACT2_QFILEINFO: level = 1006
[2008/08/21 15:15:56, 3] smbd/trans2.c:call_trans2qfilepathinfo(3355)
  call_trans2qfilepathinfo test.txt (fnum = 6669) level=1006 call=7
total_data=0
[2008/08/21 15:15:56, 3] smbd/process.c:process_smb(1069)
  Transaction 59069 of length 120
[2008/08/21 15:15:56, 3] smbd/process.c:switch_message(927)
  switch message SMBtrans2 (pid 26522) conn 0x84cb358
[2008/08/21 15:15:56, 3] smbd/trans2.c:call_trans2setfilepathinfo(5831)
  call_trans2setfilepathinfo(8) test.txt (fnum 6669) info_level=1004
totdata=40
[2008/08/21 15:15:56, 3] smbd/process.c:process_smb(1069)
  Transaction 59070 of length 45
[2008/08/21 15:15:56, 3] smbd/process.c:switch_message(927)
  switch message SMBclose (pid 26522) conn 0x84cb358
[2008/08/21 15:15:56, 3] smbd/reply.c:reply_close(3338)
  close fd=-1 fnum=6669 (numopen=1)
[2008/08/21 15:15:56, 2] smbd/close.c:close_normal_file(406)
  rado closed file test.txt (numopen=0) NT_STATUS_OK
[2008/08/21 15:15:56, 3] smbd/process.c:process_smb(1069)
  Transaction 59071 of length 108
[2008/08/21 15:15:56, 3] smbd/process.c:switch_message(927)
  switch message SMBntcreateX (pid 26522) conn 0x84cb358
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(821)
  reduce_name [test.txt] [/opt/svs]
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(922)
  reduce_name: test.txt reduced to /opt/svs/test.txt
[2008/08/21 15:15:56, 3] lib/util_seaccess.c:se_access_check(250)
[2008/08/21 15:15:56, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-10000
  se_access_check: also S-1-22-2-10004
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-22-2-10001
  se_access_check: also S-1-22-2-10005
[2008/08/21 15:15:56, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/nttrans.c(697) cmd=162 (SMBntcreateX)
NT_STATUS_ACCESS_DENIED
[2008/08/21 15:15:56, 3] smbd/process.c:process_smb(1069)
  Transaction 59072 of length 108
[2008/08/21 15:15:56, 3] smbd/process.c:switch_message(927)
  switch message SMBntcreateX (pid 26522) conn 0x84cb358
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(821)
  reduce_name [test.txt] [/opt/svs]
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(922)
  reduce_name: test.txt reduced to /opt/svs/test.txt
[2008/08/21 15:15:56, 3] lib/util_seaccess.c:se_access_check(250)
[2008/08/21 15:15:56, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-10000
  se_access_check: also S-1-22-2-10004
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-22-2-10001
  se_access_check: also S-1-22-2-10005
[2008/08/21 15:15:56, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/nttrans.c(697) cmd=162 (SMBntcreateX)
NT_STATUS_ACCESS_DENIED
[2008/08/21 15:15:56, 3] smbd/process.c:process_smb(1069)
  Transaction 59073 of length 104
[2008/08/21 15:15:56, 3] smbd/process.c:switch_message(927)
  switch message SMBtrans2 (pid 26522) conn 0x84cb358
[2008/08/21 15:15:56, 3] smbd/trans2.c:call_trans2findfirst(1704)
  call_trans2findfirst: dirtype = 16, maxentries = 1366,
close_after_first=1, close_if_end = 2 requires_resume_key = 4 level = 0x104,
max_data_bytes = 16384
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(821)
  reduce_name [test.txt] [/opt/svs]
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(922)
  reduce_name: test.txt reduced to /opt/svs/test.txt
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(821)
  reduce_name [./] [/opt/svs]
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(922)
  reduce_name: ./ reduced to /opt/svs
[2008/08/21 15:15:56, 3] smbd/dir.c:dptr_create(515)
  creating new dirptr 256 for path ./, expect_close = 1
[2008/08/21 15:15:56, 3] smbd/process.c:process_smb(1069)
  Transaction 59074 of length 108
[2008/08/21 15:15:56, 3] smbd/process.c:switch_message(927)
  switch message SMBntcreateX (pid 26522) conn 0x84cb358
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(821)
  reduce_name [test.txt] [/opt/svs]
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(922)
  reduce_name: test.txt reduced to /opt/svs/test.txt
[2008/08/21 15:15:56, 3] smbd/dosmode.c:unix_mode(142)
  unix_mode(test.txt) returning 0664
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(821)
  reduce_name [test.txt] [/opt/svs]
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(922)
  reduce_name: test.txt reduced to /opt/svs/test.txt
[2008/08/21 15:15:56, 2] smbd/open.c:open_file(391)
  rado opened file test.txt read=Yes write=No (numopen=1)
[2008/08/21 15:15:56, 3] smbd/oplock_linux.c:linux_set_kernel_oplock(180)
  linux_set_kernel_oplock: got kernel oplock on file test.txt, dev = ca03,
inode = 8650754, file_id = 4069
[2008/08/21 15:15:57, 3] smbd/process.c:process_smb(1069)
  Transaction 59075 of length 148
[2008/08/21 15:15:57, 3] smbd/process.c:switch_message(927)
  switch message SMBtrans2 (pid 26522) conn 0x8480850
[2008/08/21 15:15:57, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (10000, 10004) - sec_ctx_stack_ndx = 0
[2008/08/21 15:15:57, 3] smbd/trans2.c:call_trans2findfirst(1704)
...
-- 
View this message in context: http://www.nabble.com/Group-member-can-not-delete-files---only-dir-%28775%29-owner-can-tp19088730p19088730.html
Sent from the Samba - General mailing list archive at Nabble.com.
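
Whether the Administratoren membership reaches smbd can be checked from the posted log itself. The following is an added example, not part of the original message: it decodes the se_access_check SIDs against the posted getent output, relying on Samba's S-1-22-1-<uid> / S-1-22-2-<gid> SIDs for Unix ids; the function names are made up for this sketch.

```python
import re

# Excerpts copied from the post: getent output and one se_access_check block.
GETENT = """\
Administratoren::10001:scense,rado,Administrator,admin
sambauser::10004:ute,rado,jutta,connyie,bernd,anne
chef::10005:rado,connyie
"""
LOG = """\
  se_access_check: user sid is S-1-22-1-10000
  se_access_check: also S-1-22-2-10004
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-22-2-10001
  se_access_check: also S-1-22-2-10005
"""

# Well-known SIDs, plus the prefixes Samba uses for Unix users and groups.
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-2": "NETWORK",
              "S-1-5-11": "Authenticated Users"}
UNIX_USER, UNIX_GROUP = "S-1-22-1-", "S-1-22-2-"

def parse_getent(text):  # -> {gid: (group_name, [members])}
    groups = {}
    for line in text.splitlines():
        name, _pw, gid, members = line.split(":", 3)
        groups[int(gid)] = (name, [m for m in members.split(",") if m])
    return groups

def token_sids(log):  # SIDs listed by se_access_check, in log order
    return re.findall(r"se_access_check: (?:user sid is|also) (S-[\d-]+)", log)

def describe(sid, groups):
    if sid.startswith(UNIX_GROUP):
        gid = int(sid[len(UNIX_GROUP):])
        return "unix group %s (gid %d)" % (groups.get(gid, ("?",))[0], gid)
    if sid.startswith(UNIX_USER):
        return "unix uid " + sid[len(UNIX_USER):]
    return WELL_KNOWN.get(sid, "unresolved")

def missing_groups(user, log, groups):  # in getent for user, absent in token
    in_token = {int(s[len(UNIX_GROUP):]) for s in token_sids(log)
                if s.startswith(UNIX_GROUP)}
    return sorted(name for gid, (name, members) in groups.items()
                  if user in members and gid not in in_token)

if __name__ == "__main__":
    g = parse_getent(GETENT)
    for sid in token_sids(LOG):
        print(sid, "->", describe(sid, g))
    print("missing from token:", missing_groups("rado", LOG, g))
```

For the posted excerpt the missing list is empty: gids 10001, 10004 and 10005 all appear in the token that se_access_check evaluated just before NT_STATUS_ACCESS_DENIED.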


