[Samba] samba-3.4.7 & access to share from win7

Linda Walsh samba at tlinx.org
Mon Oct 31 14:01:08 MDT 2011


viktor ruhle wrote:

> Hello list,
> I have tried rather much (forums, google) and trying this as the last option. The problem is that
> one is not able to access "group" samba shares from windows 7 machines,
> everything ok from win-ts-2003 & xp machines. Every user belongs to his
> primary group defined in samba+openldap pdc. If they want to access the
> share named according to their primary group (with permissions
> rwxrwx---), they only get "access denied" error, I can't understand why
> it works from win-XP,2003 but not from win 7 .... other shares
> ("homefolders" - rwx------ and "common shares" - rwxrwxrwx) work without
> problem ....

---
Lots of things changed in win7...you say 'group' access...ok..

So that means the NT clients have to know a user is in group 'x',
(likely meaning it needs to be propagated from a samba acting as
a domain controller).

If not, how would the client know the user is in the group that has 
access?  I.e. it would deny access before ever trying access on the
net, I'd think.


If you want to maintain group access, you might want to use
'force groupmode', instead of or in addition to the masks...the masks
are bitwise-AND masks, (they can strip off stuff, but they won't turn it on).

I assume each user is in their own group -- like andre is in group andre
bib in group bib, helse in group helse...etc...is it set to be their
primary group?  (shouldn't be necessary, but another thing to try
when you can't figure out why things are broken)...;-)

When you look at the properties of one of those dirs from
Winclient, what do you see for the property list?   Does it make
sense?  I.e.
root: full,
group xxx: full  or what?

There's only 1 place I know of to set a Win7's primary group.

And that's from the User control panel -- control panel user 
accounts/manage user accounts...there you will see the option to set
only 1 group/login.  That one group, I think, gets equated to the
primary group (but it's a weak association, since windows doesn't
have the concept of a primary group AFAIK).


The log at the end doesn't give much to go on, BUT the failure of
the IPC at the very beginning might have been an attempt by windows
to find out what groups the user was in -- if that failed, then it
can't get those, and group access wouldn't work...


Sorry, not much to go on, but maybe gives you some ideas?

-l

> 
> I have tried this (*) as well but still no luck ...
> 
> (*)
> Control Panel - Administrative Tools - Local Security Policy
> Local Policies - Security Options
> Network security: LAN Manager authentication level
> Send LM & NTLM responses
> Minimum session security for NTLM SSP
> Disable Require 128-bit encryption 
> -------------------------------------------------------------------------------------------------------------
> samba version - samba-3.4.7
> distro - ubuntu 10.04 server edition
> kernel - 2.6.32-28-generic
> 
> relevant part from smb.conf
> 
> [grupper]
>    path = /home/grupper
>    comment = Velg din gruppe
>    writable = yes
>    browseable = yes
>    create mask = 0770
>    directory mask = 0770
> 
> root@samba3:/home/grupper# ls -la
> total 56
> drwxr-xr-x 14 root root   4096 2011-04-06 16:02 .
> drwxr-xr-x  8 root root   4096 2011-05-25 15:42 ..
> drwxrwx---  2 root andre  4096 2011-04-06 16:02 andre
> drwxrwx---  2 root bib    4096 2011-04-06 16:01 bib
> drwxrwx---  2 root helse  4096 2011-04-06 16:02 helse
> drwxrwx---  2 root ikt    4096 2011-04-06 16:01 ikt
> drwxrwx--- 14 root kassen 4096 2011-06-27 12:00 kassen
> drwxrwx---  2 root kirke  4096 2011-04-06 16:02 kirke
> drwxrwx---  2 root ntk    4096 2011-06-27 14:21 ntk
> drwxrwx---  2 root ord    4096 2011-04-06 16:02 ord
> drwxrwx--- 70 root pro    4096 2011-06-27 22:21 pro
> drwxrwx---  2 root sad    4096 2011-04-06 16:01 sad
> drwxrwx---  2 root sko    4096 2011-04-06 16:01 sko
> drwxrwx---  2 root sosial 4096 2011-04-06 16:02 sosial
> 
> something from logs (hopefully relevant) when a win 7 machine tries to access one of above mentioned shares:
> [2011/07/08 15:52:25,  3] smbd/error.c:60(error_packet_set)
>   error packet at smbd/ipc.c(527) cmd=37 (SMBtrans) NT_STATUS_NOT_SUPPORTED
> [2011/07/08 15:52:25,  3] smbd/process.c:1459(process_smb)
>   Transaction 62 of length 88 (0 toread)
> [2011/07/08 15:52:25,  3] smbd/process.c:1273(switch_message)
>   switch message SMBtrans2 (pid 1961) conn 0x7f2b102aaed0
> [2011/07/08 15:52:25,  3] smbd/sec_ctx.c:310(set_sec_ctx)
>   setting sec ctx (10200, 10002) - sec_ctx_stack_ndx = 0
> [2011/07/08 15:52:25,  3] smbd/trans2.c:3956(call_trans2qfilepathinfo)
>   call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004
> [2011/07/08 15:52:25,  3] smbd/vfs.c:865(check_reduced_name)
>   reduce_name [sad] [/home/grupper]
> [2011/07/08 15:52:25,  3] smbd/vfs.c:974(check_reduced_name)
>   reduce_name: sad reduced to /home/grupper/sad
> [2011/07/08 15:52:25,  3] smbd/trans2.c:4070(call_trans2qfilepathinfo)
>   call_trans2qfilepathinfo sad (fnum = -1) level=1004 call=5 total_data=0
> [2011/07/08 15:52:25,  3] smbd/process.c:1459(process_smb)
>   Transaction 63 of length 88 (0 toread)
> [2011/07/08 15:52:25,  3] smbd/process.c:1273(switch_message)
>   switch message SMBtrans2 (pid 1961) conn 0x7f2b102aaed0
> [2011/07/08 15:52:25,  3] smbd/trans2.c:3956(call_trans2qfilepathinfo)
>   call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1005
> [2011/07/08 15:52:25,  3] smbd/vfs.c:865(check_reduced_name)
>   reduce_name [sad] [/home/grupper]
> 
> Thank you in advance for hint ...
> 
> Regards kuda
> 
>  
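
An added example, not part of the original thread: a Python model of the two server-side rules this exchange turns on, namely that a `drwxrwx---` directory only admits a user whose resolved group list contains the directory's group, and that `directory mask` is ANDed while a force mode is ORed. The user name `user1`, the function names and the use of Samba's `force directory mode` parameter as the forcing option are assumptions made for illustration.

```python
# Constructed sample: three rows copied from the `ls -la` listing in the post.
LISTING = """\
drwxrwx---  2 root andre  4096 2011-04-06 16:02 andre
drwxrwx---  2 root sad    4096 2011-04-06 16:01 sad
drwxrwx--- 14 root kassen 4096 2011-06-27 12:00 kassen
"""

def parse_ls(listing):
    """Map name -> (owner, group, permission bits) for each `ls -l` row."""
    out = {}
    for row in listing.splitlines():
        f = row.split()
        bits = 0
        for i, ch in enumerate(f[0][1:10]):      # the nine rwx characters
            if ch != "-":
                bits |= 1 << (8 - i)
        out[f[-1]] = (f[2], f[3], bits)
    return out

def can_enter(entry, user, groups):
    """POSIX class selection: owner, else group, else other; need r and x."""
    owner, group, bits = entry
    if user == "root":
        return True
    if user == owner:
        shift = 6
    elif group in groups:                        # groups the server resolved
        shift = 3
    else:
        shift = 0
    return (bits >> shift) & 0o5 == 0o5

def new_dir_mode(requested, directory_mask, force_directory_mode=0):
    """Mask is ANDed (can only clear bits); force mode is ORed (sets bits)."""
    return (requested & directory_mask) | force_directory_mode

if __name__ == "__main__":
    dirs = parse_ls(LISTING)
    # Hypothetical user1: same account, with and without group 'sad' resolved.
    print("with group sad:   ", can_enter(dirs["sad"], "user1", {"sad"}))
    print("group not resolved:", can_enter(dirs["sad"], "user1", set()))
    # directory mask = 0770 from the posted smb.conf
    print(oct(new_dir_mode(0o700, 0o770)))          # mask cannot add group bits
    print(oct(new_dir_mode(0o700, 0o770, 0o070)))   # force mode turns them on
```
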



