[Samba] Can't get permission on a share to work problem with groups
Chan Min Wai
dcmwai at gmail.com
Sun Feb 9 03:04:37 MST 2014
Dear Horace,
Just wondering if this share server is also a DC?
Also, would getent passwd "username" work?
On Sun, Feb 9, 2014 at 5:01 PM, Horace <mailinglist at lhplan.tk> wrote:
> On 2014-01-24 18:10, me at electronico.nc wrote:
>
>> On 25/01/2014 08:05, Horace wrote:
>>
>>> Hello,
>>>
>>> 1. I have created a directory /srv/samba4/Public Applications.
>>> 2. I created a group 'Domain Admins' with gid 1003
>>> 3. I setfacl -m group:1003:rwx on Public Applications
>>> 4. I created a share
>>> [Public Applications]
>>> read list = @ACCOUNTSAD\"Domain Users"
>>> write list = @"Domain Admins"
>>> comment = Public Applications
>>> path = /srv/samba4/Public Applications
>>> #admin users = @"Domain Admins"
>>> 5. wbinfo --group-info 'Domain Admins'
>>> ACCOUNTSAD\Domain Admins:*:1003:
>>>
>>> Debug level
>>> # Debug logging information
>>> #log level = 10
>>> log level = 3
>>> #log file = /var/log/samba.log.%m
>>> #max log size = 50
>>> debug timestamp = yes
>>> syslog only = yes
>>>
>>>
>>> As anyone can see, I would like Domain Admins to have read/write access and Domain
>>> Users read access only. For whatever reason, when I access the share
>>> \\PDC-S2\Public Applications and try to create a folder, I get Permission
>>> denied.
>>>
>>> I have tailed both syslog and log.smbd and there is NO relevant
>>> information regarding why this is failing.
>>>
>>> Am I doing something wrong here ?
>>>
>> Not sure if it's relevant, but I never use shares with spaces in the
>> filename, so you don't have to double-quote them.
>> This avoids a lot of errors.
>> Nicolas
>>
>
> I followed your suggestion and set path to path = /srv/samba4/Public_Applications,
> which resolved some annoying errors. However, I am still getting ACCESS
> DENIED, if you take a look at the logs below:
>
> [2014/02/09 03:46:03.001182, 4, pid=13792, effective(0, 0), real(0, 0)]
> ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2014/02/09 03:46:03.001309, 5, pid=13792, effective(0, 0), real(0, 0)]
> ../source3/smbd/share_access.c:127(token_contains_name)
> Domain Admins is a None, expected a group
> [2014/02/09 03:46:03.001393, 10, pid=13792, effective(0, 0), real(0, 0)]
> ../source3/smbd/share_access.c:215(user_ok_token)
> User ACCOUNTSAD\lutchy.horace not in 'valid users'
> [2014/02/09 03:46:03.001474, 2, pid=13792, effective(0, 0), real(0, 0)]
> ../source3/smbd/service.c:418(create_connection_session_info)
> user 'ACCOUNTSAD\lutchy.horace' (from session setup) not permitted to
> access this share (Public Applications)
> [2014/02/09 03:46:03.001564, 1, pid=13792, effective(0, 0), real(0, 0)]
> ../source3/smbd/service.c:550(make_connection_snum)
> create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
> [2014/02/09 03:46:03.001655, 5, pid=13792, effective(0, 0), real(0, 0)]
> ../lib/dbwrap/dbwrap.c:187(dbwrap_check_lock_order)
> check lock order 1 for /usr/local/samba/var/lock/smbXsrv_tcon_global.tdb
> [2014/02/09 03:46:03.001738, 10, pid=13792, effective(0, 0), real(0, 0)]
> ../lib/dbwrap/dbwrap.c:133(debug_lock_order)
> lock order: 1:/usr/local/samba/var/lock/smbXsrv_tcon_global.tdb
> 2:<none> 3:<none>
> [2014/02/09 03:46:03.001827, 10, pid=13792, effective(0, 0), real(0, 0)]
> ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key)
> Locking key 96AE9D8A
> [2014/02/09 03:46:03.001920, 10, pid=13792, effective(0, 0), real(0, 0)]
> ../lib/dbwrap/dbwrap_tdb.c:143(db_tdb_fetch_locked_internal)
> Allocated locked data 0x0xb8ec2290
> [2014/02/09 03:46:03.002025, 10, pid=13792, effective(0, 0), real(0, 0)]
> ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key)
> Unlocking key 96AE9D8A
> [2014/02/09 03:46:03.002109, 5, pid=13792, effective(0, 0), real(0, 0)]
> ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
> release lock order 1 for /usr/local/samba/var/lock/
> smbXsrv_tcon_global.tdb
> [2014/02/09 03:46:03.002189, 10, pid=13792, effective(0, 0), real(0, 0)]
> ../lib/dbwrap/dbwrap.c:133(debug_lock_order)
> lock order: 1:<none> 2:<none> 3:<none>
> [2014/02/09 03:46:03.002380, 10, pid=13792, effective(0, 0), real(0, 0)]
> ../source3/smbd/smb2_server.c:2643(smbd_smb2_request_error_ex)
> smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] ||
> at ../source3/smbd/smb2_tcon.c:127
> [2014/02/09 03:46:03.002470, 10, pid=13792, effective(0, 0), real(0, 0)]
> ../source3/smbd/smb2_server.c:2544(smbd_smb2_request_done_ex)
> smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_ACCESS_DENIED]
> body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:2682
> [2014/02/09 03:46:03.002558, 10, pid=13792, effective(0, 0), real(0, 0)]
> ../source3/smbd/smb2_server.c:873(smb2_set_operation_credit)
> smb2_set_operation_credit: requested 1, charge 1, granted 1, current
> possible/max 386/512, total granted/max/low/range 127/8192/17/127
>
> Domain Admins is a None, expected a group is invalid?
>
> Here is my current configuration for the time being:
>
> [Public Applications]
>
> write list = @"Domain Admins"
> comment = Publicly Shared Applications for Intranet Users
> path = /srv/samba4/Public_Applications
> valid users = @"Domain Admins"
>
>
> I have also tried valid users = ACCOUNTSAD\"Domain Admins" but I still get
> 'is none, expected a group'? What is the correct syntax for providing groups
> in the valid users field??
>
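A triage helper for the smbd debug output quoted in the message above, added here as an example and not part of the thread or of Samba: it re-joins wrapped entries, keeps only those logged by the functions that surround the refused connection in that log, and shows which of them a given `log level` would have recorded. The function names and the `max_level` parameter are this example's own; the sample entries are copied from the quoted log.

```python
import re

# Header and source-location lines of one smbd debug entry, as in the log above.
HEADER = re.compile(r"^\[[\d/]+ [\d:.]+,\s+(?P<level>\d+), pid=\d+,")
LOCATION = re.compile(r"^\S+:\d+\((?P<func>\w+)\)$")
# Functions that report the share-level decision in the quoted log.
ACCESS_FUNCS = {"token_contains_name", "user_ok_token",
                "create_connection_session_info", "make_connection_snum"}

# Entries copied from the log in the message above (mail quoting removed).
SAMPLE_LOG = r"""[2014/02/09 03:46:03.001309, 5, pid=13792, effective(0, 0), real(0, 0)]
../source3/smbd/share_access.c:127(token_contains_name)
Domain Admins is a None, expected a group
[2014/02/09 03:46:03.001393, 10, pid=13792, effective(0, 0), real(0, 0)]
../source3/smbd/share_access.c:215(user_ok_token)
User ACCOUNTSAD\lutchy.horace not in 'valid users'
[2014/02/09 03:46:03.001474, 2, pid=13792, effective(0, 0), real(0, 0)]
../source3/smbd/service.c:418(create_connection_session_info)
user 'ACCOUNTSAD\lutchy.horace' (from session setup) not permitted to
access this share (Public Applications)
[2014/02/09 03:46:03.001564, 1, pid=13792, effective(0, 0), real(0, 0)]
../source3/smbd/service.c:550(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2014/02/09 03:46:03.001655, 5, pid=13792, effective(0, 0), real(0, 0)]
../lib/dbwrap/dbwrap.c:187(dbwrap_check_lock_order)
check lock order 1 for /usr/local/samba/var/lock/smbXsrv_tcon_global.tdb
"""

def parse_entries(text):
    """Split an smbd debug log into entries: level, function, joined message."""
    entries = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        head = HEADER.match(line)
        if head:
            entries.append({"level": int(head["level"]), "func": None, "msg": ""})
        elif entries:
            cur, loc = entries[-1], LOCATION.match(line)
            if loc and cur["func"] is None:
                cur["func"] = loc["func"]
            else:  # message text; wrapped lines are re-joined with a space
                cur["msg"] = (cur["msg"] + " " + line).strip()
    return entries

def access_decisions(text, max_level=10):
    """Entries about the share access decision that `log level = max_level` records."""
    return [e for e in parse_entries(text)
            if e["func"] in ACCESS_FUNCS and e["level"] <= max_level]

if __name__ == "__main__":
    for e in access_decisions(SAMPLE_LOG):
        print(e["level"], e["func"], "->", e["msg"])
```

With `max_level=3` only the two refusal summaries remain; the `token_contains_name` line that names the group is logged at level 5.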