[Samba] Permission issue writing to demo share

steve steve at steve-ss.com
Fri Jun 27 10:36:01 MDT 2014


On Fri, 2014-06-27 at 18:15 +0200, Lars Hanke wrote:
> >> I can read and write the Share using AD\Administrator. AD\StandardUser
> >> can mount the share and read, what the Administrator put there. But he
> >> cannot create or modify files.
> > Please post:
> > smb.conf
> [global]
>          workgroup = AD
>          realm = AD.MICROSULT.DE
>          netbios name = SAMBA
>          server role = active directory domain controller
>          private dir = /srv/files/private
>          lock directory = /srv/files
>          state directory = /srv/files/state
>          cache directory = /srv/files/cache
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>          idmap_ldb:use rfc2307 = yes
> 
Remove the tls stuff
>          # allow for TLS / ldaps
>          tls enabled = yes
>          tls keyfile = /etc/samba/tls/SAMBA.ad.microsult.de.key.pem
>          tls certfile = /etc/samba/tls/SAMBA.ad.microsult.de.pem
>          tls cafile = /etc/certs/cacert.pem
> 
>          # this is from steve's mail
>          kerberos method = system keytab
Remove the kerberos method line

> [netlogon]
>          path = /srv/files/state/sysvol/ad.microsult.de/scripts
>          read only = No
> 
> [sysvol]
>          path = /srv/files/state/sysvol
>          read only = No
> 
> [Demo]
>          path = /srv/files/shares/Demo
>          read only = no
> 
> > /etc/nsswitch.conf
> passwd:         compat
> group:          compat
> shadow:         compat
> 
> hosts:          files dns
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis
> 
> > getent passwd AS\StandardUser
> empty, as is AD\Administrator
> 
> > getfacl /path/to/your/demo share
> Didn't install ACL so far, since the samba docs claim to use extended 
> attributes instead of POSIX ACL.
We didn't ask for extended ACLs. Doesn't your distro have getfacl by
default? If not, you will have to install it. In any case, we cannot
start to play with permissions until winbind is working. . .
> 
> root at samba:/# ls -la /srv/files/shares/Demo/
> total 8
> drwxr-xr-x  2 root    root  35 Jun 27 14:24 .
> drwxr-xr-x  3 root    root  17 Jun 13 13:19 ..
> -rwxrwxr-x+ 1 3000000 users 32 Jun 27 14:24 Erstellt von Admin.txt
> root at samba:/# attr -l /srv/files/shares/Demo
> root at samba:/# attr -l /srv/files/shares/Demo/*
> Attribute "DOSATTRIB" has a 56 byte value for 
> /srv/files/shares/Demo/Erstellt von Admin.txt
> Attribute "NTACL" has a 312 byte value for 
> /srv/files/shares/Demo/Erstellt von Admin.txt
> root at samba:/# attr -g NTACL /srv/files/shares/Demo/Erstellt\ von\ Admin.txt
> attr_get: No data available
> Could not get "NTACL" for /srv/files/shares/Demo/Erstellt von Admin.txt
> 
> Actually I had expected AD/Administrator to map to uid 0 instead of 
> 3000000. At least this uid is in the LDAP.
No. If you want that, you will have to use a map file. Only on the DC
does it map to something which can write to a share. But don't get too
comfortable with that because soon now, winbind will work on the DC as
it does elsewhere.
 
> 
> Regards,
>   - lars.

/etc/nsswitch.conf
passwd:          files winbind
group:           files winbind

On a source build:
 ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
 ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
 ln -s /usr/local/samba/lib/pam_winbind.so /lib/security

You'll have to work out whether you need to make the links at all and,
if so, where, as I can't tell where you have samba installed.

Restart samba and try again with the commands. Also could you remind us
of your distro and samba version?
Cheers and HTH
Steve
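
The checks Steve asks for above (winbind listed for passwd and group in
nsswitch.conf, libnss_winbind reachable by glibc, and "getent passwd" for
the domain users actually returning something) gathered into one script.
This is an added example and is not part of the thread or of Samba
itself. It assumes the domain name AD and the user StandardUser from the
thread, the /usr/local/samba/lib location Steve gives for a source
build, and NSSWITCH_CONF as an optional override of /etc/nsswitch.conf;
the sample nsswitch lines used when testing it are constructed here.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: verify the winbind
# NSS wiring before touching share permissions.
# Assumptions taken from the thread: domain AD, test user StandardUser,
# /usr/local/samba/lib as the library dir of a source build.

# nss_has_winbind FILE DB
# 0 if the nsswitch database DB (passwd, group, ...) in FILE lists winbind
# as a source, 1 otherwise. Comments are stripped and both "db:" and
# "db :" parse, as glibc accepts either spelling.
nss_has_winbind() {
    sed -e 's/#.*//' -e 's/:/ : /' "$1" |
    awk -v db="$2" '
        $1 == db && $2 == ":" {
            for (i = 3; i <= NF; i++) if ($i == "winbind") found = 1
        }
        END { exit !found }'
}

# nss_module_found DIR...
# 0 if libnss_winbind.so.2 (the name glibc dlopens for the "winbind"
# source) exists in one of the given directories, 1 if it is in none.
nss_module_found() {
    for d in "$@"; do
        [ -e "$d/libnss_winbind.so.2" ] && return 0
    done
    return 1
}

# winbind_resolves USER
# 0 if NSS turns USER into a passwd entry; the empty "getent passwd"
# output in the thread is this check failing.
winbind_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# Run the live checks on this host and print one line per check.
live_check() {
    conf=${NSSWITCH_CONF:-/etc/nsswitch.conf}
    for db in passwd group; do
        if nss_has_winbind "$conf" "$db"; then
            printf 'ok:   %s lists winbind in %s\n' "$db" "$conf"
        else
            printf 'FAIL: %s does not list winbind in %s\n' "$db" "$conf"
        fi
    done
    if nss_module_found /lib /lib64 /usr/lib /usr/lib64 /usr/local/samba/lib; then
        printf 'ok:   libnss_winbind.so.2 present\n'
    else
        printf 'FAIL: libnss_winbind.so.2 not found in the usual library dirs\n'
    fi
    for u in 'AD\Administrator' 'AD\StandardUser'; do
        if winbind_resolves "$u"; then
            # name:uid:gid, so the mapped ids (e.g. 3000000) are visible
            printf 'ok:   %s -> %s\n' "$u" "$(getent passwd "$u" | cut -d: -f1,3,4)"
        else
            printf 'FAIL: getent passwd %s is empty; winbind is not answering\n' "$u"
        fi
    done
}

# Only run the live checks when asked, so the functions can be sourced.
if [ "${1-}" = "--live" ]; then
    live_check
fi
```

Run it as "sh winbind-check.sh --live" after editing nsswitch.conf,
making the links and restarting samba; once every line reads "ok" the
getfacl step makes sense, and the uid/gid printed for AD\Administrator
shows what the share's files will actually be owned by.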
