[Samba] Samba 3.0.x access rights issue with secondary groups or Unix rights

albanperso-zatoo at yahoo.com albanperso-zatoo at yahoo.com
Tue Aug 19 12:40:53 GMT 2008


Details on the groups command


To get the secondary groups, I have to run "id -a" while logged in as the user.

As root, it doesn't work. "id -a jdoe" just returns the primary group.



----- Original message ----
> From: Duncan Brannen <dbb at st-andrews.ac.uk>
> To: albanperso-zatoo at yahoo.com
> Cc: samba at lists.samba.org
> Sent: Tuesday, 19 August 2008, 14:02:38
> Subject: Re: [Samba] Samba 3.0.x access rights issue with secondary groups or Unix rights
> 
> 
> Hi,
>       I have a similar problem, no ADS in my setup, just no 
> supplementary groups showing
> up (samba 3.2.1 and groups ldap in nsswitch.conf as opposed to working 
> with Samba 3.0.28 and groups nis in nsswitch.conf)
> Solaris 10 SPARC
> 
> Everything looks ok, getent, groups etc when logged in as root, 
> but if I su to the user
> not getting any groups and type
> 
> >groups
> 
> I don't see any groups there bar the primary one.
> 
> Are you seeing the same thing?  I.e. if you're logged in as root and type
> 
> groups jdoe
> 
> You see all of jdoe's groups
> 
> but if you su to jdoe and type
> 
> groups
> 
> You only see the primary group?
> 
> Just a long shot but might push you in the right direction?
> 
> 
> Cheers,
>           Duncan
> 
> 
> albanperso-zatoo at yahoo.com wrote:
> > Hi experts
> >
> > I have trouble with access rights.
> >
> > I am running Samba 3.0.31 on Solaris 10 x86 64 bits as a member server of an Active
> > Directory 2003 R2 domain (MYDOMAIN) using Identity Management for Unix.
> > I set rights to access a sub folder of a Samba share. On Solaris the user
> > "toto" jdoe can write a new file. From Windows, the same user can't.
> > It looks OK when the primary group (grp1) of the user is the group
> > that owns the subtree but not when this owner group is a secondary group
> > (grp2).
> > It is OK if I explicitly set the user right from MS Windows.
> > I can't change the access rights to the group from MS Windows.
> >
> > I suspect Unix ownership or ACL to be the root cause but I can't exclude a
> > Samba issue.
> >
> > Thanks for help
> >
> > Here are long details on my config (sorry for the parts that take space and give no
> > useful info, so just go to the valuable data)
> >
> > ************ An extract from my smb.conf ************
> >
> > [global]
> > ## part windows ##
> >         host msdfs = no
> >         netbios name = machines01
> >         netbios aliases = 2store
> >         server string = 2store
> >         workgroup = MYDOMAIN
> >         realm = MYDOMAIN.LOCAL
> >         security = ADS
> >         use kerberos keytab = yes
> >         obey pam restrictions = Yes
> >         use spnego = yes
> >         client use spnego = yes
> >         password server = machinew01.MYDOMAIN.local machinew07.MYDOMAIN.local
> > #       unix extensions = no
> >         machine password timeout = 0
> > #       logon path = \\machines01\profiles\%U
> >         template shell = /bin/bash
> >         hosts allow = 127.0.0.1, 192.168.10.0/255.255.255.0, 192.168.11.0/255.255.255.0
> > ## part samba engine ##
> >         max log size = 50000
> >         log level = 10
> >         syslog = 0
> >         log file = /var/log/samba/%m
> >         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> > ## part ldap et idmap ##
> >         ldap admin dn = "cn=myadmin,cn=users,dc=MYDOMAIN,dc=local"
> >         ldap idmap suffix = ou=idmap
> >         ldap ssl = no
> >         idmap backend = ldap:ldap://machinew01.MYDOMAIN.local ldap:ldap://machinew07.MYDOMAIN.local
> >         #idmap backend =
> > 0-20000
> >         #idmap backend = ad
> >         idmap uid = 10000-20000
> >         idmap gid = 10000-20000
> >         #idmap config MYDOMAIN:schema_mode = rfc2307
> > ## part winbind ##
> >         winbind nss info = rfc2307
> >         winbind cache time = 5
> >         winbind refresh tickets = Yes
> >         winbind use default domain = Yes
> >         winbind trusted domains only = Yes
> >         winbind nested groups = Yes
> >         winbind enum groups = Yes
> >         winbind enum users = Yes
> >
> > [data]
> >         comment = Samba data folder
> >         path = /samba/data
> >         read only = No
> >         create mask = 0740
> >         directory mask = 0750
> >         guest ok = Yes
> >
> >
> >
> >
> > ************ Check the Unix name resolution ************
> > getent passwd jdoe
> > jdoe:x:10037:10002:John DOE:/home/jdoe:/bin/sh
> >
> >
> > getent group grp2
> > grp2::10004:myadmin,jdoe,demo1,demo2,demo3
> >
> >
> > ************ I can check that Samba can resolve if the user is member of the group ************
> >
> > /usr/local/samba/bin/net ads user info jdoe
> > grp2
> > grp1
> >
> >
> > /usr/local/samba/bin/wbinfo -G 10004
> > S-1-5-21-2269603188-533060101-51835291-1642
> >
> > /usr/local/samba/bin/wbinfo -Y S-1-5-21-2269603188-533060101-51835291-1642
> > 10004
> >
> >
> > /usr/local/samba/bin/wbinfo -R 10004
> > winbind_lookup_rids failed
> > Could not lookup RIDs 10004
> >
> >
> >
> > ************ Review of the access rights ************
> >
> > ls -al /samba/data/level1/level2/level3/level4
> > drwxrwsr-x+ 19 myadmin grp2      512 Aug 15 11:18 .
> > drwxr-x---   9 myadmin grp1     512 Aug 12 16:06 ..
> > drwxrws---+  3 myadmin grp2      512 Jun 27 10:58 general
> > -rwxr-----+  1 jdoe     grp2        0 Aug 15 11:18 New Text Document from Windows.txt
> > -rwxrw----   1 jdoe     grp2       44 Aug 15 11:14 newdocfromunix.txt
> >
> > *** ACTION: I try on Unix to change the group owner of ".." to grp2 but that
> > removes all jdoe access from Windows
> >
> >
> > ************ Test POSIX ACLs ************
> > getfacl -a /samba/data/level1/level2/level3/level4/
> >
> > # file: /samba/data/level1/level2/level3/level4/
> > # owner: myadmin
> > # group: grp2
> > user::rwx
> > group::rwx              #effective:rwx
> > other:r-x
> >
> >
> > getfacl -a /samba/data/level1/level2/level3
> >
> > # file: /samba/data/level1/level2/level3
> > # owner: myadmin
> > # group: grp1
> > user::rwx
> > group::r-x              #effective:r-x
> > mask:r-x
> > other:---
> >
> >
> > getfacl -a /samba/data/level1/level2
> >
> > # file: /samba/data/level1/level2
> > # owner: myadmin
> > # group: grp1
> > user::rwx
> > group::r-x              #effective:r-x
> > other:r-x
> >
> >
> > getfacl -a /samba/data/level1
> >
> > # file: /samba/data/level1
> > # owner: root
> > # group: root
> > user::rwx
> > group::r-x              #effective:r-x
> > mask:r-x
> > other:r-x
> >
> >
> > getfacl -a /samba/data
> >
> > # file: /samba/data
> > # owner: myadmin
> > # group: grp1
> > user::rwx
> > user:user123:rwx            #effective:rwx
> > group::r-x              #effective:r-x
> > mask:rwx
> > other:r-x
> >
> >
> >
> > ************ From MS Windows side ************
> >
> > properties/security
> > The group is in the "group and user names" list
> > there is no check box in the Allow or Deny column
> >
> > Advanced/permissions
> >
> > Type    Name    Permission    Inherited from    Apply to
> > Allow    smb_ins (MYDOMAIN/smb_ins)        This folder only
> >
> > ****** ACTION:
> > When I try to force it, the situation returns to the original state with no error.
> > Checking "allow inheritable" and/or "Replace permissions" has no effect in any
> > combination.
> >
> > When I add the user with access right, it is OK
> >
> >
> >
> >
> > ************ Some extract the Samba log level 10 ************
> >
> > [2008/08/15 12:25:22, 10] smbd/statcache.c:stat_cache_lookup(248)
> >   stat_cache_lookup: lookup succeeded for name [jdoe] -> [jdoe]
> > [2008/08/15 12:25:22, 5] smbd/filename.c:unix_convert(246)
> >   unix_convert begin: name = jdoe/ntuser.man, dirpath = jdoe, start = ntuser.man
> > [2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled(276)
> >   is_mangled ntuser.man ?
> > [2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled_component(215)
> >   is_mangled_component ntuser.man (len 10) ?
> > [2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled(276)
> >   is_mangled ntuser.man ?
> > [2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled_component(215)
> >   is_mangled_component ntuser.man (len 10) ?
> > [2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled(276)
> >   is_mangled ntuser.man ?
> > [2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled_component(215)
> >   is_mangled_component ntuser.man (len 10) ?
> > [2008/08/15 12:25:22, 5] smbd/filename.c:unix_convert(440)
> >   New file ntuser.man
> > [2008/08/15 12:25:22, 3] smbd/dosmode.c:unix_mode(142)
> >   unix_mode(jdoe/ntuser.man) returning 0700
> > [2008/08/15 12:25:22, 10] smbd/open.c:open_file_ntcreate(1184)
> >
> > open_file_ntcreate: fname=jdoe/ntuser.man, dos_attrs=0x0
> > access_mask=0x1 share_access=0x7 create_disposition = 0x1
> > create_options=0x140 unix mode=0700 oplock_request=3
> > [2008/08/15 12:25:22, 5] smbd/open.c:open_file_ntcreate(1264)
> >   open_file_ntcreate: FILE_OPEN requested for file jdoe/ntuser.man and file doesn't exist.
> > [2008/08/15 12:25:22, 3] smbd/error.c:error_packet_set(106)
> >   error packet at smbd/nttrans.c(805) cmd=162 (SMBntcreateX) NT_STATUS_OBJECT_NAME_NOT_FOUND
> > [2008/08/15 12:25:22, 5] lib/util.c:show_msg(484)
> > [2008/08/15 12:25:22, 5] lib/util.c:show_msg(494)
> >   size=35
> >   smb_com=0xa2
> >   smb_rcls=52
> >   smb_reh=0
> >   smb_err=49152
> >     smb_flg=136
> >   smb_flg2=51201
> >   smb_tid=3
> >   smb_pid=588
> >   smb_uid=101
> >   smb_mid=1024
> >   smt_wct=0
> >   smb_bcc=0
> >  
> >  
> >  
> > [2008/08/15 12:25:22, 10] smbd/open.c:open_file_ntcreate(1347)
> >   open_file_ntcreate: fname=jdoe/Application Data/Microsoft/SystemCertificates/My/CRLs, after mapping access_mask=0x1
> > [2008/08/15 12:25:22, 5] smbd/files.c:file_new(123)
> >   allocated file structure 1332, fnum = 5428 (5 used)
> > [2008/08/15 12:25:22, 4] smbd/open.c:open_file_ntcreate(1605)
> >   calling open_file with flags=0x0 flags2=0x0 mode=0700, access_mask = 0x1, open_access_mask = 0x1
> > [2008/08/15 12:25:22, 10] smbd/open.c:fd_open(67)
> >   fd_open: name jdoe/Application Data/Microsoft/SystemCertificates/My/CRLs, flags = 00 mode = 0700, fd = 32.
> > [2008/08/15 12:25:22, 10] locking/posix.c:get_windows_lock_ref_count(545)
> >   get_windows_lock_count for file  = 0
> > [2008/08/15 12:25:22, 10] locking/posix.c:delete_windows_lock_ref_count(559)
> >   delete_windows_lock_ref_count for file 
> > [2008/08/15 12:25:22, 5] smbd/files.c:file_free(454)
> >   freed files structure 5428 (4 used)
> > [2008/08/15 12:25:22, 3] smbd/error.c:error_packet_set(106)
> >   error packet at smbd/nttrans.c(779) cmd=162 (SMBntcreateX) NT_STATUS_FILE_IS_A_DIRECTORY
> >  
> >  
> > [2008/08/15 12:25:22, 10] smbd/open.c:open_file_ntcreate(1347)
> >   open_file_ntcreate: fname=jdoe/Application Data/Microsoft/SystemCertificates/My/CRLs, after mapping access_mask=0x1
> > [2008/08/15 12:25:22, 5] smbd/files.c:file_new(123)
> >   allocated file structure 1332, fnum = 5428 (5 used)
> > [2008/08/15 12:25:22, 4] smbd/open.c:open_file_ntcreate(1605)
> >   calling open_file with flags=0x0 flags2=0x0 mode=0700, access_mask = 0x1, open_access_mask = 0x1
> > [2008/08/15 12:25:22, 10] smbd/open.c:fd_open(67)
> >   fd_open: name jdoe/Application Data/Microsoft/SystemCertificates/My/CRLs, flags = 00 mode = 0700, fd = 32.
> > [2008/08/15 12:25:22, 10] locking/posix.c:get_windows_lock_ref_count(545)
> >   get_windows_lock_count for file  = 0
> > [2008/08/15 12:25:22, 10] locking/posix.c:delete_windows_lock_ref_count(559)
> >   delete_windows_lock_ref_count for file 
> > [2008/08/15 12:25:22, 5] smbd/files.c:file_free(454)
> >   freed files structure 5428 (4 used)
> > [2008/08/15 12:25:22, 3] smbd/error.c:error_packet_set(106)
> >   error packet at smbd/nttrans.c(779) cmd=162 (SMBntcreateX) NT_STATUS_FILE_IS_A_DIRECTORY
> >
> >
> >
> > _____________________________________________________________________________
> > Sent with Yahoo! Mail. A smarter mailbox http://mail.yahoo.fr
> >
> 
> 
> -- 
> The University of St Andrews is a charity registered in Scotland : No SC013532





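The thread's working hypothesis is that smbd is evaluating jdoe with only the primary group in its token, so the level4 directory (group grp2, rwx, other r-x) degrades to "other". The script below is an added example, not code from the thread or from the Samba project: it implements the POSIX.1e ACL access algorithm (owner, named user, then any matching owning/named group after the mask, then other) and runs it over the two getfacl listings posted above. It assumes the group names NSS resolves are the ones the thread shows, with grp1 as jdoe's primary group and grp2 as the supplementary one that may or may not be loaded.

```python
"""POSIX.1e ACL access check run over the getfacl listings from the thread.
Added example, not Samba code; it assumes the group names NSS resolves are the
ones the thread shows (grp1 primary, grp2 supplementary for jdoe)."""
from dataclasses import dataclass, field

# Solaris getfacl output copied from the thread ("mask:rwx" / "other:r-x" style)
LEVEL4_ACL = """\
# file: /samba/data/level1/level2/level3/level4/
# owner: myadmin
# group: grp2
user::rwx
group::rwx              #effective:rwx
other:r-x
"""
LEVEL3_ACL = """\
# file: /samba/data/level1/level2/level3
# owner: myadmin
# group: grp1
user::rwx
group::r-x              #effective:r-x
mask:r-x
other:---
"""

@dataclass
class Acl:
    path: str = ""
    owner: str = ""
    group: str = ""
    user_obj: set = field(default_factory=set)        # user::
    named_users: dict = field(default_factory=dict)   # user:NAME:
    group_obj: set = field(default_factory=set)       # group::
    named_groups: dict = field(default_factory=dict)  # group:NAME:
    mask: set = None                                  # None = no mask entry
    other: set = field(default_factory=set)

def _perms(s):
    return {c for c in s if c in "rwx"}

def parse_getfacl(text):
    """Parse getfacl output; accepts Solaris 'mask:rwx' and Linux 'mask::rwx'."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                      # header lines
            key, _, val = line[1:].partition(":")
            attr = {"file": "path", "owner": "owner", "group": "group"}.get(key.strip())
            if attr:
                setattr(acl, attr, val.strip())
            continue
        parts = line.split("#", 1)[0].strip().split(":")  # drop "#effective:" note
        tag, perms = parts[0], _perms(parts[-1])
        qual = parts[1] if len(parts) > 2 else ""
        if tag == "user" and qual:
            acl.named_users[qual] = perms
        elif tag == "user":
            acl.user_obj = perms
        elif tag == "group" and qual:
            acl.named_groups[qual] = perms
        elif tag == "group":
            acl.group_obj = perms
        elif tag == "mask":
            acl.mask = perms
        elif tag == "other":
            acl.other = perms
    return acl

def check_access(acl, user, groups, requested):
    """POSIX.1e access algorithm. `groups` is the primary plus supplementary
    groups the process actually carries, which is what goes missing in the thread."""
    want = _perms(requested)
    mask = acl.mask if acl.mask is not None else set("rwx")
    if user == acl.owner:                             # owner entry is never masked
        return want <= acl.user_obj
    if user in acl.named_users:                       # named user, masked
        return want <= (acl.named_users[user] & mask)
    matching = []
    if acl.group in groups:                           # owning group, masked
        matching.append(acl.group_obj)
    matching += [p for g, p in acl.named_groups.items() if g in groups]
    if matching:
        # One matching group entry must cover the whole request; a user who matches
        # a group that does not grant it is denied, with no fallback to "other".
        return any(want <= (p & mask) for p in matching)
    return want <= acl.other                          # everyone else

def effective_perms(acl, user, groups):
    """'rwx'-style string of the bits granted one at a time."""
    return "".join(c if check_access(acl, user, groups, c) else "-" for c in "rwx")

def audit(user, groups, listings=(LEVEL3_ACL, LEVEL4_ACL)):
    """Effective permissions per directory for `user` carrying `groups`."""
    return {a.path: effective_perms(a, user, groups) for a in map(parse_getfacl, listings)}

if __name__ == "__main__":
    print("jdoe with grp2 loaded:  ", audit("jdoe", {"grp1", "grp2"}))  # level4 -> rwx
    print("jdoe primary group only:", audit("jdoe", {"grp1"}))          # level4 -> r-x
```

Running it shows the two outcomes the thread describes: with grp2 in the group list jdoe gets rwx on level4 (write from Unix works), with only grp1 he falls through to the other entry and gets r-x (the Windows failure). Feeding the script the group list reported by "id -a" as the user versus by "id -a jdoe" as root, as the top of this message does, is a quick way to tell an ACL problem from a group-resolution problem before reading level-10 smbd logs.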