[Samba] How to troubleshoot an ACL error?
Peter Clark
pclark at pclark.com
Tue Mar 4 09:06:12 MST 2014
Hi,

Apparently they're not the same:

[root at c3po ~]# getent passwd pclark
pclark:x:500:500:Peter Clark:/home/pclark:/bin/bash
[root at c3po ~]# wbinfo -n pclark
S-1-5-21-3282403630-2364130862-3038773389-1105 SID_USER (1)
[root at c3po ~]# ldbedit -e pico -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-3282403630-2364130862-3038773389-1105
no matching records - cannot edit

I'm sure it's likely that this is some sort of operator error. I thought
winbind was supposed to take care of this kind of mapping? The AD user and
computer control panel on a Windows system shows the correct Unix username
and home dir for the user?

On Tue, March 4, 2014 10:34 am, Rowland Penny wrote:
> On 04/03/14 15:08, Peter Clark wrote:
>> I'm running Version 4.2.0pre1-GIT-ca3998d on a Fedora 20 host. The output
>> of testparm is:
>>
>> [global]
>> workgroup = SOMETHING
>> realm = SOMETHING.SOMETHING.COM
>> server role = active directory domain controller
>> passdb backend = samba_dsdb
>> server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>> winbind, ntp_signd, kcc, dnsupdate, smb
>> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
>> netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser,
>> eventlog6, backupkey, dnsserver, winreg, srvsvc
>> rpc_server:tcpip = no
>> rpc_daemon:spoolssd = embedded
>> rpc_server:spoolss = embedded
>> rpc_server:winreg = embedded
>> rpc_server:ntsvcs = embedded
>> rpc_server:eventlog = embedded
>> rpc_server:srvsvc = embedded
>> rpc_server:svcctl = embedded
>> rpc_server:default = external
>> idmap_ldb:use rfc2307 = yes
>> idmap config * : backend = tdb
>> map archive = No
>> map readonly = no
>> store dos attributes = Yes
>> vfs objects = dfs_samba4, acl_xattr
>>
>> [netlogon]
>> path = /usr/local/samba/var/locks/sysvol/something.something.com/scripts
>> read only = No
>>
>> [sysvol]
>> path = /usr/local/samba/var/locks/sysvol
>> read only = No
>>
>> [homes]
>> path = /home
>> read only = No
>>
>> I can run lists:
>>
>> smbclient -L localhost -U%
>> Domain=[SOMETHING] OS=[Unix] Server=[Samba 4.2.0pre1-GIT-ca3998d]
>>
>> Sharename Type Comment
>> --------- ---- -------
>> netlogon Disk
>> sysvol Disk
>> homes Disk
>> IPC$ IPC IPC Service
>> localhost is an IPv6 address -- no workgroup available
>> [pclark at c3po ~]$
>>
>> However when I log in as a user and try to go into my homedir:
>>
>> Domain=[SOMETHING] OS=[Unix] Server=[Samba 4.2.0pre1-GIT-ca3998d]
>> smb: \> dir
>> . D 0 Sun Mar 2 11:06:09 2014
>> .. D 0 Mon Mar 3 03:44:25 2014
>> pclark D 0 Mon Mar 3 13:36:36 2014
>>
>> 34001 blocks of size 8388608. 13463 blocks available
>> smb: \> cd pclark
>> cd \pclark\: NT_STATUS_INVALID_ACL
>> smb: \>
>>
>> getfacl shows:
>> getfacl pclark
>> # file: pclark
>> # owner: pclark
>> # group: pclark
>> user::rwx
>> group::rwx
>> other::r-x
>>
>>
>> When I try and bring up the folder on a Windows system the security tab
>> only has an X with an error message that says the "security information is
>> unavailable or cannot be displayed", even when logged into the domain as
>> Administrator.
>>
>> My drives are mounted with user_xattr,acl options in /etc/fstab. I'm not
>> sure how to troubleshoot this further, any thoughts on how to reset the
>> acl to a baseline that can be later edited (or, what did I do wrong here?)
>> would be appreciated.
>>
>> Thanks,
>>
> OK, so you are trying to login to a share on the samba server?
>
> Does your user have a uidNumber in AD? If so, is this the same number
> that 'getent passwd pclark' shows on the samba4 server?
>
> Rowland
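
The comparison discussed in this thread (the uid that `getent passwd` reports against the uid winbind resolves for the account's SID) can be scripted. This is an added example, not part of the original messages or of Samba itself; the function names are hypothetical, and it assumes `wbinfo -S` (SID to uid) is available next to the `wbinfo -n` call used above.

```shell
#!/bin/sh
# Added example: compare the Unix uid from NSS with the uid winbind maps the
# account's SID to. Function names are hypothetical, not Samba tooling.

# Field 3 of a passwd(5) line is the numeric uid.
passwd_uid() {
    printf '%s\n' "$1" | awk -F: 'NF >= 7 { print $3 }'
}

# `wbinfo -n NAME` prints "<SID> <TYPE> (<n>)"; keep the SID only, and
# print nothing if the line is an error message instead of a SID.
wbinfo_sid() {
    printf '%s\n' "$1" | awk '$1 ~ /^S-1-[0-9]+(-[0-9]+)+$/ { print $1 }'
}

# Classify the pair: match (0), mismatch (1), or a lookup gave no number (2).
compare_uids() {
    nss_uid=$1; wb_uid=$2
    case "$nss_uid" in ''|*[!0-9]*) echo "no-nss-uid"; return 2 ;; esac
    case "$wb_uid" in ''|*[!0-9]*) echo "no-winbind-uid"; return 2 ;; esac
    if [ "$nss_uid" -eq "$wb_uid" ]; then echo "match"; return 0; fi
    echo "mismatch nss=$nss_uid winbind=$wb_uid"
    return 1
}

# Live check on the Samba host: NSS lookup, name -> SID, SID -> uid.
check_user() {
    user=$1
    line=$(getent passwd "$user") || { echo "no-nss-uid"; return 2; }
    sid=$(wbinfo_sid "$(wbinfo -n "$user" 2>/dev/null)")
    [ -n "$sid" ] || { echo "no-sid"; return 2; }
    wb_uid=$(wbinfo -S "$sid" 2>/dev/null)
    compare_uids "$(passwd_uid "$line")" "$wb_uid"
}

# Run the live check only when a user name is given, e.g.: sh check.sh pclark
if [ $# -eq 1 ]; then
    check_user "$1"
fi
```

A `mismatch` or `no-winbind-uid` result means the file owner seen through NSS and the identity Samba derives from the SID do not line up for that account.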