[Samba] How to troubleshoot an ACL error?
Rowland Penny
rowlandpenny at googlemail.com
Tue Mar 4 10:18:52 MST 2014
On 04/03/14 16:06, Peter Clark wrote:
> Hi,
>
> Apparently they're not the same:
>
> [root at c3po ~]# getent passwd pclark
> pclark:x:500:500:Peter Clark:/home/pclark:/bin/bash
Are you using fedora or centos or similar and is pclark a local user?
> [root at c3po ~]# wbinfo -n pclark
> S-1-5-21-3282403630-2364130862-3038773389-1105 SID_USER (1)
> [root at c3po ~]# ldbedit -e pico -H /usr/local/samba/private/idmap.ldb
> objectsid=S-1-5-21-3282403630-2364130862-3038773389-1105
> no matching records - cannot edit
So pclark is also a domain user, must be, he has a SID
>
> I'm sure it's likely that this is some sort of operator error. I thought
> winbind was supposed to take care of this kind of mapping? The AD user and
> computer control panel on a Windows system shows the correct Unix username
> and home dir for the user?
Winbind will take care of this, but the user cannot be a local user on the
server, he must only exist in AD. If the user is in AD then winbind
idmapping will map the user to an xidNumber (this is what you should find
in idmap.ldb), but this can be overridden by giving the user a uidNumber
(see UNIX Attributes tab in ADUC), Domain Users must also be given a
gidNumber and the user must also have this gidNumber, this is what
'idmap_ldb:use rfc2307 = yes' in smb.conf is for.
Rowland
>
> On Tue, March 4, 2014 10:34 am, Rowland Penny wrote:
>> On 04/03/14 15:08, Peter Clark wrote:
>>> I'm running Version 4.2.0pre1-GIT-ca3998d on a Fedora 20 host. The output
>>> of testparm is:
>>>
>>> [global]
>>> workgroup = SOMETHING
>>> realm = SOMETHING.SOMETHING.COM
>>> server role = active directory domain controller
>>> passdb backend = samba_dsdb
>>> server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>>> winbind, ntp_signd, kcc, dnsupdate, smb
>>> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
>>> netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser,
>>> eventlog6, backupkey, dnsserver, winreg, srvsvc
>>> rpc_server:tcpip = no
>>> rpc_daemon:spoolssd = embedded
>>> rpc_server:spoolss = embedded
>>> rpc_server:winreg = embedded
>>> rpc_server:ntsvcs = embedded
>>> rpc_server:eventlog = embedded
>>> rpc_server:srvsvc = embedded
>>> rpc_server:svcctl = embedded
>>> rpc_server:default = external
>>> idmap_ldb:use rfc2307 = yes
>>> idmap config * : backend = tdb
>>> map archive = No
>>> map readonly = no
>>> store dos attributes = Yes
>>> vfs objects = dfs_samba4, acl_xattr
>>>
>>> [netlogon]
>>> path = /usr/local/samba/var/locks/sysvol/something.something.com/scripts
>>> read only = No
>>>
>>> [sysvol]
>>> path = /usr/local/samba/var/locks/sysvol
>>> read only = No
>>>
>>> [homes]
>>> path = /home
>>> read only = No
>>>
>>> I can run lists:
>>>
>>> smbclient -L localhost -U%
>>> Domain=[SOMETHING] OS=[Unix] Server=[Samba 4.2.0pre1-GIT-ca3998d]
>>>
>>> Sharename Type Comment
>>> --------- ---- -------
>>> netlogon Disk
>>> sysvol Disk
>>> homes Disk
>>> IPC$ IPC IPC Service
>>> localhost is an IPv6 address -- no workgroup available
>>> [pclark at c3po ~]$
>>>
>>> However when I log in as a user and try to go into my homedir:
>>>
>>> Domain=[SOMETHING] OS=[Unix] Server=[Samba 4.2.0pre1-GIT-ca3998d]
>>> smb: \> dir
>>> .                                   D        0  Sun Mar  2 11:06:09 2014
>>> ..                                  D        0  Mon Mar  3 03:44:25 2014
>>> pclark                              D        0  Mon Mar  3 13:36:36 2014
>>>
>>> 34001 blocks of size 8388608. 13463 blocks available
>>> smb: \> cd pclark
>>> cd \pclark\: NT_STATUS_INVALID_ACL
>>> smb: \>
>>>
>>> getfacl shows:
>>> getfacl pclark
>>> # file: pclark
>>> # owner: pclark
>>> # group: pclark
>>> user::rwx
>>> group::rwx
>>> other::r-x
>>>
>>>
>>> When I try and bring up the folder on a Windows system the security tab
>>> only has an X with an error message that says the "security information
>>> is unavailable or cannot be displayed", even when logged into the domain
>>> as Administrator.
>>>
>>> My drives are mounted with user_xattr,acl options in /etc/fstab. I'm not
>>> sure how to troubleshoot this further, any thoughts on how to reset the
>>> acl to a baseline that can be later edited (or, what did I do wrong
>>> here?) would be appreciated.
>>>
>>> Thanks,
>>>
>> OK, so you are trying to login to a share on the samba server?
>>
>> does your user have a uidNumber in AD? if so, is this the same number
>> that 'getent passwd pclark' shows on the samba4 server?
>>
>> Rowland
>
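A script, added here and not part of the thread, that walks the checks Rowland lists for one user: local account versus AD, SID resolution, the idmap.ldb xidNumber, and the AD uidNumber/gidNumber against the Domain Users gidNumber. The ldb paths are the ones shown in the thread; the `Domain Users` sAMAccountName, `getent -s files` and `ldbsearch` as the lookup tools are my assumptions, and the sam.ldb queries need root on the DC.

```shell
#!/bin/sh
# Added example, not from the thread: a script that walks Rowland's checklist
# for one domain user on a Samba AD DC. The ldb paths are the ones shown in
# the thread; "Domain Users" as the group's sAMAccountName is assumed.
SAMBA_PRIV=/usr/local/samba/private

# idmap_verdict LOCAL_UID SID XID AD_UID AD_GID DU_GID NSS_UID
# Pure check (runs no commands), so it can be fed sample values.
# Prints each finding; returns 0 when the mapping is consistent, 1 otherwise.
idmap_verdict() {
  local_uid=$1; sid=$2; xid=$3; ad_uid=$4; ad_gid=$5; du_gid=$6; nss_uid=$7
  bad=0
  [ -n "$local_uid" ] && {
    echo "FAIL: user is also in /etc/passwd (uid $local_uid); a domain user must exist only in AD"; bad=1; }
  [ -z "$sid" ] && { echo "FAIL: winbind cannot resolve the user to a SID"; bad=1; }
  if [ -n "$ad_uid" ]; then
    # rfc2307 path (idmap_ldb:use rfc2307 = yes): the AD uidNumber is what NSS must return
    [ "$ad_uid" = "$nss_uid" ] ||
      { echo "FAIL: AD uidNumber $ad_uid differs from getent uid $nss_uid"; bad=1; }
    [ -n "$ad_gid" ] && [ "$ad_gid" = "$du_gid" ] ||
      { echo "FAIL: user gidNumber '$ad_gid' must equal Domain Users gidNumber '$du_gid'"; bad=1; }
  else
    # no uidNumber in AD: winbind must have allocated an xidNumber in idmap.ldb
    [ -n "$xid" ] && [ "$xid" = "$nss_uid" ] ||
      { echo "FAIL: no xidNumber in idmap.ldb matching getent uid '$nss_uid'"; bad=1; }
  fi
  [ "$bad" -eq 0 ] && echo "OK: id mapping for uid $nss_uid is consistent"
  return "$bad"
}

# idmap_gather USER: collect the same pieces from a live DC (run as root) and judge them.
idmap_gather() {
  user=$1
  local_uid=$(getent -s files passwd "$user" 2>/dev/null | cut -d: -f3)
  nss_uid=$(getent passwd "$user" 2>/dev/null | cut -d: -f3)
  sid=$(wbinfo -n "$user" 2>/dev/null | awk '{print $1}')
  xid=$(ldbsearch -H "$SAMBA_PRIV/idmap.ldb" "objectSid=$sid" xidNumber 2>/dev/null | awk '/^xidNumber:/{print $2}')
  ad_uid=$(ldbsearch -H "$SAMBA_PRIV/sam.ldb" "(sAMAccountName=$user)" uidNumber 2>/dev/null | awk '/^uidNumber:/{print $2}')
  ad_gid=$(ldbsearch -H "$SAMBA_PRIV/sam.ldb" "(sAMAccountName=$user)" gidNumber 2>/dev/null | awk '/^gidNumber:/{print $2}')
  du_gid=$(ldbsearch -H "$SAMBA_PRIV/sam.ldb" "(sAMAccountName=Domain Users)" gidNumber 2>/dev/null | awk '/^gidNumber:/{print $2}')
  idmap_verdict "$local_uid" "$sid" "$xid" "$ad_uid" "$ad_gid" "$du_gid" "$nss_uid"
}

# Usage on the DC: idmap_gather pclark
```

In the thread's situation the first finding fires: getent returns the local uid 500 from /etc/passwd while winbind holds a SID for the same name, so no idmap.ldb entry exists and the ACL cannot be mapped.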