[Samba] 2.2.6+acl - strange behaviour
Wolfgang Pichler
wolfgang.pichler.zt at aon.at
Mon Nov 4 00:33:00 GMT 2002
intro:
i use a heavily customized arch-linux clone, so this is no newbie stuff.
except root all linux users are auth'ed via winbind/w2kdc's.
for windoze-user-convenience i have to use
winbind use default domain == yes
and installed ext3-acl support.
acls are working ok, if managed via get/setfacl and also samba honours
them correctly.
for windoze-user-convenience acls should also be manageable via
win-client properties->security dialog.
but all i saw, was strange behaviour from win-clients (here: w2k prof) :
if i want to add acls, enumeration of users/groups ("look in") in the
"add users" dialog will let me select only from the samba server and not
from the domain.
if this is a feature, not a bug, there is the MAIN PROBLEM #1 in eyesight :
*** all users are simply missing in this whilst all possible groups are
present. ***
but there are also problems on the samba end (see below) :
FYI : samba version is 2.2.6
see the characteristics and the 2 tests below, where i checked name
lookup service with 1 user and 1 group :
--------------------------------- samba
root at wolf # -bash 500 ~
root at wolf # cat /usr/src/samba-2.2.6-config
./configure --prefix=/usr --with-smbmount --with-fhs \
--with-configdir=/etc/samba --with-lockdir=/var/run/samba \
--with-privatdir=/etc/samba/private --with-lockdir=/var/run/samba \
--with-swatdir=/var/samba/swat --with-logfilebase=/var/log/samba \
--with-pam --with-pam_smbpass \
--with-tdbsam \
--with-ssl --with-syslog --with-quotas \
--with-spinlocks \
--with-msdfs \
--with-winbind --with-winbind-auth-challenge \
--with-acl-support \
--with-libsmbclient \
root at wolf # -bash 502 ~
root at wolf # ldd `which smbd`
libacl.so.1 => /usr/lib/libacl.so.1 (0x4001b000)
libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x40022000)
libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x4004f000)
libcups.so.2 => /usr/local/lib/libcups.so.2 (0x4010c000)
libnsl.so.1 => /lib/libnsl.so.1 (0x40126000)
libpam.so.0 => /lib/libpam.so.0 (0x4013c000)
libpopt.so.0 => /usr/local/lib/libpopt.so.0 (0x40146000)
libc.so.6 => /lib/libc.so.6 (0x4014e000)
libdl.so.2 => /lib/libdl.so.2 (0x40277000)
libattr.so.1 => /usr/lib/libattr.so.1 (0x4027b000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
--------------------------------- test 1
root at wolf # -bash 513 ~
root at wolf # sh /rbin/test
---
w2kdomain == dom
w2kpdc == e231pdc
sambahost == wolf
winbind separator == +
winbind use default domain == no
---
=> getent group dom+e231
DOM+e231:x:24006:DOM+pichwo,DOM+atest
-> rpcclient e231pdc
cmd = lookupnames e231
e231 S-1-5-21-507921405-1957994488-839522115-1109 (2)
--> rpcclient wolf
cmd = lookupnames e231
result was NT_STATUS_NONE_MAPPED
-> rpcclient e231pdc
cmd = lookupnames dom\e231
dom\e231 S-1-5-21-507921405-1957994488-839522115-1109 (2)
--> rpcclient wolf
cmd = lookupnames dom\e231
result was NT_STATUS_NONE_MAPPED
-> rpcclient wolf
cmd = lookupnames dom+e231
result was NT_STATUS_NONE_MAPPED
-> rpcclient e231pdc
cmd = lookupnames wolf\e231
result was NT_STATUS_NONE_MAPPED
--> rpcclient wolf
cmd = lookupnames wolf\e231
result was NT_STATUS_NONE_MAPPED
---
=> getent passwd dom+pichwo
DOM+pichwo:x:24023:24006:test1:/tmp:/bin/bash
-> rpcclient e231pdc
cmd = lookupnames pichwo
pichwo S-1-5-21-507921405-1957994488-839522115-1130 (1)
--> rpcclient wolf
cmd = lookupnames pichwo
result was NT_STATUS_NONE_MAPPED
-> rpcclient e231pdc
cmd = lookupnames dom\pichwo
dom\pichwo S-1-5-21-507921405-1957994488-839522115-1130 (1)
--> rpcclient wolf
cmd = lookupnames dom\pichwo
result was NT_STATUS_NONE_MAPPED
-> rpcclient wolf
cmd = lookupnames dom+pichwo
dom+pichwo S-1-5-21-507921405-1957994488-839522115-1130 (1)
-> rpcclient e231pdc
cmd = lookupnames wolf\pichwo
result was NT_STATUS_NONE_MAPPED
--> rpcclient wolf
cmd = lookupnames wolf\pichwo
result was NT_STATUS_NONE_MAPPED
--------------------------------- test 2
root at wolf # -bash 526 ~
root at wolf # sh /rbin/test
---
w2kdomain == dom
w2kpdc == e231pdc
sambahost == wolf
winbind separator == +
winbind use default domain == yes
---
=> getent group e231
e231:x:24006:pichwo,atest
=> getent group dom+e231
e231:x:24006:pichwo,atest
-> rpcclient e231pdc
cmd = lookupnames e231
e231 S-1-5-21-507921405-1957994488-839522115-1109 (2)
--> rpcclient wolf
cmd = lookupnames e231
e231 S-1-5-21-3906623103-4098751207-3827622673-49013 (4)
-> rpcclient e231pdc
cmd = lookupnames dom\e231
dom\e231 S-1-5-21-507921405-1957994488-839522115-1109 (2)
--> rpcclient wolf
cmd = lookupnames dom\e231
dom\e231 S-1-5-21-3906623103-4098751207-3827622673-49013 (4)
-> rpcclient wolf
cmd = lookupnames dom+e231
dom+e231 S-1-5-21-3906623103-4098751207-3827622673-49013 (4)
-> rpcclient e231pdc
cmd = lookupnames wolf\e231
result was NT_STATUS_NONE_MAPPED
--> rpcclient wolf
cmd = lookupnames wolf\e231
result was NT_STATUS_NONE_MAPPED
---
=> getent passwd pichwo
pichwo:x:24023:24006:test1:/tmp:/bin/bash
=> getent passwd dom+pichwo
pichwo:x:24023:24006:test1:/tmp:/bin/bash
-> rpcclient e231pdc
cmd = lookupnames pichwo
pichwo S-1-5-21-507921405-1957994488-839522115-1130 (1)
--> rpcclient wolf
cmd = lookupnames pichwo
pichwo S-1-5-21-3906623103-4098751207-3827622673-49046 (1)
-> rpcclient e231pdc
cmd = lookupnames dom\pichwo
dom\pichwo S-1-5-21-507921405-1957994488-839522115-1130 (1)
--> rpcclient wolf
cmd = lookupnames dom\pichwo
dom\pichwo S-1-5-21-3906623103-4098751207-3827622673-49046 (1)
-> rpcclient wolf
cmd = lookupnames dom+pichwo
dom+pichwo S-1-5-21-507921405-1957994488-839522115-1130 (1)
-> rpcclient e231pdc
cmd = lookupnames wolf\pichwo
result was NT_STATUS_NONE_MAPPED
--> rpcclient wolf
cmd = lookupnames wolf\pichwo
result was NT_STATUS_NONE_MAPPED
--------------------------------------
MAIN PROBLEM #2
*** no idea why samba invents a local user/group when
"winbind use default domain" is set to yes and does not otherwise ***
comment : if i ought to use this feature, it should do no harm to name
resolving :-)
--------------------------------------
please submit any suggestions
yours sincerely
wolfgang
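
An added example, not part of the original post: a Python script that parses rpcclient lookupnames output in the format shown above and lists the names a non-DC host resolves to a SID outside the domain controller's SID domain, which matters for ACLs because an entry stored under such a SID does not refer to the principal the DC knows. The function names are hypothetical; the sample input is an excerpt of the post's test 2 output.

```python
import re

# Excerpt of the rpcclient output from "test 2" in the post above
# (winbind use default domain == yes).
SAMPLE = r"""
-> rpcclient e231pdc
cmd = lookupnames e231
e231 S-1-5-21-507921405-1957994488-839522115-1109 (2)
--> rpcclient wolf
cmd = lookupnames e231
e231 S-1-5-21-3906623103-4098751207-3827622673-49013 (4)
-> rpcclient wolf
cmd = lookupnames dom+pichwo
dom+pichwo S-1-5-21-507921405-1957994488-839522115-1130 (1)
--> rpcclient wolf
cmd = lookupnames dom\pichwo
dom\pichwo S-1-5-21-3906623103-4098751207-3827622673-49046 (1)
-> rpcclient e231pdc
cmd = lookupnames wolf\pichwo
result was NT_STATUS_NONE_MAPPED
"""

HOST = re.compile(r"^-+>\s*rpcclient\s+(\S+)")           # "-> rpcclient wolf"
CMD = re.compile(r"^cmd = lookupnames\s+(\S+)")          # queried name
HIT = re.compile(r"^(\S+)\s+(S-1-[\d-]+)\s+\((\d+)\)")   # name, SID, SID type

def parse(text):
    """Yield (host, queried_name, sid or None, sid_type or None) per lookup."""
    host = name = None
    for line in text.splitlines():
        line = line.strip()
        if m := HOST.match(line):
            host = m.group(1)
        elif m := CMD.match(line):
            name = m.group(1)
        elif m := HIT.match(line):
            yield host, name, m.group(2), int(m.group(3))
        elif line.startswith("result was"):   # e.g. NT_STATUS_NONE_MAPPED
            yield host, name, None, None

def foreign_sids(text, dc):
    """Lookups on non-DC hosts whose SID domain the DC never returned."""
    rows = [r for r in parse(text) if r[2]]
    # SID domain = SID with the trailing RID removed.
    dc_domains = {sid.rsplit("-", 1)[0] for h, _, sid, _ in rows if h == dc}
    return [(h, n, sid, t) for h, n, sid, t in rows
            if h != dc and sid.rsplit("-", 1)[0] not in dc_domains]
```

The SID type in the last tuple field follows the usual SID_NAME_USE numbering (1 user, 2 domain group, 4 alias), so a 2 on the DC against a 4 on the Samba host also shows the group being reported as a local alias.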