[Samba] weird problem with "access denied" on share
morgan toal
mtoal at burlingtoniowa.org
Thu Apr 14 15:38:07 GMT 2005
Hi folks,
I am having a weird problem that I just recently noticed on this
particular server running Samba 3.0.10 on Fedora Core 3 and am hoping
someone could shed some light on this.
We're using tdb for our backend database.
The user "nsu" is a member of unix group admin.
The unix group admin is mapped to "Domain Administrators".
This works OK, in that when logging in on a workstation, I have local
administrative privilege on that workstation.
So far, so good. But here's the rub: when I attempt to, say, create a
file within certain shares I have set up in smb.conf (see below), where
I specifically set "write list = @admin" I receive a dialog from Windows:
"Unable to create the file foo.txt Access is denied."
Furthermore I notice some weird messages in /var/log/messages (last
segment below). Of particular interest are the "transport endpoint is
not connected" which we have seen before above, but more suspicious is
the "get_alias_user_groups" errors which state that the gid does not
exist for user nsu. I suspect this is somehow related, but I am not sure
what this *really* means.
I did attempt to delete and recreate the user nsu. I deleted from
/etc/passwd and then from the tdb manually using pdbedit. I then
re-created this user, thinking somehow this might fix this gid problem
somehow. Didn't fix the share permission issue, though I can still log
in with local admin rights on the workstation.
This is really annoying!!! Can someone help???? Thanks!
Morgan Toal
Network Manager
City of Burlington, Iowa
--------------------------------------------------------------------------------------
Here is what net user info says about nsu:
[root@pd1 xinetd.d]# net user info nsu
root's password:
[2005/04/14 10:21:13, 0] utils/net_ads.c:ads_startup(186)
ads_connect: Transport endpoint is not connected
Domain Admins
(as an aside, I don't know what the ads_connect error means or if it is
related to my issue.)
--------------------------------------------------------------------------------------
Here is what net groupmap list says:
[root@pd1 xinetd.d]# net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
seint (S-1-5-21-3505514775-834951346-1128776050-2157) -> seint
Domain Users (S-1-5-21-3505514775-834951346-1128776050-513) -> -1
Domain Admins (S-1-5-21-3505514775-834951346-1128776050-512) -> admin
Domain Guests (S-1-5-21-3505514775-834951346-1128776050-514) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
chief (S-1-5-21-3505514775-834951346-1128776050-2005) -> chief
cid (S-1-5-21-3505514775-834951346-1128776050-2045) -> cid
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
--------------------------------------------------------------------------------------
Here is what pdbedit -v -u nsu says:
[root@pd1 xinetd.d]# pdbedit -v -u nsu
Unix username: nsu
NT username:
Account Flags: [U ]
User SID: S-1-5-21-3505514775-834951346-1128776050-2124
Primary Group SID: S-1-5-21-3505514775-834951346-1128776050-2127
Full Name: nsu account
Home Directory: \\pd1\nsu
HomeDir Drive: Z:
Logon Script: logon.bat
Profile Path: \\pd1\nsu\profile
Domain: PD
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Mon, 18 Jan 2038 21:14:07 GMT
Kickoff time: Mon, 18 Jan 2038 21:14:07 GMT
Password last set: Thu, 14 Apr 2005 08:58:29 GMT
Password can change: Thu, 14 Apr 2005 08:58:29 GMT
Password must change: Mon, 18 Jan 2038 21:14:07 GMT
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
--------------------------------------------------------------------------------------
Here is what smb.conf says:
[root@pd1 xinetd.d]# more /etc/samba/smb.conf
[global]
log level = 1
workgroup = pd
netbios name = pd1
passdb backend = tdbsam
printcap name = cups
add user script = /usr/sbin/useradd -m %u
add group script = /usr/sbin/groupadd %g
delete user script = /usr/sbin/userdel -r %u
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u
logon script = logon.bat
# logon path = \\%L\Profiles\%U
logon drive = Z:
logon home = \\%L\%U
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
idmap uid = 15000-20000
idmap gid = 15000-20000
printing = cups
wins support = no
wins server = 192.168.18.14
host msdfs = yes
################################################################
## Share Definitions
################################################################
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
[homes]
comment = Home Directories
browseable = no
writable = yes
[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
public = yes
write list = @admin
[public]
comment = Public Stuff
path = /home/samba/public
public = yes
writeable = yes
force create mode = 0777
force directory mode = 0777
[system]
comment = System Stuff
path = /home/samba/system
public = yes
write list = @admin
[chief]
comment = Police Administration
path = /home/samba/chief
public = no
valid users = @admin, @chief
write list = @admin, @chief
force group = chief
force create mode = 0770
force directory mode = 0770
[seint]
comment = Police Administration
path = /home/samba/seint
public = no
valid users = @admin, @seint
write list = @admin, @seint
force group = seint
force create mode = 0770
force directory mode = 0770
[dfs]
comment = DFS Root
path = /home/samba/dfs
msdfs root = yes
[tracs]
comment = TRACS program data files
path = /home/samba/tracs
public = yes
writeable = yes
force group = nobody
force create mode = 0777
[cid]
comment = Criminal Investigation
path = /home/samba/cid
public = yes
writeable = yes
valid users = @admin, @cid
write list = @admin, @cid
force group = cid
force create mode = 0770
force directory mode = 0770
--------------------------------------------------------------------------------------
Here is some of the stuff I see in /var/log/messages:
[root@pd1 xinetd.d]# cat /var/log/messages | grep smb
...(snip)
Apr 14 09:13:27 pd1 smb: nmbd startup succeeded
Apr 14 09:13:27 pd1 smbd[1449]: [2005/04/14 09:13:27, 0]
lib/util_sock.c:get_peer_addr(1000)
Apr 14 09:13:27 pd1 smbd[1449]: getpeername failed. Error was
Transport endpoint is not connected
Apr 14 09:13:27 pd1 smbd[1449]: [2005/04/14 09:13:27, 0]
lib/util_sock.c:get_peer_addr(1000)
Apr 14 09:13:27 pd1 smbd[1449]: getpeername failed. Error was
Transport endpoint is not connected
Apr 14 09:13:28 pd1 smbd[1449]: [2005/04/14 09:13:28, 0]
lib/util_sock.c:write_socket_data(430)
Apr 14 09:13:28 pd1 smbd[1449]: write_socket_data: write failure.
Error = Connection reset by peer
Apr 14 09:13:28 pd1 smbd[1449]: [2005/04/14 09:13:28, 0]
lib/util_sock.c:write_socket(455)
Apr 14 09:13:28 pd1 smbd[1449]: write_socket: Error writing 4 bytes to
socket 22: ERRNO = Connection reset by peer
Apr 14 09:13:28 pd1 smbd[1449]: [2005/04/14 09:13:28, 0]
lib/util_sock.c:send_smb(647)
Apr 14 09:13:28 pd1 smbd[1449]: Error writing 4 bytes to client. -1.
(Connection reset by peer)
Apr 14 09:13:46 pd1 smbd[1451]: [2005/04/14 09:13:46, 0]
rpc_server/srv_util.c:get_alias_user_groups(206)
Apr 14 09:13:46 pd1 smbd[1451]: get_alias_user_groups: gid of user
mtoal doesn't exist. Check your /etc/passwd and /etc/group files
Apr 14 09:18:12 pd1 smbd[1479]: [2005/04/14 09:18:12, 0]
lib/util_sock.c:get_peer_addr(1000)
Apr 14 09:18:12 pd1 smbd[1479]: getpeername failed. Error was
Transport endpoint is not connected
Apr 14 09:18:12 pd1 smbd[1479]: [2005/04/14 09:18:12, 0]
lib/util_sock.c:get_peer_addr(1000)
Apr 14 09:18:12 pd1 smbd[1479]: getpeername failed. Error was
Transport endpoint is not connected
Apr 14 09:18:12 pd1 smbd[1479]: [2005/04/14 09:18:12, 0]
lib/util_sock.c:write_socket_data(430)
Apr 14 09:18:12 pd1 smbd[1479]: write_socket_data: write failure.
Error = Connection reset by peer
Apr 14 09:18:12 pd1 smbd[1479]: [2005/04/14 09:18:12, 0]
lib/util_sock.c:write_socket(455)
Apr 14 09:18:12 pd1 smbd[1479]: write_socket: Error writing 4 bytes to
socket 5: ERRNO = Connection reset by peer
Apr 14 09:18:12 pd1 smbd[1479]: [2005/04/14 09:18:12, 0]
lib/util_sock.c:send_smb(647)
Apr 14 09:18:12 pd1 smbd[1479]: Error writing 4 bytes to client. -1.
(Connection reset by peer)
Apr 14 09:25:14 pd1 smbd[1456]: [2005/04/14 09:25:14, 0]
rpc_server/srv_util.c:get_alias_user_groups(206)
Apr 14 09:25:14 pd1 smbd[1456]: get_alias_user_groups: gid of user nsu
doesn't exist. Check your /etc/passwd and /etc/group files
Apr 14 09:52:59 pd1 smbd[1724]: [2005/04/14 09:52:59, 0]
lib/util_sock.c:get_peer_addr(1000)
Apr 14 09:52:59 pd1 smbd[1724]: getpeername failed. Error was
Transport endpoint is not connected
Apr 14 09:52:59 pd1 smbd[1724]: [2005/04/14 09:52:59, 0]
lib/util_sock.c:get_peer_addr(1000)
Apr 14 09:52:59 pd1 smbd[1724]: getpeername failed. Error was
Transport endpoint is not connected
Apr 14 09:52:59 pd1 smbd[1724]: [2005/04/14 09:52:59, 0]
lib/util_sock.c:write_socket_data(430)
Apr 14 09:52:59 pd1 smbd[1724]: write_socket_data: write failure.
Error = Connection reset by peer
Apr 14 09:52:59 pd1 smbd[1724]: [2005/04/14 09:52:59, 0]
lib/util_sock.c:write_socket(455)
Apr 14 09:52:59 pd1 smbd[1724]: write_socket: Error writing 4 bytes to
socket 22: ERRNO = Connection reset by peer
Apr 14 09:52:59 pd1 smbd[1724]: [2005/04/14 09:52:59, 0]
lib/util_sock.c:send_smb(647)
Apr 14 09:52:59 pd1 smbd[1724]: Error writing 4 bytes to client. -1.
(Connection reset by peer)
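
The get_alias_user_groups message in the log above asks for a check of /etc/passwd and /etc/group. As an added example (not part of the original message), this script reports accounts whose primary GID has no group entry and tests whether a user belongs to a unix group such as the one named in "write list = @admin". The file contents, user names other than nsu and mtoal, and all UIDs/GIDs are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post; all sample data is constructed.

# orphan_primary_gids PASSWD GROUP
# Print "user:gid" for each account whose primary GID (passwd field 4)
# has no entry in the group file (group field 3).
orphan_primary_gids() {
    awk -F: '
        /^#/ || NF < 3      { next }
        FILENAME == ARGV[1] { known[$3] = 1; next }      # group file
        NF >= 4 && !($4 in known) { print $1 ":" $4 }    # passwd file
    ' "$2" "$1"
}

# in_unix_group USER GROUPNAME PASSWD GROUP
# Succeed if USER is a listed member of GROUPNAME (group field 4)
# or has GROUPNAME's GID as primary GID in passwd.
in_unix_group() {
    awk -F: -v user="$1" -v grp="$2" '
        FILENAME == ARGV[1] && $1 == grp {
            gid = $3
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == user) found = 1
            next
        }
        FILENAME == ARGV[2] && $1 == user && gid != "" && $4 == gid { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$4" "$3"
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nsu:x:1001:1901:nsu account:/home/nsu:/bin/bash
mtoal:x:1002:1902::/home/mtoal:/bin/bash
chiefuser:x:1003:502::/home/chiefuser:/bin/bash
EOF
cat > "$demo_dir/group" <<'EOF'
root:x:0:
admin:x:500:nsu,mtoal
chief:x:502:
EOF

orphan_primary_gids "$demo_dir/passwd" "$demo_dir/group"
in_unix_group nsu admin "$demo_dir/passwd" "$demo_dir/group" && echo "nsu is in admin"
```

On a live server the same functions can be pointed at /etc/passwd and /etc/group; a user can be a supplementary member of a group while still having a primary GID with no group entry, which is the case the sample data shows for nsu.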