[Samba] Samba, krb5 and ACL.

Meli Marco Marco.Meli at gknsintermetals.com
Fri Sep 16 11:37:38 GMT 2005


Hi,
I have FC3 with samba-3.0.10-1.fc3, samba-common and samba-client joined to
Windows 2003 AD with the following libraries installed:
ldd /usr/sbin/winbindd 
        libcrypt.so.1 => /lib/libcrypt.so.1 (0xf6e14000)
        libresolv.so.2 => /lib/libresolv.so.2 (0xf6e00000)
        libnsl.so.1 => /lib/libnsl.so.1 (0xf6de9000)
        libdl.so.2 => /lib/libdl.so.2 (0xf6de5000)
        libpopt.so.0 => /usr/lib/libpopt.so.0 (0xf6dde000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0xf6dca000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0xf6d65000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0xf6d44000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0xf6d40000)
        libldap-2.2.so.7 => /usr/lib/libldap-2.2.so.7 (0xf6d0f000)
        liblber-2.2.so.7 => /usr/lib/liblber-2.2.so.7 (0xf6d03000)
        libc.so.6 => /lib/tls/libc.so.6 (0xf6bdc000)
        /lib/ld-linux.so.2 (0xf6e4f000)
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xf6bc8000)
        libssl.so.4 => /lib/libssl.so.4 (0xf6b93000)
        libcrypto.so.4 => /lib/libcrypto.so.4 (0xf6aab000)
        libz.so.1 => /usr/lib/libz.so.1 (0xf6a9b000)

Kerberos 1.3.4-7 was already installed with the distribution and the related
file /etc/krb5.conf configured as follows:
[libdefaults]
 default_realm = SINTER.GKN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 SINTER.GKN.COM = {
  kdc = krb5srv.sinter.gkn.com:88
  admin_server = krb5srv.sinter.domain.com:749
  default_domain = sinter.gkn.com
 }

[domain_realm]
 .sinter.gkn.com = SINTER.GKN.COM
 sinter.gkn.com = SINTER.GKN.COM

I have set /etc/nsswitch: 
passwd:     files winbind
shadow:     files winbind
group:      files winbind

I have configured /etc/samba/smb.conf:
[global]
        netbios name = MYNAME
        os level = 16
        wins server = xxx.xxx.xxx.xxx
        socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
        unix charset = LOCALE
        workgroup = GKNSMI
        realm = SINTER.GKN.COM
        security = ADS
        password server = krb5srv.sinter.gkn.com
        encrypt passwords = yes
        allow trusted domains = Yes
        winbind use default domain = Yes
        winbind separator = /
        winbind enum users = Yes
        winbind enum groups = Yes
        idmap uid = 10000-100000
        idmap gid = 10000-100000
        hide unreadable = Yes
        template shell = /bin/false
        use sendfile = Yes
        printer admin = 
        admin users = 
        log file = /var/log/samba/log.%m
        log level = 1 auth:10 sam:10
        max log size = 50
        nt acl support = Yes
        map acl inherit = Yes
[data]
        comment = DATA repository
        path = /data
        read only = No
        create mask = 0775
        security mask = 0777
        force security mode = 0
        directory mask = 0775
        directory security mask = 0777
        force directory security mode = 0
        dos filetimes = yes
 
In the data repository I have one folder named "/user".
In it I have put each user's folder, named after the username.
Using ACLs I have set "complete control" for each user only, so they can
enter the "/user" folder and see only their personal folder; Unix permissions
similar to the ACL permissions are set as below:

Unix permissions:
drwxr-x---+ 3 mabritta root 27 Sep 15 15:54 mabritta.

ACL permissions:
# file: mabritta
# owner: mabritta
# group: root
user::rwx
group::r-x
other::---
default:user::rwx
default:user:mabritta:rwx
default:group::r-x
default:mask::rwx
default:other::---

So I expected that it would work as I thought; instead, if I log in with this
username (mabritta) and reach the user repository, I can't see any folder. I
have also tried with the smbclient tool and it seems to work fine, also if I
connect from a Win9x workstation, and also in the previous situation when I
was connected to the NT4 PDC it worked fine.
Previously I had installed Samba on RH9 with krb5-1.2.27, while the Samba
documentation recommended krb5-1.3.1, so I decided to jump to FC3, but the
problem, in my opinion related to Kerberos, persists.

Thanks.
Marco.
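As an added example (not part of Marco's message and not Samba's own code), a small POSIX.1e ACL evaluator run over the getfacl output quoted above: it shows the owner getting rwx, any other identity falling through to group::r-x or other::---, and how the share's "hide unreadable = Yes" turns a missing read bit into an empty listing rather than an access error. The user name bob and the group users are constructed for the check.

```python
# Added example (not from the post): POSIX.1e ACL evaluation plus Samba's 'hide unreadable' rule.
MABRITTA_ACL = """\
# file: mabritta
# owner: mabritta
# group: root
user::rwx
group::r-x
other::---
default:user::rwx
default:user:mabritta:rwx
default:group::r-x
default:mask::rwx
default:other::---
"""  # getfacl output quoted in the post

def parse_acl(text):
    """Return (owner, owning_group, access_entries); 'default:' entries are only
    inherited by new children and never govern access to the directory itself."""
    owner = group = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            tag, qual, perms = line.split(":")
            entries.append((tag, qual, set(perms) - {"-"}))
    return owner, group, entries

def effective_perms(acl, user, groups):
    """POSIX.1e order: owner, named user, owning/named groups (union), other;
    named-user and group entries are ANDed with the mask entry when present."""
    owner, owning_group, entries = acl
    mask = next((p for t, q, p in entries if t == "mask"), {"r", "w", "x"})
    if user == owner:
        return next(p for t, q, p in entries if t == "user" and q == "")
    for t, q, p in entries:
        if t == "user" and q == user:
            return p & mask
    hits = [p & mask for t, q, p in entries if t == "group"
            and (q in groups or (q == "" and owning_group in groups))]
    if hits:
        return set().union(*hits)
    return next(p for t, q, p in entries if t == "other")

def hidden_by_samba(acl, user, groups):
    """'hide unreadable = Yes': Samba omits entries the Unix identity cannot read."""
    return "r" not in effective_perms(acl, user, groups)
```

If the Kerberos/winbind mapping hands Samba a Unix identity other than the folder's owner, this is the path the listing takes, so checking the mapped name (for example with the id command on the server) is the first thing to verify.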
