[Samba] Samba, krb5 and ACL.
Meli Marco
Marco.Meli at gknsintermetals.com
Fri Sep 16 11:37:38 GMT 2005
Hi,
I have FC3 with samba-3.0.10-1.fc3, samba-common and samba-client joined to
Windows 2003 AD with the following libraries installed:
ldd /usr/sbin/winbindd
libcrypt.so.1 => /lib/libcrypt.so.1 (0xf6e14000)
libresolv.so.2 => /lib/libresolv.so.2 (0xf6e00000)
libnsl.so.1 => /lib/libnsl.so.1 (0xf6de9000)
libdl.so.2 => /lib/libdl.so.2 (0xf6de5000)
libpopt.so.0 => /usr/lib/libpopt.so.0 (0xf6dde000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0xf6dca000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0xf6d65000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0xf6d44000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0xf6d40000)
libldap-2.2.so.7 => /usr/lib/libldap-2.2.so.7 (0xf6d0f000)
liblber-2.2.so.7 => /usr/lib/liblber-2.2.so.7 (0xf6d03000)
libc.so.6 => /lib/tls/libc.so.6 (0xf6bdc000)
/lib/ld-linux.so.2 (0xf6e4f000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xf6bc8000)
libssl.so.4 => /lib/libssl.so.4 (0xf6b93000)
libcrypto.so.4 => /lib/libcrypto.so.4 (0xf6aab000)
libz.so.1 => /usr/lib/libz.so.1 (0xf6a9b000)
Kerberos 1.3.4-7 was already installed with the distribution and the related
file /etc/krb5.conf configured as follows:
[libdefaults]
default_realm = SINTER.GKN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
SINTER.GKN.COM = {
kdc = krb5srv.sinter.gkn.com:88
admin_server = krb5srv.sinter.domain.com:749
default_domain = sinter.gkn.com
}
[domain_realm]
.sinter.gkn.com = SINTER.GKN.COM
sinter.gkn.com = SINTER.GKN.COM
I have set /etc/nsswitch:
passwd: files winbind
shadow: files winbind
group: files winbind
I have configured /etc/samba/smb.conf:
[global]
netbios name = MYNAME
os level = 16
wins server = xxx.xxx.xxx.xxx
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
unix charset = LOCALE
workgroup = GKNSMI
realm = SINTER.GKN.COM
security = ADS
password server = krb5srv.sinter.gkn.com
encrypt passwords = yes
allow trusted domains = Yes
winbind use default domain = Yes
winbind separator = /
winbind enum users = Yes
winbind enum groups = Yes
idmap uid = 10000-100000
idmap gid = 10000-100000
hide unreadable = Yes
template shell = /bin/false
use sendfile = Yes
printer admin =
admin users =
log file = /var/log/samba/log.%m
log level = 1 auth:10 sam:10
max log size = 50
nt acl support = Yes
map acl inherit = Yes
[data]
comment = DATA repository
path = /data
read only = No
create mask = 0775
security mask = 0777
force security mode = 0
directory mask = 0775
directory security mask = 0777
force directory security mode = 0
dos filetimes = yes
In the data repository I have one folder named "/user".
In this I have put every user's folder, named as the username.
Using ACLs I have set "complete control" for each user only, so they can
enter the "/user" folder and see only their personal folder; unix permissions
similar to the ACL permissions are set as below:
Unix permissions:
drwxr-x---+ 3 mabritta root 27 Sep 15 15:54 mabritta.
ACL permissions:
# file: mabritta
# owner: mabritta
# group: root
user::rwx
group::r-x
other::---
default:user::rwx
default:user:mabritta:rwx
default:group::r-x
default:mask::rwx
default:other::---
So I expected that it would work as I thought; instead, if I log in with this
username (mabritta) and reach the user repository I can't see any folder. I
have also tried with the smbclient tool and it seems to work fine, also if I
connect from a Win9x workstation, and also in the previous situation, when I
was connected to the NT4 PDC, it worked fine.
Previously I had installed samba on RH9 with krb5-1.2.27 while the samba
documentation recommended krb5-1.3.1, so I decided to jump to FC3, but the
problem, in my opinion related to kerberos, persists.
Thanks.
Marco.
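As an added example (not part of Marco's post), a small Python script that parses getfacl output like the listing above and computes the permissions a given account effectively receives under the POSIX ACL rules (owner entry, named user entry, matching group entries clamped by the mask, otherwise the other entry); it also lists named entries that appear only in the default ACL, which are inherited by new children but do not govern the directory itself. The ACL text is the one from the post, embedded as a constructed sample.

```python
"""Evaluate effective POSIX ACL permissions from getfacl output."""
import re

# Constructed sample: the getfacl listing from the post above.
SAMPLE_ACL = """\
# file: mabritta
# owner: mabritta
# group: root
user::rwx
group::r-x
other::---
default:user::rwx
default:user:mabritta:rwx
default:group::r-x
default:mask::rwx
default:other::---
"""

def parse_getfacl(text):
    """Return (owner, group, access_entries, default_entries)."""
    owner = group = None
    access, default = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"#\s*(owner|group):\s*(\S+)", line)
        if line.startswith("#"):
            if m and m.group(1) == "owner":
                owner = m.group(2)
            elif m:
                group = m.group(2)
            continue
        target = access
        if line.startswith("default:"):
            line, target = line[len("default:"):], default
        tag, qual, perms = line.split()[0].split(":")  # drop "#effective" notes
        target.append((tag, qual, {p for p in perms if p != "-"}))
    return owner, group, access, default

def effective_perms(acl_text, user, groups):
    """Permissions `user` (member of `groups`) gets on the object itself."""
    owner, owning_group, access, _ = parse_getfacl(acl_text)
    entries = {(tag, qual): perms for tag, qual, perms in access}
    mask = entries.get(("mask", ""), {"r", "w", "x"})  # no mask: no clamp
    if user == owner:
        return entries[("user", "")]              # owner entry is never masked
    if ("user", user) in entries:
        return entries[("user", user)] & mask
    matched, granted = False, set()
    for key in [("group", "")] * (owning_group in groups) + [("group", g) for g in groups]:
        if key in entries:
            matched, granted = True, granted | entries[key]
    return granted & mask if matched else entries[("other", "")]

def default_only_named_entries(acl_text):
    """Named user/group entries present in the default ACL but not the access ACL."""
    _, _, access, default = parse_getfacl(acl_text)
    present = {(t, q) for t, q, _ in access}
    return sorted((t, q) for t, q, _ in default if q and (t, q) not in present)
```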