[Samba] Permission Problem --Windows or UNIX?
Stephen Carville
stephen at totalflood.com
Wed Aug 23 01:27:40 GMT 2006
I am using Samba 3.0.20a with winbindd on FC3 and all the shares except
one are working. I keep getting a permission denied error for non-local
users in certain directories.
The permissions on the directory are
# ls -ld .
drwxr-xr-x 11 procman users 4096 Aug 3 15:35 .
# ls -l
drwxrwx--- 12 procman admin 4096 Aug 2 15:47 administration
drwxrwx--- 5 procman data-entry 4096 Nov 16 2005 data-entry
drwxrwx--- 10 procman devel 4096 Jul 5 11:24 development
drwxrwx--- 26 procman gis 4096 Aug 21 13:48 GIS
drwx------ 2 root root 4096 Aug 19 07:01 lost+found
drwxrwxr-x 14 procman users 4096 Jun 6 17:22 MapCopy
drwxrwx--- 25 procman marketing 4096 Nov 16 2005 marketing
drwxrwx--- 4 procman users 4096 Nov 16 2005 production
drwxrwx--- 22 procman system 4096 Apr 26 10:21 systems
The problem is that any directory with a group other than users is
simply not accessible to users who don't have local accounts. For
example the user "ttest" (Tommy Test) has the following membership:
# id ttest
uid=10226(ttest) gid=10000(Domain Users) groups=10000(Domain
Users),10109(Common GIS),10004(VPN ACCESS),10006(All
Users),10021(Mapper),10010(TSC_USERS),10108(Common
Development),10013(xeroxaccess)
And I have mapping between Windows and UNIX groups (list trimmed):
# net groupmap list
Guests (S-1-5-32-546) -> nobody
Domain Guests (S-1-5-21-2679732778-2536521927-3344223750-1199) -> nobody
Common Production (S-1-5-21-2679732778-2536521927-3344223750-7121) ->
prod-mgrs
Common Administration (S-1-5-21-2679732778-2536521927-3344223750-21113)
-> admin
Common Development (S-1-5-21-2679732778-2536521927-3344223750-7021) -> devel
Common GIS (S-1-5-21-2679732778-2536521927-3344223750-7141) -> gis
Common Marketing (S-1-5-21-2679732778-2536521927-3344223750-7041) ->
marketing
Domain Users (S-1-5-21-2679732778-2536521927-3344223750-513) -> users
Common System (S-1-5-21-2679732778-2536521927-3344223750-7061) -> system
But "ttest" cannot enter the directories GIS or Development even though he
belongs to groups that should have access. Unless I am seriously
misunderstanding the documentation at the samba.org web site.
testparm shows:
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
[global]
unix charset = LOCALE
workgroup = TOTALFLOOD
netbios name = FILE-CABINET
server string = Main File Server
security = DOMAIN
allow trusted domains = No
username map = /etc/samba/smbusers
log level = 5
syslog = 2
log file = /var/log/samba/%m.log
max log size = 50
smb ports = 139
name resolve order = wins bcast hosts
client signing = No
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
disable spoolss = Yes
show add printer wizard = No
wins server = 192.168.124.10
idmap uid = 10000-100000000
idmap gid = 10000-100000000
template homedir = /export/private/%U
template shell = "/sbin/nologin"
winbind use default domain = Yes
hosts allow = 192.168.124., 127.
[netapps]
comment = Network Applications
path = /export/netapps
force user = procman
force group = users
read only = No
[common]
comment = Common Files
path = /export/common
force group = users
read only = No
create mask = 0775
force create mode = 0664
directory mask = 0775
force directory mode = 0775
[public]
comment = Public Files
path = /export/public
force user = procman
force group = users
read only = No
create mask = 0774
[homes]
comment = Home Directory
read only = No
browseable = No
[xerox]
comment = Scanned Documents Root
path = /export/xerox
force user = xerox
force group = ftpguest
read only = No
I've tried the steps in "Troubleshooting" and "Analyzing and Solving
Samba Problems" and everything tests out OK.
--
Stephen Carville <stephen at totalflood.com>
Unix and Network Admin
Nationwide Totalflood
6033 W. Century Blvd
Los Angeles, CA 90045
310-342-3602
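
An added diagnostic sketch (not part of the original post, and not Samba code): it applies the standard Unix owner/group/other check to the `id` and `ls -l` output quoted above. Two simplifying assumptions: groups are compared by the names those tools printed, and `force group = users` is modelled as adding `users` to the session's groups.

```python
import re

# Constructed from the output quoted in the post (wrapped id line rejoined).
ID_OUTPUT = (
    "uid=10226(ttest) gid=10000(Domain Users) groups=10000(Domain Users),"
    "10109(Common GIS),10004(VPN ACCESS),10006(All Users),10021(Mapper),"
    "10010(TSC_USERS),10108(Common Development),10013(xeroxaccess)"
)
LS_OUTPUT = """\
drwxrwx--- 12 procman admin 4096 Aug 2 15:47 administration
drwxrwx--- 5 procman data-entry 4096 Nov 16 2005 data-entry
drwxrwx--- 10 procman devel 4096 Jul 5 11:24 development
drwxrwx--- 26 procman gis 4096 Aug 21 13:48 GIS
drwx------ 2 root root 4096 Aug 19 07:01 lost+found
drwxrwxr-x 14 procman users 4096 Jun 6 17:22 MapCopy
drwxrwx--- 25 procman marketing 4096 Nov 16 2005 marketing
drwxrwx--- 4 procman users 4096 Nov 16 2005 production
drwxrwx--- 22 procman system 4096 Apr 26 10:21 systems
"""

def parse_id(text):
    """Return (user name, set of group names) from one line of `id` output."""
    user = re.search(r"uid=\d+\(([^)]*)\)", text).group(1)
    members = re.findall(r"\d+\(([^)]*)\)", text.split("groups=", 1)[1])
    return user, set(members)

def can_enter(mode, owner, group, user, groups):
    """Unix check: exactly one permission class applies; entering needs x."""
    if user == owner:
        bits = mode[1:4]
    elif group in groups:
        bits = mode[4:7]
    else:
        bits = mode[7:10]
    return bits[2] in "xst"

def accessible(id_text, ls_text, forced_group=None):
    """Return the directories the user can enter; print the denied ones."""
    user, groups = parse_id(id_text)
    if forced_group:  # assumption: models `force group` as one extra group
        groups = groups | {forced_group}
    allowed = []
    for line in ls_text.splitlines():
        mode, _links, owner, group, *_rest, name = line.split()
        if can_enter(mode, owner, group, user, groups):
            allowed.append(name)
        else:
            print(f"{name}: denied (owner {owner}, group {group}, mode {mode})")
    return allowed

if __name__ == "__main__":
    print("can enter:", accessible(ID_OUTPUT, LS_OUTPUT, forced_group="users"))
```

On the quoted data only MapCopy and production come back as enterable, which matches the reported symptom: `id` lists "Common GIS" and "Common Development", while the directories are owned by the groups `gis` and `devel`.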