[Samba] Permission Denied when "all" bits not set to r/w

Brandon Dimcheff bdimcheff at westpole.com
Wed Jul 5 21:07:16 GMT 2006


Here's a dialog from smbclient that illustrates the problem.  I've  
noticed that Samba doesn't map my UID and GID to an actual name...  
Could this be a symptom of a larger problem with UID/GID mappings or  
something?

And under what circumstances would Samba return a  
NT_STATUS_ACCESS_DENIED error when the user the smbd process is  
running as has permissions to access the file?  (it runs as UID 5000,  
the UID on the file is 5000, permissions are 600, therefore the smbd  
process can access the file)  It seems to me that if the spawned  
process can access the file, then it should be working.  Does Samba  
put additional restrictions on file access above and beyond those  
imposed by the underlying OS?

-------------------------------------------------------------------------------
smb: \User\Brandon\test\> ls
   .                                   D        0  Wed Jul  5 16:51:41 2006
   ..                                  D        0  Mon Jul  3 16:06:45 2006
   bar                                 A       10  Mon Jul  3 16:09:54 2006
   foo                                          5  Mon Jul  3 16:07:16 2006

                 61438 blocks of size 524288. 33649 blocks available
smb: \User\Brandon\test\> get foo
NT_STATUS_ACCESS_DENIED opening remote file \User\Brandon\test\foo
smb: \User\Brandon\test\> stat foo
File: \User\Brandon\test\foo
Size: 5                 Blocks: 8       regular file
Inode: 17100    Links: 1
Access: (0600/-rw-------)       Uid: 5000       Gid: 5000
Access: 2006-07-03 16:11:02 -0400
Modify: 2006-07-03 16:07:16 -0400
Change: 2006-07-05 09:58:33 -0400
smb: \User\Brandon\test\> get bar
getting file \User\Brandon\test\bar of size 10 as bar (9.8 kb/s) (average 1.8 kb/s)
smb: \User\Brandon\test\> stat bar
File: \User\Brandon\test\bar
Size: 10                Blocks: 8       regular file
Inode: 17101    Links: 1
Access: (0764/-rwxrw-r--)       Uid: 5000       Gid: 5000
Access: 2006-07-05 16:52:02 -0400
Modify: 2006-07-03 16:09:54 -0400
Change: 2006-07-05 09:58:33 -0400
smb: \User\Brandon\test\> put baz
putting file baz as \User\Brandon\test\baz (3.9 kb/s) (average 0.6 kb/s)
smb: \User\Brandon\test\> get baz
getting file \User\Brandon\test\baz of size 4 as baz (3.9 kb/s) (average 1.9 kb/s)
smb: \User\Brandon\test\> stat baz
File: \User\Brandon\test\baz
Size: 4                 Blocks: 8       regular file
Inode: 17099    Links: 1
Access: (0764/-rwxrw-r--)       Uid: 5000       Gid: 5000
Access: 2006-07-05 16:52:15 -0400
Modify: 2006-07-05 16:52:07 -0400
Change: 2006-07-05 16:52:07 -0400
smb: \User\Brandon\test\> chmod 0600 baz
Pushing string of 'unlimited' length into non-SMB buffer!
smb: \User\Brandon\test\> stat baz
File: \User\Brandon\test\baz
Size: 4                 Blocks: 8       regular file
Inode: 17099    Links: 1
Access: (0600/-rw-------)       Uid: 5000       Gid: 5000
Access: 2006-07-05 16:52:15 -0400
Modify: 2006-07-05 16:52:07 -0400
Change: 2006-07-05 16:52:31 -0400
smb: \User\Brandon\test\> get baz
NT_STATUS_ACCESS_DENIED opening remote file \User\Brandon\test\baz
smb: \User\Brandon\test\>

Thanks again,
-- 
Brandon Dimcheff
IT Consultant
West Pole, Inc. - http://www.westpole.com
201 Nickels Arcade, Ann Arbor, MI 48104 - 734.995.6390 x21


On Jul 5, 2006, at 13:39, Brandon Dimcheff wrote:

> ... Or my smb.conf is pasted here, since attachments are removed  
> automatically ...
>
> [global]
> 	log level = 3
> 	workgroup = WESTPOLE_BETA
> 	server string = Unity
> 	map to guest = Bad User
> 	smb passwd file = /etc/samba/private/smbpasswd
> 	passdb backend = ldapsam:ldap://unity.westpole.com/
> 	log file = /var/log/samba3/log.%m
> 	max log size = 5000
> 	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> 	printcap name = cups
> 	dns proxy = No
> 	add user script = /usr/sbin/smbldap-useradd -m "%u"
> 	ldap delete dn = Yes
> 	#delete user script = /usr/sbin/smbldap-userdel "%u"
> 	add machine script = /usr/sbin/smbldap-useradd -w "%u"
> 	add group script = /usr/sbin/smbldap-groupadd -p "%g"
> 	#delete group script = /usr/sbin/smbldap-groupdel "%g"
> 	add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> 	delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
> 	set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
> 	ldap admin dn = cn=Manager,dc=westpole,dc=com
> 	ldap delete dn = Yes
> 	ldap group suffix = ou=Group
> 	ldap idmap suffix = ou=People
> 	ldap machine suffix = ou=Computers
> 	ldap passwd sync = Yes
> 	ldap suffix = dc=westpole,dc=com
> 	ldap ssl = start tls
> 	ldap user suffix = ou=People
> 	printer admin = @adm
> 	create mask = 0774
> 	directory mask = 0775
> 	domain logons = yes
> 	preferred master = yes
> 	domain master = yes
> 	os level = 65
> 	hide dot files = yes
> 	load printers = yes
> 	printing = cups
> 	printcap name = cups
> 	security = user
> 	guest ok = no
> 	use client driver = no
> 	# For Samba 3.x. This enables ClamAV on access scanning.
> 	vfs object = vscan-clamav
> 	vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
> 	wins support = yes
> 	name resolve order = wins lmhosts host bcast
> 	dns proxy = no
> 					
>
> [homes]
> 	comment = Home Directories
> 	read only = No
> 	browseable = No
>
> [printers]
> 	comment = All Printers
> 	path = /var/spool/samba
> 	create mask = 0700
> 	guest ok = Yes
> 	printable = Yes
> 	browseable = No
> 	writeable = No
>
> [brother_hl_2700cn]
> 	comment = Brother HL2700cn Network Printer
> 	printable = yes
> 	path = /var/spool/samba
> 	public = yes
> 	guest ok = yes
> 	printer admin = root
>
> [hp_laserjet_4000]
> 	comment = HP LaserJet 4000 Network Printer
> 	printable = yes
> 	path = /var/spool/samba
> 	public = yes
> 	guest ok = yes
> 	printer admin = root
> # Now we setup our print drivers information!
> [print$]
> 	comment = Printer Drivers
> 	path = /etc/samba/printer
> 	guest ok = yes
> 	browseable = yes
> 	read only = yes
> 	# Modify this to "username,root" if you don't want root to
> 	# be the only printer admin)
> 	write list = @adm,root
>
> [fileserver]
> 	comment = West Pole File Server
> 	path = /mnt/fileserver
> 	read only = No
> 	hide dot files = yes
>
> [backups]
> 	comment = West Pole File Server Daily Backups
> 	path = /mnt/dailies
> 	read only = Yes
> 	hide dot files = yes
>
> [netlogon]
> 	path = /var/lib/samba/netlogon
> 	guest ok = no
> 	read only = yes
> 	browseable = no
>
>
> [profiles]
> 	path = /var/lib/samba/profiles
> 	browseable = no
> 	writeable = yes
> 	default case = lower
> 	preserve case = no
> 	short preserve case = no
> 	case sensitive = no
> 	hide files = /desktop.ini/ntuser.ini/NTUSER.*/
> 	write list = @smbusers @root @westpole
> 	create mask = 0600
> 	directory mask = 0700
> 	profile acls = no
>
>
> Thanks,
> -- 
> Brandon Dimcheff
> IT Consultant
> West Pole, Inc. - http://www.westpole.com
> 201 Nickels Arcade, Ann Arbor, MI 48104 - 734.995.6390 x21
>
>
> On Jul 5, 2006, at 10:11, Brandon Dimcheff wrote:
>
>> Hello,
>>
>> I'm having trouble with permissions on Samba 3.0.21.  It almost  
>> seems that the "all" bits are the only ones that Samba is  
>> obeying.  For instance, I created this file remotely over a samba  
>> share:
>>
>> brandon.dimcheff at unity ~/untitled folder $ ls -als
>> total 17
>> 0 drwx--S---   3 brandon.dimcheff westpole  160 Jul  3 15:51 .
>> 1 drwx------  12 brandon.dimcheff westpole  816 Jul  3 15:51 ..
>> 4 -rw-rw----   1 brandon.dimcheff westpole    4 Apr 12 17:41 test2
>>
>> But when I try to access it, I get a permissions denied error and  
>> the logs produce the following.  If I set the permissions of the  
>> file to 666, I can use the file just fine:
>>
>> [2006/07/03 15:51:45, 3] smbd/process.c:process_smb(1194)
>>   Transaction 321 of length 134
>> [2006/07/03 15:51:45, 3] smbd/process.c:switch_message(993)
>>   switch message SMBntcreateX (pid 22541) conn 0x803b73f8
>> [2006/07/03 15:51:45, 3] smbd/dosmode.c:unix_mode(121)
>>   unix_mode(untitled folder/test2) returning 0764
>> [2006/07/03 15:51:45, 3] smbd/open.c:open_file(276)
>>   Error opening file untitled folder/test2 (Permission denied) (local_flags=0) (flags=0)
>> [2006/07/03 15:51:45, 3] smbd/error.c:unix_error_packet(90)
>>   unix_error_packet: error string = Permission denied
>> [2006/07/03 15:51:45, 3] smbd/error.c:error_packet(146)
>>   error packet at smbd/trans2.c(2632) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED
>>
>> I'm running Samba with an LDAP backend and have ACL support  
>> compiled in, and the filesystem has ACLs enabled.  Samba is  
>> serving as the PDC.
>>
>> I appreciate any suggestions.  My smb.conf is attached.
>> -- 
>> Brandon Dimcheff
>> IT Consultant
>> West Pole, Inc. - http://www.westpole.com
>> 201 Nickels Arcade, Ann Arbor, MI 48104 - 734.995.6390 x21
>>
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/listinfo/samba
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
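
An added example (not part of the original post or of Samba's code) that applies the POSIX rule of checking exactly one permission class to the results reported in this thread, and works out which class is consistent with all of them. It assumes plain mode bits only: no ACL entries are modelled, the caller is not root, and the function names are illustrative.

```python
import stat

# Results reported in the thread: (file, mode, did opening for read succeed?)
OBSERVATIONS = [
    ("foo",         0o600, False),
    ("bar",         0o764, True),
    ("baz",         0o764, True),
    ("baz (chmod)", 0o600, False),
    ("test2",       0o660, False),
    ("test2 (666)", 0o666, True),
]

READ_BIT = {"owner": stat.S_IRUSR, "group": stat.S_IRGRP, "other": stat.S_IROTH}


def applicable_class(file_uid, file_gid, euid, gids):
    """POSIX selects one class only; the first match wins, with no fall-through."""
    if euid == file_uid:
        return "owner"
    if file_gid in gids:
        return "group"
    return "other"


def read_allowed(mode, cls):
    """True if the read bit of the selected class is set (ACLs and root ignored)."""
    return bool(mode & READ_BIT[cls])


def consistent_classes(observations):
    """Classes whose predicted outcome matches every observed outcome."""
    return {
        cls for cls in READ_BIT
        if all(read_allowed(mode, cls) == ok for _, mode, ok in observations)
    }


def explain(observations):
    """Per-file table of observed result against each class's prediction."""
    return [(name, oct(mode), ok, {c: read_allowed(mode, c) for c in READ_BIT})
            for name, mode, ok in observations]


if __name__ == "__main__":
    for name, mode, ok, predicted in explain(OBSERVATIONS):
        print(f"{name:12} {mode:>6} observed={ok!s:5} predicted={predicted}")
    print("consistent with:", sorted(consistent_classes(OBSERVATIONS)))
```

Under these assumptions only the `other` class fits every result, so the thing to compare next is the effective UID and group list of the process that performed the open against the file's Uid 5000 and Gid 5000.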


