[Samba] Re: smbusers and root privs
reader at newsguy.com
Tue Sep 12 16:31:30 GMT 2006
Felipe Augusto van de Wiel <felipe at paranacidade.org.br> writes:
>> Harry is a member of the Administrators group and user accounts on the
>> windows xp pro machine. I see nothing called
>> `Domain Administrators' in the windows dialog for users and groups.
>
> Domain Administrators is a group on networks that has a
> domain properly configured.
>
>
>> Harry has no account on the linux machine. Hence the need to map to a
>> unix user account.
>
> "admin users" and "root" (usermap) parameters have a
> special combination according to your security parameter;
> the different situations are documented in the smb.conf.
The only mentions of `root' in my smb.conf.example are in regards to
setting up some kind of ldap situation or in regards to printing.
Neither is what I'm attempting to do.
What do you mean by `your security parameter' above?
>> It is not at all clear what I would need to do with `net groupmap'.
>
> 'net groupmap' is the recommended way to have Domain
> Administrators working on a Domain Network, but looks like it
> is not your case.
>
>
>> Can you be a bit more specific?
>
> It is not clear why you want a root/Admin user in
> a network that looks like it has share as security parameter.
> Anyway, we probably need your smb.conf and a relevant part of
> the log with loglevel/debuglevel increased.
What do you mean by `have share as security parameter' here?
As posted in OP, security is not much of a factor here since I am the
only user of either windows or unix machines on the network. It is a
home network where I am the sole user and environmental security
factors are nearly non-existent.
I want my windows user to have root access to anything on the linux
machine. The whole machine is shared thru samba, starting at `/'.
The whole of the windows machines are shared on the hard drive level.
My linux user has complete access to the windows machines. I want my
windows user to have complete access to linux machines.
=================
Partial smb.conf:
[global]
workgroup = HOME
server string = ""
printcap name = cups
load printers = yes
printing = cups
printer admin = @adm
log file = /var/log/samba/log.%m
max log size = 50
log level = 7
map to guest = bad user
security = user
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = yes
writable = no
printable = yes
create mode = 0700
print command = lpr-cups -P %p -o raw %s -r # using client side printer drivers.
[print$]
path = /var/lib/samba/printers
browseable = yes
read only = yes
write list = @adm root
guest ok = yes
[smWinBk]
comment = ""
valid users = reader Harry
path = /anex2/win_bk/
writeable = yes
guest ok = yes
[smUsrLocal]
comment = ""
valid users = reader Harry
path = /usr/local
writeable = yes
guest ok = yes
[smRootHome]
comment = ""
valid users = reader Harry
path = /root
writeable = yes
guest ok = yes
[smRoot]
comment = ""
valid users = reader Harry
path = /
writeable = yes
guest ok = yes
[smReader]
comment = ""
valid users = reader Harry
path = /home/reader
writeable = yes
guest ok = yes
[smPub]
comment = ""
valid users = reader harry
path = /pub
writeable = yes
guest ok = yes
==============================
smbusers:
root = administrator admin harry Harry reader
nobody = guest pcguest smbguest
reader = harry Harry
=============================
log extract:
I hope this is the relevant part. I cranked log level up to 7 and it's
hard to tell what might be useful. I've posted a small snippet below
but have put the entire output of one failure at:
http://www.jtan.com/~reader/smb.log
To try to give you a head start, what I did was try to access
/root on the linux box from a windows machine, logged in there as
user harry.
I started by rm -f /var/log/samba/log.chub. Then made my attempt from
chub (a windows machine). The log produced by that one attempt is
what is posted online at the above address.
A partial extract is posted here:
==================================
[...]
[2006/09/12 11:11:39, 3] smbd/process.c:switch_message(914)
switch message SMBtrans2 (pid 3652) conn 0x803f2198
[2006/09/12 11:11:39, 4] smbd/uid.c:change_to_user(176)
change_to_user: Skipping user change - already user
[2006/09/12 11:11:39, 3] smbd/trans2.c:call_trans2findfirst(1662)
call_trans2findfirst: dirtype = 16, maxentries = 1366, close_after_first=0, close_if_end = 2 requires_resume_key = 4 level = 0x104, max_data_bytes = 16384
[2006/09/12 11:11:39, 10] smbd/msdfs.c:parse_processed_dfs_path(91)
temp in parse_processed_dfs_path: .Reader/smRoot/root/*. after trimming \'s
[2006/09/12 11:11:39, 10] smbd/msdfs.c:parse_processed_dfs_path(101)
parse_processed_dfs_path: hostname: Reader
[2006/09/12 11:11:39, 10] smbd/msdfs.c:parse_processed_dfs_path(113)
parse_processed_dfs_path: servicename: smRoot
[2006/09/12 11:11:39, 10] smbd/msdfs.c:parse_processed_dfs_path(123)
parse_processed_dfs_path: rest of the path: root/*
[2006/09/12 11:11:39, 10] smbd/msdfs.c:resolve_dfs_path(337)
resolve_dfs_path: Conn path = / req_path = root/*
[2006/09/12 11:11:39, 5] smbd/filename.c:unix_convert(108)
unix_convert called on file "root/*"
[2006/09/12 11:11:39, 10] smbd/statcache.c:stat_cache_lookup(215)
stat_cache_lookup: lookup failed for name [ROOT/*]
[2006/09/12 11:11:39, 10] smbd/statcache.c:stat_cache_lookup(248)
stat_cache_lookup: lookup succeeded for name [ROOT] -> [root]
[2006/09/12 11:11:39, 5] smbd/filename.c:unix_convert(185)
unix_convert begin: name = root/*, dirpath = root, start = *
[2006/09/12 11:11:39, 10] smbd/mangle_hash2.c:is_mangled(276)
is_mangled * ?
[2006/09/12 11:11:39, 10] smbd/mangle_hash2.c:is_mangled_component(215)
is_mangled_component * (len 1) ?
[2006/09/12 11:11:39, 10] smbd/mangle_hash2.c:is_mangled(276)
is_mangled * ?
[2006/09/12 11:11:39, 10] smbd/mangle_hash2.c:is_mangled_component(215)
is_mangled_component * (len 1) ?
[2006/09/12 11:11:39, 5] smbd/filename.c:unix_convert(335)
New file *
[2006/09/12 11:11:39, 5] smbd/msdfs.c:is_msdfs_link(269)
is_msdfs_link: root/* does not exist.
[2006/09/12 11:11:39, 3] smbd/msdfs.c:dfs_redirect(435)
dfs_redirect: Not redirecting Reader/smRoot/root/*.
[2006/09/12 11:11:39, 3] smbd/msdfs.c:dfs_redirect(439)
dfs_redirect: Path converted to non-dfs path root/*
[2006/09/12 11:11:39, 5] smbd/filename.c:unix_convert(108)
unix_convert called on file "root/*"
[2006/09/12 11:11:39, 10] smbd/statcache.c:stat_cache_lookup(215)
stat_cache_lookup: lookup failed for name [ROOT/*]
[2006/09/12 11:11:39, 10] smbd/statcache.c:stat_cache_lookup(248)
stat_cache_lookup: lookup succeeded for name [ROOT] -> [root]
[2006/09/12 11:11:39, 5] smbd/filename.c:unix_convert(185)
unix_convert begin: name = root/*, dirpath = root, start = *
[2006/09/12 11:11:39, 10] smbd/mangle_hash2.c:is_mangled(276)
is_mangled * ?
[2006/09/12 11:11:39, 10] smbd/mangle_hash2.c:is_mangled_component(215)
is_mangled_component * (len 1) ?
[2006/09/12 11:11:39, 10] smbd/mangle_hash2.c:is_mangled(276)
is_mangled * ?
[2006/09/12 11:11:39, 10] smbd/mangle_hash2.c:is_mangled_component(215)
is_mangled_component * (len 1) ?
[2006/09/12 11:11:39, 5] smbd/filename.c:unix_convert(335)
New file *
[2006/09/12 11:11:39, 5] smbd/trans2.c:call_trans2findfirst(1719)
dir=root, mask = *
[2006/09/12 11:11:39, 5] smbd/dir.c:dptr_create(391)
dptr_create dir=root
[2006/09/12 11:11:39, 5] smbd/dir.c:OpenDir(1045)
OpenDir: Can't open root. Permission denied
[2006/09/12 11:11:39, 3] smbd/error.c:unix_error_packet(90)
unix_error_packet: error string = Permission denied
[2006/09/12 11:11:39, 3] smbd/error.c:error_packet(146)
error packet at smbd/trans2.c(1772) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED
[2006/09/12 11:11:39, 5] lib/util.c:show_msg(478)
[2006/09/12 11:11:39, 5] lib/util.c:show_msg(488)
[...]
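As an added example (my own code, not Samba's and not the poster's), the following Python script parses an smb.conf fragment and a username map file in the smbusers format and reports the points this thread turns on: which shares export a sensitive directory writably, where "guest ok" combines with "map to guest", and which client names the map sends to root or lists under more than one Unix account. The two input strings are constructed to mirror the configuration posted above; the list of directories treated as sensitive and the finding texts are this example's own choices, not Samba rules.

```python
import configparser

# Constructed inputs mirroring the smb.conf fragment and smbusers file posted
# in the thread (trimmed; not copied from any live system).
SMB_CONF = """
[global]
workgroup = HOME
log file = /var/log/samba/log.%m
log level = 7
map to guest = bad user
security = user
[homes]
comment = Home Directories
browseable = no
writable = yes
[smRoot]
valid users = reader Harry
path = /
writeable = yes
guest ok = yes
[smRootHome]
valid users = reader Harry
path = /root
writeable = yes
guest ok = yes
[smPub]
valid users = reader harry
path = /pub
writeable = yes
guest ok = yes
"""

SMBUSERS = """
root = administrator admin harry Harry reader
nobody = guest pcguest smbguest
reader = harry Harry
"""

# Directories this example treats as sensitive when exported writably.
# This list is an assumption of the example, not a Samba setting.
SENSITIVE_DIRS = ("/root", "/etc", "/usr/local")


def to_bool(value):
    """Samba boolean syntax: yes/true/1 are true, anything else false."""
    return value.strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text):
    """smb.conf is INI-like; '%m'-style substitutions must not be interpolated
    and '#' / ';' start inline comments."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=("#", ";"))
    cp.read_string(text)
    return cp


def parse_username_map(text):
    """Return {client_name: [unix_names in file order]} from a username map.
    Each line reads 'unixname = client1 client2 ...'; '#'/';' lines are
    comments; a leading '!' (stop after match) is stripped and ignored here."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("!"):
            line = line[1:].strip()
        if "=" not in line:
            continue
        unix_name, clients = line.split("=", 1)
        for client in clients.split():
            mapping.setdefault(client.strip('"'), []).append(unix_name.strip())
    return mapping


def share_is_writable(section):
    """'read only' wins if present; otherwise the writable synonyms; Samba's
    default is read only = yes."""
    if "read only" in section:
        return not to_bool(section["read only"])
    return any(to_bool(section[k]) for k in ("writable", "writeable", "write ok")
               if k in section)


def is_sensitive_path(path):
    path = path.rstrip("/") or "/"
    if path == "/":
        return True
    return any(path == d or path.startswith(d + "/") for d in SENSITIVE_DIRS)


def audit(conf, umap):
    findings = []
    glob = conf["global"] if conf.has_section("global") else {}
    map_to_guest = glob.get("map to guest", "never").strip().lower()
    for share in conf.sections():
        if share == "global":
            continue
        sec = conf[share]
        path = sec.get("path", "")
        writable = share_is_writable(sec)
        if writable and path and is_sensitive_path(path):
            findings.append(f"[{share}] writable share exports {path}")
        if writable and to_bool(sec.get("guest ok", "no")):
            note = f"[{share}] guest ok on a writable share"
            if map_to_guest != "never":
                note += f" (map to guest = {map_to_guest})"
            findings.append(note)
    for client, unix_names in umap.items():
        if "root" in unix_names:
            findings.append(f"username map: client '{client}' maps to root")
        if len(unix_names) > 1:
            findings.append(f"username map: client '{client}' listed under "
                            f"{', '.join(unix_names)}; line order decides")
    return findings


def run_audit():
    return audit(parse_smb_conf(SMB_CONF), parse_username_map(SMBUSERS))


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

Run against the constructed input it lists smRoot and smRootHome as writable exports of `/` and `/root`, every writable share with `guest ok = yes` together with the global `map to guest = bad user`, and the client names `harry`, `Harry`, `administrator`, `admin` and `reader` as mapped to root, with `harry` and `Harry` also flagged because the map lists them under both `root` and `reader`. Pointing `parse_smb_conf` and `parse_username_map` at real files instead of the embedded strings turns it into a quick pre-deployment check.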