[Samba] Re: smbusers and root privs

reader at newsguy.com reader at newsguy.com
Tue Sep 12 16:31:30 GMT 2006


Felipe Augusto van de Wiel <felipe at paranacidade.org.br> writes:

>> Harry is a member of the Administrators group and user accounts on the
>> windows xp pro machine.  I see nothing called 
>> `Domain Administrators' in the windows dialog for users and groups.
>
> 	Domain Administrators is a group on networks that have a
> domain properly configured.
>
>
>> Harry has no account on the linux machine.  Hence the need to map to a
>> unix user account.  
>
> 	"admin users" and "root" (usermap) parameters have a
> special combination according to your security parameter;
> the different situations are documented in smb.conf.

The only mentions of `root' in my smb.conf.example are in regard to
setting up some kind of LDAP situation or in regard to printing.
Neither is what I'm attempting to do.

What do you mean by `your security parameter' above?

>> It is not at all clear what I would need to do  with `net groupmap'.
>
> 	'net groupmap' is the recommended way to have Domain
> Administrators working on a Domain Network, but looks like it
> is not your case.
>
>
>> Can you be a bit more specific?
>
> 	It is not clear why you want a root/Admin user in
> a network that looks like it has share as its security parameter.
> Anyway, we probably need your smb.conf and a relevant part of
> the log with loglevel/debuglevel increased.

What do you mean by `has share as its security parameter' here?

As posted in the OP, security is not much of a factor here since I am the
only user of either the Windows or the Unix machines on the network.  It is a
home network where I am the sole user and environmental security
factors are nearly non-existent.

I want my Windows user to have root access to anything on the Linux
machine.  The whole machine is shared through Samba, starting at `/'.

The whole of the Windows machines is shared at the hard-drive level.

My Linux user has complete access to the Windows machines.  I want my
Windows user to have complete access to the Linux machines.

=================
Partial smb.conf:

[global]
   workgroup = HOME
   server string = ""
   printcap name = cups
   load printers = yes
   printing = cups
   printer admin = @adm
   log file = /var/log/samba/log.%m
   max log size = 50
   log level = 7
   map to guest = bad user
   security = user
   encrypt passwords = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   dns proxy = no
[homes]
   comment = Home Directories
   browseable = no
   writable = yes
[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
   guest ok = yes
   writable = no
   printable = yes
   create mode = 0700
   print command = lpr-cups -P %p -o raw %s -r   # using client side printer drivers.
[print$]
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   write list = @adm root
   guest ok = yes

[smWinBk]
   comment = ""
   valid users = reader Harry
   path = /anex2/win_bk/
   writeable = yes
   guest ok = yes

[smUsrLocal]
   comment = ""
   valid users = reader Harry
   path = /usr/local
   writeable = yes
   guest ok = yes

[smRootHome]
   comment = ""
   valid users = reader Harry
   path = /root
   writeable = yes
   guest ok = yes

[smRoot]
   comment = ""
   valid users = reader Harry
   path = /
   writeable = yes
   guest ok = yes

[smReader]
   comment = ""
   valid users = reader Harry
   path = /home/reader
   writeable = yes
   guest ok = yes

[smPub]
   comment = ""
   valid users = reader harry
   path = /pub
   writeable = yes
   guest ok = yes

==============================
smbusers:

root = administrator admin harry Harry reader
nobody = guest pcguest smbguest
reader = harry Harry

=============================
log extract:

I hope this is the relevant part.  I cranked the log level up to 7 and it's
hard to tell what might be useful.  I've posted a small snippet below
but have put the entire output of one failure at:
   http://www.jtan.com/~reader/smb.log

To try to give you a head start, what I did was try to access
/root on the Linux box from a Windows machine, logged in there as
user harry.

I started by rm -f /var/log/samba/log.chub.  Then I made my attempt from
chub (a Windows machine).  The log produced by that one attempt is
what is posted online at the above address.

A partial extract is posted here:
==================================
[...]
[2006/09/12 11:11:39, 3] smbd/process.c:switch_message(914)
  switch message SMBtrans2 (pid 3652) conn 0x803f2198
[2006/09/12 11:11:39, 4] smbd/uid.c:change_to_user(176)
  change_to_user: Skipping user change - already user
[2006/09/12 11:11:39, 3] smbd/trans2.c:call_trans2findfirst(1662)
  call_trans2findfirst: dirtype = 16, maxentries = 1366, close_after_first=0, close_if_end = 2 requires_resume_key = 4 level = 0x104, max_data_bytes = 16384
[2006/09/12 11:11:39, 10] smbd/msdfs.c:parse_processed_dfs_path(91)
  temp in parse_processed_dfs_path: .Reader/smRoot/root/*. after trimming \'s
[2006/09/12 11:11:39, 10] smbd/msdfs.c:parse_processed_dfs_path(101)
  parse_processed_dfs_path: hostname: Reader
[2006/09/12 11:11:39, 10] smbd/msdfs.c:parse_processed_dfs_path(113)
  parse_processed_dfs_path: servicename: smRoot
[2006/09/12 11:11:39, 10] smbd/msdfs.c:parse_processed_dfs_path(123)
  parse_processed_dfs_path: rest of the path: root/*
[2006/09/12 11:11:39, 10] smbd/msdfs.c:resolve_dfs_path(337)
  resolve_dfs_path: Conn path = / req_path = root/*
[2006/09/12 11:11:39, 5] smbd/filename.c:unix_convert(108)
  unix_convert called on file "root/*"
[2006/09/12 11:11:39, 10] smbd/statcache.c:stat_cache_lookup(215)
  stat_cache_lookup: lookup failed for name [ROOT/*]
[2006/09/12 11:11:39, 10] smbd/statcache.c:stat_cache_lookup(248)
  stat_cache_lookup: lookup succeeded for name [ROOT] -> [root]
[2006/09/12 11:11:39, 5] smbd/filename.c:unix_convert(185)
  unix_convert begin: name = root/*, dirpath = root, start = *
[2006/09/12 11:11:39, 10] smbd/mangle_hash2.c:is_mangled(276)
  is_mangled * ?
[2006/09/12 11:11:39, 10] smbd/mangle_hash2.c:is_mangled_component(215)
  is_mangled_component * (len 1) ?
[2006/09/12 11:11:39, 10] smbd/mangle_hash2.c:is_mangled(276)
  is_mangled * ?
[2006/09/12 11:11:39, 10] smbd/mangle_hash2.c:is_mangled_component(215)
  is_mangled_component * (len 1) ?
[2006/09/12 11:11:39, 5] smbd/filename.c:unix_convert(335)
  New file *
[2006/09/12 11:11:39, 5] smbd/msdfs.c:is_msdfs_link(269)
  is_msdfs_link: root/* does not exist.
[2006/09/12 11:11:39, 3] smbd/msdfs.c:dfs_redirect(435)
  dfs_redirect: Not redirecting Reader/smRoot/root/*.
[2006/09/12 11:11:39, 3] smbd/msdfs.c:dfs_redirect(439)
  dfs_redirect: Path converted to non-dfs path root/*
[2006/09/12 11:11:39, 5] smbd/filename.c:unix_convert(108)
  unix_convert called on file "root/*"
[2006/09/12 11:11:39, 10] smbd/statcache.c:stat_cache_lookup(215)
  stat_cache_lookup: lookup failed for name [ROOT/*]
[2006/09/12 11:11:39, 10] smbd/statcache.c:stat_cache_lookup(248)
  stat_cache_lookup: lookup succeeded for name [ROOT] -> [root]
[2006/09/12 11:11:39, 5] smbd/filename.c:unix_convert(185)
  unix_convert begin: name = root/*, dirpath = root, start = *
[2006/09/12 11:11:39, 10] smbd/mangle_hash2.c:is_mangled(276)
  is_mangled * ?
[2006/09/12 11:11:39, 10] smbd/mangle_hash2.c:is_mangled_component(215)
  is_mangled_component * (len 1) ?
[2006/09/12 11:11:39, 10] smbd/mangle_hash2.c:is_mangled(276)
  is_mangled * ?
[2006/09/12 11:11:39, 10] smbd/mangle_hash2.c:is_mangled_component(215)
  is_mangled_component * (len 1) ?
[2006/09/12 11:11:39, 5] smbd/filename.c:unix_convert(335)
  New file *
[2006/09/12 11:11:39, 5] smbd/trans2.c:call_trans2findfirst(1719)
  dir=root, mask = *
[2006/09/12 11:11:39, 5] smbd/dir.c:dptr_create(391)
  dptr_create dir=root
[2006/09/12 11:11:39, 5] smbd/dir.c:OpenDir(1045)
  OpenDir: Can't open root. Permission denied
[2006/09/12 11:11:39, 3] smbd/error.c:unix_error_packet(90)
  unix_error_packet: error string = Permission denied
[2006/09/12 11:11:39, 3] smbd/error.c:error_packet(146)
  error packet at smbd/trans2.c(1772) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED
[2006/09/12 11:11:39, 5] lib/util.c:show_msg(478)
[2006/09/12 11:11:39, 5] lib/util.c:show_msg(488)
[...]
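The smbusers file posted above is a Samba `username map`, which smbd walks
line by line at session setup. The following is an added example, written
for this page and not taken from the post or from Samba's source, that
emulates the documented smb.conf(5) rules for that file and applies them to
a constructed copy of the posted smbusers and to the `valid users` list from
the posted [smRoot] share: one `unixname = dosname [dosname ...]` per line,
`#` or `;` starts a comment, a `*` on the right-hand side matches anyone, a
line prefixed with `!` stops processing once it has mapped, and otherwise
every line is tried in turn against the name as already mapped by the lines
before it. It assumes that name comparisons are case-insensitive (Samba
compares usernames that way), that the `valid users` check is made against
the mapped unix name rather than the name the Windows client sent, and it
does not handle the `@group`, `&group` or `+group` forms. The CHAINED and
STOPPED strings are constructed variants, not part of the post.

```python
"""Emulate Samba's `username map` (smbusers) processing.

Added example, not code from the post or from Samba. Follows the rules in
smb.conf(5): one `unixname = dosname [dosname ...]` per line, '#' or ';'
starts a comment, '*' on the right-hand side matches any name, a line
prefixed with '!' stops processing as soon as it maps, and otherwise every
line is tried in turn against the name as mapped so far.

Assumptions: comparisons are case-insensitive, the `valid users` check is
made against the mapped unix name, and @group/&group/+group are not handled.
"""
import shlex

# Constructed copy of the smbusers file from the post above.
SMBUSERS = """\
root = administrator admin harry Harry reader
nobody = guest pcguest smbguest
reader = harry Harry
"""

# `valid users` from the [smRoot] share in the posted smb.conf.
SMROOT_VALID_USERS = ["reader", "Harry"]

# Constructed variants illustrating chained re-mapping and the '!' prefix.
CHAINED = "reader = harry Harry\nroot = harry Harry reader\n"
STOPPED = "!reader = harry Harry\nroot = harry Harry reader\n"


def parse_username_map(text):
    """Return rules as (stop_after_match, unixname, dosnames) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        lhs, _, rhs = line.partition("=")
        parts = lhs.split()
        unixname = parts[0] if parts else ""   # only the first token counts
        dosnames = shlex.split(rhs)            # keeps "Domain Admins" whole
        if unixname and dosnames:
            rules.append((stop, unixname, dosnames))
    return rules


def map_username(name, rules):
    """Map `name` the way smbd does; return (final_name, mapping_trail).

    Each line is tested against the name as it stands after the earlier
    lines, so a later line can re-map a name an earlier line produced.
    """
    user = name
    trail = [name]
    for stop, unixname, dosnames in rules:
        if any("*" in d or d.lower() == user.lower() for d in dosnames):
            user = unixname
            trail.append(user)
            if stop:
                break
    return user, trail


def allowed_by_valid_users(mapped_user, valid_users):
    """`valid users` is checked against the mapped unix name (assumption:
    plain user names only, case-insensitively)."""
    return any(mapped_user.lower() == v.lower() for v in valid_users)


def report(smbusers_text, names, valid_users):
    """Return {name: (mapped_name, trail, allowed)} for each name given."""
    rules = parse_username_map(smbusers_text)
    result = {}
    for who in names:
        mapped, trail = map_username(who, rules)
        result[who] = (mapped, trail, allowed_by_valid_users(mapped, valid_users))
    return result


if __name__ == "__main__":
    names = ["harry", "Harry", "reader", "guest", "bob"]
    for who, (mapped, trail, ok) in report(SMBUSERS, names, SMROOT_VALID_USERS).items():
        print(f"{who:8} -> {mapped:8} ({' -> '.join(trail)}); "
              f"in [smRoot] valid users: {ok}")
    for label, text in (("chained", CHAINED), ("stopped by '!'", STOPPED)):
        mapped, _ = map_username("harry", parse_username_map(text))
        print(f"{label:15}: harry -> {mapped}")
```

Run against the posted file, every one of harry, Harry and reader is
turned into root by the first line, so the third line (`reader = harry
Harry`) never fires, and the name that the [smRoot] `valid users = reader
Harry` list is compared with is root. The two constructed variants show the
difference the `!` prefix makes: without it a name already mapped to reader
is re-mapped to root by the next line. smbd records each mapping it
performs at log level 3 as `Mapped user <from> to <to>`, so that line in the
posted level-7 log is the place to confirm which unix identity the
connection from chub actually ended up with before exposing `/` over SMB.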