[Samba] samba3.0.25b group permissions problem via AD+Winbind

Bryan Collins bcollins at nla.gov.au
Thu Aug 16 01:39:49 GMT 2007


Hi Samba people,

I'm having a strange problem with Samba 3.0.25b running on Solaris 9
with native ADS and Winbind.

A domain user (no /etc/passwd entry), jlunch, can write to directories
via the unix shell that has group permissions he is part of without
any issues.
However, doing the same via a samba share (share1) in the same folder
(folder1), returns permission denied.

It almost appears as if the samba process is dropping the secondary
group memberships when the process switches to that user.
The group permission on the share allows access to map the share, but
the underlying filesystem is preventing write access, even though the
permissions allow it.
The user can write to folders via samba if they own the folder, or if
the group permission is "domain users" (primary group), or the user
is set to have write access via Solaris ACLs, which is set via the
Security tab under folder properties.

The group 107657(bss) is an AD group.

cut&paste of various tasks included below.

On another note, ps seems to display a padded out UID instead of the
resolved username from winbind.

Can anyone help out with this permission problem?
It's currently preventing me from shifting over to using ADS+Winbind from
the old method of requiring unix accounts for every AD user.

I can provide more logs off-list if it will help diagnose.

Thanks
Bry

-------------

nsswitch.conf
passwd:     files winbind
group:      files winbind



#ps -ef | grep smb
    root  7968  7964  0 11:15:37 ?        0:00 /opt/samba/sbin/smbd -D
    root  7964     1  0 11:15:37 ?        0:00 /opt/samba/sbin/smbd -D
    root  8060 25653  0 11:18:53 pts/1    0:00 grep smb
 0105216  7972  7964  2 11:15:48 ?        0:05 /opt/samba/sbin/smbd -D



#ls -ld /www/devel/test/folder1
drwxrwsr-x   5 root     bss          512 Aug 14 16:25 /www/devel/test/folder1

#getent passwd jlunch
jlunch:*:105216:100513:Joe Lunchbucket:/export/home/DOMAIN/jlunch:/bin/bash


#getent group bss
bss:x:107657:jlunch


su - jlunch
bash-2.05$ cd /www/devel/test/folder1
bash-2.05$ touch testfile
bash-2.05$ ls -l testfile
-rw-r--r--   1 jlunch   bss            0 Aug 16 11:05 testfile
bash-2.05$ id -a
uid=105216(jlunch) gid=100513(domain users) groups=100513(domain users),1008(div3),108521(d4),108536(d3),107657(bss) [chopped]



smb.conf:

[global]
        workgroup = DOMAIN
        password server = mydc.xxx.xxx.xx
        security = ADS
        realm = DOMAIN.xxx.xxx.xx
        allow trusted domains = No
        encrypt passwords = Yes
        idmap domains = DOMAIN
        idmap config DOMAIN:default = yes
        idmap config DOMAIN:backend = rid
        idmap config DOMAIN:base_rid = 0
        idmap config DOMAIN:range = 100000-999999
        debug level = 10
        template homedir = /export/home/%D/%U
        template shell = /bin/bash
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind nested groups = Yes
        winbind use default domain = Yes



[share1]
        comment =  test share
        path = /www/devel
        read only = No
        valid users = @DOMAIN\bss, +itstaff



[2007/08/16 11:15:49, 1] smbd/service.c:make_connection_snum(1033)
  xxx.x.xxx.xx (xxx.x.xxx.xx) connect to service www-devel initially as user DOMAIN\jlunch (uid=105216, gid=100513) (pid 7972)
....
[2007/08/16 11:15:49, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 105216
  Primary group is 100513 and contains 26 supplementary groups
  Group[  0]: 108521
  Group[  1]: 108536
  Group[  2]: 107657
 .....
[2007/08/16 11:15:57, 4] smbd/open.c:open_file_ntcreate(1605)
  calling open_file with flags=0x2 flags2=0x500 mode=0664, access_mask = 0x2019f, open_access_mask = 0x2019f
[2007/08/16 11:15:57, 10] smbd/open.c:fd_open(67)
  fd_open: name test/folder1/New Text Document (2).txt, flags = 02402 mode = 0664, fd = -1. Permission denied
[2007/08/16 11:15:57, 3] smbd/open.c:open_file(301)
  Error opening file test/folder1/New Text Document (2).txt (NT_STATUS_ACCESS_DENIED) (local_flags=1282) (flags=1282)
[2007/08/16 11:15:57, 5] smbd/files.c:file_free(454)
  freed files structure 6714 (2 used)
[2007/08/16 11:15:57, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/nttrans.c(817) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED
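
-------------

A check that can be run over the level 5 log above, as an added example that is not part of the original post and not Samba code: it parses the UNIX token smbd logged, confirms whether the folder's group (107657) is in it, and compares the declared group count with a per-process supplementary-group limit. The function names and the limit of 16 are assumptions for illustration; read the real limit on the server with `getconf NGROUPS_MAX`.

```python
import re

# Log excerpt copied from the post; the poster elided groups 3..25 with "....."
SAMPLE_LOG = """\
[2007/08/16 11:15:49, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 105216
  Primary group is 100513 and contains 26 supplementary groups
  Group[  0]: 108521
  Group[  1]: 108536
  Group[  2]: 107657
 .....
[2007/08/16 11:15:57, 4] smbd/open.c:open_file_ntcreate(1605)
"""

HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d,\s*\d+\]")
USER = re.compile(r"UNIX token of user (\d+)")
PRIMARY = re.compile(r"Primary group is (\d+) and contains (\d+) supplementary groups")
GROUP = re.compile(r"Group\[\s*(\d+)\]:\s*(\d+)")

def parse_unix_tokens(log_text):
    """Return one dict per debug_unix_user_token record found in log_text."""
    tokens, current = [], None
    for line in log_text.splitlines():
        if HEADER.match(line):
            current = None  # a new log record ends any token being read
            if "debug_unix_user_token" in line:
                current = {"uid": None, "gid": None, "declared": 0, "groups": []}
                tokens.append(current)
            continue
        if current is None:
            continue
        if m := USER.search(line):
            current["uid"] = int(m.group(1))
        elif m := PRIMARY.search(line):
            current["gid"], current["declared"] = int(m.group(1)), int(m.group(2))
        elif m := GROUP.search(line):
            current["groups"].append(int(m.group(2)))
    return tokens

def check_token(token, wanted_gid, ngroups_max):
    """Compare a parsed token with the folder's group and an OS group limit."""
    return {
        "gid_in_token": wanted_gid == token["gid"] or wanted_gid in token["groups"],
        "log_truncated": len(token["groups"]) < token["declared"],
        "over_limit": token["declared"] > ngroups_max,
    }

if __name__ == "__main__":
    # ngroups_max=16 is an assumed value, not taken from the post
    print(check_token(parse_unix_tokens(SAMPLE_LOG)[0], wanted_gid=107657, ngroups_max=16))
```

`gid_in_token` shows what smbd computed for the user, while `over_limit` shows whether that many groups fit within the limit supplied, since a setgroups() call with more entries than NGROUPS_MAX is rejected by the OS.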

