[Samba] Samba 3 with LDAP... can create, modify, delete files but read always causes 'access denied' errors

Jerald Volpe jeraldv at tomorrowsweb.com
Mon Aug 20 02:10:11 GMT 2007


By mistake.... err a learning mistake... I accidentally placed this 
email on samba-technical first. I now believe that this is the proper 
list for questions regarding Samba installation issues. - Jerry

Problem synopsis:
What I can NOT do is open or read any existing file: I always get
'access denied', although I can create, copy and delete files.

Info:
Platform: SuSE 10.2, Samba 3, OpenLDAP.... configured as PDC with DHCP
and Bind.
Mixed network of Windows XP Professional and Linux computers.

(I have been going at this for several weeks now.... (aurgh))

Knowns:
I am able to create users and groups in LDAP without issue. I can assign
users to groups, etc.
I can add computers to the new Samba domain.
I can see the shares.
I can create directories and files. Copy directories and files. I can
delete them too.
I can create or assign ACLs via a windows XP workstation that is logged
in as administrator (mapped to root). I can see all the Samba/LDAP users
and groups from within Windows.
I've assigned Full privileges to all assigned users/groups except
'everyone' which shows no allow or deny. I can't delete 'everyone' group.
In UNIX owner is root (770), group is users (770).
All necessary daemons are running correctly.
Samba's testparm good.
__________________________________
smbclient -L localhost -N

mruniverse:~ # smbclient -L localhost -N
Anonymous login successful
Domain=[TOMORROWSWEB] OS=[Unix] Server=[Samba 3.0.23d-19.7-1354-SUSE-SL10.2]

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        share           Disk      data share
        archives        Disk      Storage for archived data
        commons         Disk      Read Only Server
        databases       Disk      Database Server
        development     Disk      Development Server
        entertain       Disk      Entertainment Server
        files           Disk      File Server
        fonts           Disk      Font Server
        images          Disk      Image Library
        library         Disk      Document library
        ma              Disk      Market America Files
        movies          Disk      Movie Server
        music           Disk      Music Server
        photos          Disk      Photo Server
        sounds          Disk      Sound Library
        IPC$            IPC       IPC Service (Samba 3.0.23d-19.7-1354-SUSE-SL10.2)
Anonymous login successful
Domain=[TOMORROWSWEB] OS=[Unix] Server=[Samba 3.0.23d-19.7-1354-SUSE-SL10.2]

        Server               Comment
        ---------            -------
        MRUNIVERSE           Samba 3.0.23d-19.7-1354-SUSE-SL10.2

        Workgroup            Master
        ---------            -------
        TOMORROWSWEB         MRUNIVERSE
        WOLFEN               WOLFGATE
mruniverse:~ #

__________________________________________________
Here is the smb.conf file (I am currently experimenting with the archive
share... same access problem as other shares):


mruniverse:/etc/samba # cat smb.conf
# Defining domain name, hostname
###########################################
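[global]
# Only loopback and the 10.10.10.0/24 LAN may connect; everything else is
# rejected. This also bounds who can reach the guest-accessible shares below.
        hosts allow = 127.0.0.1 10.10.10.0/24
        hosts deny = 0.0.0.0/0
        workgroup = tomorrowsweb
        netbios name = mruniverse

# Specifying ldapsam backend database
##########################################
# Account data lives in OpenLDAP on the loopback interface. The bind password
# for 'ldap admin dn' is kept in secrets.tdb (set with 'smbpasswd -w').
        passdb backend = ldapsam:ldap://127.0.0.1
# Maps Windows names to Unix accounts (e.g. administrator -> root).
        username map = /etc/samba/smbusers

# Specifying printing subsystem
#########################################
        printcap name = cups
        printing = cups

# Specifying path to IDEALX scripts
#########################################
# smbd runs these as root when accounts are managed from Windows (User
# Manager, domain joins), so keep the scripts root-owned and not group-writable.
        add user script = /usr/local/sbin/smbldap-useradd -m %u
        delete user script = /usr/local/sbin/smbldap-userdel %u
        add group script = /usr/local/sbin/smbldap-groupadd -p %g
        delete group script = /usr/local/sbin/smbldap-groupdel %g
        add user to group script = /usr/local/sbin/smbldap-groupmod -m %g %u
        delete user from group script = /usr/local/sbin/smbldap-groupmod -x %g %u
        set primary group script = /usr/local/sbin/smbldap-usermod -g %g %u
# NOTE(review): -w creates the workstation account; check 'smbldap-useradd -h'
# and confirm that -i (trust account flag) is wanted alongside it.
        add machine script = /usr/local/sbin/smbldap-useradd -w -i %u

# proved on SUSE 10.0
#
# Various other directives (man smb.conf)
##########################################

        obey pam restrictions = Yes
# Path is relative to the [netlogon] share.
        logon script = scripts\logon.bat
# %L = this server's name, %U = session user; the Profiles share is defined below.
        logon path = \\%L\Profiles\%U
        logon drive = H:
        logon home = \\%L\%U
# This host is the PDC: it accepts domain logons and must win browser elections.
        domain logons = Yes
        os level = 44
        preferred master = Yes
        domain master = Yes
        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
        show add printer wizard = yes

# Allow user privileges
# Rights granted with 'net rpc rights grant' are honoured; keep that list short.
        enable privileges = yes

# OpenLDAP settings
#########################################

        ldap suffix = dc=tomorrowsweb
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=Users
        ldap group suffix = ou=Groups
# NOTE(review): this suffix is only consulted when 'idmap backend = ldap' is
# set, which it is not here; putting idmap entries under ou=Users is unusual.
        ldap idmap suffix = ou=Users
# cn=Manager is the directory root DN. A dedicated, less privileged bind DN
# for Samba would limit the damage if secrets.tdb were ever read.
        ldap admin dn = cn=Manager,dc=tomorrowsweb
# No TLS: the admin bind travels in clear. Tolerable only because the LDAP
# server is 127.0.0.1; do not point 'passdb backend' at a remote host as-is.
        ldap ssl = no
        ldap passwd sync = Yes
# Ranges for SIDs that are not held in ldapsam (e.g. trusted domains).
        idmap uid = 15000-20000
        idmap gid = 15000-20000

# Defining logging facility
#########################################
# Reduce log level to lower amount to stop the flooding of /tmp
# with SMB____ messages
#       log level = 256
        log level = 3
# One log per client machine (%m).
        log file = /var/log/samba/%m.log

# Virus Scanning Definition
#########################################
# 'vfs object' is the deprecated synonym of 'vfs objects'; the duplicate line
# was dropped so the module is listed exactly once.
# NOTE(review): samba-vscan scans a file when it is opened and denies the open
# when clamd cannot be reached or the scan fails. That matches the reported
# symptom (create/delete work, open/read does not); check the clamd socket
# path in vscan-clamav.conf and the vscan lines in /var/log/samba/<client>.log.
        vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
        vfs objects = vscan-clamav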

# Defining user home directories
#########################################

[homes]
# One share per user, visible only to its owner.
        comment = Home Directories
# %S is the requested share name, which for [homes] is the user name, so only
# that user may connect.
        valid users = %S
        browseable = no
        read only = no

# Defining printers
#########################################
#
# Some problems appear with this configuration of printer
# and Printers$ in OpenSUSE 10.1, please use this:
#
########################################
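[printers]
# The commented-out copy of these keys was identical to the live ones and
# has been removed.
        comment = All Printers
# Spool directory; every printing user must be able to write here
# (/var/tmp is world-writable with the sticky bit on a standard install).
        path = /var/tmp
        printable = Yes
# Spool files are private to the submitting user.
        create mask = 0600
        browseable = No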
########################################
# Defining printer driver share
########################################
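[print$]
# The commented-out copy of these keys was identical to the live ones and
# has been removed.
        comment = Printer Drivers
        path = /var/lib/samba/drivers
# Only root and members of ntadmin may upload drivers; everyone else reads.
        write list = @ntadmin root
# Uploaded files belong to group ntadmin and stay group-writable.
        force group = ntadmin
        create mask = 0664
        directory mask = 0775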
#

########################################
# Defining network logon service
[netlogon]
        comment = NLService
        path = /var/lib/samba/netlogon
        browseable = no
# Logon scripts must be fetchable by every workstation, hence guest access.
# 'read only' is not overridden and defaults to yes, so guests cannot write.
        guest ok = yes
# Uncomment to let root maintain the scripts over SMB.
#       write list = root

# Defining profile share ( for roaming profiles )
#########################################

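[profiles]
        comment = Roaming Profiles
        path = /var/lib/samba/profiles
# Profile files and directories are private to their owner.
        create mask = 0600
        directory mask = 0700
        browseable = No
# Profiles are only ever written by authenticated domain users. Guest access
# was enabled here, which on a share with 'read only = No' lets unauthenticated
# sessions write into the profile tree; it is now off.
        guest ok = No
# 'force user = %U' was removed: with guest access off, %U is the
# authenticated session user, so it forced nothing.
# %U matches every authenticated user, so this list admits everyone. The
# quoted name is read as a user name, not a group (groups need a @ prefix).
        valid users = %U "Domain Admins"
        read only = No
# Windows needs to set NT ACLs on its own profile files.
        profile acls = Yes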

# Defining arbitrary shared resource
#########################################

[share]
        comment = data share
        path = /opt/stuff
# %U is the connecting user's name, so this matches every authenticated user.
# 'read only' is not overridden and defaults to yes.
        valid users = %U

[archives]
        comment = Storage for archived data
        path = /store/archiveserver
        read only = no
# New files get rwxrwxr-x at most; 'directory mask' is not set (default 0755).
        create mask = 0775
# Windows clients may set any permission bit through the security dialog
# (masks 0777, nothing forced); new entries copy the parent's POSIX ACL.
        security mask = 0777
        force security mode = 0
        directory security mask = 0777
        force directory security mode = 0
        inherit acls = yes

[commons]
# Read-only area; new entries (made locally) inherit the parent's ACL.
        comment = Read Only Server
        path = /store/commons
        read only = yes
        inherit acls = yes

[databases]
# Writable; new entries inherit the parent directory's ACL.
        comment = Database Server
        path = /store/databaseserver
        read only = no
        inherit acls = yes

[development]
# Writable; new entries inherit the parent directory's ACL.
        comment = Development Server
        path = /store/devserver
        read only = no
        inherit acls = yes

[entertain]
# Writable; new entries inherit the parent directory's ACL.
        comment = Entertainment Server
        path = /store/entertain
        read only = no
        inherit acls = yes

[files]
# Writable; new entries inherit the parent directory's ACL.
        comment = File Server
        path = /store/fileserver
        read only = no
        inherit acls = yes

[fonts]
# Writable; new entries inherit the parent directory's ACL.
        comment = Font Server
        path = /store/fontserver
        read only = no
        inherit acls = yes

[images]
# Writable; new entries inherit the parent directory's ACL.
        comment = Image Library
        path = /store/imageserver
        read only = no
        inherit acls = yes

[library]
# Writable; new entries inherit the parent directory's ACL.
        comment = Document library
        path = /store/library
        read only = no
        inherit acls = yes

[ma]
# Writable; new entries inherit the parent directory's ACL.
        comment = Market America Files
        path = /store/maserver
        read only = no
        inherit acls = yes

[movies]
# Writable; new entries inherit the parent directory's ACL.
        comment = Movie Server
        path = /store/movieserver
        read only = no
        inherit acls = yes

[music]
# Writable; new entries inherit the parent directory's ACL.
        comment = Music Server
        path = /store/musicserver
        read only = no
        inherit acls = yes

[photos]
# Writable; new entries inherit the parent directory's ACL.
        comment = Photo Server
        path = /store/photoserver
        read only = no
        inherit acls = yes

[sounds]
# Writable; new entries inherit the parent directory's ACL.
        comment = Sound Library
# NOTE(review): every other share lives under /store; confirm that
# /share/soundserver (not /store/soundserver) is the intended path.
        path = /share/soundserver
        read only = no
        inherit acls = yes
mruniverse:/etc/samba #



-- 
Jerald Volpe
788 Chestnut Drive
Fairfield, CA 94533

jeraldV at tomorrowsweb.com

510 325-7724
707 399-8838 FAX



