[Samba] Samba 3 with LDAP... can create, modify, delete files but read always causes 'access denied' errors
Jerald Volpe
jeraldv at tomorrowsweb.com
Mon Aug 20 02:10:11 GMT 2007
By mistake.... err a learning mistake... I accidentally placed this
email on samba-technical first. I now believe that this is the proper
list for questions regarding Samba installation issues. - Jerry
Problem synopsis:
What I can NOT do is open or read any file: I always get
'access denied', but I can create, copy and delete files.
Info:
Platform: SuSE 10.2, Samba 3, OpenLDAP.... configured as PDC with DHCP
and Bind.
Mixed network of Windows XP Professional and Linux computers.
(I have been going at this for several weeks now.... (aurgh))
Knowns:
I am able to create users and groups in LDAP without issue. I can assign
users to groups, etc.
I can add computers to the new Samba domain.
I can see the shares.
I can create directories and files, copy directories and files, and
delete them too.
I can create or assign ACLs via a windows XP workstation that is logged
in as administrator (mapped to root). I can see all the Samba/LDAP users
and groups from within Windows.
I've assigned Full privileges to all assigned users/groups except
'everyone' which shows no allow or deny. I can't delete 'everyone' group.
In UNIX, the owner is root and the group is users (mode 770).
All necessary daemons are running correctly.
Samba's testparm is good.
__________________________________
smbclient -L localhost -N
mruniverse:~ # smbclient -L localhost -N
Anonymous login successful
Domain=[TOMORROWSWEB] OS=[Unix] Server=[Samba 3.0.23d-19.7-1354-SUSE-SL10.2]
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        share           Disk      data share
        archives        Disk      Storage for archived data
        commons         Disk      Read Only Server
        databases       Disk      Database Server
        development     Disk      Development Server
        entertain       Disk      Entertainment Server
        files           Disk      File Server
        fonts           Disk      Font Server
        images          Disk      Image Library
        library         Disk      Document library
        ma              Disk      Market America Files
        movies          Disk      Movie Server
        music           Disk      Music Server
        photos          Disk      Photo Server
        sounds          Disk      Sound Library
        IPC$            IPC       IPC Service (Samba 3.0.23d-19.7-1354-SUSE-SL10.2)
Anonymous login successful
Domain=[TOMORROWSWEB] OS=[Unix] Server=[Samba 3.0.23d-19.7-1354-SUSE-SL10.2]

        Server               Comment
        ---------            -------
        MRUNIVERSE           Samba 3.0.23d-19.7-1354-SUSE-SL10.2

        Workgroup            Master
        ---------            -------
        TOMORROWSWEB         MRUNIVERSE
        WOLFEN               WOLFGATE
mruniverse:~ #
__________________________________________________
Here is the smb.conf file (I am currently experimenting with the archive
share... same access problem as other shares):
mruniverse:/etc/samba # cat smb.conf
# Defining domain name, hostname
###########################################
[global]
hosts allow = 127.0.0.1 10.10.10.0/24
hosts deny = 0.0.0.0/0
workgroup = tomorrowsweb
netbios name = mruniverse
# Specifying ldapsam backend database
##########################################
passdb backend = ldapsam:ldap://127.0.0.1
username map = /etc/samba/smbusers
# Specifying printing subsystem
#########################################
printcap name = cups
printing = cups
# Specifying path to IDEALX scripts
#########################################
add user script = /usr/local/sbin/smbldap-useradd -m %u
delete user script = /usr/local/sbin/smbldap-userdel %u
add group script = /usr/local/sbin/smbldap-groupadd -p %g
delete group script = /usr/local/sbin/smbldap-groupdel %g
add user to group script = /usr/local/sbin/smbldap-groupmod -m %g %u
delete user from group script = /usr/local/sbin/smbldap-groupmod -x %g %u
set primary group script = /usr/local/sbin/smbldap-usermod -g %g %u
add machine script = /usr/local/sbin/smbldap-useradd -w -i %u
# proved on SUSE 10.0
#
# Various other directives (man smb.conf)
##########################################
obey pam restrictions = Yes
logon script = scripts\logon.bat
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U
domain logons = Yes
os level = 44
preferred master = Yes
domain master = Yes
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes
# Allow user privileges
enable privileges = yes
#OpenLDAP stuff is defined here
#########################################
ldap suffix = dc=tomorrowsweb
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Users
ldap admin dn = cn=Manager,dc=tomorrowsweb
ldap ssl = no
ldap passwd sync = Yes
idmap uid = 15000-20000
idmap gid = 15000-20000
# Defining logging facility
#########################################
# Reduce log level to lower amount to stop the flooding of /tmp
# with SMB____ messages
# log level = 256
log level = 3
log file = /var/log/samba/%m.log
# Virus Scanning Definition
#########################################
vfs object = vscan-clamav
vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
vfs objects = vscan-clamav
# Defining user home directories
#########################################
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
# Defining printers
#########################################
#
# Some problems appear with this configuration of printer
# and Printers$ in OpenSUSE 10.1, please use this:
#
########################################
[printers]
# comment = ALL PRINTERS
# path = /var/tmp
# printable = Yes
# create mask = 0600
# browseable = No
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
########################################
# Defining printers
########################################
[print$]
# comment = Printer Drivers
# path = /var/lib/samba/drivers
# write list = @ntadmin root
# force group = ntadmin
# create mask = 0664
# directory mask = 0775
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775
#
########################################
; Defining network logon service
[netlogon]
comment = NLService
path = /var/lib/samba/netlogon
guest ok = Yes
browseable = No
# write list = root
# Defining profile share ( for roaming profiles )
#########################################
[profiles]
comment = Roaming Profiles
path = /var/lib/samba/profiles
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
force user = %U
valid users = %U "Domain Admins"
read only = No
profile acls = Yes
# Defining arbitrary shared resource
#########################################
[share]
comment = data share
path = /opt/stuff
valid users = %U
[archives]
comment = Storage for archived data
create mask = 0775
security mask = 0777
force security mode = 0
directory security mask = 0777
force directory security mode = 0
inherit acls = Yes
path = /store/archiveserver
read only = No
[commons]
comment = Read Only Server
inherit acls = Yes
path = /store/commons
read only = Yes
[databases]
comment = Database Server
inherit acls = Yes
path = /store/databaseserver
read only = No
[development]
comment = Development Server
inherit acls = Yes
path = /store/devserver
read only = No
[entertain]
comment = Entertainment Server
inherit acls = Yes
path = /store/entertain
read only = No
[files]
comment = File Server
inherit acls = Yes
path = /store/fileserver
read only = No
[fonts]
comment = Font Server
inherit acls = Yes
path = /store/fontserver
read only = No
[images]
comment = Image Library
inherit acls = Yes
path = /store/imageserver
read only = No
[library]
comment = Document library
inherit acls = Yes
path = /store/library
read only = No
[ma]
comment = Market America Files
inherit acls = Yes
path = /store/maserver
read only = No
[movies]
comment = Movie Server
inherit acls = Yes
path = /store/movieserver
read only = No
[music]
comment = Music Server
inherit acls = Yes
path = /store/musicserver
read only = No
[photos]
comment = Photo Server
inherit acls = Yes
path = /store/photoserver
read only = No
[sounds]
comment = Sound Library
inherit acls = Yes
path = /share/soundserver
read only = No
mruniverse:/etc/samba #
--
Jerald Volpe
788 Chestnut Drive
Fairfield, CA 94533
jeraldV at tomorrowsweb.com
510 325-7724
707 399-8838 FAX
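A "can create and delete but cannot read" symptom has to be split between the layers that can each say no: the share's `valid users` list, the Unix mode bits on the directory and on the file, and anything Samba loads on top of them (the `vfs objects` line in [global] applies to every share, and a VFS module hooks `open()`, so it can refuse a read that the mode bits would permit). The checker below is an added example for this thread, not the poster's code and not part of Samba. It parses a constructed excerpt of the smb.conf posted above (plus one made-up share, `[restricted]`, to exercise `valid users` rejection), evaluates the classic owner/group/other triplets for a user, and reports which layer to look at next. The uids, gids and mode bits (root:users 770 on the directory, a 775 file created through `create mask`) are constructed to mirror the post; `%U` expansion and the `@group` handling are simplified as noted in the comments.

```python
#!/usr/bin/env python3
"""Cross-check a Samba share's directives against Unix mode bits for one user.
Added example for the post above: not the poster's code and not part of Samba.
SMB_CONF is a constructed excerpt of the posted smb.conf plus one made-up share,
[restricted]; the uids, gids and mode bits used below are constructed as well."""
import configparser
import shlex
from dataclasses import dataclass, field

SMB_CONF = """
[global]
workgroup = tomorrowsweb
vfs objects = vscan-clamav
vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

[archives]
path = /store/archiveserver
create mask = 0775
read only = No

[commons]
path = /store/commons
read only = Yes
valid users = %U "Domain Admins"

[restricted]
path = /store/restricted
valid users = carol @ntadmin
"""

@dataclass
class UnixUser:
    name: str
    uid: int
    gids: frozenset = field(default_factory=frozenset)

@dataclass
class Inode:  # what stat(2) reports: owner uid, group gid, permission bits
    uid: int
    gid: int
    mode: int

def parse_smb_conf(text: str) -> configparser.ConfigParser:
    # smb.conf is ini-like, but only '=' separates key from value (':' occurs inside
    # keys such as 'vscan-clamav: config-file'), %U/%S are Samba macros rather than
    # configparser interpolation, and repeated keys are tolerated as Samba tolerates them.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def setting(conf, share: str, key: str, default: str = "") -> str:
    """Share-level value, else the [global] value, else default (Samba's lookup order)."""
    return conf[share].get(key, conf["global"].get(key, default))

def unix_bits(user: UnixUser, node: Inode) -> int:
    """The rwx triplet that applies to this user; uid 0 bypasses DAC like root does."""
    if user.uid == 0:
        return 0o7
    if user.uid == node.uid:
        return (node.mode >> 6) & 0o7
    if node.gid in user.gids:
        return (node.mode >> 3) & 0o7
    return node.mode & 0o7

def share_allows_user(conf, share: str, user: UnixUser) -> bool:
    """Evaluate 'valid users' with %U/%S expanded; an empty list admits everyone."""
    vu = setting(conf, share, "valid users")
    if not vu.strip():
        return True
    for tok in shlex.split(vu.replace("%U", user.name).replace("%S", share)):
        if tok.startswith(("@", "+", "&")):
            continue  # group token: needs an NSS/LDAP lookup, treated as no match here
        if tok.lower() == user.name.lower():
            return True
    return False

def diagnose(conf, share: str, user: UnixUser, dirnode: Inode, filenode: Inode) -> dict:
    """What the Unix layer permits for 'user' on one file inside the share directory."""
    d, f = unix_bits(user, dirnode), unix_bits(user, filenode)
    read_only = setting(conf, share, "read only", "no").lower() in ("yes", "true", "1")
    return {
        "valid_user": share_allows_user(conf, share, user),
        # create/unlink need w+x on the directory and a share that is not read only
        "create_delete": (d & 0o3) == 0o3 and not read_only,
        # opening a file for read needs x on the directory and r on the file itself
        "read_file": bool(d & 0o1) and bool(f & 0o4),
        # VFS modules hook open(); one can refuse a read that the mode bits allow
        "vfs_modules": setting(conf, share, "vfs objects").split(),
    }

def hint(result: dict) -> str:
    """Point at the layer to inspect next, given the Unix-level verdict."""
    if not result["valid_user"]:
        return "rejected by 'valid users' before any file access"
    if not result["read_file"]:
        return "Unix mode bits deny the read: check ownership, group and create mask"
    vfs = ",".join(result["vfs_modules"]) or "none"
    return f"mode bits allow the read: check POSIX ACLs (getfacl) and VFS modules ({vfs})"
```

To use it, call `diagnose(parse_smb_conf(SMB_CONF), "archives", UnixUser("alice", 1001, frozenset({100})), Inode(0, 100, 0o770), Inode(1001, 100, 0o775))` and feed the result to `hint()`; with those constructed values the Unix layer says both the create and the read are allowed, which is exactly the case where the next thing to read is `getfacl` on the file and the per-client log for the loaded VFS module, rather than the mode bits. On a real server, replace the `Inode` values with the `st_uid`, `st_gid` and `st_mode & 0o777` fields from `os.stat()` on the share directory and on a file the client cannot open, and the `UnixUser` with the uid and group list from `getent passwd` and `id`.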