[Samba] Users can Read but not Write / Delete Files
Michael Casale
mcasale at knoa.com
Wed Jun 6 02:38:34 GMT 2007
Hi All,
Here is a situation where everyone can read from, but not write to or
delete files on, the shares on our Samba server:
We moved the file server a few weeks ago - split off some files to a new
Windows file server - and users could read but not write files to the
old Samba server after it was renamed (SAN to OLDSAN). It turned out
SELinux was running, which I disabled, rebooted, and all worked well.
Now I've been patching our domain controllers and the same thing
happened. I assumed I installed the "magic patch" on a domain
controller. All users can read the files they are supposed to, but no
one, including the admin (me), can write to or delete files. In other
words, the same as before, but I checked, and selinux is still disabled.
I tried deleting and re-creating the server's computer object in the
Windows 2003 Active Directory - same problem.
Has anyone seen this problem? Can anyone shed any light on this?
Here is our setup:
Red Hat Enterprise Linux AS kernel 2.6.9-5.EL
Samba Version: 3.0.10-1.4E
Running in AD Security Mode.
Not running as a domain controller
Not running as a WINS server.
Thanks for all and any help!
Mike Casale
Here is our smb.conf file:
#======================= Global Settings =====================================
[global]
# Server-wide settings: the host is an Active Directory member server
# (security = ads) and resolves domain accounts through winbind.
workgroup = NYC-14
netbios name = OLDSAN
# the following changed to adapt to Win2003 MC 19Nov06:
# NOTE(review): "client schannel = no" stops this host from using the netlogon
# secure channel and "client use spnego = no" turns off SPNEGO negotiation on
# its outgoing connections. Both relax how the member server talks to the
# domain controllers; since the symptom appeared after patching the DCs, it is
# worth re-testing with these two lines removed (Samba defaults).
client schannel = no
client use spnego = no
# "auto" offers SMB signing but does not require it from clients.
server signing = auto
server string = OLD SAN
printcap name = /etc/printcap
load printers = no
cups options = raw
# One log file per connecting machine (%m); max log size is in KiB.
log file = /var/log/samba/%m.log
max log size = 50
security = ads
realm = NYC-14.KNOA.COM
# Authentication is pinned to a single DC by IP address.
# NOTE(review): confirm this DC is still healthy after the patching;
# "password server = *" lets Samba locate DCs on its own.
password server = 192.168.14.243
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins server = 192.168.14.243
dns proxy = no
# uid/gid ranges winbind hands out to domain users and groups. Unix permission
# checks on the share paths are made with these ids, so a changed mapping can
# show up as "can read, cannot write".
# NOTE(review): compare file ownership under /mnt/data with what wbinfo and
# getent currently report for the affected accounts.
idmap uid = 10000-20000
idmap gid = 10000-20000
;winbind separator = \
winbind enum users = yes
winbind enum groups = yes
# Domain accounts resolved through winbind get no login shell on this host.
template shell = /bin/false
# User names given without a domain prefix are treated as NYC-14 accounts.
winbind use default domain = yes
#============================ Share Definitions ==============================
# backup depository
[backup]
# Hidden, writable share limited to the accounts in "valid users", which
# include machine accounts (names ending in $).
comment = Backup Repository
# "force create mode" ORs these bits onto every new file, so everything
# created here is rwx for owner, group and other on disk.
force create mode = 0777
# 6777 also sets the setuid and setgid bits on new directories and leaves them
# world-writable.
# NOTE(review): with modes this open, the "valid users" list is the only gate;
# a local account, or another share that exposes the same tree, can read or
# alter the backups. Something like 0660 / 2770 with a dedicated group keeps
# the on-disk permissions in line with the share ACL.
force directory mode = 6777
path = /mnt/data/backup
browseable = no
writable = yes
# NOTE(review): the list below is split across lines without a trailing
# backslash, probably by e-mail wrapping; confirm the on-disk file keeps it on
# one logical line.
valid users = NYC-14\backup, NYC-14\mcasale, NYC-14\administrator,
NYC-14\sys_bak, NYC-14\PDS$, NYC-14\RDS$, NYC-14\MXS$, "NYC-14\Domain
Admins"
# bulk data storage for Development
[bulk]
# Hidden, writable share with no "valid users" restriction.
browsable = no
# New files are forced to rwx for everyone; new directories additionally get
# the setuid and setgid bits and are world-writable.
force create mode = 0777
force directory mode = 6777
path = /mnt/data/bulk
writable = yes
# NOTE(review): "guest ok" together with "writable = yes" and the 0777 modes
# above allows write access without a password wherever guest sessions are
# accepted. Whether clients actually get a guest session depends on
# "map to guest", which is not set in this file; confirm this share is meant
# to be writable without authentication.
guest ok = yes
# clients data
[Clients]
# Browsable, writable share restricted to the accounts in "valid users".
browsable = yes
comment = Clients of Knoa Software
# New files and directories take their mode bits from the parent directory,
# so effective write access follows the Unix permissions on the path below.
inherit permissions = yes
path = /mnt/data/clients
# NOTE(review): list is split across lines without a trailing backslash,
# probably by e-mail wrapping; confirm against the on-disk file.
valid users = NYC-14\mcasale, NYC-14\Staff, NYC-14\Extranet,
NYC-14\administrator, "NYC-14\Domain Admins"
writable = yes
# Engineering signing keys
[CSPDID]
# Hidden share holding the engineering signing keys.
browseable = no
# access to this share is controlled via valid users list
# NOTE(review): the forced modes below make every key file rwx for owner,
# group and other on disk, so the "valid users" list protects the keys only
# for connections made through this share. The [home] share exports /mnt/data,
# the parent of this path, to a different set of accounts, and any local
# account can read the files directly. Signing keys warrant restrictive modes
# (for example 0600 / 0700 with a dedicated owner) and should not sit under a
# path that another share exports.
force create mode = 0777
force directory mode = 6777
path = /mnt/data/cspdid
# NOTE(review): list is split across lines without a trailing backslash,
# probably by e-mail wrapping; confirm against the on-disk file.
valid users = NYC-14\mcasale, NYC-14\zkopytnik, NYC-14\drayna,
NYC-14\plui, NYC-14\mkrosky, NYC-14\Administrator, "NYC-14\Domain
Admins"
writable = yes
# file share for all company departments
[Company]
# Browsable, writable departmental share restricted to "valid users".
comment = Departamental File Share
browseable = yes
# New files and directories take their mode bits from the parent directory,
# so effective write access follows the Unix permissions on the path below.
inherit permissions = yes
# force create mode = 0777
# force directory mode = 6777
path = /mnt/data/company
# NOTE(review): list is split across lines without a trailing backslash,
# probably by e-mail wrapping; confirm against the on-disk file.
valid users = NYC-14\Staff, NYC-14\tester, NYC-14\Administrator,
"NYC-14\Domain Admins"
writable = yes
# NOTE(review): duplicate of the "inherit permissions" line earlier in this
# section; the value is the same, so one of the two can be dropped.
inherit permissions = yes
# image depository
[image]
# Hidden disk-image share. No "writable" line is present, so the share is
# read-only by default and only the "write list" accounts may write.
# NOTE(review): there is no "valid users" line, so read access is not limited
# to a named set of accounts; confirm that is intended for disk images.
comment = Disk Image Repository
path = /mnt/data/image
browseable = no
# NOTE(review): list is split across lines without a trailing backslash,
# probably by e-mail wrapping; confirm against the on-disk file.
write list = NYC-14\mcasale, NYC-14\Administrator, "NYC-14\Domain
Admins"
# intranet site files for access by the Intranet server VMC
[intranet]
# Hidden share exporting a subdirectory of the [Company] tree; read-only by
# default because no "writable" line is present.
path = "/mnt/data/company/Web Development/Intranet"
browsable = no
# NOTE(review): guest access is allowed and the "valid users" restriction
# below is commented out, so the content is readable without a named account
# wherever guest sessions are accepted. Restoring the restriction would limit
# the share to the web service and its host account.
guest ok = yes
# valid users = NYC-14\sys_web, NYC-14\vmc$
# server root - for backup only
[home]
# Hidden share exporting the root of the data volume; read-only by default
# because no "writable" line is present.
# NOTE(review): /mnt/data is the parent of every other share path in this
# file, so the accounts below can read any subtree whose on-disk modes permit
# it (several shares force 0777), including /mnt/data/cspdid and
# /mnt/data/backup, regardless of those shares' own "valid users" lists.
path = /mnt/data
# NOTE(review): list is split across lines without a trailing backslash,
# probably by e-mail wrapping; confirm against the on-disk file.
valid users = NYC-14\Services, root, NYC-14\Administrator,
"NYC-14\Domain Admins" NYC-14\mcasale
browseable = no
# software library
[Software]
# Software library: read-only by default (no "writable" line), with write
# access granted through "write list".
comment = Software Library
# "force ... mode" ORs bits onto new files and directories; 0007 forces
# read, write and execute for "other", i.e. world-writable on disk.
# NOTE(review): this looks as if a restrictive mask was intended; confirm.
force create mode = 0007
force directory mode = 0007
path = /mnt/data/software
valid users = NYC-14\Staff, NYC-14\Administrator, NYC-14\mcasale
# NOTE(review): "Domain Admins" appears in the write list but not in
# "valid users" above, so membership in that group alone does not admit a
# user to this share. The list is also split across lines without a trailing
# backslash, probably by e-mail wrapping.
write list = NYC-14\Staff, NYC-14\Administrator, "NYC-14\Domain
Admins", NYC-14\mcasale
[VSS]
# Hidden, writable share for the Visual SourceSafe database.
browseable = no
comment = Visual Source Safe
# Masks are upper bounds ANDed with the mode the client requests: files may
# be at most rw for everyone, directories at most rwx for everyone.
create mask = 0666
directory mask = 0777
path = /mnt/data/vss
# NOTE(review): list is split across lines without a trailing backslash,
# probably by e-mail wrapping; confirm against the on-disk file.
valid users = NYC-14\Staff, NYC-14\tester, NYC-14\Administrator,
"NYC-14\Domain Admins"
writable = yes
# Users - public files of staff members
[Users]
# Browsable, writable share for staff members' public files.
comment = Personal File Repositories
# create mask = 0666
# directory mask = 0777
# NOTE(review): [Public] exports this same directory without any
# "valid users" line, so the restriction below can be bypassed by connecting
# to [Public] instead.
path = /mnt/data/profiles/public
# NOTE(review): list is split across lines without a trailing backslash,
# probably by e-mail wrapping; confirm against the on-disk file.
valid users = NYC-14\Staff, NYC-14\administrator, "NYC-14\Domain
Admins"
writable = yes
browseable = yes
# inherit permissions = yes
# user profiles
[%U]
# Per-user profile share: the path and the "valid users" entry are built from
# %U, the user name supplied for the session.
# NOTE(review): Samba documents % substitutions for parameter values; confirm
# that a section literally named %U is matched as intended. The built-in
# [homes] section is the usual way to publish per-user shares.
path = /mnt/data/profiles/%U
# Upper bounds on the modes of new files and directories.
create mask = 0666
directory mask = 0777
valid users = NYC-14\%U, "NYC-14\Domain Admins"
writable = yes
browseable = no
# New files and directories take their mode bits from the parent directory,
# so write access follows the Unix permissions on each profile directory.
inherit permissions = yes
# Public Directory
[Public]
# Browsable, writable share over the same directory that [Users] exports.
# NOTE(review): the "valid users" line is commented out, so no account
# restriction applies here even though [Users] restricts the same path.
path = /mnt/data/profiles/public
#create mask = 0007
#directory mask = 0007
#valid users = NYC-14\Staff
writable = yes
browseable = yes
# New files and directories take their mode bits from the parent directory.
inherit permissions = yes
# Test Users Directory
[Users2]
# Hidden, writable test share limited to the NYC-14\Staff group.
path = /mnt/data/users
#create mask = 0666
#directory mask = 0777
valid users = NYC-14\Staff
# "writeable" is an accepted alternate spelling of "writable".
writeable = yes
browseable = no
# New files and directories take their mode bits from the parent directory,
# so write access follows the Unix permissions on /mnt/data/users.
inherit permissions = yes
And here is our Kerberos file krb5.conf:
[logging]
# Log destinations for the Kerberos libraries, the KDC and kadmind.
# NOTE(review): the post says this host is not a domain controller, so
# presumably only the library log is written here.
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
# Default realm, matching "realm" in smb.conf; realm and KDC discovery
# through DNS are both enabled.
# NOTE(review): Kerberos rejects requests when clocks differ too much; after
# the DC patching, check this host's time against the KDC.
default_realm = NYC-14.KNOA.COM
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
# A single KDC and admin server are named for the realm; the alternate host
# (mxs) is commented out.
# NOTE(review): smb.conf pins "password server" to an IP address while this
# file names credo; confirm both refer to a DC that is healthy after the
# patching.
NYC-14.KNOA.COM = {
kdc = credo.nyc-14.knoa.com:88
# kdc = mxs.nyc-14.knoa.com:88
admin_server = credo.nyc-14.knoa.com:749
# admin_server = mxs.nyc-14.knoa.com:749
default_domain = nyc-14.knoa.com
}
[domain_realm]
# Maps the DNS domain, and every host beneath it (leading dot), to the realm.
.nyc-14.knoa.com = NYC-14.KNOA.COM
nyc-14.knoa.com = NYC-14.KNOA.COM
[kdc]
# Location of the KDC's own configuration file.
# NOTE(review): presumably unused on this host, which the post describes as a
# member server rather than a KDC.
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
# Settings for the PAM Kerberos module: ticket and renewal lifetimes of 36000
# (seconds, i.e. 10 hours, assuming the module's default unit), forwardable
# tickets, no Kerberos 4 conversion.
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
________________________________
Michael Andrew Casale
Information Technology Manager | Knoa Software, Inc
5 Union Square West | New York | New York | 10003
t: 212.807.9608 x 6000 | m: 352-359-1797 | f: 212.675.6121
www.knoa.com