[Samba] Users can Read but not Write / Delete Files

Michael Casale mcasale at knoa.com
Wed Jun 6 16:30:55 GMT 2007


New Development,

I just changed the security on my Samba box to user, and added the root
user to the smbpasswd file with the smbpasswd root command.

I then successfully authenticated to a share on the Samba server as
root.

Guess what? Once again, I was able to read files, but not write, create,
or delete any files.

This is definitely a problem with the Linux server - this has happened
since rebooting last week.

Anyone know anything about selinux? Maybe I need to set it, or disable
it again?

The problem is independent of the type of authentication Samba uses.

Thanks!

Mike

__________________
Michael Casale
IT Manager | Knoa Software, Inc
5 Union Square West | New York | New York | 10003
t: 212.807.9608 x 6000 | m: 352-359-1797 | f: 212.675.6121

www.knoa.com 
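A check I would run at this point, as an added example script of my own and not something posted in the thread: the symptom has now survived a change of authentication mode, chmod 777 on the files and an SELinux disable, so the next thing to establish is whether the Linux host itself accepts writes under /mnt/data at all, independent of smbd. The script takes share paths from the quoted smb.conf as its sample arguments (those paths are the only thing it borrows from the thread); it reads /proc/mounts to find the longest mount point covering each path and whether that mount carries the ro flag, reads the SELinux enforce switch (/selinux/enforce on RHEL 4, /sys/fs/selinux/enforce on current kernels), and attempts a create, write and delete in each directory so that the OS error text becomes visible.

```shell
#!/bin/sh
# Added helper, not from the thread: separate "the Linux host refuses the
# write" from "Samba refuses the write". Run on the server as root, e.g.
#   sh smb_write_probe.sh /mnt/data/company /mnt/data/clients
# The paths are the ones in the quoted smb.conf; /selinux/enforce is the
# SELinux interface on RHEL 4, /sys/fs/selinux/enforce on current kernels.

# mount_is_ro MOUNTS_FILE PATH
# Pick the longest mount point in MOUNTS_FILE (same layout as /proc/mounts:
# device mountpoint fstype options dump pass) that contains PATH and print
# "ro <mountpoint>" or "rw <mountpoint>". Returns 0 when that mount is
# read-only, 1 otherwise. Mount points with spaces appear as \040 in
# /proc/mounts; none of the paths in the thread have them.
mount_is_ro() {
    awk -v p="$2" '
        {
            mp = $2; opts = $4
            if ((p == mp || mp == "/" || index(p, mp "/") == 1) && length(mp) > length(best)) {
                best = mp; bestopts = opts
            }
        }
        END {
            if (best == "") { print "none -"; exit 1 }
            ro = 0
            n = split(bestopts, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == "ro") ro = 1
            out = (ro ? "ro " : "rw ") best
            print out
            exit (ro ? 0 : 1)
        }' "$1"
}

# selinux_state: print disabled, permissive or enforcing, whichever
# interface the running kernel exposes.
selinux_state() {
    for f in /sys/fs/selinux/enforce /selinux/enforce; do
        if [ -r "$f" ]; then
            if [ "$(cat "$f" 2>/dev/null)" = 1 ]; then echo enforcing; else echo permissive; fi
            return 0
        fi
    done
    echo disabled
}

# write_probe DIR: create, write and remove a file in DIR as the current user.
# Prints "writable DIR" and returns 0, or "not writable DIR: <OS error>" and
# returns 1. The OS error is the useful part: "Read-only file system" points
# at the mount, "Permission denied" at Unix modes, ACLs or an SELinux label.
write_probe() {
    _f="$1/.smb_write_probe.$$"
    if _err=$( { echo probe > "$_f"; } 2>&1 ) && rm -f "$_f"; then
        echo "writable $1"
        return 0
    fi
    echo "not writable $1: ${_err:-unknown error}"
    rm -f "$_f" 2>/dev/null
    return 1
}

# Usage: sh smb_write_probe.sh /mnt/data/company [/mnt/data/clients ...]
if [ $# -gt 0 ]; then
    echo "selinux: $(selinux_state)"
    for d in "$@"; do
        mount_is_ro /proc/mounts "$d" || true
        write_probe "$d" || true
    done
fi
```

Run it as root first. If root can write, repeat write_probe under the Unix identity winbind maps the share user to (the account name that id or wbinfo -i reports, run via su -s /bin/sh), because smbd performs the write as that mapped user, not as root. "Read-only file system" in the probe output means the problem is at the mount, and no smb.conf change, chmod or authentication mode will fix it.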

-----Original Message-----
From: samba-bounces+mcasale=knoa.com at lists.samba.org
[mailto:samba-bounces+mcasale=knoa.com at lists.samba.org] On Behalf Of
Michael Casale
Sent: Wednesday, June 06, 2007 9:52 AM
To: gary at extremeground.com
Cc: samba at lists.samba.org
Subject: RE: [Samba] Users can Read but not Write / Delete Files

Gary,

Thanks for your reply - but I already tried chmod'ing some files in some
directories to 777 and it still doesn't' work.

Mike

__________________
Michael Casale
IT Manager | Knoa Software, Inc
5 Union Square West | New York | New York | 10003
t: 212.807.9608 x 6000 | m: 352-359-1797 | f: 212.675.6121

www.knoa.com 

-----Original Message-----
From: samba-bounces+mcasale=knoa.com at lists.samba.org
[mailto:samba-bounces+mcasale=knoa.com at lists.samba.org] On Behalf Of
Gary Dale
Sent: Tuesday, June 05, 2007 10:58 PM
Cc: samba at lists.samba.org
Subject: Re: [Samba] Users can Read but not Write / Delete Files

One possible problem is the actual file permissions on the server. I
think Samba expects to see the files wide open so that Samba/Winbind can
implement the Windows permissions properly without running afoul of Unix
permissions.

I recognize that this doesn't fit the way the problem developed, but the
symptoms match. :)


Michael Casale wrote:
> Hi All,
>
> Here is a situation where everyone can read, but not write to or
> delete, the shares on our Samba server:
>
> We moved the file server a few weeks ago - split off some files to a new
> Windows file server - and users could read but not write files to the
> old Samba server after it was renamed (SAN to OLDSAN). It turned out
> SELinux was running, which I disabled, rebooted, and all worked well.
>
> Now I've been patching our domain controllers and the same thing
> happened. I assumed I installed the "magic patch" on a domain
> controller.  All users can read the files they are supposed to, but no
> one, including the admin (me), can write to or delete files. In other
> words, the same as before, but I checked, and selinux is still disabled.
>
> I tried deleting and re-creating the server's computer object in the
> Windows 2003 Active Directory - same problem.
>
> Has anyone seen this problem? Can anyone shed any light on this?
>
> Here is our setup:
>
> Red Hat Enterprise Linux AS kernel 2.6.9-5.EL
> Samba Version: 3.0.10-1.4E
> Running in AD Security Mode.
> Not running as a domain controller
> Not running as a WINS server.
>
> Thanks for all and any help!
>
> Mike Casale
>
> Here is our smb.conf file:
>
>
> #======================= Global Settings =====================================
>
> [global]
>
>    workgroup = NYC-14
>    netbios name = OLDSAN
> # the following changed to adapt to Win2003 MC 19Nov06:
>    client schannel = no
>    client use spnego = no
>    server signing = auto
>    server string = OLD SAN
>
>    printcap name = /etc/printcap
>    load printers = no
>    cups options = raw
>
>    log file = /var/log/samba/%m.log
>    max log size = 50
>
>    security = ads
>    realm = NYC-14.KNOA.COM
>    password server = 192.168.14.243
>    encrypt passwords = yes
>
>    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>    wins server = 192.168.14.243
>    dns proxy = no
>
>    idmap uid = 10000-20000
>    idmap gid = 10000-20000
>    ;winbind separator = \
>    winbind enum users = yes
>    winbind enum groups = yes
>    template shell = /bin/false
>    winbind use default domain = yes
>
> #============================ Share Definitions ==============================
>
> # backup depository
> [backup]
>    comment = Backup Repository
>    force create mode = 0777
>    force directory mode = 6777
>    path = /mnt/data/backup
>    browseable = no
>    writable = yes
>    valid users = NYC-14\backup, NYC-14\mcasale, NYC-14\administrator, NYC-14\sys_bak, NYC-14\PDS$, NYC-14\RDS$, NYC-14\MXS$, "NYC-14\Domain Admins"
>
> # bulk data storage for Development
> [bulk]
>    browsable = no
>    force create mode = 0777
>    force directory mode = 6777
>    path = /mnt/data/bulk
>    writable = yes
>    guest ok = yes
>
> # clients data
> [Clients]
>    browsable = yes
>    comment = Clients of Knoa Software
>    inherit permissions = yes
>    path = /mnt/data/clients
>    valid users = NYC-14\mcasale, NYC-14\Staff, NYC-14\Extranet, NYC-14\administrator, "NYC-14\Domain Admins"
>    writable = yes
>
> # Engineering signing keys
> [CSPDID]
>    browseable = no
>    # access to this share is controlled via valid users list
>    force create mode = 0777
>    force directory mode = 6777
>    path = /mnt/data/cspdid
>    valid users = NYC-14\mcasale, NYC-14\zkopytnik, NYC-14\drayna, NYC-14\plui, NYC-14\mkrosky, NYC-14\Administrator, "NYC-14\Domain Admins"
>    writable = yes
>
> # file share for all company departments
> [Company]
>    comment = Departmental File Share
>    browseable = yes
>    inherit permissions = yes
> #   force create mode = 0777
> #   force directory mode = 6777
>    path = /mnt/data/company
>    valid users = NYC-14\Staff, NYC-14\tester, NYC-14\Administrator, "NYC-14\Domain Admins"
>    writable = yes
>    inherit permissions = yes
>
> # image depository
> [image]
>    comment = Disk Image Repository
>    path = /mnt/data/image
>    browseable = no
>    write list = NYC-14\mcasale, NYC-14\Administrator, "NYC-14\Domain Admins"
>
> # intranet site files for access by the Intranet server VMC
> [intranet]
>    path = "/mnt/data/company/Web Development/Intranet"
>    browsable = no
>    guest ok = yes
> #  valid users = NYC-14\sys_web, NYC-14\vmc$
>
> # server root - for backup only
> [home]
>    path = /mnt/data
>    valid users = NYC-14\Services, root, NYC-14\Administrator, "NYC-14\Domain Admins" NYC-14\mcasale
>    browseable = no
>
> # software library
> [Software]
>    comment = Software Library
>    force create mode = 0007
>    force directory mode = 0007
>    path = /mnt/data/software
>    valid users = NYC-14\Staff, NYC-14\Administrator, NYC-14\mcasale
>    write list = NYC-14\Staff, NYC-14\Administrator, "NYC-14\Domain Admins", NYC-14\mcasale
>
> [VSS]
>    browseable = no
>    comment = Visual Source Safe
>    create mask = 0666
>    directory mask = 0777
>    path = /mnt/data/vss
>    valid users = NYC-14\Staff, NYC-14\tester, NYC-14\Administrator, "NYC-14\Domain Admins"
>    writable = yes
>
> # Users - public files of staff members
> [Users]
>    comment = Personal File Repositories
> #   create mask = 0666
> #   directory mask = 0777
>    path = /mnt/data/profiles/public
>    valid users = NYC-14\Staff, NYC-14\administrator, "NYC-14\Domain Admins"
>    writable = yes
>    browseable = yes
> #   inherit permissions = yes
>
> # user profiles
> [%U]
>    path = /mnt/data/profiles/%U
>    create mask = 0666
>    directory mask = 0777
>    valid users = NYC-14\%U, "NYC-14\Domain Admins"
>    writable = yes
>    browseable = no
>    inherit permissions = yes
>
> # Public Directory
> [Public]
>    path = /mnt/data/profiles/public
> #create mask = 0007
> #directory mask = 0007
> #valid users = NYC-14\Staff
>    writable = yes
>    browseable = yes
>    inherit permissions = yes
>
> # Test Users Directory
> [Users2]
>    path = /mnt/data/users
> #create mask = 0666
> #directory mask = 0777
>    valid users = NYC-14\Staff
>    writeable = yes
>    browseable = no
>    inherit permissions = yes
>
>
> And here is our Kerberos file krb5.conf:
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = NYC-14.KNOA.COM
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>
> [realms]
>  NYC-14.KNOA.COM = {
>   kdc = credo.nyc-14.knoa.com:88
> #  kdc = mxs.nyc-14.knoa.com:88
>   admin_server = credo.nyc-14.knoa.com:749
> #  admin_server = mxs.nyc-14.knoa.com:749
>   default_domain = nyc-14.knoa.com
>  }
>
> [domain_realm]
>  .nyc-14.knoa.com = NYC-14.KNOA.COM
>  nyc-14.knoa.com = NYC-14.KNOA.COM
>
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }
>
>
> ________________________________
> Michael Andrew Casale
> Information Technology Manager | Knoa Software, Inc
> 5 Union Square West | New York | New York | 10003
> t: 212.807.9608 x 6000 | m: 352-359-1797 | f: 212.675.6121
>
> www.knoa.com

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
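Separate from the write problem, the smb.conf quoted above carries several share-level settings worth a second look once writes work again, and because they are easy to miss in a long file, here is a small lint of my own (not from the thread and not a Samba project tool) that reports them. Run against the config above it flags [bulk], which combines guest ok with writable and force create mode 0777; every share using force create/directory mode 0777 or 6777 or create mask 0666, including [CSPDID], the share whose comment reads "Engineering signing keys"; the [home] share at /mnt/data, whose valid users list reaches the data of every other share underneath it; and [Users] and [Public], which export the same directory with different valid users lists. The parsing rules (the writeable/write ok/public synonyms, quoted paths, read only inversion) and the finding texts are mine; the only argument is the path of an smb.conf.

```shell
#!/bin/sh
# Added lint for smb.conf share sections, not from the thread. It flags
# the combinations visible in the quoted config: "guest ok" on a writable
# share, world-writable force/mask modes, and shares whose paths nest or
# coincide while their valid users lists differ. Usage:
#   sh smb_lint.sh /etc/samba/smb.conf
# Plain POSIX awk only, so it runs on RHEL 4 as well as on current systems.

# lint_smb_conf FILE : one finding per line on stdout; returns 1 if any.
lint_smb_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function yes(v)  { return tolower(v) ~ /^(yes|true|1)$/ }
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }           # comments and blank lines
    /^[ \t]*\[/ {                                  # [share] header
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        order[++n] = sec; next
    }
    /=/ {                                          # key = value, first "=" splits
        i = index($0, "=")
        k = tolower(trim(substr($0, 1, i - 1)))
        v = trim(substr($0, i + 1)); gsub(/^"|"$/, "", v)
        if (k == "writeable" || k == "write ok") k = "writable"
        if (k == "public") k = "guest ok"
        if (k == "read only") { k = "writable"; v = yes(v) ? "no" : "yes" }
        cfg[sec, k] = v
    }
    END {
        nm = split("force create mode|force directory mode|create mask|directory mask", mk, "|")
        for (i = 1; i <= n; i++) {
            s = order[i]
            if (s == "global") continue
            if (yes(cfg[s, "guest ok"]) && yes(cfg[s, "writable"])) {
                printf "[%s] guest ok + writable: anonymous clients can write to %s\n", s, cfg[s, "path"]
                found++
            }
            for (j = 1; j <= nm; j++) {
                m = cfg[s, mk[j]]
                # the last octal digit holds the "other" bits; 2,3,6,7 include write
                if (m != "" && substr(m, length(m), 1) ~ /[2367]/) {
                    printf "[%s] %s = %s makes new objects world-writable on the host\n", s, mk[j], m
                    found++
                }
            }
            pa = cfg[s, "path"]
            for (j = 1; j <= n; j++) {
                t = order[j]; pb = cfg[t, "path"]
                if (i == j || pa == "" || pb == "") continue
                if (index(pb, pa "/") == 1) {
                    printf "[%s] path %s contains share [%s] (%s): its valid users reach that data too\n", s, pa, t, pb
                    found++
                } else if (pa == pb && i < j && cfg[s, "valid users"] != cfg[t, "valid users"]) {
                    printf "[%s] and [%s] export %s with different valid users lists\n", s, t, pa
                    found++
                }
            }
        }
        exit (found ? 1 : 0)
    }' "$1"
}

# Usage: sh smb_lint.sh /etc/samba/smb.conf
if [ $# -gt 0 ]; then
    lint_smb_conf "$1"
fi
```

The mode check looks only at the "other" write bit because that is what makes a file modifiable by any local account or by any other share that reaches the same path; the nesting check is what turns the [home] entry from "backup only" into the access list that matters for everything under /mnt/data.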