[Samba] Users can Read but not Write / Delete Files
Michael Casale
mcasale at knoa.com
Wed Jun 6 21:53:33 GMT 2007
Just another update -
I set up user security again to test and it works - the users I added in
with smbpasswd worked.
I will no longer use this Samba server with AD security as only a few
users use it.
Thanks for any help. If anyone still has any suggestions on getting my
box to work with AD please let me know.
Mike
__________________
Michael Casale
IT Manager | Knoa Software, Inc
5 Union Square West | New York | New York | 10003
t: 212.807.9608 x 6000 | m: 352-359-1797 | f: 212.675.6121
www.knoa.com
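The two messages above this one report that the failure survives switching from security = ads to security = user, authenticating as root, and chmod 777 on the files, which puts the suspect layers below Samba: the filesystem and SELinux. The following script is an editorial example added here, not code from the thread or from the Samba project. It probes those layers for one share path: the mount options of the mount covering the path (a filesystem that came back from a reboot remounted read-only shows ro in /proc/mounts), the SELinux enforcement state, and an actual create / write / delete as the invoking user. The share path argument, the probe file name and the hypothetical saved mounts file are assumptions; the mount parser takes a file argument so it can be run against a copy of /proc/mounts taken from the affected box.

```shell
#!/bin/sh
# Editorial example, not from the thread: probe the Linux layers under a Samba
# share path that can be read but not written. Assumptions: the share path is
# given as $1 (the posted smb.conf uses paths under /mnt/data), the probe file
# name below is arbitrary, and the mounts file has the usual /proc/mounts form
# "device mountpoint fstype options dump pass".

# Print the options of the deepest mount point that covers $2, reading
# /proc/mounts-style lines from the file named in $1. Mount points containing
# spaces appear as \040 in /proc/mounts; this parser does not unescape them.
mount_opts_for() {
    mounts_file=$1
    target=$2
    best=""
    best_opts=""
    while read -r _dev mnt _fstype opts _rest; do
        [ -z "$mnt" ] && continue
        # "/" covers everything; otherwise the mount point must equal the
        # target or be a path-component prefix of it.
        if [ "$mnt" = "/" ] || [ "$mnt" = "$target" ] || [ "${target#"$mnt"/}" != "$target" ]; then
            # Longest mount point wins; a later entry on the same mount point
            # shadows an earlier one.
            if [ "${#mnt}" -ge "${#best}" ]; then
                best=$mnt
                best_opts=$opts
            fi
        fi
    done < "$mounts_file"
    printf '%s\n' "$best_opts"
}

# Exit 0 when the mount covering $2 (per mounts file $1) carries the ro option.
mount_is_ro() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,ro,*) return 0 ;;
    esac
    return 1
}

# Report SELinux enforcement; getenforce is absent on hosts without SELinux.
selinux_state() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce
    else
        echo "getenforce not found (no SELinux userland on this host)"
    fi
}

# Try the three operations the thread reports as failing: create, write,
# delete. Prints "ok" or the step that failed; returns non-zero on failure.
write_probe() {
    dir=$1
    probe="$dir/.smb_write_probe.$$"
    if ! ( : > "$probe" ) 2>/dev/null; then
        echo "create failed in $dir"
        return 1
    fi
    if ! echo probe >> "$probe" 2>/dev/null; then
        echo "write failed on $probe"
        rm -f "$probe" 2>/dev/null
        return 1
    fi
    if ! rm -f "$probe" 2>/dev/null; then
        echo "delete failed on $probe"
        return 1
    fi
    echo "ok"
    return 0
}

# Stand-alone use: sh probe.sh /mnt/data/company
if [ -n "${1:-}" ]; then
    share_path=$1
    echo "SELinux: $(selinux_state)"
    if mount_is_ro /proc/mounts "$share_path"; then
        echo "mount covering $share_path is read-only: $(mount_opts_for /proc/mounts "$share_path")"
    else
        echo "mount options for $share_path: $(mount_opts_for /proc/mounts "$share_path")"
    fi
    ls -ld "$share_path"
    echo "write probe as $(id -un): $(write_probe "$share_path")"
fi
```

Run it as the Unix account the SMB session maps to (with winbind use default domain = yes that is the bare AD user name), not as root: root ignores mode bits but is still refused by a read-only mount and by SELinux in enforcing mode, which is the combination that makes both the chmod 777 test and the root login test come out the same. If the probe succeeds as that user from a shell while the SMB write still fails, what remains is Samba's own share handling, and testparm -s prints the effective share parameters to check against.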
-----Original Message-----
From: Michael Casale
Sent: Wednesday, June 06, 2007 12:31 PM
To: Michael Casale; 'gary at extremeground.com'
Cc: 'samba at lists.samba.org'
Subject: RE: [Samba] Users can Read but not Write / Delete Files
New Development,
I just changed the security on my Samba box to user, and added the root
user to the smbpassword file with the smbpasswd root command.
I then successfully authenticated to a share on the Samba server as
root.
Guess what? Once again, I was able to read files, but not write, create,
or delete any files.
This is definitely a problem with the Linux server - since rebooting
last week this has happened.
Anyone know anything about selinux? Maybe I need to set it, or disable
it again?
The problem is independent of the type of authentication Samba uses.
Thanks!
Mike
__________________
Michael Casale
IT Manager | Knoa Software, Inc
5 Union Square West | New York | New York | 10003
t: 212.807.9608 x 6000 | m: 352-359-1797 | f: 212.675.6121
www.knoa.com
-----Original Message-----
From: samba-bounces+mcasale=knoa.com at lists.samba.org
[mailto:samba-bounces+mcasale=knoa.com at lists.samba.org] On Behalf Of
Michael Casale
Sent: Wednesday, June 06, 2007 9:52 AM
To: gary at extremeground.com
Cc: samba at lists.samba.org
Subject: RE: [Samba] Users can Read but not Write / Delete Files
Gary,
Thanks for your reply - but I already tried chmod'ing some files in some
directories to 777 and it still doesn't work.
Mike
__________________
Michael Casale
IT Manager | Knoa Software, Inc
5 Union Square West | New York | New York | 10003
t: 212.807.9608 x 6000 | m: 352-359-1797 | f: 212.675.6121
www.knoa.com
-----Original Message-----
From: samba-bounces+mcasale=knoa.com at lists.samba.org
[mailto:samba-bounces+mcasale=knoa.com at lists.samba.org] On Behalf Of
Gary Dale
Sent: Tuesday, June 05, 2007 10:58 PM
Cc: samba at lists.samba.org
Subject: Re: [Samba] Users can Read but not Write / Delete Files
One possible problem is the actual file permissions on the server. I
think Samba expects to see the files wide open so that Samba/Winbind can
implement the Windows permissions properly without running afoul of Unix
permissions.
I recognize that this doesn't fit the way the problem developed, but the
symptoms match. :)
Michael Casale wrote:
> Hi All,
>
> Here is a situation where everyone can read, but not write to or
> delete, the shares on our Samba server:
>
> We moved the file server a few weeks ago - split off some files to a new
> Windows file server - and users could read but not write files to the
> old Samba server after it was renamed (SAN to OLDSAN). It turned out
> SELinux was running, which I disabled, rebooted, and all worked well.
>
> Now I've been patching our domain controllers and the same thing
> happened. I assumed I installed the "magic patch" on a domain
> controller. All users can read the files they are supposed to, but no
> one, including the admin (me), can write to or delete files. In other
> words, the same as before, but I checked, and SELinux is still disabled.
>
> I tried deleting and re-creating the server's computer object in the
> Windows 2003 Active Directory - same problem.
>
> Has anyone seen this problem? Can anyone shed any light on this?
>
> Here is our setup:
>
> Red Hat Enterprise Linux AS kernel 2.6.9-5.EL
> Samba Version: 3.0.10-1.4E
> Running in AD Security Mode.
> Not running as a domain controller
> Not running as a WINS server.
>
> Thanks for all and any help!
>
> Mike Casale
>
> Here is our smb.conf file:
>
> #======================= Global Settings =====================================
> [global]
> workgroup = NYC-14
> netbios name = OLDSAN
> # the following changed to adapt to Win2003 MC 19Nov06:
> client schannel = no
> client use spnego = no
> server signing = auto
> server string = OLD SAN
>
> printcap name = /etc/printcap
> load printers = no
> cups options = raw
>
> log file = /var/log/samba/%m.log
> max log size = 50
>
> security = ads
> realm = NYC-14.KNOA.COM
> password server = 192.168.14.243
> encrypt passwords = yes
>
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> wins server = 192.168.14.243
> dns proxy = no
>
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> ;winbind separator = \
> winbind enum users = yes
> winbind enum groups = yes
> template shell = /bin/false
> winbind use default domain = yes
>
> #============================ Share Definitions ==============================
> # backup depository
> [backup]
> comment = Backup Repository
> force create mode = 0777
> force directory mode = 6777
> path = /mnt/data/backup
> browseable = no
> writable = yes
> valid users = NYC-14\backup, NYC-14\mcasale, NYC-14\administrator,
> NYC-14\sys_bak, NYC-14\PDS$, NYC-14\RDS$, NYC-14\MXS$, "NYC-14\Domain
> Admins"
>
> # bulk data storage for Development
> [bulk]
> browsable = no
> force create mode = 0777
> force directory mode = 6777
> path = /mnt/data/bulk
> writable = yes
> guest ok = yes
>
> # clients data
> [Clients]
> browsable = yes
> comment = Clients of Knoa Software
> inherit permissions = yes
> path = /mnt/data/clients
> valid users = NYC-14\mcasale, NYC-14\Staff, NYC-14\Extranet,
> NYC-14\administrator, "NYC-14\Domain Admins"
> writable = yes
>
> # Engineering signing keys
> [CSPDID]
> browseable = no
> # access to this share is controlled via valid users list
> force create mode = 0777
> force directory mode = 6777
> path = /mnt/data/cspdid
> valid users = NYC-14\mcasale, NYC-14\zkopytnik, NYC-14\drayna,
> NYC-14\plui, NYC-14\mkrosky, NYC-14\Administrator, "NYC-14\Domain
> Admins"
> writable = yes
>
> # file share for all company departments
> [Company]
> comment = Departmental File Share
> browseable = yes
> inherit permissions = yes
> # force create mode = 0777
> # force directory mode = 6777
> path = /mnt/data/company
> valid users = NYC-14\Staff, NYC-14\tester, NYC-14\Administrator,
> "NYC-14\Domain Admins"
> writable = yes
> inherit permissions = yes
>
> # image depository
> [image]
> comment = Disk Image Repository
> path = /mnt/data/image
> browseable = no
> write list = NYC-14\mcasale, NYC-14\Administrator, "NYC-14\Domain
> Admins"
>
> # intranet site files for access by the Intranet server VMC
> [intranet]
> path = "/mnt/data/company/Web Development/Intranet"
> browsable = no
> guest ok = yes
> # valid users = NYC-14\sys_web, NYC-14\vmc$
>
> # server root - for backup only
> [home]
> path = /mnt/data
> valid users = NYC-14\Services, root, NYC-14\Administrator,
> "NYC-14\Domain Admins" NYC-14\mcasale
> browseable = no
>
> # software library
> [Software]
> comment = Software Library
> force create mode = 0007
> force directory mode = 0007
> path = /mnt/data/software
> valid users = NYC-14\Staff, NYC-14\Administrator, NYC-14\mcasale
> write list = NYC-14\Staff, NYC-14\Administrator, "NYC-14\Domain
> Admins", NYC-14\mcasale
>
> [VSS]
> browseable = no
> comment = Visual Source Safe
> create mask = 0666
> directory mask = 0777
> path = /mnt/data/vss
> valid users = NYC-14\Staff, NYC-14\tester, NYC-14\Administrator,
> "NYC-14\Domain Admins"
> writable = yes
>
> # Users - public files of staff members
> [Users]
> comment = Personal File Repositories
> # create mask = 0666
> # directory mask = 0777
> path = /mnt/data/profiles/public
> valid users = NYC-14\Staff, NYC-14\administrator, "NYC-14\Domain
> Admins"
> writable = yes
> browseable = yes
> # inherit permissions = yes
>
> # user profiles
> [%U]
> path = /mnt/data/profiles/%U
> create mask = 0666
> directory mask = 0777
> valid users = NYC-14\%U, "NYC-14\Domain Admins"
> writable = yes
> browseable = no
> inherit permissions = yes
>
> # Public Directory
> [Public]
> path = /mnt/data/profiles/public
> #create mask = 0007
> #directory mask = 0007
> #valid users = NYC-14\Staff
> writable = yes
> browseable = yes
> inherit permissions = yes
>
> # Test Users Directory
> [Users2]
> path = /mnt/data/users
> #create mask = 0666
> #directory mask = 0777
> valid users = NYC-14\Staff
> writeable = yes
> browseable = no
> inherit permissions = yes
>
> And here is our Kerberos file krb5.conf:
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = NYC-14.KNOA.COM
> dns_lookup_realm = true
> dns_lookup_kdc = true
>
> [realms]
> NYC-14.KNOA.COM = {
> kdc = credo.nyc-14.knoa.com:88
> # kdc = mxs.nyc-14.knoa.com:88
> admin_server = credo.nyc-14.knoa.com:749
> # admin_server = mxs.nyc-14.knoa.com:749
> default_domain = nyc-14.knoa.com
> }
>
> [domain_realm]
> .nyc-14.knoa.com = NYC-14.KNOA.COM
> nyc-14.knoa.com = NYC-14.KNOA.COM
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
> ________________________________
> Michael Andrew Casale
> Information Technology Manager | Knoa Software, Inc
> 5 Union Square West | New York | New York | 10003
> t: 212.807.9608 x 6000 | m: 352-359-1797 | f: 212.675.6121
> www.knoa.com
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba