[Samba] Userrights problem: Samba PDC + OpenLDAP

Jens Schmidt samba.lists.samba.org at actinoide.de
Mon May 14 14:40:28 GMT 2007



Hello there,

I have a new problem with my Samba :-).

I created a new user in OpenLDAP. Then I joined the domain and
tried to browse the home directory of the new user.

Here are the rights under Linux:

[16:27:52] jens@saphira:~ > ll
total 1.8M
drwxrwx---  7 jens   Domain Users  632 May 14 16:27 .
drwxrwxrwx 15 nobody root          360 May 12 02:15 ..
-rw-------  1 jens   Domain Users  265 May 14 16:27 .Xauthority
-rwxrwx---  1 jens   Domain Users 1.1K May 13 02:24 .bash_history
-rwxrwx---  1 jens   Domain Users  382 May 12 02:39 .bash_logout
-rwxrwx---  1 jens   Domain Users  333 May  9 14:29 .bash_profile
-rwxrwx---  1 jens   Domain Users 2.4K May 12 02:36 .bashrc
-rwxrwx---  1 jens   Domain Users  707 May 12 02:38 .inputrc
drwxrwx---  3 jens   Domain Users  144 May  9 14:14 .irssi
-rwxrwx---  1 jens   Domain Users   35 May 10 00:17 .lesshst
-rwxrwx---  1 jens   Domain Users  14K May 12 00:07 .linux_changelog
-rwxrwx---  1 jens   Domain Users 5.5K May 12 15:54 .viminfo
-rwxrwx---  1 jens   Domain Users  778 May  9 14:12 .vimrc
drwxrwx---  2 jens   Domain Users   48 May  8 20:49 .vmware
drwxrwx---  2 jens   Domain Users   48 May  9 17:06 Mail
drwxr-xr-x  2 jens   Domain Users   48 May 13 01:17 Neuer Ordner
[16:27:54] jens@saphira:~ >

As you can see, only the folder called "Neuer Ordner" is r-x for
"others". The folder called "Mail" isn't readable for others.

And here is my problem: I can't see the folder Mail (because of the
option "hide unreadable = yes" in Samba), but I should be able to read it, because
I am logged in as "jens". And "jens" is a user of the group "Domain Users":

[16:27:54] jens@saphira:~ > id
uid=1337(jens) gid=513(Domain Users) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),512(Domain Admins),513(Domain Users)
[16:30:53] jens@saphira:~ >

So, I think I should be able to read the folder Mail. But I can only see "Neuer
Ordner", because it is readable for "others".

Furthermore, I created the folder "Neuer Ordner" over Samba. So it was
created automatically as "jens" and "Domain Users".

This is my Samba Configuration:

[global]

workgroup            = JJAGS
netbios name         = saphira
server string        = JJags Fileserver im Centuri Network

dns proxy            = no
wins support         = yes

interfaces           = 192.168.1.0/24 eth0
bind interfaces only = true
profile acls         = Yes

log file             = /var/log/samba/log.%m
max log size         = 3000
log level            = 2
syslog               = 0
panic action         = /usr/share/samba/panic-action %d

passdb backend       = ldapsam:ldap://localhost/
unix password sync   = no
domain logons        = yes
local master         = yes
preferred master     = yes
os level             = 64
dos charset          = 850
unix charset         = ISO-8859-15
display charset      = ISO-8859-15

time server          = Yes
socket options       = SO_KEEPALIVE IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192

add user script      = /usr/sbin/smbldap-useradd -m '%u'
delete user script   = /usr/sbin/smbldap-userdel %u
add group script     = /usr/sbin/smbldap-groupadd -p '%g'
delete group script  = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%g' '%u'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%g' '%u'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script   = /usr/sbin/smbldap-useradd -w '%u'

logon path           = \\%L\profiles\%U
logon drive          = H:
logon home           = \\%L\%U
logon script         = logon.cmd

socket options       = TCP_NODELAY

domain master        = yes

ldap suffix          = dc=centuri,dc=lan
ldap admin dn        = cn=manager,dc=centuri,dc=lan
ldap user suffix     = ou=Users
ldap group suffix    = ou=Groups
ldap machine suffix  = ou=Machine
ldap ssl             = no
ldap delete dn       = Yes

admin users          = root, Administrator

security             = user
encrypt passwords    = yes

#ntlm auth            = no
#lanman auth          = no
#client ntlmv2 auth   = yes

null passwords       = no
hide unreadable      = yes

hide dot files       = yes

#======================= Share Definitions =======================

[netlogon]
   comment = Network Logon Service
   path = /var/samba/netlogon
   public = no
   ; guest ok = yes
   writable = no
   share modes = no
   browseable = no

[profiles]
   comment = Users profiles
   path = /var/samba/profiles
   ; guest ok = no
   guest ok = yes
   writeable = yes
   browseable = no
   preserve case = no
   case sensitive = no
   create mask = 0666
   directory mask = 0777
   hide files = /desktop.ini/ntuser.ini/NTUSER.*/
   write list = "@Domain Users" "@Domain Admins"
   default case = lower

[homes]
   comment = Home Directory
   path = /home/%U
   browseable = no
   #valid users = %S
   writable = yes
   #guest ok = no
   #inherit permissions = yes
   #create mask = 0700
   #directory mask = 0700

[public]
   comment = Public Share
   path = /mnt/public
   browseable = yes
   guest ok = no


I hope someone can help me. Maybe there is an option where Samba forks a
process with the user ID of the logged-in person (in this case: "jens"), and
with that user the process can read my files.

Thanks a lot.

Jens.
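Added example, not part of Jens's post or of Samba: a small Python model of the POSIX read check that decides which entries of the listing above are visible for a given uid and set of gids. The listing and the name-to-id tables are constructed from the post's own `ll` and `id` output; the helper names are hypothetical. It shows that Mail is visible to the owner uid 1337 or to any token carrying gid 513, and that a token with neither yields exactly the "Neuer Ordner"-only view the post describes.

```python
# Constructed sample: entries from the post's listing as (mode, owner, group, name).
LISTING = [
    ("drwxrwx---", "jens", "Domain Users", "Mail"),
    ("drwxr-xr-x", "jens", "Domain Users", "Neuer Ordner"),
    ("-rw-------", "jens", "Domain Users", ".Xauthority"),
]

# Constructed name tables; the numeric ids are those shown by `id` in the post.
USERS = {"jens": 1337, "nobody": 65534}
GROUPS = {"Domain Users": 513, "Domain Admins": 512, "root": 0}


def can_read(mode, owner, group, uid, gids):
    """POSIX class selection: owner bits if uid matches, else group bits if
    any of the caller's gids match the file's group, else the 'other' bits.
    A directory is listable only with both r and x; a plain file needs r."""
    bits = mode[1:]
    is_dir = mode[0] == "d"
    if uid == USERS[owner]:
        cls = bits[0:3]
    elif GROUPS[group] in gids:
        cls = bits[3:6]
    else:
        cls = bits[6:9]
    readable = cls[0] == "r"
    if is_dir:
        readable = readable and cls[2] == "x"
    return readable


def visible_entries(uid, gids, listing=LISTING):
    """Names a share with 'hide unreadable = yes' would show for this token
    (assumption: the check is the plain POSIX one modelled in can_read)."""
    return [name for mode, owner, group, name in listing
            if can_read(mode, owner, group, uid, gids)]


if __name__ == "__main__":
    # The three tokens worth comparing: the owner, a fellow group member,
    # and a session that carries neither the owner uid nor gid 513.
    for label, uid, gids in (("owner jens", 1337, {513}),
                             ("other member of gid 513", 2000, {513}),
                             ("token without gid 513", 2000, {100})):
        print(f"{label:28} -> {visible_entries(uid, gids)}")
```

The dot file only appears for the owner here because its mode is 0600; under "hide dot files = yes" it would be hidden from every token anyway.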

