[Samba] Creating a group share

Prakash Velayutham prakash.velayutham at cchmc.org
Wed Nov 14 15:51:29 GMT 2007


Hi Dale,

samba-3.0.26a-0.2.91

This is what I am seeing in the logs.

[2007/11/14 09:56:17, 5] auth/auth.c:check_ntlm_password(296)
   check_ntlm_password:  PAM Account for user [prakash] succeeded
[2007/11/14 09:56:17, 2] auth/auth.c:check_ntlm_password(309)
   check_ntlm_password:  authentication for user [prakash] -> [prakash] -> [prakash] succeeded
[2007/11/14 09:56:17, 5] auth/auth_util.c:free_user_info(2045)
   attempting to free (and zero) a user_info structure
[2007/11/14 09:56:17, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1089)
   fetch gid from cache 544 -> S-1-5-32-544
[2007/11/14 09:56:17, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1089)
   fetch gid from cache 10002 -> S-1-5-32-545
[2007/11/14 09:56:17, 5] lib/smbldap.c:smbldap_search_ext(1182)
   smbldap_search_ext: base => [ou=PI-groups,o=tchrf,c=us], filter =>
   [(&(|(objectclass=sambaGroupMapping)(sambaGroupType=4))(|
   (sambaSIDList=S-1-5-21-1913082429-4173022140-755955522-3170)
   (sambaSIDList=S-1-22-2-1000)(sambaSIDList=S-1-1-0)(sambaSIDList=S-1-5-2)(sambaSIDList=S-1-5-11)
   (sambaSIDList=S-1-22-2-1010)(sambaSIDList=S-1-22-2-1015)(sambaSIDList=S-1-22-2-1050)(sambaSIDList=S-1-22-2-1004)
   (sambaSIDList=S-1-22-2-1011)(sambaSIDList=S-1-22-2-1052)(sambaSIDList=S-1-22-2-1053)))], scope => [2]
[2007/11/14 09:56:17, 5] lib/smbldap.c:smbldap_search_ext(1182)
   smbldap_search_ext: base => [ou=PI-groups,o=tchrf,c=us], filter =>
   [(&(|(objectclass=sambaGroupMapping)(sambaGroupType=4))(|
   (sambaSIDList=S-1-5-21-1913082429-4173022140-755955522-3170)
   (sambaSIDList=S-1-22-2-1000)(sambaSIDList=S-1-1-0)(sambaSIDList=S-1-5-2)(sambaSIDList=S-1-5-11)
   (sambaSIDList=S-1-22-2-1010)(sambaSIDList=S-1-22-2-1015)(sambaSIDList=S-1-22-2-1050)(sambaSIDList=S-1-22-2-1004)
   (sambaSIDList=S-1-22-2-1011)(sambaSIDList=S-1-22-2-1052)(sambaSIDList=S-1-22-2-1053)))], scope => [2]
[2007/11/14 09:56:17, 3] lib/privileges.c:get_privileges(261)
   get_privileges: No privileges assigned to SID [S-1-5-21-1913082429-4173022140-755955522-3170]
[2007/11/14 09:56:17, 3] lib/privileges.c:get_privileges(261)
   get_privileges: No privileges assigned to SID [S-1-22-2-1000]
[2007/11/14 09:56:17, 5] lib/privileges.c:get_privileges_for_sids(460)
   get_privileges_for_sids: sid = S-1-1-0
   Privilege set:
   SE_PRIV  0x0 0x0 0x0 0x0

.. more logs ...

[2007/11/14 09:56:17, 4] smbd/reply.c:reply_tcon_and_X(506)
   Client requested device type [?????] for share [JIAGEN1]
[2007/11/14 09:56:17, 5] smbd/service.c:make_connection(1205)
   making a connection to 'normal' service jiagen1
[2007/11/14 09:56:17, 3] lib/util_sid.c:string_to_sid(223)
   string_to_sid: Sid +WTCCC does not start with 'S-'.
[2007/11/14 09:56:17, 3] smbd/sec_ctx.c:push_sec_ctx(208)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/11/14 09:56:17, 3] smbd/uid.c:push_conn_ctx(358)
   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/11/14 09:56:17, 3] smbd/sec_ctx.c:set_sec_ctx(241)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/11/14 09:56:17, 5] auth/auth_util.c:debug_nt_user_token(448)
   NT user token: (NULL)
[2007/11/14 09:56:17, 5] auth/auth_util.c:debug_unix_user_token(474)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2007/11/14 09:56:17, 5] lib/smbldap.c:smbldap_search_ext(1182)
   smbldap_search_ext: base => [ou=PI-groups,o=tchrf,c=us], filter =>
   [(&(objectClass=sambaGroupMapping)(|(displayName=WTCCC)(cn=WTCCC)))], scope => [2]
[2007/11/14 09:56:17, 2] passdb/pdb_ldap.c:init_group_from_ldap(2158)
   init_group_from_ldap: Entry found for group: 1008
[2007/11/14 09:56:17, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/11/14 09:56:17, 2] smbd/service.c:make_connection_snum(616)
   user 'prakash' (from session setup) not permitted to access this share (JIAGEN1)
[2007/11/14 09:56:17, 3] smbd/error.c:error_packet_set(106)
   error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

[global]
	workgroup = WORKGROUPNAME
	netbios name = servername
	encrypt passwords = yes
	password server = *
	passdb backend = ldapsam:"ldaps://***.***.***"
	log level = 9
	syslog = 0
	name resolve order = wins bcast hosts
	ldap suffix = o=x,c=y
	ldap machine suffix = ou=xx
	ldap group suffix = ou=yy
	ldap user suffix = ou=xx
	ldap idmap suffix = ou=zz
	ldap admin dn = cn=Manager,o=x,c=y
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	winbind use default domain = yes
	printing = cups
	printcap name = cups
	printcap cache time = 750
	cups options = raw
	map to guest = Bad User
	security = user

Any more ideas, please?

Thanks,
Prakash

On Nov 14, 2007, at 10:13 AM, Dale Schroeder wrote:

> Are there any errors in the logs?  If not, try increasing your log  
> level to 10.
> What does the global section of your smb.conf look like, and which  
> version of Samba are you running?
> If it is an openldap problem, maybe one of the ldap experts (which I  
> am not) could spot it.
>
> Dale
>
> Prakash Velayutham wrote:
>>
>> To add more info, I am seeing the following in the logs. So I am  
>> guessing authentication is working fine. It is something with  
>> regards to the group membership that is not.
>>
>> [2007/11/14 09:41:06, 5] auth/auth.c:check_ntlm_password(296)
>>   check_ntlm_password:  PAM Account for user [prakash] succeeded
>> [2007/11/14 09:41:06, 2] auth/auth.c:check_ntlm_password(309)
>>   check_ntlm_password:  authentication for user [prakash] -> [prakash] -> [prakash] succeeded
>>
>> Thanks,
>> Prakash
>
>
> Prakash Velayutham wrote:
>>
>> Hi Dale,
>>
>> Thanks for the response. I changed my share configuration as below.  
>> But now I cannot authenticate.
>>
>> [JIAGEN1]
>>  comment = JIAGEN project share
>>  path = /export/newWTCCC
>>  valid users = +WTCCC
>>  write list = +WTCCC
>>  read only = No
>>  inherit acls = Yes
>>  force group = +WTCCC
>>  writable = yes
>>  create mask = 0660
>>  directory mask = 0770
>>
>> Any ideas why?
>>
>> I checked that the user is a part of the group (though not primary).
>>
>> bmifsrd2:~ # groups prakash
>> prakash : users torque-users calendar-users irc-users WTCCC plone-managers plone-members fmadmin fmuser
>>
>> Thanks,
>> Prakash
>>
>> On Nov 14, 2007, at 8:57 AM, Dale Schroeder wrote:
>>
>>> Prakash,
>>>
>>> You have inadvertently combined two parameters.  There is no  
>>> "valid write list" parameter.
>>> You should use
>>>     write list = +WTCCC
>>>     valid users = +WTCCC
>>>
>>> It should work after correcting the parameter.
>>>
>>> Good luck,
>>> Dale
>>>
>>> Prakash Velayutham wrote:
>>>>
>>>> Hello,
>>>>
>>>> I have a Samba PDC (3.x) running in an OpenSUSE 10.2 system. The  
>>>> authentication backend is Open LDAP.
>>>>
>>>> I want to create a group share (WTCCC) which should be accessible  
>>>> to a group of users (belonging to a group called WTCCC). The  
>>>> users possess this group as their secondary group (NOT primary).
>>>>
>>>> And the share folder would have its gid bit set, so all the  
>>>> writes to the folder would be accessible further by only people  
>>>> belonging to WTCCC. Also I want a default umask of 770 for the  
>>>> shared folder too.
>>>>
>>>> Could someone suggest a share configuration that can do these?
>>>>
>>>> Currently, I have
>>>>
>>>> [JIAGEN1]
>>>>     comment = JIAGEN project share
>>>>     path = /export/newWTCCC
>>>>     valid write list = +WTCCC
>>>> #    acl check permissions = true
>>>> #    acl group control = yes
>>>>     browseable = Yes
>>>> #    read only = No
>>>>     inherit acls = Yes
>>>>     force group = +WTCCC
>>>>     writable = yes
>>>>     create mask = 0660
>>>>     directory mask = 0770
>>>>
>>>> But as soon as I change the ownership of /export/newWTCCC to  
>>>> root:WTCCC, the users are not able to access the share. But if I  
>>>> have the force group enabled, everyone is able to access the  
>>>> share (as it forces everyone to belong to the group, which should  
>>>> not be the case).
>>>>
>>>> Thanks,
>>>> Prakash
>>
>>
>>
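
Added example (not part of the original message and not Samba code): a small parser for the smbd debug log format shown in this thread. It folds each header line and its wrapped continuation lines into one record, then reports every share denial together with whether the same user had authenticated earlier and which group names were looked up in LDAP before the denial. The function names and the sample selection are assumptions of this example.

```python
import re

# Record header, e.g. "[2007/11/14 09:56:17, 2] smbd/service.c:make_connection_snum(616)"
HEADER = re.compile(r"^\[([\d/]+ [\d:]+),\s*\d+\] \S+:(\w+)\(\d+\)\s*$")
AUTH_OK = re.compile(r"authentication for user \[([^\]]+)\].*succeeded")
GROUP_LOOKUP = re.compile(r"\(cn=([^)]+)\)")
DENIED = re.compile(r"user '([^']+)' .*not permitted to access this\s+share \(([^)]+)\)")

def parse_records(text):
    """Fold each header line and its continuation lines into (time, func, message)."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append([m.group(1), m.group(2), ""])
        elif records:
            # Continuations are indented by smbd or flush-left after mail wrapping;
            # trailing spaces are kept so words split at a space stay separated.
            records[-1][2] += line.lstrip()
    return [tuple(r) for r in records]

def share_denials(text):
    """Return one dict per share denial, with the auth and group context before it."""
    authed, groups, out = set(), [], []
    for when, func, msg in parse_records(text):
        if (m := AUTH_OK.search(msg)):
            authed.add(m.group(1))
        elif func == "smbldap_search_ext":
            groups += GROUP_LOOKUP.findall(msg)
        elif (m := DENIED.search(msg)):
            out.append({"time": when, "user": m.group(1), "share": m.group(2),
                        "authenticated": m.group(1) in authed,
                        "groups_looked_up": groups})
            groups = []
    return out

# Sample input: records taken from the log in this message, as wrapped in the archive.
SAMPLE = "\n".join([
    "[2007/11/14 09:56:17, 2] auth/auth.c:check_ntlm_password(309)",
    "   check_ntlm_password:  authentication for user [prakash] ->  ",
    "[prakash] -> [prakash] succeeded",
    "[2007/11/14 09:56:17, 5] lib/smbldap.c:smbldap_search_ext(1182)",
    "   smbldap_search_ext: base => [ou=PI-groups,o=tchrf,c=us], filter =>  ",
    "[(&(objectClass=sambaGroupMapping)(|(displ",
    "ayName=WTCCC)(cn=WTCCC)))], scope => [2]",
    "[2007/11/14 09:56:17, 2] smbd/service.c:make_connection_snum(616)",
    "   user 'prakash' (from session setup) not permitted to access this  ",
    "share (JIAGEN1)",
])
```

Calling share_denials(SAMPLE) returns a single entry for user prakash on share JIAGEN1 with authenticated set to True and WTCCC as the group looked up, which separates an authorization failure at tree connect from a failed logon.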


