[Samba] Creating a group share
Prakash Velayutham
prakash.velayutham at cchmc.org
Wed Nov 14 15:51:29 GMT 2007
Hi Dale,
samba-3.0.26a-0.2.91
This is what I am seeing in the logs.
[2007/11/14 09:56:17, 5] auth/auth.c:check_ntlm_password(296)
check_ntlm_password: PAM Account for user [prakash] succeeded
[2007/11/14 09:56:17, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [prakash] ->
[prakash] -> [prakash] succeeded
[2007/11/14 09:56:17, 5] auth/auth_util.c:free_user_info(2045)
attempting to free (and zero) a user_info structure
[2007/11/14 09:56:17, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1089)
fetch gid from cache 544 -> S-1-5-32-544
[2007/11/14 09:56:17, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1089)
fetch gid from cache 10002 -> S-1-5-32-545
[2007/11/14 09:56:17, 5] lib/smbldap.c:smbldap_search_ext(1182)
smbldap_search_ext: base => [ou=PI-groups,o=tchrf,c=us], filter => [(&(|(objectclass=sambaGroupMapping)(sambaGroupType=4))(|(sambaSIDList=S-1-5-21-1913082429-4173022140-755955522-3170)(sambaSIDList=S-1-22-2-1000)(sambaSIDList=S-1-1-0)(sambaSIDList=S-1-5-2)(sambaSIDList=S-1-5-11)(sambaSIDList=S-1-22-2-1010)(sambaSIDList=S-1-22-2-1015)(sambaSIDList=S-1-22-2-1050)(sambaSIDList=S-1-22-2-1004)(sambaSIDList=S-1-22-2-1011)(sambaSIDList=S-1-22-2-1052)(sambaSIDList=S-1-22-2-1053)))], scope => [2]
[2007/11/14 09:56:17, 5] lib/smbldap.c:smbldap_search_ext(1182)
smbldap_search_ext: base => [ou=PI-groups,o=tchrf,c=us], filter => [(&(|(objectclass=sambaGroupMapping)(sambaGroupType=4))(|(sambaSIDList=S-1-5-21-1913082429-4173022140-755955522-3170)(sambaSIDList=S-1-22-2-1000)(sambaSIDList=S-1-1-0)(sambaSIDList=S-1-5-2)(sambaSIDList=S-1-5-11)(sambaSIDList=S-1-22-2-1010)(sambaSIDList=S-1-22-2-1015)(sambaSIDList=S-1-22-2-1050)(sambaSIDList=S-1-22-2-1004)(sambaSIDList=S-1-22-2-1011)(sambaSIDList=S-1-22-2-1052)(sambaSIDList=S-1-22-2-1053)))], scope => [2]
[2007/11/14 09:56:17, 3] lib/privileges.c:get_privileges(261)
get_privileges: No privileges assigned to SID
[S-1-5-21-1913082429-4173022140-755955522-3170]
[2007/11/14 09:56:17, 3] lib/privileges.c:get_privileges(261)
get_privileges: No privileges assigned to SID [S-1-22-2-1000]
[2007/11/14 09:56:17, 5] lib/privileges.c:get_privileges_for_sids(460)
get_privileges_for_sids: sid = S-1-1-0
Privilege set:
SE_PRIV 0x0 0x0 0x0 0x0
.. more logs ...
[2007/11/14 09:56:17, 4] smbd/reply.c:reply_tcon_and_X(506)
Client requested device type [?????] for share [JIAGEN1]
[2007/11/14 09:56:17, 5] smbd/service.c:make_connection(1205)
making a connection to 'normal' service jiagen1
[2007/11/14 09:56:17, 3] lib/util_sid.c:string_to_sid(223)
string_to_sid: Sid +WTCCC does not start with 'S-'.
[2007/11/14 09:56:17, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/11/14 09:56:17, 3] smbd/uid.c:push_conn_ctx(358)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/11/14 09:56:17, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/11/14 09:56:17, 5] auth/auth_util.c:debug_nt_user_token(448)
NT user token: (NULL)
[2007/11/14 09:56:17, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2007/11/14 09:56:17, 5] lib/smbldap.c:smbldap_search_ext(1182)
smbldap_search_ext: base => [ou=PI-groups,o=tchrf,c=us], filter => [(&(objectClass=sambaGroupMapping)(|(displayName=WTCCC)(cn=WTCCC)))], scope => [2]
[2007/11/14 09:56:17, 2] passdb/pdb_ldap.c:init_group_from_ldap(2158)
init_group_from_ldap: Entry found for group: 1008
[2007/11/14 09:56:17, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/11/14 09:56:17, 2] smbd/service.c:make_connection_snum(616)
user 'prakash' (from session setup) not permitted to access this
share (JIAGEN1)
[2007/11/14 09:56:17, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/reply.c(514) cmd=117 (SMBtconX)
NT_STATUS_ACCESS_DENIED
[global]
workgroup = WORKGROUPNAME
netbios name = servername
encrypt passwords = yes
password server = *
passdb backend = ldapsam:"ldaps://***.***.***"
log level = 9
syslog = 0
name resolve order = wins bcast hosts
ldap suffix = o=x,c=y
ldap machine suffix = ou=xx
ldap group suffix = ou=yy
ldap user suffix = ou=xx
ldap idmap suffix = ou=zz
ldap admin dn = cn=Manager,o=x,c=y
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = yes
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
security = user
Any more ideas, please?
Thanks,
Prakash
On Nov 14, 2007, at 10:13 AM, Dale Schroeder wrote:
> Are there any errors in the logs? If not, try increasing your log
> level to 10.
> What does the global section of your smb.conf look like, and which
> version of Samba are you running?
> If it is an openldap problem, maybe one of the ldap experts (which I
> am not) could spot it.
>
> Dale
>
> Prakash Velayutham wrote:
>>
>> To add more info, I am seeing the following in the logs. So I am
>> guessing authentication is working fine. It is something with
>> regards to the group membership that is not.
>>
>> [2007/11/14 09:41:06, 5] auth/auth.c:check_ntlm_password(296)
>> check_ntlm_password: PAM Account for user [prakash] succeeded
>> [2007/11/14 09:41:06, 2] auth/auth.c:check_ntlm_password(309)
>> check_ntlm_password: authentication for user [prakash] ->
>> [prakash] -> [prakash] succeeded
>>
>> Thanks,
>> Prakash
>
>
> Prakash Velayutham wrote:
>>
>> Hi Dale,
>>
>> Thanks for the response. I changed my share configuration as below.
>> But now I cannot authenticate.
>>
>> [JIAGEN1]
>> comment = JIAGEN project share
>> path = /export/newWTCCC
>> valid users = +WTCCC
>> write list = +WTCCC
>> read only = No
>> inherit acls = Yes
>> force group = +WTCCC
>> writable = yes
>> create mask = 0660
>> directory mask = 0770
>>
>> Any ideas why?
>>
>> I checked that the user is a part of the group (though not primary).
>>
>> bmifsrd2:~ # groups prakash
>> prakash : users torque-users calendar-users irc-users WTCCC plone-managers plone-members fmadmin fmuser
>>
>> Thanks,
>> Prakash
>>
>> On Nov 14, 2007, at 8:57 AM, Dale Schroeder wrote:
>>
>>> Prakash,
>>>
>>> You have inadvertently combined two parameters. There is no
>>> "valid write list" parameter.
>>> You should use
>>> write list = +WTCCC
>>> valid users = +WTCCC
>>>
>>> It should work after correcting the parameter.
>>>
>>> Good luck,
>>> Dale
>>>
>>> Prakash Velayutham wrote:
>>>>
>>>> Hello,
>>>>
>>>> I have a Samba PDC (3.x) running in an OpenSUSE 10.2 system. The
>>>> authentication backend is OpenLDAP.
>>>>
>>>> I want to create a group share (WTCCC) which should be accessible
>>>> to a group of users (belonging to a group called WTCCC). The
>>>> users possess this group as their secondary group (NOT primary).
>>>>
>>>> And the share folder would have its gid bit set, so all the
>>>> writes to the folder would be accessible further by only people
>>>> belonging to WTCCC. Also I want a default umask of 770 for the
>>>> shared folder too.
>>>>
>>>> Could someone suggest a share configuration that can do these?
>>>>
>>>> Currently, I have
>>>>
>>>> [JIAGEN1]
>>>> comment = JIAGEN project share
>>>> path = /export/newWTCCC
>>>> valid write list = +WTCCC
>>>> # acl check permissions = true
>>>> # acl group control = yes
>>>> browseable = Yes
>>>> # read only = No
>>>> inherit acls = Yes
>>>> force group = +WTCCC
>>>> writable = yes
>>>> create mask = 0660
>>>> directory mask = 0770
>>>>
>>>> But as soon as I change the ownership of /export/newWTCCC to
>>>> root:WTCCC, the users are not able to access the share. But if I
>>>> have the force group enabled, everyone is able to access the
>>>> share (as it forces everyone to belong to the group, which should
>>>> not be the case).
>>>>
>>>> Thanks,
>>>> Prakash
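A triage sketch for the smbd log shown in this message, as an added example that is not part of the original thread: it regroups each log header with its wrapped body lines and reports every denied share connection together with the group names and gids looked up just before it. The function names are hypothetical, and the sample lines are copied from the log excerpt above.

```python
import re

# Sample copied from the log excerpt in this message (header lines + wrapped bodies).
SAMPLE = """\
[2007/11/14 09:56:17, 5] smbd/service.c:make_connection(1205)
making a connection to 'normal' service jiagen1
[2007/11/14 09:56:17, 3] lib/util_sid.c:string_to_sid(223)
string_to_sid: Sid +WTCCC does not start with 'S-'.
[2007/11/14 09:56:17, 2] passdb/pdb_ldap.c:init_group_from_ldap(2158)
init_group_from_ldap: Entry found for group: 1008
[2007/11/14 09:56:17, 2] smbd/service.c:make_connection_snum(616)
user 'prakash' (from session setup) not permitted to access this
share (JIAGEN1)
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\] +(\S+):(\w+)\((\d+)\)$")
DENIED = re.compile(r"user '([^']*)' .*not permitted to access this share \((\S+)\)")
NAME = re.compile(r"string_to_sid: Sid (\S+) does not start with 'S-'")
GID = re.compile(r"init_group_from_ldap: Entry found for group: (\d+)")

def parse_records(text):
    """Group each header line with the message lines that follow it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            records.append({"time": m[1], "level": int(m[2]), "func": m[4], "msg": ""})
        elif records and line.strip():
            # Wrapped body lines are rejoined with a single space.
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def share_denials(records):
    """One finding per denied tree connect, with the lookups that preceded it."""
    findings, names, gids = [], [], []
    for rec in records:
        if rec["func"] == "make_connection":  # a new share connection starts here
            names, gids = [], []
        if (m := NAME.search(rec["msg"])):
            names.append(m[1])
        if (m := GID.search(rec["msg"])):
            gids.append(int(m[1]))
        if (m := DENIED.search(rec["msg"])):
            findings.append({"time": rec["time"], "user": m[1], "share": m[2],
                             "names_checked": names[:], "gids_found": gids[:]})
    return findings

if __name__ == "__main__":
    print(share_denials(parse_records(SAMPLE)))
```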