[Samba] Samba 3.0.x access rights issue with secondary groups or Unix rights
albanperso-zatoo at yahoo.com
Mon Aug 18 14:53:42 GMT 2008
Hi experts,
I have a problem with access rights.
I am running Samba 3.0.31 on Solaris 10 x86 64 bits as a member server of an Active Directory 2003 R2 domain (MYDOMAIN) using Identity Management for Unix.
I set rights to access a sub folder of a Samba share. On Solaris the user jdoe can write a new file. From Windows, the same user can't.
It looks OK when the primary group (grp1) of the user is the group that owns the subtree, but not when this owner group is a secondary group (grp2).
It is OK if I set the user right explicitly from MS Windows.
I can't change the access rights of the group from MS Windows.
I suspect Unix ownership or ACLs to be the root cause, but I can't exclude a Samba issue.
Thanks for your help.
Here are the long details of my config (sorry for the parts that take space and give no useful info; just go to the valuable data).
************ An extract from my smb.conf ************
[global]
## part windows ##
host msdfs = no
netbios name = machines01
netbios aliases = 2store
server string = 2store
workgroup = MYDOMAIN
realm = MYDOMAIN.LOCAL
security = ADS
use kerberos keytab = yes
obey pam restrictions = Yes
use spnego = yes
client use spnego = yes
password server = machinew01.MYDOMAIN.local machinew07.MYDOMAIN.local
# unix extensions = no
machine password timeout = 0
# logon path = \\machines01\profiles\%U
template shell = /bin/bash
hosts allow = 127.0.0.1, 192.168.10.0/255.255.255.0, 192.168.11.0/255.255.255.0
## part samba engine ##
max log size = 50000
log level = 10
syslog = 0
log file = /var/log/samba/%m
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
## part ldap and idmap ##
ldap admin dn = "cn=myadmin,cn=users,dc=MYDOMAIN,dc=local"
ldap idmap suffix = ou=idmap
ldap ssl = no
idmap backend = ldap:ldap://machinew01.MYDOMAIN.local ldap:ldap://machinew07.MYDOMAIN.local
#idmap backend = idmap_rid:MYDOMAIN=10000-20000
#idmap backend = ad
idmap uid = 10000-20000
idmap gid = 10000-20000
#idmap config MYDOMAIN:schema_mode = rfc2307
## part winbind ##
winbind nss info = rfc2307
winbind cache time = 5
winbind refresh tickets = Yes
winbind use default domain = Yes
winbind trusted domains only = Yes
winbind nested groups = Yes
winbind enum groups = Yes
winbind enum users = Yes
[data]
comment = Samba data folder
path = /samba/data
read only = No
create mask = 0740
directory mask = 0750
guest ok = Yes
************ Check the Unix name resolution ************
getent passwd jdoe
jdoe:x:10037:10002:John DOE:/home/jdoe:/bin/sh
getent group grp2
grp2::10004:myadmin,jdoe,demo1,demo2,demo3
************ I can check that Samba can resolve whether the user is a member of the group ************
/usr/local/samba/bin/net ads user info jdoe
grp2
grp1
/usr/local/samba/bin/wbinfo -G 10004
S-1-5-21-2269603188-533060101-51835291-1642
/usr/local/samba/bin/wbinfo -Y S-1-5-21-2269603188-533060101-51835291-1642
10004
/usr/local/samba/bin/wbinfo -R 10004
winbind_lookup_rids failed
Could not lookup RIDs 10004
************ Review of the access rights ************
ls -al /samba/data/level1/level2/level3/level4
drwxrwsr-x+ 19 myadmin grp2 512 Aug 15 11:18 .
drwxr-x--- 9 myadmin grp1 512 Aug 12 16:06 ..
drwxrws---+ 3 myadmin grp2 512 Jun 27 10:58 general
-rwxr-----+ 1 jdoe grp2 0 Aug 15 11:18 New Text Document from Windows.txt
-rwxrw---- 1 jdoe grp2 44 Aug 15 11:14 newdocfromunix.txt
*** ACTION: I try on Unix to change the group owner of ".." to grp2, but that removes all jdoe access from Windows
************ Test POSIX ACLs ************
getfacl -a /samba/data/level1/level2/level3/level4/
# file: /samba/data/level1/level2/level3/level4/
# owner: myadmin
# group: grp2
user::rwx
group::rwx #effective:rwx
other:r-x
getfacl -a /samba/data/level1/level2/level3
# file: /samba/data/level1/level2/level3
# owner: myadmin
# group: grp1
user::rwx
group::r-x #effective:r-x
mask:r-x
other:---
getfacl -a /samba/data/level1/level2
# file: /samba/data/level1/level2
# owner: myadmin
# group: grp1
user::rwx
group::r-x #effective:r-x
other:r-x
getfacl -a /samba/data/level1
# file: /samba/data/level1
# owner: root
# group: root
user::rwx
group::r-x #effective:r-x
mask:r-x
other:r-x
getfacl -a /samba/data
# file: /samba/data
# owner: myadmin
# group: grp1
user::rwx
user:user123:rwx #effective:rwx
group::r-x #effective:r-x
mask:rwx
other:r-x
************ From MS Windows side ************
properties/security
The group is in the "group and user names" list; there is no check box in the Allow or Deny column.
Advanced/permissions
Type Name Permission Inherited from Apply to
Allow smb_ins (MYDOMAIN/smb_ins) <not inherited> This folder only
****** ACTION:
When I try to force it, the situation returns to the original state with no error.
Checking "allow inheritable" and/or "Replace permissions" has no effect in any combination.
When I add the user with access rights, it is OK.
************ Some extracts from the Samba log at level 10 ************
[2008/08/15 12:25:22, 10] smbd/statcache.c:stat_cache_lookup(248)
stat_cache_lookup: lookup succeeded for name [jdoe] -> [jdoe]
[2008/08/15 12:25:22, 5] smbd/filename.c:unix_convert(246)
unix_convert begin: name = jdoe/ntuser.man, dirpath = jdoe, start = ntuser.man
[2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled(276)
is_mangled ntuser.man ?
[2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled_component(215)
is_mangled_component ntuser.man (len 10) ?
[2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled(276)
is_mangled ntuser.man ?
[2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled_component(215)
is_mangled_component ntuser.man (len 10) ?
[2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled(276)
is_mangled ntuser.man ?
[2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled_component(215)
is_mangled_component ntuser.man (len 10) ?
[2008/08/15 12:25:22, 5] smbd/filename.c:unix_convert(440)
New file ntuser.man
[2008/08/15 12:25:22, 3] smbd/dosmode.c:unix_mode(142)
unix_mode(jdoe/ntuser.man) returning 0700
[2008/08/15 12:25:22, 10] smbd/open.c:open_file_ntcreate(1184)
open_file_ntcreate: fname=jdoe/ntuser.man, dos_attrs=0x0
access_mask=0x1 share_access=0x7 create_disposition = 0x1
create_options=0x140 unix mode=0700 oplock_request=3
[2008/08/15 12:25:22, 5] smbd/open.c:open_file_ntcreate(1264)
open_file_ntcreate: FILE_OPEN requested for file jdoe/ntuser.man and file doesn't exist.
[2008/08/15 12:25:22, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/nttrans.c(805) cmd=162 (SMBntcreateX) NT_STATUS_OBJECT_NAME_NOT_FOUND
[2008/08/15 12:25:22, 5] lib/util.c:show_msg(484)
[2008/08/15 12:25:22, 5] lib/util.c:show_msg(494)
size=35
smb_com=0xa2
smb_rcls=52
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51201
smb_tid=3
smb_pid=588
smb_uid=101
smb_mid=1024
smt_wct=0
smb_bcc=0
[2008/08/15 12:25:22, 10] smbd/open.c:open_file_ntcreate(1347)
open_file_ntcreate: fname=jdoe/Application Data/Microsoft/SystemCertificates/My/CRLs, after mapping access_mask=0x1
[2008/08/15 12:25:22, 5] smbd/files.c:file_new(123)
allocated file structure 1332, fnum = 5428 (5 used)
[2008/08/15 12:25:22, 4] smbd/open.c:open_file_ntcreate(1605)
calling open_file with flags=0x0 flags2=0x0 mode=0700, access_mask = 0x1, open_access_mask = 0x1
[2008/08/15 12:25:22, 10] smbd/open.c:fd_open(67)
fd_open: name jdoe/Application Data/Microsoft/SystemCertificates/My/CRLs, flags = 00 mode = 0700, fd = 32.
[2008/08/15 12:25:22, 10] locking/posix.c:get_windows_lock_ref_count(545)
get_windows_lock_count for file = 0
[2008/08/15 12:25:22, 10] locking/posix.c:delete_windows_lock_ref_count(559)
delete_windows_lock_ref_count for file
[2008/08/15 12:25:22, 5] smbd/files.c:file_free(454)
freed files structure 5428 (4 used)
[2008/08/15 12:25:22, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/nttrans.c(779) cmd=162 (SMBntcreateX) NT_STATUS_FILE_IS_A_DIRECTORY
[2008/08/15 12:25:22, 10] smbd/open.c:open_file_ntcreate(1347)
open_file_ntcreate: fname=jdoe/Application Data/Microsoft/SystemCertificates/My/CRLs, after mapping access_mask=0x1
[2008/08/15 12:25:22, 5] smbd/files.c:file_new(123)
allocated file structure 1332, fnum = 5428 (5 used)
[2008/08/15 12:25:22, 4] smbd/open.c:open_file_ntcreate(1605)
calling open_file with flags=0x0 flags2=0x0 mode=0700, access_mask = 0x1, open_access_mask = 0x1
[2008/08/15 12:25:22, 10] smbd/open.c:fd_open(67)
fd_open: name jdoe/Application Data/Microsoft/SystemCertificates/My/CRLs, flags = 00 mode = 0700, fd = 32.
[2008/08/15 12:25:22, 10] locking/posix.c:get_windows_lock_ref_count(545)
get_windows_lock_count for file = 0
[2008/08/15 12:25:22, 10] locking/posix.c:delete_windows_lock_ref_count(559)
delete_windows_lock_ref_count for file
[2008/08/15 12:25:22, 5] smbd/files.c:file_free(454)
freed files structure 5428 (4 used)
[2008/08/15 12:25:22, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/nttrans.c(779) cmd=162 (SMBntcreateX) NT_STATUS_FILE_IS_A_DIRECTORY
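A way to check the ownership/ACL hypothesis from the post independently of Samba is to evaluate the POSIX ACLs along the share path for the exact set of groups a session token carries. The script below is an added example, not code from the original post or from the Samba project: it parses getfacl-style text (constructed here to mirror the entries quoted above, including the Solaris `mask:r-x`/`other:---` spelling), applies the standard POSIX.1e access-check order (owner, named user, owning and named groups capped by the mask, then other), and reports the first directory that denies a user. The helper names (`parse_getfacl`, `has_access`, `first_denial`, `with_group`) are my own. Run with jdoe's token holding only the primary group grp1, the walk is denied at level4, where grp2 owns the directory; with grp2 included it succeeds; and regrouping level3 to grp2, as the ".." action in the post does, moves the denial up to level3 for a token that lacks grp2.

```python
"""Added example (not from the original post): POSIX.1e ACL evaluator that walks
a share path and reports the first directory denying a user for a given group set.
The getfacl text is constructed to mirror the entries quoted in the post."""
from dataclasses import dataclass, field, replace


@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: str = ""       # user::  entry (file owner)
    group_obj: str = ""      # group:: entry (owning group)
    other: str = ""
    mask: str = ""           # empty string means no mask entry present
    named_users: dict = field(default_factory=dict)
    named_groups: dict = field(default_factory=dict)


def parse_getfacl(text: str) -> Acl:
    """Parse one getfacl block. '#effective:' annotations are dropped; both the
    Linux 'mask::r-x' and the Solaris 'mask:r-x' spellings are accepted."""
    acl = Acl()
    for raw in text.strip().splitlines():
        line = raw.split("#effective:")[0].strip()
        if line.startswith("# owner:"):
            acl.owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl.group = line.split(":", 1)[1].strip()
        elif not line or line.startswith("#"):
            continue
        else:
            parts = line.split(":")
            tag, qual, perms = (parts[0], "", parts[1]) if len(parts) == 2 else parts[:3]
            if tag == "user" and qual:
                acl.named_users[qual] = perms
            elif tag == "user":
                acl.user_obj = perms
            elif tag == "group" and qual:
                acl.named_groups[qual] = perms
            elif tag == "group":
                acl.group_obj = perms
            elif tag == "mask":
                acl.mask = perms
            elif tag == "other":
                acl.other = perms
    return acl


def has_access(acl: Acl, uid: str, gids: set, want: str) -> bool:
    """POSIX.1e check: the first matching class decides. Owner -> user::;
    named user -> masked entry; member of owning/named group -> allowed if any
    matching (masked) group entry grants the bits, otherwise denied without
    falling through to other; everyone else -> other."""
    def grants(perms):
        return all(bit in perms for bit in want)

    def masked(perms):
        return perms if not acl.mask else "".join(b if b in acl.mask else "-" for b in perms)

    if uid == acl.owner:
        return grants(acl.user_obj)
    if uid in acl.named_users:
        return grants(masked(acl.named_users[uid]))
    group_entries = [acl.group_obj] if acl.group in gids else []
    group_entries += [p for g, p in acl.named_groups.items() if g in gids]
    if group_entries:
        return any(grants(masked(p)) for p in group_entries)
    return grants(acl.other)


def first_denial(chain, uid: str, gids: set, final_want: str = "wx"):
    """Walk root -> target. Intermediate directories need search ('x'); the
    final one needs final_want ('wx' to create a file). Returns the denying
    path, or None when every component allows the operation."""
    for i, (path, acl) in enumerate(chain):
        want = final_want if i == len(chain) - 1 else "x"
        if not has_access(acl, uid, gids, want):
            return path
    return None


def with_group(chain, path: str, new_group: str):
    """Copy of the chain with one directory's owning group changed (models the
    chgrp on '..' described in the post)."""
    return [(p, replace(a, group=new_group) if p == path else a) for p, a in chain]


# Constructed sample mirroring the getfacl output quoted in the post.
SAMPLE = [
    ("/samba/data", "# owner: myadmin\n# group: grp1\nuser::rwx\nuser:user123:rwx #effective:rwx\n"
                    "group::r-x #effective:r-x\nmask:rwx\nother:r-x"),
    ("/samba/data/level1", "# owner: root\n# group: root\nuser::rwx\ngroup::r-x #effective:r-x\nmask:r-x\nother:r-x"),
    ("/samba/data/level1/level2", "# owner: myadmin\n# group: grp1\nuser::rwx\ngroup::r-x #effective:r-x\nother:r-x"),
    ("/samba/data/level1/level2/level3", "# owner: myadmin\n# group: grp1\nuser::rwx\ngroup::r-x #effective:r-x\nmask:r-x\nother:---"),
    ("/samba/data/level1/level2/level3/level4", "# owner: myadmin\n# group: grp2\nuser::rwx\ngroup::rwx #effective:rwx\nother:r-x"),
]
CHAIN = [(path, parse_getfacl(text)) for path, text in SAMPLE]

if __name__ == "__main__":
    for label, gids in (("primary only", {"grp1"}), ("primary + secondary", {"grp1", "grp2"})):
        print(f"jdoe with {label}: denied at {first_denial(CHAIN, 'jdoe', gids)}")
    print("level3 regrouped to grp2, token without grp2:",
          first_denial(with_group(CHAIN, "/samba/data/level1/level2/level3", "grp2"), "jdoe", {"grp1"}))
```

The result to compare against the real server is the group list in the actual session token (on the Samba side, `wbinfo --user-groups` or the ids in the level 10 log), not the list `getent group` returns on the Solaris shell, since those two can differ when winbind resolves secondary groups differently from the local NSS path.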