[Samba] Samba 3.0.x access rights issue with secondary groups or Unix rights
albanperso-zatoo at yahoo.com
Tue Aug 19 12:40:53 GMT 2008
Details on the groups command
To have the secondary groups, I have to enter "id -a" logged in as the user.
As root, it doesn't work. "id -a jdoe" just returns the primary group.
----- Original Message ----
> From: Duncan Brannen <dbb at st-andrews.ac.uk>
> To: albanperso-zatoo at yahoo.com
> Cc: samba at lists.samba.org
> Sent: Tuesday, 19 August 2008, 14:02:38
> Subject: Re: [Samba] Samba 3.0.x access rights issue with secondary groups or Unix rights
>
>
> Hi,
> I have a similar problem, no ADS in my setup, just no supplementary groups
> showing up (samba 3.2.1 and groups ldap in nsswitch.conf as opposed to working
> with Samba 3.0.28 and groups nis in nsswitch.conf)
> Solaris 10 SPARC
>
> Everything looks ok, getent, groups etc. when logged in as root,
> but if I su to the user who is not getting any groups and type
>
> >groups
>
> I don't see any groups there bar the primary one.
>
> Are you seeing the same thing? IE if you're logged in as root and type
>
> groups jdoe
>
> You see all of jdoe's groups
>
> but if you su to jdoe and type
>
> groups
>
> You only see the primary group?
>
> Just a long shot but might push you in the right direction?
>
>
> Cheers,
> Duncan
>
>
> albanperso-zatoo at yahoo.com wrote:
> > Hi experts
> >
> > I have trouble with access rights
> >
> > I am running Samba 3.0.31 on Solaris 10 x86 64 bits as member server of an
> > Active Directory 2003 R2 domain (MYDOMAIN) using Identity Management for Unix.
> > I set rights to access a sub folder of a Samba share. On Solaris the user
> > "toto" jdoe can write a new file. From Windows, the same user can't.
> > It looks OK when the primary group (grp1) of the user is the group
> > that owns the subtree, but not when this owner group is a secondary group
> > (grp2).
> > It is OK if I explicitly set the user rights from MS Windows.
> > I can't change the access rights to the group from MS Windows.
> >
> > I suspect Unix ownership or ACL to be the root cause but I can't exclude a Samba issue
> >
> > Thanks for help
> >
> > Here are long details on my config (sorry for the parts that take up space and give no
> > useful info, so just go to the valuable data)
> >
> > ************ An extract from my smb.conf ************
> >
> > [global]
> > ## part windows ##
> > host msdfs = no
> > netbios name = machines01
> > netbios aliases = 2store
> > server string = 2store
> > workgroup = MYDOMAIN
> > realm = MYDOMAIN.LOCAL
> > security = ADS
> > use kerberos keytab = yes
> > obey pam restrictions = Yes
> > use spnego = yes
> > client use spnego = yes
> > password server = machinew01.MYDOMAIN.local machinew07.MYDOMAIN.local
> > # unix extensions = no
> > machine password timeout = 0
> > # logon path = \\machines01\profiles\%U
> > template shell = /bin/bash
> > hosts allow = 127.0.0.1, 192.168.10.0/255.255.255.0, 192.168.11.0/255.255.255.0
> > ## part samba engine ##
> > max log size = 50000
> > log level = 10
> > syslog = 0
> > log file = /var/log/samba/%m
> > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> > ## part ldap et idmap ##
> > ldap admin dn = "cn=myadmin,cn=users,dc=MYDOMAIN,dc=local"
> > ldap idmap suffix = ou=idmap
> > ldap ssl = no
> > idmap backend = ldap:ldap://machinew01.MYDOMAIN.local ldap:ldap://machinew07.MYDOMAIN.local
> > #idmap backend =
> > 0-20000
> > #idmap backend = ad
> > idmap uid = 10000-20000
> > idmap gid = 10000-20000
> > #idmap config MYDOMAIN:schema_mode = rfc2307
> > ## part winbind ##
> > winbind nss info = rfc2307
> > winbind cache time = 5
> > winbind refresh tickets = Yes
> > winbind use default domain = Yes
> > winbind trusted domains only = Yes
> > winbind nested groups = Yes
> > winbind enum groups = Yes
> > winbind enum users = Yes
> >
> > [data]
> > comment = Samba data folder
> > path = /samba/data
> > read only = No
> > create mask = 0740
> > directory mask = 0750
> > guest ok = Yes
> >
> >
> >
> >
> > ************ Check the Unix name resolution ************
> > getent passwd jdoe
> > jdoe:x:10037:10002:John DOE:/home/jdoe:/bin/sh
> >
> >
> > getent group grp2
> > grp2::10004:myadmin,jdoe,demo1,demo2,demo3
> >
> >
> > ************ I can check that Samba can resolve if the user is member of the group ************
> >
> > /usr/local/samba/bin/net ads user info jdoe
> > grp2
> > grp1
> >
> >
> > /usr/local/samba/bin/wbinfo -G 10004
> > S-1-5-21-2269603188-533060101-51835291-1642
> >
> > /usr/local/samba/bin/wbinfo -Y S-1-5-21-2269603188-533060101-51835291-1642
> > 10004
> >
> >
> > /usr/local/samba/bin/wbinfo -R 10004
> > winbind_lookup_rids failed
> > Could not lookup RIDs 10004
> >
> >
> >
> > ************ Review of the access rights ************
> >
> > ls -al /samba/data/level1/level2/level3/level4
> > drwxrwsr-x+ 19 myadmin grp2 512 Aug 15 11:18 .
> > drwxr-x--- 9 myadmin grp1 512 Aug 12 16:06 ..
> > drwxrws---+ 3 myadmin grp2 512 Jun 27 10:58 general
> > -rwxr-----+ 1 jdoe grp2 0 Aug 15 11:18 New Text Document from Windows.txt
> > -rwxrw---- 1 jdoe grp2 44 Aug 15 11:14 newdocfromunix.txt
> >
> > *** ACTION: I try on Unix to change the group owner of ".." to grp2 but that removes all jdoe access from Windows
> >
> >
> > ************ Test POSIX ACLs ************
> > getfacl -a /samba/data/level1/level2/level3/level4/
> >
> > # file: /samba/data/level1/level2/level3/level4/
> > # owner: myadmin
> > # group: grp2
> > user::rwx
> > group::rwx #effective:rwx
> > other:r-x
> >
> >
> > getfacl -a /samba/data/level1/level2/level3
> >
> > # file: /samba/data/level1/level2/level3
> > # owner: myadmin
> > # group: grp1
> > user::rwx
> > group::r-x #effective:r-x
> > mask:r-x
> > other:---
> >
> >
> > getfacl -a /samba/data/level1/level2
> >
> > # file: /samba/data/level1/level2
> > # owner: myadmin
> > # group: grp1
> > user::rwx
> > group::r-x #effective:r-x
> > other:r-x
> >
> >
> > getfacl -a /samba/data/level1
> >
> > # file: /samba/data/level1
> > # owner: root
> > # group: root
> > user::rwx
> > group::r-x #effective:r-x
> > mask:r-x
> > other:r-x
> >
> >
> > getfacl -a /samba/data
> >
> > # file: /samba/data
> > # owner: myadmin
> > # group: grp1
> > user::rwx
> > user:user123:rwx #effective:rwx
> > group::r-x #effective:r-x
> > mask:rwx
> > other:r-x
> >
> >
> >
> > ************ From MS Windows side ************
> >
> > properties/security
> > The group is in the "group and user names" list
> > there is no check box in the Allow or Deny column
> >
> > Advanced/permissions
> >
> > Type Name Permission Inherited from Apply to
> > Allow smb_ins (MYDOMAIN/smb_ins) This folder only
> >
> > ****** ACTION:
> > When I try to force it, the situation returns to the original state with no error;
> > checking "Allow inheritable" and/or "Replace permissions" has no effect in any combination
> >
> > When I add the user with access right, it is OK
> >
> >
> >
> >
> > ************ Some extracts from the Samba log at level 10 ************
> >
> > [2008/08/15 12:25:22, 10] smbd/statcache.c:stat_cache_lookup(248)
> > stat_cache_lookup: lookup succeeded for name [jdoe] -> [jdoe]
> > [2008/08/15 12:25:22, 5] smbd/filename.c:unix_convert(246)
> > unix_convert begin: name = jdoe/ntuser.man, dirpath = jdoe, start = ntuser.man
> > [2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled(276)
> > is_mangled ntuser.man ?
> > [2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled_component(215)
> > is_mangled_component ntuser.man (len 10) ?
> > [2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled(276)
> > is_mangled ntuser.man ?
> > [2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled_component(215)
> > is_mangled_component ntuser.man (len 10) ?
> > [2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled(276)
> > is_mangled ntuser.man ?
> > [2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled_component(215)
> > is_mangled_component ntuser.man (len 10) ?
> > [2008/08/15 12:25:22, 5] smbd/filename.c:unix_convert(440)
> > New file ntuser.man
> > [2008/08/15 12:25:22, 3] smbd/dosmode.c:unix_mode(142)
> > unix_mode(jdoe/ntuser.man) returning 0700
> > [2008/08/15 12:25:22, 10] smbd/open.c:open_file_ntcreate(1184)
> >
> > open_file_ntcreate: fname=jdoe/ntuser.man, dos_attrs=0x0
> > access_mask=0x1 share_access=0x7 create_disposition = 0x1
> > create_options=0x140 unix mode=0700 oplock_request=3
> > [2008/08/15 12:25:22, 5] smbd/open.c:open_file_ntcreate(1264)
> > open_file_ntcreate: FILE_OPEN requested for file jdoe/ntuser.man and file doesn't exist.
> > [2008/08/15 12:25:22, 3] smbd/error.c:error_packet_set(106)
> > error packet at smbd/nttrans.c(805) cmd=162 (SMBntcreateX) NT_STATUS_OBJECT_NAME_NOT_FOUND
> > [2008/08/15 12:25:22, 5] lib/util.c:show_msg(484)
> > [2008/08/15 12:25:22, 5] lib/util.c:show_msg(494)
> > size=35
> > smb_com=0xa2
> > smb_rcls=52
> > smb_reh=0
> > smb_err=49152
> > smb_flg=136
> > smb_flg2=51201
> > smb_tid=3
> > smb_pid=588
> > smb_uid=101
> > smb_mid=1024
> > smt_wct=0
> > smb_bcc=0
> >
> >
> >
> > [2008/08/15 12:25:22, 10] smbd/open.c:open_file_ntcreate(1347)
> > open_file_ntcreate: fname=jdoe/Application Data/Microsoft/SystemCertificates/My/CRLs, after mapping access_mask=0x1
> > [2008/08/15 12:25:22, 5] smbd/files.c:file_new(123)
> > allocated file structure 1332, fnum = 5428 (5 used)
> > [2008/08/15 12:25:22, 4] smbd/open.c:open_file_ntcreate(1605)
> > calling open_file with flags=0x0 flags2=0x0 mode=0700, access_mask = 0x1, open_access_mask = 0x1
> > [2008/08/15 12:25:22, 10] smbd/open.c:fd_open(67)
> > fd_open: name jdoe/Application Data/Microsoft/SystemCertificates/My/CRLs, flags = 00 mode = 0700, fd = 32.
> > [2008/08/15 12:25:22, 10] locking/posix.c:get_windows_lock_ref_count(545)
> > get_windows_lock_count for file = 0
> > [2008/08/15 12:25:22, 10] locking/posix.c:delete_windows_lock_ref_count(559)
> > delete_windows_lock_ref_count for file
> > [2008/08/15 12:25:22, 5] smbd/files.c:file_free(454)
> > freed files structure 5428 (4 used)
> > [2008/08/15 12:25:22, 3] smbd/error.c:error_packet_set(106)
> > error packet at smbd/nttrans.c(779) cmd=162 (SMBntcreateX) NT_STATUS_FILE_IS_A_DIRECTORY
> >
> >
> > [2008/08/15 12:25:22, 10] smbd/open.c:open_file_ntcreate(1347)
> > open_file_ntcreate: fname=jdoe/Application Data/Microsoft/SystemCertificates/My/CRLs, after mapping access_mask=0x1
> > [2008/08/15 12:25:22, 5] smbd/files.c:file_new(123)
> > allocated file structure 1332, fnum = 5428 (5 used)
> > [2008/08/15 12:25:22, 4] smbd/open.c:open_file_ntcreate(1605)
> > calling open_file with flags=0x0 flags2=0x0 mode=0700, access_mask = 0x1, open_access_mask = 0x1
> > [2008/08/15 12:25:22, 10] smbd/open.c:fd_open(67)
> > fd_open: name jdoe/Application Data/Microsoft/SystemCertificates/My/CRLs, flags = 00 mode = 0700, fd = 32.
> > [2008/08/15 12:25:22, 10] locking/posix.c:get_windows_lock_ref_count(545)
> > get_windows_lock_count for file = 0
> > [2008/08/15 12:25:22, 10] locking/posix.c:delete_windows_lock_ref_count(559)
> > delete_windows_lock_ref_count for file
> > [2008/08/15 12:25:22, 5] smbd/files.c:file_free(454)
> > freed files structure 5428 (4 used)
> > [2008/08/15 12:25:22, 3] smbd/error.c:error_packet_set(106)
> > error packet at smbd/nttrans.c(779) cmd=162 (SMBntcreateX) NT_STATUS_FILE_IS_A_DIRECTORY
> >
> >
> >
>
>
> --
> The University of St Andrews is a charity registered in Scotland : No SC013532
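The two checks the thread circles around, as an added example that is not code from the thread or from the Samba project: a small model of the POSIX permission walk the Unix side performs when jdoe creates a file under level4, run over the directory tree reconstructed from the `ls` and `getfacl` output above, plus a comparison of the group list a process actually carries against what `getent group` lists, which is the root-versus-su discrepancy Duncan describes. Assumed values are labelled in the code: grp1's gid (10002, inferred from `getent passwd jdoe`), myadmin's uid, the mode of /samba itself, and the grp1 getent line. Named POSIX ACL entries such as `user:user123:rwx` are ignored; only the classic owner/group/other bits are modelled.

```python
"""Added example (not from the Samba list thread or the Samba project):
POSIX permission walk over the tree from the thread, plus a check of which
getent-listed groups are missing from a process's effective group list."""

from dataclasses import dataclass

UID_ROOT = 0
UID_JDOE = 10037      # from `getent passwd jdoe`
UID_MYADMIN = 10001   # assumed
GID_GRP1 = 10002      # jdoe's primary gid from getent passwd; assumed to be grp1
GID_GRP2 = 10004      # from `getent group grp2`


@dataclass(frozen=True)
class Inode:
    owner_uid: int
    group_gid: int
    mode: str         # 9-char ls-style string, e.g. "rwxr-x---"


def parse_mode(mode):
    """Turn a 9-char ls mode string into (owner, group, other) rwx bitmasks.
    A lowercase 's' or 't' in an x slot means execute is set together with
    setgid/setuid/sticky, which is what 'drwxrwsr-x' in the thread shows."""
    if len(mode) != 9:
        raise ValueError("mode must be 9 characters: %r" % mode)
    classes = []
    for i in (0, 3, 6):
        bits = 0
        if mode[i] == "r":
            bits |= 4
        if mode[i + 1] == "w":
            bits |= 2
        if mode[i + 2] in "xst":
            bits |= 1
        classes.append(bits)
    return tuple(classes)


def perm_class(inode, uid, gids):
    """Pick the owner, group or other bits that apply to (uid, gids)."""
    owner, group, other = parse_mode(inode.mode)
    if uid == inode.owner_uid:
        return owner
    if inode.group_gid in gids:
        return group
    return other


def can_create_in(tree, path, uid, gids):
    """Return (ok, reason): every ancestor needs search (x), the target needs
    write (w). This is the step that fails when grp2 is absent from gids."""
    if uid == UID_ROOT:
        return True, "root bypasses mode bits"
    parts = [p for p in path.split("/") if p]
    for depth in range(1, len(parts) + 1):
        prefix = "/" + "/".join(parts[:depth])
        perm = perm_class(tree[prefix], uid, gids)
        if depth < len(parts) and not perm & 1:
            return False, "no search (x) permission on " + prefix
        if depth == len(parts) and not perm & 2:
            return False, "no write (w) permission on " + prefix
    return True, "ok"


# Tree reconstructed from the ls/getfacl output in the thread; /samba is assumed.
TREE = {
    "/samba":                                  Inode(UID_ROOT, 0, "rwxr-xr-x"),
    "/samba/data":                             Inode(UID_MYADMIN, GID_GRP1, "rwxr-xr-x"),
    "/samba/data/level1":                      Inode(UID_ROOT, 0, "rwxr-xr-x"),
    "/samba/data/level1/level2":               Inode(UID_MYADMIN, GID_GRP1, "rwxr-xr-x"),
    "/samba/data/level1/level2/level3":        Inode(UID_MYADMIN, GID_GRP1, "rwxr-x---"),
    "/samba/data/level1/level2/level3/level4": Inode(UID_MYADMIN, GID_GRP2, "rwxrwsr-x"),
}
TARGET = "/samba/data/level1/level2/level3/level4"


def groups_naming(user, getent_lines):
    """Parse `getent group` style lines; return {gid: name} for groups listing `user`."""
    found = {}
    for line in getent_lines:
        name, _pw, gid, members = line.strip().split(":", 3)
        if user in members.split(","):
            found[int(gid)] = name
    return found


def missing_supplementary(user, getent_lines, effective_gids):
    """Groups that name `user` in getent output but are absent from the
    process's group list: the root-vs-su discrepancy from the thread."""
    return sorted(n for g, n in groups_naming(user, getent_lines).items()
                  if g not in effective_gids)


# Constructed getent output: the grp2 line is from the thread, grp1 is assumed.
GETENT = [
    "grp1:x:10002:myadmin,jdoe",
    "grp2::10004:myadmin,jdoe,demo1,demo2,demo3",
]

if __name__ == "__main__":
    for gids in ({GID_GRP1}, {GID_GRP1, GID_GRP2}, {GID_GRP2}):
        print(sorted(gids), can_create_in(TREE, TARGET, UID_JDOE, gids))
    print("missing from a primary-group-only process:",
          missing_supplementary("jdoe", GETENT, {GID_GRP1}))
```

With only the primary group the walk reaches level4 but has no write bit there; with grp2 added the create succeeds; with grp2 but not grp1 the walk already fails at level3, whose `other` bits are `---`. Feeding `missing_supplementary` the gid list from `id -G` run inside the su'd session (rather than `id -G jdoe` run as root) shows directly which NSS-listed groups the session never received.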