[Samba] Fixed problem with permissions on new server

Michael Davidson mdavidson at mountwashington.org
Wed Dec 31 16:21:22 GMT 2008


Here is the solution to a problem that I recently had.  (I almost emailed
this list asking for help, but then a co-worker clued me in to the solution.)

Server: a new CentOS 5.1 install with Samba 3.0.28 that is joined to a Win
2003 domain.

Client: Win XP Pro SP3, member of same domain


A user was attempting to save an Excel file which had 644 perms and was
owned by her.  As soon as she saved it, Excel threw a cryptic error stating
that the file had been saved, but had to be re-opened read-only.  Subsequent
attempts to open the file gave a permission denied error, saying the file
was possibly encrypted or corrupted.  Looking at the file's security
properties in Windows (XP Pro SP3) showed four access entries:

Her (the owner): should have had R/W, but had no access

Domain users group: should have had R, but had no access

Everyone: should have had R, but had no access

Unix User 504: this access entry should not have been there

It turns out that the directory containing the Excel file was owned by a
local user and group I had failed to carry over from the previous system.
Samba apparently freaked out and applied bizarre permissions to the file,
including an ACE for the nonexistent user.

I had transferred all the shared files from a previous system, using rsync
to retain correct file ownership and permissions.  What is actually retained
is the Linux UID and GID for each file and directory, so you must ensure
that your Linux and Winbind users (and groups) have the same underlying IDs
from the old server to the new one.  I was careful to do this with the
domain (Winbind) users, but failed to do this for the local system users.
The old server had a local user called "samba" with UID 504 that owned some
of the directories within the share.

So, the symptom was bizarre and cryptic, but the solution was to make sure
all of the files and directories are owned by existing users and groups.

I hope this helps someone!!

Michael Davidson

Mount Washington Observatory
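
An added example, not part of the original post: a pre-migration check that compares the numeric IDs owning files in a share against `getent passwd` output saved from the old and new servers, flagging IDs that no longer resolve (like UID 504 above) or that now belong to a different account. The function names and the sample account data are constructed for illustration.

```python
import os

# Constructed `getent passwd` output (not taken from the post's servers).
OLD_PASSWD = r"""root:x:0:0:root:/root:/bin/bash
samba:x:504:504::/home/samba:/bin/bash
EXAMPLE\alice:*:10001:10000:Alice:/home/EXAMPLE/alice:/bin/false
EXAMPLE\bob:*:10002:10000:Bob:/home/EXAMPLE/bob:/bin/false"""
NEW_PASSWD = r"""root:x:0:0:root:/root:/bin/bash
EXAMPLE\alice:*:10001:10000:Alice:/home/EXAMPLE/alice:/bin/false
EXAMPLE\bob:*:10003:10000:Bob:/home/EXAMPLE/bob:/bin/false
EXAMPLE\carol:*:10002:10000:Carol:/home/EXAMPLE/carol:/bin/false"""

def parse_getent(text):
    """Map numeric ID -> name from `getent passwd` or `getent group` output."""
    ids = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            ids[int(fields[2])] = fields[0]
    return ids

def ids_in_use(root):
    """Collect every owner UID and GID under root without following symlinks."""
    uids, gids = set(), set()
    for dirpath, dirnames, filenames in os.walk(root):
        names = dirnames + filenames
        for path in [dirpath] + [os.path.join(dirpath, n) for n in names]:
            st = os.lstat(path)
            uids.add(st.st_uid)
            gids.add(st.st_gid)
    return uids, gids

def compare_ids(old, new, used):
    """Report IDs in `used` that are unresolved or renamed on the new server."""
    problems = []
    for i in sorted(used):
        if i not in new:
            problems.append((i, old.get(i, "?"), "missing on new server"))
        elif i in old and old[i] != new[i]:
            # Same number, different account: files silently change owner.
            problems.append((i, old[i], "now maps to " + new[i]))
    return problems

if __name__ == "__main__":
    old, new = parse_getent(OLD_PASSWD), parse_getent(NEW_PASSWD)
    # In real use: used, _ = ids_in_use("/path/to/share")
    for uid, name, issue in compare_ids(old, new, {0, 504, 10001, 10002}):
        print(f"UID {uid} ({name}): {issue}")
```

The same comparison applies to groups using `getent group` output and the GID set. With Winbind, `getent passwd` lists domain users only when `winbind enum users = yes` is set in smb.conf.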


