[Samba] kerberos - permissions - showacls fails

Heinz Hölzl heinz.hoelzl at gvcc.net
Thu Feb 11 04:18:47 MST 2010


hi

I have a file, owned by heinz_sgv, and the permissions are set to 700.

# ls -l x.txt
-rwx------ 1 heinz_sgv domusers 15 2010-02-11 07:38 x.txt


With smbclient I can access the file, I have full rights and I can 
see the ACLs:

# smbclient //localhost/samba -U heinz_sgv%x  -c "showacls ;ls tmp/x.txt"
Domain=[GVCC.NET] OS=[Unix] Server=[Samba 3.5.0rc2]
FILENAME:x.txt
MODE:A
SIZE:15
MTIME:Thu Feb 11 07:38:19 2010
revision: 1
type: 0x9004: SEC_DESC_DACL_PRESENT SEC_DESC_DACL_PROTECTED SEC_DESC_SELF_RELATIVE
DACL
    ACL    Num ACEs:    3    revision:    2
    ---
    ACE
        type: ACCESS ALLOWED (0) flags: 0x00
        Specific bits: 0x1ff
        Permissions: 0x1e01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS
        SID: S-1-5-21-3234543381-3221305018-1482225196-1002

    ACE
        type: ACCESS ALLOWED (0) flags: 0x00
        Specific bits: 0x0
        Permissions: 0x0:
        SID: S-1-5-21-3234543381-3221305018-1482225196-513

    ACE
        type: ACCESS ALLOWED (0) flags: 0x00
        Specific bits: 0x0
        Permissions: 0x0:
        SID: S-1-1-0

    Owner SID:    S-1-5-21-3234543381-3221305018-1482225196-1002
    Group SID:    S-1-5-21-3234543381-3221305018-1482225196-513




If I connect to Samba using Kerberos, I cannot get the permissions of 
the file. (principal: heinz_sgv at GVCC.NET)

smbclient //probe24.bahnhof.gvcc.net/samba -k -c "showacls ;dir tmp/x.txt" -d 0
Domain=[GVCC.NET] OS=[Unix] Server=[Samba 3.5.0rc2]
FILENAME:x.txt
MODE:A
SIZE:15
MTIME:Thu Feb 11 07:38:19 2010
display_finfo() Failed to open \tmp\x.txt: NT_STATUS_ACCESS_DENIED


If I change the permissions to 770, then I can see the permissions of the 
file also with Kerberos:
 # chmod 770 x.txt
 # ls -l x.txt
-rwxrwx--- 1 heinz_sgv domusers 15 2010-02-11 07:38 x.txt


# smbclient //probe24.bahnhof.gvcc.net/samba -k -c "showacls ;dir tmp/x.txt"
Domain=[GVCC.NET] OS=[Unix] Server=[Samba 3.5.0rc2]
FILENAME:x.txt
MODE:AS
SIZE:15
MTIME:Thu Feb 11 07:38:19 2010
revision: 1
type: 0x9004: SEC_DESC_DACL_PRESENT SEC_DESC_DACL_PROTECTED SEC_DESC_SELF_RELATIVE
DACL
    ACL    Num ACEs:    3    revision:    2
    ---
    ACE
        type: ACCESS ALLOWED (0) flags: 0x00
        Specific bits: 0x1ff
        Permissions: 0x1e01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS
        SID: S-1-5-21-3234543381-3221305018-1482225196-1002

    ACE
        type: ACCESS ALLOWED (0) flags: 0x00
        Specific bits: 0x1ff
        Permissions: 0x1e01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS
        SID: S-1-5-21-3234543381-3221305018-1482225196-513

    ACE
        type: ACCESS ALLOWED (0) flags: 0x00
        Specific bits: 0x0
        Permissions: 0x0:
        SID: S-1-1-0

    Owner SID:    S-1-5-21-3234543381-3221305018-1482225196-1002
    Group SID:    S-1-5-21-3234543381-3221305018-1482225196-513

Thank you,
heinz



my smb.conf:
[global]
workgroup = GVCC.NET

# Kerberos
realm = GVCC.NET
password server = probe24.bahnhof.gvcc.net
kerberos method = system keytab
client use spnego = yes
use spnego = yes

# pdc settings
domain logons = yes
domain master = yes
local master = yes
preferred master = yes
os level = 65
log level = 3

### ldapsam:editposix
passdb backend = ldapsam:ldap://localhost/
ldapsam:trusted = yes
ldapsam:editposix = yes
ldap admin dn = cn=admin,dc=gvcc,dc=net
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=computers
ldap passwd sync = Yes
ldap suffix = dc=gvcc,dc=net
ldap ssl = no

idmap backend = ldap:ldap://localhost/
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999
idmap alloc backend = ldap
idmap alloc config : ldap_url = ldap://localhost/
idmap alloc config : ldap_base_dn = ou=idmap,dc=gvcc,dc=net
idmap alloc config : ldap_user_dn = cn=admin,dc=gvcc,dc=net

logon path = 
logon home = \\%N\%U 
logon drive = k:

guest ok = No
read only = No
case sensitive = no
default case = lower 
preserve case = yes
short preserve case = yes
create mode = 0660
force create mode = 0000
directory mask = 0770
force directory mode = 2000
unix charset = utf8
display charset = utf8

[samba]
        path=/samba
        readonly=no
        guest ok = yes
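Added example (not part of the post or of Samba): a small evaluator that parses the DACLs showacls printed above and walks them the way an NT access check does, to show why READ_CONTROL (what showacls needs) is denied at mode 700 but granted at 770 for a token that carries the group SID -513 and Everyone but not the owner SID -1002. That "group-only" token is an assumed scenario for illustration, not a diagnosis of the Kerberos session; compare it against what `smbstatus` or a level-3 log reports for the real session.

```python
import re

READ_CONTROL = 0x00020000  # the right showacls needs to read the security descriptor

# Constructed from the showacls output in the post (ACE marker lines dropped); the group
# ACE mask is a template slot: 0x0 at mode 700, 0x1e01ff after chmod 770.
DOMAIN = "S-1-5-21-3234543381-3221305018-1482225196"
DACL_TEMPLATE = f"""
        type: ACCESS ALLOWED (0) flags: 0x00
        Permissions: 0x1e01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS
        SID: {DOMAIN}-1002
        type: ACCESS ALLOWED (0) flags: 0x00
        Permissions: {{group_mask}}:
        SID: {DOMAIN}-513
        type: ACCESS ALLOWED (0) flags: 0x00
        Permissions: 0x0:
        SID: S-1-1-0
"""
DACLS = {"700": DACL_TEMPLATE.format(group_mask="0x0"),
         "770": DACL_TEMPLATE.format(group_mask="0x1e01ff")}

ACE_RE = re.compile(r"type:\s*ACCESS (ALLOWED|DENIED) \(\d\).*?"
                    r"Permissions:\s*(0x[0-9a-fA-F]+):.*?SID:\s*(S-[\d-]+)", re.S)

def parse_dacl(text):
    """ACEs in DACL order as (is_allow, access_mask, sid) tuples."""
    return [(k == "ALLOWED", int(m, 16), s) for k, m, s in ACE_RE.findall(text)]

def check_access(aces, token_sids, desired):
    """Simplified NT DACL walk: a deny ACE on a still-wanted bit loses; allow ACEs accumulate
    the wanted bits. Owner-implied rights, privileges and inheritance flags are ignored."""
    granted = 0
    for is_allow, mask, sid in aces:
        if sid not in token_sids:
            continue
        if not is_allow and mask & desired & ~granted:
            return False
        if is_allow:
            granted |= mask & desired
    return granted == desired

# Owner + primary group + Everyone, versus an assumed session token that carries the group
# SID but not the owner's SID (a hypothetical mapping used for illustration only).
TOKENS = {"owner": {f"{DOMAIN}-1002", f"{DOMAIN}-513", "S-1-1-0"},
          "group-only": {f"{DOMAIN}-513", "S-1-1-0"}}

def diagnose():
    """(mode, token) -> is READ_CONTROL granted?  Only ("700", "group-only") is denied."""
    return {(mode, name): check_access(parse_dacl(text), sids, READ_CONTROL)
            for mode, text in DACLS.items() for name, sids in TOKENS.items()}
```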