[Samba] kerberos - permissions - showacls fails
Heinz Hölzl
heinz.hoelzl at gvcc.net
Thu Feb 11 04:18:47 MST 2010
Hi,
I have a file, owned by heinz_sgv, and the permissions are set to 700:
# ls -l x.txt
-rwx------ 1 heinz_sgv domusers 15 2010-02-11 07:38 x.txt
With smbclient I can access the file, I have full rights and I can see the ACLs:
# smbclient //localhost/samba -U heinz_sgv%x -c "showacls ;ls tmp/x.txt"
Domain=[GVCC.NET] OS=[Unix] Server=[Samba 3.5.0rc2]
FILENAME:x.txt
MODE:A
SIZE:15
MTIME:Thu Feb 11 07:38:19 2010
revision: 1
type: 0x9004: SEC_DESC_DACL_PRESENT SEC_DESC_DACL_PROTECTED
SEC_DESC_SELF_RELATIVE
DACL
ACL Num ACEs: 3 revision: 2
---
ACE
type: ACCESS ALLOWED (0) flags: 0x00
Specific bits: 0x1ff
Permissions: 0x1e01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS
WRITE_DAC_ACCESS READ_CONTROL_ACCESS
SID: S-1-5-21-3234543381-3221305018-1482225196-1002
ACE
type: ACCESS ALLOWED (0) flags: 0x00
Specific bits: 0x0
Permissions: 0x0:
SID: S-1-5-21-3234543381-3221305018-1482225196-513
ACE
type: ACCESS ALLOWED (0) flags: 0x00
Specific bits: 0x0
Permissions: 0x0:
SID: S-1-1-0
Owner SID: S-1-5-21-3234543381-3221305018-1482225196-1002
Group SID: S-1-5-21-3234543381-3221305018-1482225196-513
If I connect to Samba using Kerberos, I cannot get the permissions of the file (principal: heinz_sgv at GVCC.NET):
smbclient //probe24.bahnhof.gvcc.net/samba -k -c "showacls ;dir tmp/x.txt" -d 0
Domain=[GVCC.NET] OS=[Unix] Server=[Samba 3.5.0rc2]
FILENAME:x.txt
MODE:A
SIZE:15
MTIME:Thu Feb 11 07:38:19 2010
display_finfo() Failed to open \tmp\x.txt: NT_STATUS_ACCESS_DENIED
If I change the permissions to 770 then I can see the permissions of the file also with Kerberos:
# chmod 770 x.txt
# ls -l x.txt
-rwxrwx--- 1 heinz_sgv domusers 15 2010-02-11 07:38 x.txt
# smbclient //probe24.bahnhof.gvcc.net/samba -k -c "showacls ;dir tmp/x.txt"
Domain=[GVCC.NET] OS=[Unix] Server=[Samba 3.5.0rc2]
FILENAME:x.txt
MODE:AS
SIZE:15
MTIME:Thu Feb 11 07:38:19 2010
revision: 1
type: 0x9004: SEC_DESC_DACL_PRESENT SEC_DESC_DACL_PROTECTED
SEC_DESC_SELF_RELATIVE
DACL
ACL Num ACEs: 3 revision: 2
---
ACE
type: ACCESS ALLOWED (0) flags: 0x00
Specific bits: 0x1ff
Permissions: 0x1e01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS
WRITE_DAC_ACCESS READ_CONTROL_ACCESS
SID: S-1-5-21-3234543381-3221305018-1482225196-1002
ACE
type: ACCESS ALLOWED (0) flags: 0x00
Specific bits: 0x1ff
Permissions: 0x1e01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS
WRITE_DAC_ACCESS READ_CONTROL_ACCESS
SID: S-1-5-21-3234543381-3221305018-1482225196-513
ACE
type: ACCESS ALLOWED (0) flags: 0x00
Specific bits: 0x0
Permissions: 0x0:
SID: S-1-1-0
Owner SID: S-1-5-21-3234543381-3221305018-1482225196-1002
Group SID: S-1-5-21-3234543381-3221305018-1482225196-513
Thank you,
heinz
My smb.conf:
[global]
workgroup = GVCC.NET
# Kerberos
realm = GVCC.NET
password server = probe24.bahnhof.gvcc.net
kerberos method = system keytab
client use spnego = yes
use spnego = yes
# pdc settings
domain logons = yes
domain master = yes
local master = yes
preferred master = yes
os level = 65
log level = 3
### ldapsam:editposix
passdb backend = ldapsam:ldap://localhost/
ldapsam:trusted = yes
ldapsam:editposix = yes
ldap admin dn = cn=admin,dc=gvcc,dc=net
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=computers
ldap passwd sync = Yes
ldap suffix = dc=gvcc,dc=net
ldap ssl = no
idmap backend = ldap:ldap://localhost/
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999
idmap alloc backend = ldap
idmap alloc config : ldap_url = ldap://localhost/
idmap alloc config : ldap_base_dn = ou=idmap,dc=gvcc,dc=net
idmap alloc config : ldap_user_dn = cn=admin,dc=gvcc,dc=net
logon path =
logon home = \\%N\%U
logon drive = k:
guest ok = No
read only = No
case sensitive = no
default case = lower
preserve case = yes
short preserve case = yes
create mode = 0660
force create mode = 0000
directory mask = 0770
force directory mode = 2000
unix charset = utf8
display charset = utf8
[samba]
path=/samba
readonly=no
guest ok = yes
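The two showacls dumps above differ only in the mask of the domusers ACE (0x0 for mode 700, 0x1e01ff after chmod 770), so the question is which SIDs the Kerberos session's token actually carries when Samba runs its access check. The following is an added example (not from the mail above and not Samba's own code) that parses showacls output as printed in the post and evaluates the DACL with a simplified NT access-check walk: ACEs are applied in order, ALLOW ACEs remove bits from the outstanding request, a DENY ACE that hits an outstanding bit fails the check, and the owner implicitly holds READ_CONTROL and WRITE_DAC as MS-DTYP describes. The sample input is the 700 descriptor copied from the post; `as_chmod_770` is a hypothetical helper that reproduces the second dump by widening the group ACE. The token contents (owner SID + domusers + Everyone versus domusers + Everyone only) are assumptions chosen to show that a session which is denied on the 700 file but allowed on the 770 file behaves exactly like a token that lacks the owner's SID, which is the mapping to verify for the Kerberos principal.

```python
"""Parse `smbclient showacls` output and run a simplified NT DACL check.
Added example, not part of the original mail and not Samba's own code."""
import re

# Mask bits as printed by showacls (values from MS-DTYP / Samba headers).
READ_CONTROL_ACCESS = 0x20000
WRITE_DAC_ACCESS = 0x40000
FILE_READ_DATA = 0x1  # lowest bit of the 0x1ff "rwx" specific-bits block

# Constructed sample input: the 700 descriptor from the post, verbatim layout.
SHOWACLS_700 = """\
revision: 1
type: 0x9004: SEC_DESC_DACL_PRESENT SEC_DESC_DACL_PROTECTED
SEC_DESC_SELF_RELATIVE
DACL
ACL Num ACEs: 3 revision: 2
---
ACE
type: ACCESS ALLOWED (0) flags: 0x00
Specific bits: 0x1ff
Permissions: 0x1e01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS
WRITE_DAC_ACCESS READ_CONTROL_ACCESS
SID: S-1-5-21-3234543381-3221305018-1482225196-1002
ACE
type: ACCESS ALLOWED (0) flags: 0x00
Specific bits: 0x0
Permissions: 0x0:
SID: S-1-5-21-3234543381-3221305018-1482225196-513
ACE
type: ACCESS ALLOWED (0) flags: 0x00
Specific bits: 0x0
Permissions: 0x0:
SID: S-1-1-0
Owner SID: S-1-5-21-3234543381-3221305018-1482225196-1002
Group SID: S-1-5-21-3234543381-3221305018-1482225196-513
"""

OWNER = "S-1-5-21-3234543381-3221305018-1482225196-1002"
DOMUSERS = "S-1-5-21-3234543381-3221305018-1482225196-513"
EVERYONE = "S-1-1-0"

ACE_TYPE_RE = re.compile(r"^type:\s+ACCESS (ALLOWED|DENIED)")
MASK_RE = re.compile(r"^Permissions:\s+(0x[0-9a-fA-F]+)")
SID_RE = re.compile(r"^SID:\s+(S-[0-9-]+)")


def parse_showacls(text):
    """Return {'owner', 'group', 'aces': [{'type', 'mask', 'sid'}, ...]}."""
    sd = {"owner": None, "group": None, "aces": []}
    ace = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "ACE":                       # start of a new ACE record
            ace = {"type": None, "mask": 0, "sid": None}
            sd["aces"].append(ace)
        elif line.startswith("Owner SID:"):     # trailer, after the last ACE
            sd["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("Group SID:"):
            sd["group"] = line.split(":", 1)[1].strip()
        elif ace is not None:                   # fields belonging to the ACE
            for key, rx in (("type", ACE_TYPE_RE), ("mask", MASK_RE), ("sid", SID_RE)):
                m = rx.match(line)
                if m:
                    ace[key] = int(m.group(1), 16) if key == "mask" else m.group(1)
                    break
    return sd


def access_check(sd, token_sids, requested):
    """Simplified NT access check: True if every requested bit is granted."""
    remaining = requested
    if sd["owner"] in token_sids:               # implicit owner rights (MS-DTYP)
        remaining &= ~(READ_CONTROL_ACCESS | WRITE_DAC_ACCESS)
    for ace in sd["aces"]:                      # ACEs are evaluated in order
        if remaining == 0:
            break
        if ace["sid"] not in token_sids:
            continue
        if ace["type"] == "ALLOWED":
            remaining &= ~ace["mask"]
        elif remaining & ace["mask"]:           # DENY hitting an outstanding bit
            return False
    return remaining == 0


def as_chmod_770(sd):
    """Hypothetical helper: widen the group ACE to 0x1e01ff, as the second
    showacls dump in the post shows after chmod 770."""
    new = {**sd, "aces": [dict(a) for a in sd["aces"]]}
    new["aces"][1]["mask"] = 0x1E01FF
    return new


def compare_tokens(sd):
    """Can each assumed token open the file for reading and read its SD
    (the rights showacls needs)?"""
    want = FILE_READ_DATA | READ_CONTROL_ACCESS
    return {
        "owner token": access_check(sd, {OWNER, DOMUSERS, EVERYONE}, want),
        "group-only token": access_check(sd, {DOMUSERS, EVERYONE}, want),
    }


if __name__ == "__main__":
    sd700 = parse_showacls(SHOWACLS_700)
    print("mode 700:", compare_tokens(sd700))
    print("mode 770:", compare_tokens(as_chmod_770(sd700)))
```

Running it prints that under mode 700 only the token holding the owner SID gets through, while under mode 770 both tokens do. That is the same pattern as the password session versus the Kerberos session in the post, so the next thing to compare is the SID list Samba builds for the Kerberos principal against the one it builds for the NTLM login.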