[Samba] SMB + Active Directory And No Ability To Delete Files And Folders

Peter Shevchenko Peter.Shevchenko at rsise.anu.edu.au
Fri Jun 3 00:50:04 MDT 2011


On Wed, 01 Jun 2011 16:35:05 -0400, Jenkins, Mack wrote:

> The 3.5.8 release is not in the yum repo provided by RHEL6.  We are
> trying to stay within the RHEL yum repo if possible.  But at this point,
> if there is a repo that has a 3.5.8 release, I'd be more than happy to
> give it a try.
> 
> --
> Mack J. Jenkins, II
> 404-385-1591
> mack.jenkins at eas.gatech.edu
> System Support Engineer II
> Earth & Atmospheric Sciences
> 
> 
> ----- Original Message -----
> From: "Jeremy Allison" <jra at samba.org>
> To: "Mack Jenkins" <mack.jenkins at eas.gatech.edu>
> Cc: samba at lists.samba.org
> Sent: Friday, May 27, 2011 7:39:21 PM
> Subject: Re: [Samba] SMB + Active Directory And No Ability To Delete Files And Folders
> 
> On Fri, May 27, 2011 at 03:21:17PM -0400, Jenkins, Mack wrote:
>> I hope that everyone is doing well.  I'm new to the list and look
>> forward to participating in the community.  I've been using Samba for a
>> long time and have always preached the samba gospel.  :-)
>> 
>> I find myself with a peculiar problem.  I have a RHEL6 install running
>> Samba Version 3.5.4-68.el6_0.2 acting a local file server and it is
>> tied into an Active Directory server for the user management.  When a
>> user on a Windows box supplies their Active Directory credentials, my
>> Samba server validates them against the Active Directory server,
>> creates a directory on the local server, which the user then mounts on
>> their Windows machine.
>> 
>> The problem is this.  The users can create files and folders, but can
>> not delete them.  Has anyone seen this behavior before?
> 
> Sounds somewhat like an old bug that got fixed...
> 
> Have you tried a 3.5.8 release?

This sounds like a problem that I have been having.  It looks to me like 
the open bug 7521.  My situation is:

1) Two different Windows AD domains, one Windows 2000, the other 2008R2.
2) Three separate Samba servers: one (Ubuntu 10.04 LTS with Samba 3.4.7;
I have also tried 3.5.8) joined to the 2008R2 domain.  On the other
domain I have an old Samba 3.0.14 server and a new Samba 3.4.7 (also
tried 3.5.8) joined to it.  Of the three Samba servers, only the 3.0.14
one works as expected with file deletes.

The problem is this: if I have a share containing a directory that is
owned by a group, say "foo", with permissions drwxrwxr-x, then when user
"X", who is a member of "foo", mounts the drive, they are able to create
files in that directory but they can't delete or change the name of that
file.

I have been trying to find documentation of how Samba handles the
translation of permissions in terms of Windows ACLs, Linux ACLs and POSIX
permissions but have not found much that is at all current.  I have also
looked in the code and the problem looks to be in the se_access_check
function in lib/util_seaccess.c, but there are all these big structures
being passed around and I am really struggling to understand what they
all mean.  I also don't understand enough about Windows ACLs and how
Samba is storing them to get much further.  I had a look at
http://samba.org/samba/docs/man/Samba-Developers-Guide/ but it appears
to be very out of date.  It looks like with Samba 3.3 permissions are
handled totally differently from older releases?

Any ideas?

Peter.


This is the smb.conf:

[global]
   workgroup = BLAH
   realm = BLAH.BLAH.BLAH
   preferred master = no
   server string = Linux Samba Server
   security = ADS
   encrypt passwords = yes
   log level = 10
   log file = /var/log/samba/%m
   max log size = 500
   winbind use default domain = Yes
   winbind nested groups = Yes
   template shell = /bin/bash
   map untrusted to domain = Yes
[homes]
   comment = Home Direcotries
   read only = No
   browsable = No
   writable = yes
   create mask = 0644
   directory mask = 0755
   path = /home/users/%S
   store dos attributes = yes
[test]
   comment = Test Direcotries
   read only = No
   browseable = yes
   writable = yes
   create mask = 0644
   directory mask = 0755
   path = /home/test

This is a level 10 debug log of some testing I did:

[2011/05/06 09:44:03, 10] ../lib/util/util.c:304(_dump_data)
  [0000] 00 5C 00 63 00 6D 00 62   00 72 00 5C 00 76 00 62   .\.c.m.b .r.\.v.b
  [0010] 00 6E 00 6D 00 76 00 62   00 6E 00 6D 00 00 00     .n.m.v.b .n.m...
[2011/05/06 09:44:03,  3] smbd/process.c:1273(switch_message)
  switch message SMBntcreateX (pid 13841) conn 0x7fa151fea970
[2011/05/06 09:44:03,  4] smbd/uid.c:256(change_to_user)
  change_to_user: Skipping user change - already user
[2011/05/06 09:44:03, 10] smbd/nttrans.c:484(reply_ntcreate_and_X)
  reply_ntcreate_and_X: flags = 0x10, access_mask = 0x110080 file_attributes = 0x0, share_access = 0x7, create_disposition = 0x1 create_options = 0x200000 root_dir_fid = 0x0, fname = cmbr/vbnmvbnm
[2011/05/06 09:44:03, 10] smbd/open.c:3365(create_file_default)
  create_file: access_mask = 0x110080 file_attributes = 0x0, share_access = 0x7, create_disposition = 0x1 create_options = 0x200000 oplock_request = 0x0 root_dir_fid = 0x0, ea_list = 0x(nil), sd = 0x(nil), create_file_flags = 0x1, fname = cmbr/vbnmvbnm
[2011/05/06 09:44:03,  5] smbd/filename.c:148(unix_convert)
  unix_convert called on file "cmbr/vbnmvbnm"
[2011/05/06 09:44:03, 10] smbd/statcache.c:274(stat_cache_lookup)
  stat_cache_lookup: lookup succeeded for name [CMBR/VBNMVBNM] -> [cmbr/vbnmvbnm]
[2011/05/06 09:44:03,  3] smbd/vfs.c:865(check_reduced_name)
  reduce_name [cmbr/vbnmvbnm] [/home/test]
[2011/05/06 09:44:03, 10] smbd/vfs.c:937(check_reduced_name)
  reduce_name realpath [cmbr/vbnmvbnm] -> [/home/test/cmbr/vbnmvbnm]
[2011/05/06 09:44:03,  3] smbd/vfs.c:974(check_reduced_name)
  reduce_name: cmbr/vbnmvbnm reduced to /home/test/cmbr/vbnmvbnm
[2011/05/06 09:44:03, 10] smbd/open.c:2896(create_file_unixpath)
  create_file_unixpath: access_mask = 0x110080 file_attributes = 0x0, share_access = 0x7, create_disposition = 0x1 create_options = 0x200000 oplock_request = 0x0 ea_list = 0x(nil), sd = 0x(nil), fname = cmbr/vbnmvbnm
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:3372(posix_get_nt_acl)
  posix_get_nt_acl: called for file cmbr
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2522(canonicalise_acl)
  canonicalise_acl: Access ace entries before arrange :
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2535(canonicalise_acl)
  canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms ---
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2535(canonicalise_acl)
  canon_ace index 1. Type = allow SID = S-1-22-2-100 gid 100 (users) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rwx
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2535(canonicalise_acl)
  canon_ace index 2. Type = allow SID = S-1-5-21-2171229024-547788684-1459996048-4416 uid 1709 (X) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:838(print_canon_ace_list)
  print_canon_ace_list: canonicalise_acl: ace entries after arrange
  canon_ace index 0. Type = allow SID = S-1-5-21-2171229024-547788684-1459996048-4416 uid 1709 (X) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
  canon_ace index 1. Type = allow SID = S-1-22-2-100 gid 100 (users) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rwx
  canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms ---
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 0 to (NT) 0
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:3372(posix_get_nt_acl)
  posix_get_nt_acl: called for file cmbr/vbnmvbnm
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2522(canonicalise_acl)
  canonicalise_acl: Access ace entries before arrange :
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2535(canonicalise_acl)
  canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms rwx
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2535(canonicalise_acl)
  canon_ace index 1. Type = allow SID = S-1-22-2-100 gid 100 (users) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rwx
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2535(canonicalise_acl)
  canon_ace index 2. Type = allow SID = S-1-5-21-2171229024-547788684-1459996048-4416 uid 1709 (X) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:838(print_canon_ace_list)
  print_canon_ace_list: canonicalise_acl: ace entries after arrange
  canon_ace index 0. Type = allow SID = S-1-5-21-2171229024-547788684-1459996048-4416 uid 1709 (X) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
  canon_ace index 1. Type = allow SID = S-1-22-2-100 gid 100 (users) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rwx
  canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms rwx
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1e01ff
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1e01ff
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1e01ff
[2011/05/06 09:44:03, 10] smbd/open.c:2952(create_file_unixpath)
  create_file_unixpath: open file cmbr/vbnmvbnm for delete ACCESS_DENIED
[2011/05/06 09:44:03, 10] smbd/open.c:3218(create_file_unixpath)
  create_file_unixpath: NT_STATUS_ACCESS_DENIED
[2011/05/06 09:44:03, 10] smbd/open.c:3497(create_file_default)
  create_file: NT_STATUS_ACCESS_DENIED
[2011/05/06 09:44:03,  3] smbd/error.c:60(error_packet_set)
  error packet at smbd/nttrans.c(563) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED
[2011/05/06 09:44:03,  5] lib/util.c:632(show_msg)
[2011/05/06 09:44:03,  5] lib/util.c:642(show_msg)
  size=35
  smb_com=0xa2
  smb_rcls=34
  smb_reh=0
  smb_err=49152
  smb_flg=136
  smb_flg2=51201
  smb_tid=2
  smb_pid=3440
  smb_uid=102
  smb_mid=10496
  smt_wct=0
  smb_bcc=0
[2011/05/06 09:44:03, 10] lib/util_sock.c:789(read_smb_length_return_keepalive)
  got smb length of 104
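As an added diagnostic example (not from the thread or from Samba itself), the script below parses the access_mask and map_canon_ace_perms lines out of a level 10 log like the one above and reports which requested rights each mapped ACE mask fails to grant. The bit names are the standard Windows access-mask constants; the sample lines are abridged copies of the log lines in this message.

```python
import re

# Standard Windows access-mask bits (Samba prints these masks in hex).
ACCESS_BITS = {
    0x00000001: "FILE_READ_DATA",        0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA",      0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",         0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD",     0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES", 0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",          0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",           0x00100000: "SYNCHRONIZE",
}

# Constructed sample: three lines abridged from the level 10 log in the post.
# The first mapping is for the parent directory "cmbr", the second for the file.
SAMPLE_LOG = """\
  create_file_unixpath: access_mask = 0x110080 file_attributes = 0x0, fname = cmbr/vbnmvbnm
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1e01ff
"""

def decode_mask(mask):
    """Names of the bits set in an NT access mask, lowest bit first."""
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]

def parse_log(text):
    """Return (requested access_mask, [(unix_mode, nt_mask), ...])."""
    requested, mapped = None, []
    for line in text.splitlines():
        m = re.search(r"access_mask = 0x([0-9a-fA-F]+)", line)
        if m and requested is None:
            requested = int(m.group(1), 16)
        m = re.search(r"Mapped \(UNIX\) ([0-9a-fA-F]+) to \(NT\) ([0-9a-fA-F]+)", line)
        if m:
            mapped.append((int(m.group(1), 16), int(m.group(2), 16)))
    return requested, mapped

def missing_rights(text=SAMPLE_LOG):
    """For each mapped ACE mask, the requested rights it does not grant.

    In the sample the open asks for DELETE|FILE_READ_ATTRIBUTES|SYNCHRONIZE;
    the directory mask 0x1f01ff grants all of them, while the file mask
    0x1e01ff lacks DELETE, matching the ACCESS_DENIED on the open for delete.
    """
    requested, mapped = parse_log(text)
    return [(nt, decode_mask(requested & ~nt)) for _unix, nt in mapped]

if __name__ == "__main__":
    for nt, missing in missing_rights():
        print(f"NT mask {nt:#x} lacks {missing or 'nothing'}")
```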