[Samba] SMB + Active Directory And No Ability To Delete Files And Folders
Peter Shevchenko
Peter.Shevchenko at rsise.anu.edu.au
Fri Jun 3 00:50:04 MDT 2011
On Wed, 01 Jun 2011 16:35:05 -0400, Jenkins, Mack wrote:
> The 3.5.8 release is not in the yum repo provided by RHEL6. We are
> trying to stay within the RHEL yum repo if possible. But at this point,
> if there is a repo that has a 3.5.8 release, I'd be more than happy to
> give it a try.
>
> --
> Mack J. Jenkins, II
> 404-385-1591
> mack.jenkins at eas.gatech.edu
> System Support Engineer II
> Earth & Atmospheric Sciences
>
>
> ----- Original Message -----
> From: "Jeremy Allison" <jra at samba.org>
> To: "Mack Jenkins" <mack.jenkins at eas.gatech.edu>
> Cc: samba at lists.samba.org
> Sent: Friday, May 27, 2011 7:39:21 PM
> Subject: Re: [Samba] SMB + Active Directory And No Ability To Delete Files And Folders
>
> On Fri, May 27, 2011 at 03:21:17PM -0400, Jenkins, Mack wrote:
>> I hope that everyone is doing well. I'm new to the list and look
>> forward to participating in the community. I've been using Samba for a
>> long time and have always preached the samba gospel. :-)
>>
>> I find myself with a peculiar problem. I have a RHEL6 install running
>> Samba Version 3.5.4-68.el6_0.2 acting as a local file server and it is
>> tied into an Active Directory server for the user management. When a
>> user on a Windows box supplies their Active Directory credentials, my
>> Samba server validates them against the Active Directory server,
>> creates a directory on the local server, which the user then mounts on
>> their Windows machine.
>>
>> The problem is this. The users can create files and folders, but can
>> not delete them. Has anyone seen this behavior before?
>
> Sounds somewhat like an old bug that got fixed...
>
> Have you tried a 3.5.8 release?
This sounds like a problem that I have been having. It looks to me like
the open bug 7521. My situation is:
1) Two different Windows AD domains, one Windows 2000, the other 2008R2.
2) Three separate Samba servers. One (Ubuntu 10.04 LTS with Samba 3.4.7,
and I have also tried 3.5.8) is joined to the 2008R2 domain. On the other
domain I have an old Samba 3.0.14 server and a new Samba 3.4.7 (also
tried 3.5.8) joined to it. Out of the three Samba servers only the
3.0.14 works as expected with file deletes.
The problem is this: if I have a share containing a directory that is
owned by a group, say "foo", with permissions drwxrwxr-x, then when user
"X", who is a member of "foo", mounts the drive, they are able to create
files in that directory but they can't delete or change the name of that file.
I have been trying to find documentation of how Samba handles the
translation of permissions in terms of Windows ACLs, Linux ACLs and POSIX
permissions, but have not found much that is at all current. I have also
looked in the code and the problem looks to be in the se_access_check
function in lib/util_seaccess.c, but there are all these big structures
being passed around and I am really struggling to understand what they
all mean. I also don't understand enough about Windows ACLs and how
Samba is storing them to get much further. I had a look at
http://samba.org/samba/docs/man/Samba-Developers-Guide/ but it appears to be
very out of date. It looks like with Samba 3.3 permissions are handled
totally differently from older releases?
Any ideas?
Peter.
This is the smb.conf
[global]
workgroup = BLAH
realm = BLAH.BLAH.BLAH
preferred master = no
server string = Linux Samba Server
security = ADS
encrypt passwords = yes
log level = 10
log file = /var/log/samba/%m
max log size = 500
winbind use default domain = Yes
winbind nested groups = Yes
template shell = /bin/bash
map untrusted to domain = Yes
[homes]
comment = Home Direcotries
read only = No
browsable = No
writable = yes
create mask = 0644
directory mask = 0755
path = /home/users/%S
store dos attributes = yes
[test]
comment = Test Direcotries
read only = No
browseable = yes
writable = yes
create mask = 0644
directory mask = 0755
path = /home/test
This is a level 10 debug log of some testing I did.
[2011/05/06 09:44:03, 10] ../lib/util/util.c:304(_dump_data)
[0000] 00 5C 00 63 00 6D 00 62 00 72 00 5C 00 76 00 62 .\.c.m.b .r.\.v.b
[0010] 00 6E 00 6D 00 76 00 62 00 6E 00 6D 00 00 00 .n.m.v.b .n.m...
[2011/05/06 09:44:03, 3] smbd/process.c:1273(switch_message)
switch message SMBntcreateX (pid 13841) conn 0x7fa151fea970
[2011/05/06 09:44:03, 4] smbd/uid.c:256(change_to_user)
change_to_user: Skipping user change - already user
[2011/05/06 09:44:03, 10] smbd/nttrans.c:484(reply_ntcreate_and_X)
reply_ntcreate_and_X: flags = 0x10, access_mask = 0x110080
file_attributes = 0x0, share_access = 0x7, create_disposition = 0x1
create_options = 0x200000 root_dir_fid = 0x0, fname = cmbr/vbnmvbnm
[2011/05/06 09:44:03, 10] smbd/open.c:3365(create_file_default)
create_file: access_mask = 0x110080 file_attributes = 0x0, share_access
= 0x7, create_disposition = 0x1 create_options = 0x200000 oplock_request
= 0x0 root_dir_fid = 0x0, ea_list = 0x(nil), sd = 0x(nil),
create_file_flags = 0x1, fname = cmbr/vbnmvbnm
[2011/05/06 09:44:03, 5] smbd/filename.c:148(unix_convert)
unix_convert called on file "cmbr/vbnmvbnm"
[2011/05/06 09:44:03, 10] smbd/statcache.c:274(stat_cache_lookup)
stat_cache_lookup: lookup succeeded for name [CMBR/VBNMVBNM] -> [cmbr/vbnmvbnm]
[2011/05/06 09:44:03, 3] smbd/vfs.c:865(check_reduced_name)
reduce_name [cmbr/vbnmvbnm] [/home/test]
[2011/05/06 09:44:03, 10] smbd/vfs.c:937(check_reduced_name)
reduce_name realpath [cmbr/vbnmvbnm] -> [/home/test/cmbr/vbnmvbnm]
[2011/05/06 09:44:03, 3] smbd/vfs.c:974(check_reduced_name)
reduce_name: cmbr/vbnmvbnm reduced to /home/test/cmbr/vbnmvbnm
[2011/05/06 09:44:03, 10] smbd/open.c:2896(create_file_unixpath)
create_file_unixpath: access_mask = 0x110080 file_attributes = 0x0,
share_access = 0x7, create_disposition = 0x1 create_options = 0x200000
oplock_request = 0x0 ea_list = 0x(nil), sd = 0x(nil), fname = cmbr/vbnmvbnm
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:3372(posix_get_nt_acl)
posix_get_nt_acl: called for file cmbr
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2522(canonicalise_acl)
canonicalise_acl: Access ace entries before arrange :
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2535(canonicalise_acl)
canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
ace_flags = 0x0 perms ---
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2535(canonicalise_acl)
canon_ace index 1. Type = allow SID = S-1-22-2-100 gid 100 (users)
SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rwx
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2535(canonicalise_acl)
canon_ace index 2. Type = allow SID =
S-1-5-21-2171229024-547788684-1459996048-4416 uid 1709 (X)
SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:838(print_canon_ace_list)
print_canon_ace_list: canonicalise_acl: ace entries after arrange
canon_ace index 0. Type = allow SID =
S-1-5-21-2171229024-547788684-1459996048-4416 uid 1709 (X)
SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
canon_ace index 1. Type = allow SID = S-1-22-2-100 gid 100 (users)
SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rwx
canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
ace_flags = 0x0 perms ---
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
map_canon_ace_perms: Mapped (UNIX) 0 to (NT) 0
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:3372(posix_get_nt_acl)
posix_get_nt_acl: called for file cmbr/vbnmvbnm
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2522(canonicalise_acl)
canonicalise_acl: Access ace entries before arrange :
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2535(canonicalise_acl)
canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
ace_flags = 0x0 perms rwx
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2535(canonicalise_acl)
canon_ace index 1. Type = allow SID = S-1-22-2-100 gid 100 (users)
SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rwx
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2535(canonicalise_acl)
canon_ace index 2. Type = allow SID =
S-1-5-21-2171229024-547788684-1459996048-4416 uid 1709 (X)
SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:838(print_canon_ace_list)
print_canon_ace_list: canonicalise_acl: ace entries after arrange
canon_ace index 0. Type = allow SID =
S-1-5-21-2171229024-547788684-1459996048-4416 uid 1709 (X)
SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
canon_ace index 1. Type = allow SID = S-1-22-2-100 gid 100 (users)
SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rwx
canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
ace_flags = 0x0 perms rwx
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1e01ff
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1e01ff
[2011/05/06 09:44:03, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1e01ff
[2011/05/06 09:44:03, 10] smbd/open.c:2952(create_file_unixpath)
create_file_unixpath: open file cmbr/vbnmvbnm for delete ACCESS_DENIED
[2011/05/06 09:44:03, 10] smbd/open.c:3218(create_file_unixpath)
create_file_unixpath: NT_STATUS_ACCESS_DENIED
[2011/05/06 09:44:03, 10] smbd/open.c:3497(create_file_default)
create_file: NT_STATUS_ACCESS_DENIED
[2011/05/06 09:44:03, 3] smbd/error.c:60(error_packet_set)
error packet at smbd/nttrans.c(563) cmd=162 (SMBntcreateX)
NT_STATUS_ACCESS_DENIED
[2011/05/06 09:44:03, 5] lib/util.c:632(show_msg)
[2011/05/06 09:44:03, 5] lib/util.c:642(show_msg)
size=35
smb_com=0xa2
smb_rcls=34
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51201
smb_tid=2
smb_pid=3440
smb_uid=102
smb_mid=10496
smt_wct=0
smb_bcc=0
[2011/05/06 09:44:03, 10] lib/util_sock.c:789(read_smb_length_return_keepalive)
got smb length of 104
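As an added illustration (not Samba's own code and not the poster's), here is a simplified version of the canonical ACE walk that se_access_check performs, fed with the SIDs, the mapped NT masks from the log above (0x1f01ff for the directory cmbr, 0x1e01ff for the file cmbr/vbnmvbnm) and the requested access_mask 0x110080 of the SMBntcreateX. The Windows access-right bit names are assumed standard constants, and the deny-before-allow evaluation is a simplification of what Samba actually does.

```python
from dataclasses import dataclass

# Standard Windows access-right bits (well-known constants, assumed; not from the log).
DELETE, SYNCHRONIZE = 0x00010000, 0x00100000
RIGHT_NAMES = {
    0x01: "FILE_READ_DATA", 0x02: "FILE_WRITE_DATA", 0x04: "FILE_APPEND_DATA",
    0x08: "FILE_READ_EA", 0x10: "FILE_WRITE_EA", 0x20: "FILE_EXECUTE",
    0x40: "FILE_DELETE_CHILD", 0x80: "FILE_READ_ATTRIBUTES",
    0x100: "FILE_WRITE_ATTRIBUTES", DELETE: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", SYNCHRONIZE: "SYNCHRONIZE",
}

@dataclass
class Ace:
    allow: bool   # True = access-allowed ACE, False = access-denied ACE
    sid: str
    mask: int

def decode_mask(mask):
    """Name every set bit of an NT access mask, lowest bit first."""
    return [name for bit, name in sorted(RIGHT_NAMES.items()) if mask & bit]

def se_access_check(acl, token_sids, desired):
    """Simplified canonical ACE walk (illustration only): a matching deny ACE refuses
    any still-wanted bit it covers, a matching allow ACE grants bits; returns (granted, missing)."""
    remaining = desired
    for ace in acl:
        if ace.sid not in token_sids:
            continue
        if not ace.allow and ace.mask & remaining:
            return False, ace.mask & remaining
        if ace.allow:
            remaining &= ~ace.mask
    return remaining == 0, remaining

# SIDs and mapped NT masks copied from the debug log: user X (owner), group users, Everyone.
OWNER, USERS, EVERYONE = "S-1-5-21-2171229024-547788684-1459996048-4416", "S-1-22-2-100", "S-1-1-0"
TOKEN = {OWNER, USERS, EVERYONE}   # user X owns the files and is a member of users
DIR_ACL = [Ace(True, OWNER, 0x1f01ff), Ace(True, USERS, 0x1f01ff), Ace(True, EVERYONE, 0)]
FILE_ACL = [Ace(True, OWNER, 0x1e01ff), Ace(True, USERS, 0x1e01ff), Ace(True, EVERYONE, 0x1e01ff)]
REQUESTED = 0x110080   # access_mask of the SMBntcreateX in the log

def check_delete_open():
    """Evaluate the logged open against the directory's and the file's mapped ACL."""
    results = {}
    for path, acl in (("cmbr", DIR_ACL), ("cmbr/vbnmvbnm", FILE_ACL)):
        ok, missing = se_access_check(acl, TOKEN, REQUESTED)
        results[path] = (ok, decode_mask(missing))
    return results
```

Calling check_delete_open() shows the directory mask satisfying the request while the file mask leaves DELETE unsatisfied: the two mapped masks in the log differ by exactly the DELETE bit (0x1f01ff ^ 0x1e01ff == 0x10000), which is the bit the requested 0x110080 (FILE_READ_ATTRIBUTES | DELETE | SYNCHRONIZE) needs.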