[Samba] SMB + Active Directory And No Ability To Delete Files And Folders
L.P.H. van Belle
belle at bazuin.nl
Fri Jun 3 01:09:22 MDT 2011
Hi,
For Samba RHEL packages, look here:
http://www.enterprisesamba.org/index.php?id=54
Louis
>-----Original message-----
>From: Peter.Shevchenko at rsise.anu.edu.au
>[mailto:samba-bounces at lists.samba.org] On behalf of Peter Shevchenko
>Sent: 2011-06-03 08:50
>To: samba at lists.samba.org
>Subject: Re: [Samba] SMB + Active Directory And No Ability To Delete Files And Folders
>
>On Wed, 01 Jun 2011 16:35:05 -0400, Jenkins, Mack wrote:
>
>> The 3.5.8 release is not in the yum repo provided by RHEL6. We are
>> trying to stay within the RHEL yum repo if possible. But at this point,
>> if there is a repo that has a 3.5.8 release, I'd be more than happy to
>> give it a try.
>>
>> --
>> Mack J. Jenkins, II
>> 404-385-1591
>> mack.jenkins at eas.gatech.edu
>> System Support Engineer II
>> Earth & Atmospheric Sciences
>>
>>
>> ----- Original Message -----
>> From: "Jeremy Allison" <jra at samba.org>
>> To: "Mack Jenkins" <mack.jenkins at eas.gatech.edu>
>> Cc: samba at lists.samba.org
>> Sent: Friday, May 27, 2011 7:39:21 PM
>> Subject: Re: [Samba] SMB + Active Directory And No Ability To Delete Files And Folders
>>
>> On Fri, May 27, 2011 at 03:21:17PM -0400, Jenkins, Mack wrote:
>>> I hope that everyone is doing well. I'm new to the list and look
>>> forward to participating in the community. I've been using Samba for a
>>> long time and have always preached the samba gospel. :-)
>>>
>>> I find myself with a peculiar problem. I have a RHEL6 install running
>>> Samba Version 3.5.4-68.el6_0.2 acting as a local file server and it is
>>> tied into an Active Directory server for the user management. When a
>>> user on a Windows box supplies their Active Directory credentials, my
>>> Samba server validates them against the Active Directory server,
>>> creates a directory on the local server, which the user then mounts on
>>> their Windows machine.
>>>
>>> The problem is this. The users can create files and folders, but can
>>> not delete them. Has anyone seen this behavior before?
>>
>> Sounds somewhat like an old bug that got fixed...
>>
>> Have you tried a 3.5.8. release ?
>
>This sounds like a problem that I have been having. It looks to me like
>the open bug 7521. My situation is:
>
>1) Two different windows AD domains one windows 2000 the other 2008R2.
>2) Three separate Samba servers one (ubuntu 10.04 LTS with samba 3.4.7
>and I have also tried 3.5.8) joined to the 2008r2 domain. On the other
>domain I have an old samba 3.0.14 server and a new samba 3.4.7 (also
>tried 3.5.8) joined to it. Out of the three samba servers only the
>3.0.14 works as expected with file deletes.
>
>The problem is if I have a share in which there is a directory that is
>owned by a group say "foo" with permissions drwxrwxr-x. Then user "X"
>who is a member of "foo" mounts the drive they are able to create files
>in that directory but they can't delete or change the name of that file.
>
>I have been trying to find documentation of how samba handles the
>translation of permissions in terms of windows ACLs, linux ACLs and POSIX
>permissions but have not found much that is at all current. I have also
>looked in the code and the problem looks to be in the se_access_check
>function in lib/util_seaccess.c but there are all these big structures
>being passed around and I am really struggling to understand what they
>all mean. I also don't understand enough about Windows ACLs and how
>samba is storing them to get much further. I had a look at
>http://samba.org/samba/docs/man/Samba-Developers-Guide/ but it appears to be
>very out of date. It looks like with samba 3.3 permissions are handled
>totally differently from older releases?
>
>Any ideas?
>
>Peter.
>
>
>This is the smb.conf
>
>[global]
> workgroup = BLAH
> realm = BLAH.BLAH.BLAH
> preferred master = no
> server string = Linux Samba Server
> security = ADS
> encrypt passwords = yes
> log level = 10
> log file = /var/log/samba/%m
> max log size = 500
> winbind use default domain = Yes
> winbind nested groups = Yes
> template shell = /bin/bash
> map untrusted to domain = Yes
>[homes]
> comment = Home Direcotries
> read only = No
> browsable = No
> writable = yes
> create mask = 0644
> directory mask = 0755
> path = /home/users/%S
> store dos attributes = yes
>[test]
> comment = Test Direcotries
> read only = No
> browseable = yes
> writable = yes
> create mask = 0644
> directory mask = 0755
> path = /home/test
>
>This is a level 10 debug log of some testing I did.
>
>[2011/05/06 09:44:03, 10] ../lib/util/util.c:304(_dump_data)
> [0000] 00 5C 00 63 00 6D 00 62 00 72 00 5C 00 76 00 62 .\.c.m.b .r.\.v.b
> [0010] 00 6E 00 6D 00 76 00 62 00 6E 00 6D 00 00 00 .n.m.v.b .n.m...
>[2011/05/06 09:44:03, 3] smbd/process.c:1273(switch_message)
> switch message SMBntcreateX (pid 13841) conn 0x7fa151fea970
>[2011/05/06 09:44:03, 4] smbd/uid.c:256(change_to_user)
> change_to_user: Skipping user change - already user
>[2011/05/06 09:44:03, 10] smbd/nttrans.c:484(reply_ntcreate_and_X)
> reply_ntcreate_and_X: flags = 0x10, access_mask = 0x110080 file_attributes = 0x0, share_access = 0x7, create_disposition = 0x1 create_options = 0x200000 root_dir_fid = 0x0, fname = cmbr/vbnmvbnm
>[2011/05/06 09:44:03, 10] smbd/open.c:3365(create_file_default)
> create_file: access_mask = 0x110080 file_attributes = 0x0, share_access = 0x7, create_disposition = 0x1 create_options = 0x200000 oplock_request = 0x0 root_dir_fid = 0x0, ea_list = 0x(nil), sd = 0x(nil), create_file_flags = 0x1, fname = cmbr/vbnmvbnm
>[2011/05/06 09:44:03, 5] smbd/filename.c:148(unix_convert)
> unix_convert called on file "cmbr/vbnmvbnm"
>[2011/05/06 09:44:03, 10] smbd/statcache.c:274(stat_cache_lookup)
> stat_cache_lookup: lookup succeeded for name [CMBR/VBNMVBNM] -> [cmbr/vbnmvbnm]
>[2011/05/06 09:44:03, 3] smbd/vfs.c:865(check_reduced_name)
> reduce_name [cmbr/vbnmvbnm] [/home/test]
>[2011/05/06 09:44:03, 10] smbd/vfs.c:937(check_reduced_name)
> reduce_name realpath [cmbr/vbnmvbnm] -> [/home/test/cmbr/vbnmvbnm]
>[2011/05/06 09:44:03, 3] smbd/vfs.c:974(check_reduced_name)
> reduce_name: cmbr/vbnmvbnm reduced to /home/test/cmbr/vbnmvbnm
>[2011/05/06 09:44:03, 10] smbd/open.c:2896(create_file_unixpath)
> create_file_unixpath: access_mask = 0x110080 file_attributes = 0x0, share_access = 0x7, create_disposition = 0x1 create_options = 0x200000 oplock_request = 0x0 ea_list = 0x(nil), sd = 0x(nil), fname = cmbr/vbnmvbnm
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:3372(posix_get_nt_acl)
> posix_get_nt_acl: called for file cmbr
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2522(canonicalise_acl)
> canonicalise_acl: Access ace entries before arrange :
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2535(canonicalise_acl)
> canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms ---
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2535(canonicalise_acl)
> canon_ace index 1. Type = allow SID = S-1-22-2-100 gid 100 (users) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rwx
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2535(canonicalise_acl)
> canon_ace index 2. Type = allow SID = S-1-5-21-2171229024-547788684-1459996048-4416 uid 1709 (X) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:838(print_canon_ace_list)
> print_canon_ace_list: canonicalise_acl: ace entries after arrange
> canon_ace index 0. Type = allow SID = S-1-5-21-2171229024-547788684-1459996048-4416 uid 1709 (X) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
> canon_ace index 1. Type = allow SID = S-1-22-2-100 gid 100 (users) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rwx
> canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms ---
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
> map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
> map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
> map_canon_ace_perms: Mapped (UNIX) 0 to (NT) 0
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:3372(posix_get_nt_acl)
> posix_get_nt_acl: called for file cmbr/vbnmvbnm
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2522(canonicalise_acl)
> canonicalise_acl: Access ace entries before arrange :
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2535(canonicalise_acl)
> canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms rwx
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2535(canonicalise_acl)
> canon_ace index 1. Type = allow SID = S-1-22-2-100 gid 100 (users) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rwx
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2535(canonicalise_acl)
> canon_ace index 2. Type = allow SID = S-1-5-21-2171229024-547788684-1459996048-4416 uid 1709 (X) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:838(print_canon_ace_list)
> print_canon_ace_list: canonicalise_acl: ace entries after arrange
> canon_ace index 0. Type = allow SID = S-1-5-21-2171229024-547788684-1459996048-4416 uid 1709 (X) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
> canon_ace index 1. Type = allow SID = S-1-22-2-100 gid 100 (users) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rwx
> canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms rwx
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
> map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1e01ff
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
> map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1e01ff
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
> map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1e01ff
>[2011/05/06 09:44:03, 10] smbd/open.c:2952(create_file_unixpath)
> create_file_unixpath: open file cmbr/vbnmvbnm for delete ACCESS_DENIED
>[2011/05/06 09:44:03, 10] smbd/open.c:3218(create_file_unixpath)
> create_file_unixpath: NT_STATUS_ACCESS_DENIED
>[2011/05/06 09:44:03, 10] smbd/open.c:3497(create_file_default)
> create_file: NT_STATUS_ACCESS_DENIED
>[2011/05/06 09:44:03, 3] smbd/error.c:60(error_packet_set)
> error packet at smbd/nttrans.c(563) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED
>[2011/05/06 09:44:03, 5] lib/util.c:632(show_msg)
>[2011/05/06 09:44:03, 5] lib/util.c:642(show_msg)
> size=35
> smb_com=0xa2
> smb_rcls=34
> smb_reh=0
> smb_err=49152
> smb_flg=136
> smb_flg2=51201
> smb_tid=2
> smb_pid=3440
> smb_uid=102
> smb_mid=10496
> smt_wct=0
> smb_bcc=0
>[2011/05/06 09:44:03, 10] lib/util_sock.c:789(read_smb_length_return_keepalive)
> got smb length of 104
>
>
>
>