[Samba] SMB + Active Directory And No Ability To Delete Files And Folders

L.P.H. van Belle belle at bazuin.nl
Fri Jun 3 01:19:00 MDT 2011


Also I suggest reading this.

http://rhkernel.org/RHEL6+2.6.32-44.1.el6/fs/cifs/TODO 


Louis
 

>-----Original message-----
>From: Peter.Shevchenko at rsise.anu.edu.au
>[mailto:samba-bounces at lists.samba.org] On behalf of Peter Shevchenko
>Sent: 2011-06-03 08:50
>To: samba at lists.samba.org
>Subject: Re: [Samba] SMB + Active Directory And No Ability To Delete Files And Folders
>
>On Wed, 01 Jun 2011 16:35:05 -0400, Jenkins, Mack wrote:
>
>> The 3.5.8 release is not in the yum repo provided by RHEL6.  We are
>> trying to stay within the RHEL yum repo if possible.  But at this point,
>> if there is a repo that has a 3.5.8 release, I'd be more than happy to
>> give it a try.
>> 
>> --
>> Mack J. Jenkins, II
>> 404-385-1591
>> mack.jenkins at eas.gatech.edu
>> System Support Engineer II
>> Earth & Atmospheric Sciences
>> 
>> 
>> ----- Original Message -----
>> From: "Jeremy Allison" <jra at samba.org>
>> To: "Mack Jenkins" <mack.jenkins at eas.gatech.edu>
>> Cc: samba at lists.samba.org
>> Sent: Friday, May 27, 2011 7:39:21 PM
>> Subject: Re: [Samba] SMB + Active Directory And No Ability To Delete Files And Folders
>> 
>> On Fri, May 27, 2011 at 03:21:17PM -0400, Jenkins, Mack wrote:
>>> I hope that everyone is doing well.  I'm new to the list and look
>>> forward to participating in the community.  I've been using Samba for a
>>> long time and have always preached the samba gospel.  :-)
>>> 
>>> I find myself with a peculiar problem.  I have a RHEL6 install running
>>> Samba Version 3.5.4-68.el6_0.2 acting as a local file server and it is
>>> tied into an Active Directory server for the user management.  When a
>>> user on a Windows box supplies their Active Directory credentials, my
>>> Samba server validates them against the Active Directory server,
>>> creates a directory on the local server, which the user then mounts on
>>> their Windows machine.
>>> 
>>> The problem is this.  The users can create files and folders, but can
>>> not delete them.  Has anyone seen this behavior before?
>> 
>> Sounds somewhat like an old bug that got fixed...
>> 
>> Have you tried a 3.5.8 release?
>
>This sounds like a problem that I have been having.  It looks to me like
>the open bug 7521.  My situation is:
>
>1) Two different windows AD domains one windows 2000 the other 2008R2.
>2) Three separate Samba servers one (ubuntu 10.04 LTS with samba 3.4.7
>and I have also tried 3.5.8) joined to the 2008r2 domain.  On the other
>domain I have an old samba 3.0.14 server and a new samba 3.4.7 (also
>tried 3.5.8) joined to it.  Out of the three samba servers only the
>3.0.14 works as expected with file deletes.
>
>The problem is if I have a share in which there is a directory that is
>owned by a group say "foo" with permissions drwxrwxr-x.  Then user "X"
>who is a member of "foo" mounts the drive they are able to create files
>in that directory but they can't delete or change the name of that file.
>
>I have been trying to find documentation of how samba handles the
>translation of permissions in terms of windows ACLs, linux ACLs and POSIX
>permissions but have not found much that is at all current.  I have also
>looked in the code and the problem looks to be in the se_access_check
>function in lib/util_seaccess.c but there are all these big structures
>being passed around and I am really struggling to understand what they
>all mean.  I also don't understand enough about Windows ACLs and how
>samba is storing them to get much further.  I had a look at
>http://samba.org/samba/docs/man/Samba-Developers-Guide/ but it appears to be
>very out of date.  It looks like with samba 3.3 permissions are handled
>totally differently from older releases?
>
>Any ideas?
>
>Peter.
>
>
>This is the smb.conf
>
>[global]
>   workgroup = BLAH
>   realm = BLAH.BLAH.BLAH
>   preferred master = no
>   server string = Linux Samba Server
>   security = ADS
>   encrypt passwords = yes
>   log level = 10
>   log file = /var/log/samba/%m
>   max log size = 500
>   winbind use default domain = Yes
>   winbind nested groups = Yes
>   template shell = /bin/bash
>   map untrusted to domain = Yes
>[homes]
>   comment = Home Direcotries
>   read only = No
>   browsable = No
>   writable = yes
>   create mask = 0644
>   directory mask = 0755
>   path = /home/users/%S
>   store dos attributes = yes
>[test]
>   comment = Test Direcotries
>   read only = No
>   browseable = yes
>   writable = yes
>   create mask = 0644
>   directory mask = 0755
>   path = /home/test
>
>This is a level 10 debug log of some testing I did.
>
>[2011/05/06 09:44:03, 10] ../lib/util/util.c:304(_dump_data)
>  [0000] 00 5C 00 63 00 6D 00 62   00 72 00 5C 00 76 00 62   .\.c.m.b .r.\.v.b
>  [0010] 00 6E 00 6D 00 76 00 62   00 6E 00 6D 00 00 00     .n.m.v.b .n.m...
>[2011/05/06 09:44:03,  3] smbd/process.c:1273(switch_message)
>  switch message SMBntcreateX (pid 13841) conn 0x7fa151fea970
>[2011/05/06 09:44:03,  4] smbd/uid.c:256(change_to_user)
>  change_to_user: Skipping user change - already user
>[2011/05/06 09:44:03, 10] smbd/nttrans.c:484(reply_ntcreate_and_X)
>  reply_ntcreate_and_X: flags = 0x10, access_mask = 0x110080 file_attributes = 0x0, share_access = 0x7, create_disposition = 0x1 create_options = 0x200000 root_dir_fid = 0x0, fname = cmbr/vbnmvbnm
>[2011/05/06 09:44:03, 10] smbd/open.c:3365(create_file_default)
>  create_file: access_mask = 0x110080 file_attributes = 0x0, share_access = 0x7, create_disposition = 0x1 create_options = 0x200000 oplock_request = 0x0 root_dir_fid = 0x0, ea_list = 0x(nil), sd = 0x(nil), create_file_flags = 0x1, fname = cmbr/vbnmvbnm
>[2011/05/06 09:44:03,  5] smbd/filename.c:148(unix_convert)
>  unix_convert called on file "cmbr/vbnmvbnm"
>[2011/05/06 09:44:03, 10] smbd/statcache.c:274(stat_cache_lookup)
>  stat_cache_lookup: lookup succeeded for name [CMBR/VBNMVBNM] -> [cmbr/vbnmvbnm]
>[2011/05/06 09:44:03,  3] smbd/vfs.c:865(check_reduced_name)
>  reduce_name [cmbr/vbnmvbnm] [/home/test]
>[2011/05/06 09:44:03, 10] smbd/vfs.c:937(check_reduced_name)
>  reduce_name realpath [cmbr/vbnmvbnm] -> [/home/test/cmbr/vbnmvbnm]
>[2011/05/06 09:44:03,  3] smbd/vfs.c:974(check_reduced_name)
>  reduce_name: cmbr/vbnmvbnm reduced to /home/test/cmbr/vbnmvbnm
>[2011/05/06 09:44:03, 10] smbd/open.c:2896(create_file_unixpath)
>  create_file_unixpath: access_mask = 0x110080 file_attributes = 0x0, share_access = 0x7, create_disposition = 0x1 create_options = 0x200000 oplock_request = 0x0 ea_list = 0x(nil), sd = 0x(nil), fname = cmbr/vbnmvbnm
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:3372(posix_get_nt_acl)
>  posix_get_nt_acl: called for file cmbr
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2522(canonicalise_acl)
>  canonicalise_acl: Access ace entries before arrange :
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2535(canonicalise_acl)
>  canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms ---
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2535(canonicalise_acl)
>  canon_ace index 1. Type = allow SID = S-1-22-2-100 gid 100 (users) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rwx
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2535(canonicalise_acl)
>  canon_ace index 2. Type = allow SID = S-1-5-21-2171229024-547788684-1459996048-4416 uid 1709 (X) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:838(print_canon_ace_list)
>  print_canon_ace_list: canonicalise_acl: ace entries after arrange
>  canon_ace index 0. Type = allow SID = S-1-5-21-2171229024-547788684-1459996048-4416 uid 1709 (X) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
>  canon_ace index 1. Type = allow SID = S-1-22-2-100 gid 100 (users) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rwx
>  canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms ---
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
>  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
>  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
>  map_canon_ace_perms: Mapped (UNIX) 0 to (NT) 0
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:3372(posix_get_nt_acl)
>  posix_get_nt_acl: called for file cmbr/vbnmvbnm
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2522(canonicalise_acl)
>  canonicalise_acl: Access ace entries before arrange :
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2535(canonicalise_acl)
>  canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms rwx
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2535(canonicalise_acl)
>  canon_ace index 1. Type = allow SID = S-1-22-2-100 gid 100 (users) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rwx
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:2535(canonicalise_acl)
>  canon_ace index 2. Type = allow SID = S-1-5-21-2171229024-547788684-1459996048-4416 uid 1709 (X) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:838(print_canon_ace_list)
>  print_canon_ace_list: canonicalise_acl: ace entries after arrange
>  canon_ace index 0. Type = allow SID = S-1-5-21-2171229024-547788684-1459996048-4416 uid 1709 (X) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
>  canon_ace index 1. Type = allow SID = S-1-22-2-100 gid 100 (users) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rwx
>  canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms rwx
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
>  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1e01ff
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
>  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1e01ff
>[2011/05/06 09:44:03, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
>  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1e01ff
>[2011/05/06 09:44:03, 10] smbd/open.c:2952(create_file_unixpath)
>  create_file_unixpath: open file cmbr/vbnmvbnm for delete ACCESS_DENIED
>[2011/05/06 09:44:03, 10] smbd/open.c:3218(create_file_unixpath)
>  create_file_unixpath: NT_STATUS_ACCESS_DENIED
>[2011/05/06 09:44:03, 10] smbd/open.c:3497(create_file_default)
>  create_file: NT_STATUS_ACCESS_DENIED
>[2011/05/06 09:44:03,  3] smbd/error.c:60(error_packet_set)
>  error packet at smbd/nttrans.c(563) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED
>[2011/05/06 09:44:03,  5] lib/util.c:632(show_msg)
>[2011/05/06 09:44:03,  5] lib/util.c:642(show_msg)
>  size=35
>  smb_com=0xa2
>  smb_rcls=34
>  smb_reh=0
>  smb_err=49152
>  smb_flg=136
>  smb_flg2=51201
>  smb_tid=2
>  smb_pid=3440
>  smb_uid=102
>  smb_mid=10496
>  smt_wct=0
>  smb_bcc=0
>[2011/05/06 09:44:03, 10] lib/util_sock.c:789(read_smb_length_return_keepalive)
>  got smb length of 104
>
>
>
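
Added example, not part of the original thread: a small decoder for the hexadecimal access masks in the level 10 log quoted above, showing which bits of the client's requested access_mask are absent from the NT masks that map_canon_ace_perms reports for each path. The function names are hypothetical, the sample is an abridged copy of the quoted log with the mail wrapping undone, and the code only decodes masks; it does not reproduce Samba's se_access_check logic.

```python
import re
# NT access-mask bits for files (file-specific rights plus standard rights).
ACCESS_BITS = {
    0x000001: "FILE_READ_DATA", 0x000002: "FILE_WRITE_DATA",
    0x000004: "FILE_APPEND_DATA", 0x000008: "FILE_READ_EA",
    0x000010: "FILE_WRITE_EA", 0x000020: "FILE_EXECUTE",
    0x000040: "FILE_DELETE_CHILD", 0x000080: "FILE_READ_ATTRIBUTES",
    0x000100: "FILE_WRITE_ATTRIBUTES", 0x010000: "DELETE",
    0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}

# Constructed sample: abridged lines from the quoted log, wrapping undone.
SAMPLE_LOG = """\
  reply_ntcreate_and_X: flags = 0x10, access_mask = 0x110080 file_attributes = 0x0, fname = cmbr/vbnmvbnm
  posix_get_nt_acl: called for file cmbr
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
  map_canon_ace_perms: Mapped (UNIX) 0 to (NT) 0
  posix_get_nt_acl: called for file cmbr/vbnmvbnm
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1e01ff
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1e01ff
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1e01ff
  create_file_unixpath: open file cmbr/vbnmvbnm for delete ACCESS_DENIED
"""

def decode(mask):
    """Return the names of the access bits set in mask, lowest bit first."""
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]

def analyse(log):
    """Collect the requested mask and the NT masks mapped for each path."""
    requested, current, mapped = None, None, {}
    for line in log.splitlines():
        if m := re.search(r"reply_ntcreate_and_X:.*access_mask = (0x[0-9a-fA-F]+)", line):
            requested = int(m.group(1), 16)
        elif m := re.search(r"posix_get_nt_acl: called for file (\S+)", line):
            current = m.group(1)
            mapped[current] = []
        elif (m := re.search(r"Mapped \(UNIX\) [0-9a-f]+ to \(NT\) ([0-9a-f]+)", line)) and current:
            mapped[current].append(int(m.group(1), 16))
    return requested, mapped

def missing_bits(requested, ace_masks):
    """Requested bits that none of the mapped ACE masks grant."""
    granted = 0
    for mask in ace_masks:
        granted |= mask
    return decode(requested & ~granted)
```

On the sample, the request decodes to FILE_READ_ATTRIBUTES, DELETE and SYNCHRONIZE; the masks mapped for the file cmbr/vbnmvbnm (1e01ff) lack DELETE, while those mapped for the directory cmbr (1f01ff) include both DELETE and FILE_DELETE_CHILD.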


