[Samba] Groups on AD and LDAP samba configuration

Markus Lang markus at univention.se
Mon Apr 16 08:01:12 MDT 2012


Hi!

I have a problem regarding Samba on AIX, AD and LDAP integration.

The setup is this:
AIX 5.3
Samba 3.6.4, compiled with the following:
./configure AR="ar -X64" NM="nm -X64" CC="/usr/vacpp/bin/xlc -q64" \
  CXX="/usr/vacpp/bin/xlC -q64" CFLAGS="-O -q64" CXXFLAGS="-O -q64" \
  LDFLAGS="-bdynamic -brtl -b64 -blibpath:/sleipner/apps/lib:/lib:/usr/lib -L/sleipner/apps/lib" \
  CPPFLAGS="-I/sleipner/apps/include" \
  --prefix=/sleipner/apps --with-krb5=/sleipner/apps --with-ldap --with-ads \
  --with-aio-support --with-automount --with-pam --with-quotas \
  --with-sendfile-support --with-syslog --with-utmp --with-winbind \
  --with-libiconv=/sleipner/apps --with-configdir=/sleipner/apps/etc \
  --with-acl-support \
  --with-shared-modules=idmap_tdb2,idmap_adex,idmap_rid \
  --with-static-modules=idmap_ad,vfs_aixacl2

Samba is joined with AD with no errors, and wbinfo works fine.

It seems that, when I use smbclient, I can log in, as shown below:
root at sleipner:/sleipner/lpp/mdb/mdbt1/ecm/out_files: smbclient //sleipner.mydomain.com/ecmt1 -U rusg
Enter rusg's password:
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 3.6.4]
smb: \>

But, when listing files, I get an error:
NT_STATUS_ACCESS_DENIED listing \*
smb: \>

I can list files on the command prompt as user rusg:
rusg at sleipner:/home/rusg: ls -l /sleipner/lpp/mdb/mdbt1/ecm
total 456
-rw-r----- 1 ecmt1 ecmt1 1822 Apr 27 2006 Only_tracking
drwxrwxr-- 2 ecmt1 ecmt1 4096 Dec 11 2008 TEST_copy
lrwxrwxrwx 1 ecmt1 ecmt1 28 Oct 25 15:16 bin -> /sleipner/lpp/mdb/ecmdev/bin_dev
drwxrwx--- 2 ecmt1 ecmt1 256 Mar 20 2006 catalog
lrwxrwxrwx 1 ecmt1 ecmt1 32 Oct 25 15:16 catalog_data -> /sleipner/lpp/mdb/common/install/ecm
-rw-r--r-- 1 ecmt1 ecmt1 13312 Jul 06 2007 certificates.db
drwxrwx--- 2 ecmt1 ecmt1 256 Mar 20 2006 cleanQ
drwxrwx--- 2 ecmt1 ecmt1 256 Mar 05 2007 config
drwxrwx--- 3 ecmt1 ecmt1 12288 Mar 09 10:38 logs
drwxrwx--- 2 ecmt1 ecmt1 256 Mar 20 2006 mrg_files
drwxrws--- 13 ecmt1 ecmt1 8192 Apr 16 14:52 out_files
drwxrwx--- 4 ecmt1 ecmt1 4096 Mar 09 10:38 out_files_temp
-rw------- 1 ecmt1 ecmt1 4884 Sep 05 2007 pkzipc.xml
-rw------- 1 ecmt1 ecmt1 4884 Aug 30 2007 pkzipc.xml.OLD
drwxrwx--- 2 ecmt1 ecmt1 256 Mar 20 2006 send_files
-rw-rw-r-- 1 ecmt1 ecmt1 3070 Feb 04 2010 sqlnet.log
-rw-rw-r-- 1 ecmt1 ecmt1 68119 Apr 18 2006 truss.log
-rw-rw-r-- 1 ecmt1 ecmt1 68221 Apr 12 2006 truss_am.out
drwxrwx--- 3 ecmt1 ecmt1 8192 Mar 09 10:38 upd_files
lrwxrwxrwx 1 cardord sshd 11 Mar 20 2006 version -> bin/version

My user's groups look like this:
root at sleipner:/: lsuser -R LDAP -a groups rusg
rusg groups=g_rusg,hmdb,ecmt1,mdb


I ran smbd in full debug mode, and I can see that the authentication with AD is working.
Then it tries to find a valid system user to map to AD account.
It finds this user from LDAP (Get_Pwnam_internals did find user [rusg]!)
I can include a full output from smbd debug if requested.

I can see the listing error in the logfile:
chdir (/sleipner/lpp/mdb/mdbt1/ecm) failed, reason: The file access
permissions do not allow the specified action.
error packet at smbd/process.c(1558) cmd=50 (SMBtrans2)
NT_STATUS_ACCESS_DENIED

Now, if I set permissions on the Unix files (and dirs) to have my
primary group as the owning group, it seems to work fine.
But none of my other groups work.


Please advise how to make this work.



-- 
Best Regards
Markus Lang
Univention Systems AB
Phone +46 72 5255020
Email markus at univention.se

