[Samba] Fwd: Re: Re: Cannot add/modify ACL through windows client
?icro MEGAS
micromegas at mail333.com
Wed May 15 03:23:08 MDT 2013
Hi Denis,
my smb.conf on PDC (hostname=donald) looks like that:
[global]
workgroup = MYDOM
server string = Fileserver
interfaces = 172.16.0.1/16, 127.0.0.1
update encrypted = Yes
map to guest = Bad User
passdb backend = ldapsam:ldap://172.16.0.1
log level = 2
syslog = 0
log file = /var/log/samba/log.%m
max log size = 500
name resolve order = hosts wins lmhosts bcast
socket options = IPTOS_LOWDELAY TCP_NODELAY
cups server = 127.0.0.1
add user script = /opt/IDEALX/sbin/smbldap-useradd -m %u
delete user script = /opt/IDEALX/sbin/smbldap-userdel %u
add group script = /opt/IDEALX/sbin/smbldap-groupadd -a '%g'
delete group script = /opt/IDEALX/sbin/smbldap-groupdel %g
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -m '%u' '%g'
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%u' '%g'
add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u'
logon script = %U.bat
logon path = \\donald\profiles\%U
logon drive = U:
domain logons = Yes
os level = 254
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=root,dc=foobar,dc=com
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=computers
ldap passwd sync = yes
ldap suffix = dc=foobar,dc=com
ldap ssl = no
ldap user suffix = ou=users
admin users = admin, "@Domain Admins"
cups options = raw
veto files = /*.eml/*.nws/riched20.dll/*.{*}/
The smb.conf of my member server (=pluto) which is just serving fileservices looks like that:
[global]
workgroup = MYDOM
netbios name = PLUTO
security = domain
enable privileges = yes
server string = Samba Server %v
encrypt passwords = true
unix password sync = yes
ldap passwd sync = yes
ldap ssl = off
passwd program = /usr/sbin/smbldap-passwd -u "%u"
passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
log level = 3
syslog = 2
log file = /var/log/samba/log.%m
max log size = 100000
mangling method = hash2
Dos charset = 850
Unix charset = UTF-8
password server = *
domain logons = No
domain master = No
passdb backend = ldapsam:ldap://172.16.0.1/
ldap admin dn = cn=root,dc=foobar,dc=com
ldap suffix = dc=foobar,dc=com
ldap group suffix = ou=groups
ldap user suffix = ou=users
ldap machine suffix = ou=computers
ldap idmap suffix = ou=idmap
admin users = admin
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
load printers = No
printing = cups
printcap name = cups
deadtime = 10
guest account = nobody
map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes
preserve case = yes
short preserve case = yes
case sensitive = no
I also realized that pdbedit -L on the PDC outputs everything correctly. But when I execute pdbedit -L on the member server "pluto" I get for every account an error like:
sid S-1-5-21-1062190697-4189521229-2202214947-1080 does not belong to our domain
Here's the output of some other useful commands:
root at donald:~ # net getdomainsid
SID for local machine DONALD is: S-1-5-21-1062190697-4189521229-2202214947
SID for domain MYDOM is: S-1-5-21-1062190697-4189521229-2202214947
root at pluto:~# net getdomainsid
SID for local machine PLUTO is: S-1-5-21-1434506976-3680264795-2229774564
SID for domain MYDOM is: S-1-5-21-1062190697-4189521229-2202214947
Samba4 really rocks, I already work with that, but on another environment ;)
Wed 15 May 2013 12:46:55 +0400, Denis Cardon wrote:
Hi Lucas,
> on both samba hosts (donald and pluto) these commands work great:
>
> id johndoe
> getent group
> getent passwd
>
> My pluto:/etc/nsswitch.conf looks like that:
> [...]
> passwd: compat ldap
> group: compat ldap
> shadow: compat ldap
> [...]
>
> I want to add, that the described problem works fine if I try it on a share on "donald", my domain controller. The users are displayed fine under the security tab. So where could be the problem?
Users may be displayed because of a query to the PDC.
If your nsswitch works properly, then I think we ought to look into your
smb.conf. Could you please post the global part? Are you using
security=user or security=domain?
What do you get with pdbedit -L -v ?
By the way, samba4 rocks and it is much easier to setup. You should try it.
Cheers,
Denis
>
> Lucas
>
> Tue 14 May 2013 19:57:00 +0400, Denis Cardon wrote:
> Hi Lucas,
>
>> I am struggling around with Windows ACLs and cannot find a solution nor how to troubleshoot that. I have two samba3 hosts. Hostname "donald" is my domain controller with samba 3.x + OpenLDAP server running. Hostname "pluto" is my other samba 3.x server which was joined to my domain. I use LDAP for my users+groups. I don't have winbind on my machines. On hostname "pluto" I have a share in smb.conf which says:
>>
>> [free4all]
>> path = /data/free4all
>> read only = No
>> create mask = 0777
>> directory mask = 0777
>> vfs object = acl_xattr
>> nt acl support = yes
>> dos filemode = yes
>>
>> "testparm -s -a -v |grep acl" shows me:
>>
>> acl compatibility = auto
>> acl check permissions = Yes
>> acl group control = No
>> acl map full control = Yes
>> force unknown acl user = No
>> inherit acls = No
>> nt acl support = Yes
>> profile acls = No
>> map acl inherit = No
>> vfs objects = acl_xattr
>> force unknown acl user = Yes
>>
>> On a windows client I am right-clicking on \\pluto\free4all\subdir and choose the "Security" tab. I see a user called "Everyone" and a user without username, but only SID number. The SID is S-1-5-21-blablabla-1234567-blabla-500. I manually checked this SID at my LDAP database. Funnily I have two users with this same SID, one is called "root" and the other is called "admin". Weird, but not important imho at this point.
>
> Rid -500 is part of the well known SID, it should be for admin user and
> shouldn't be used for root (http://support.microsoft.com/kb/243330)
>
>> Back on the windows client, inside the "Security" tab, I click on "Add" and choose a user of my Domain Users. I see him in the list. But as soon as I click "Apply" on this window, the user disappears from the security tab list. The logfile at samba-server hostname=pluto outputs:
>>
>> [2013/05/14 15:48:08.861822, 0] smbd/posix_acls.c:1755(create_canon_ace_lists)
>> create_canon_ace_lists: unable to map SID S-1-5-21-1062190697-4189521229-2202214947-129762 to uid or gid.
>>
>> This SID was the user I tried to add. Why does this not work and how should I fix or even troubleshoot that? I really need some assistance, I have no clue what else to try. Thanks to everyone.
>
> Are you sure that there is a uid/gid mapping for your samba users on
> your server? For instance, if you type "id myusername" or "getent
> passwd", do you get a uid?
>
> If not, you should check if your /etc/nsswitch.conf configuration is ok.
> If you don't use winbind, you should have nssldap configured.
>
> Cheers,
>
> Denis
>
>>
>> Lucas.
>>
>
--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
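The thread ends with two facts that point at each other: pluto's local machine SID differs from the MYDOM domain SID, and pdbedit on pluto rejects accounts whose SID carries the MYDOM prefix as "does not belong to our domain". The script below is an added example, not code from the thread or from the Samba project. It parses `net getdomainsid` output, splits account SIDs into domain prefix and RID, classifies each SID as belonging to the domain SID, to the member server's own local SID, or to neither, and flags the RID 500 collision Denis points out (two accounts sharing the well-known administrator RID). Function names are mine; the SIDs and RIDs are the ones quoted in the thread, the account names and the "localtest" entry are constructed sample data. Running it shows that the SID pdbedit rejects on pluto is in the domain namespace, so the host doing the rejecting is comparing against something other than the MYDOM SID; it changes nothing on any server.

```python
"""Check whether Samba account SIDs belong to the domain SID reported by
`net getdomainsid`, and flag duplicate or well-known RIDs.
Added example; sample data below is constructed from values quoted in the thread."""
import re
from collections import defaultdict

# An NT domain-style SID: S-1-5-21-<a>-<b>-<c>[-<rid>]
SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+(?:-\d+)?")


def split_sid(sid):
    """Split an S-1-5-21 SID into (domain_sid, rid); rid is None for a bare domain SID."""
    if not SID_RE.fullmatch(sid):
        raise ValueError("not an S-1-5-21 SID: %r" % sid)
    parts = sid.split("-")            # ['S','1','5','21',a,b,c] plus optional rid
    if len(parts) == 7:
        return sid, None
    return "-".join(parts[:7]), int(parts[7])


def parse_getdomainsid(output):
    """Parse `net getdomainsid` output into {'local': <sid>, 'domain': <sid>}."""
    sids = {}
    for line in output.splitlines():
        m = re.search(r"SID for (local machine|domain) \S+ is: (S-[\d-]+)", line)
        if m:
            sids["local" if m.group(1) == "local machine" else "domain"] = m.group(2)
    return sids


def classify_sid(sid, domain_sid, local_sid):
    """Name the namespace an account SID's prefix falls in: domain, local or foreign."""
    prefix, _rid = split_sid(sid)
    if prefix == domain_sid:
        return "domain"
    if prefix == local_sid:
        return "local"
    return "foreign"


def classify_pdbedit_error(line, domain_sid, local_sid):
    """For a pdbedit 'sid ... does not belong to our domain' line, classify the
    rejected SID; returns None for any other line."""
    m = re.search(r"sid (S-[\d-]+) does not belong to our domain", line)
    if not m:
        return None
    return classify_sid(m.group(1), domain_sid, local_sid)


def audit_accounts(accounts, domain_sid, local_sid):
    """accounts: iterable of (name, sid). Returns a report grouping names by SID
    namespace, plus duplicate SIDs and accounts holding the well-known RID 500."""
    report = {"domain": [], "local": [], "foreign": [], "duplicate": [], "rid500": []}
    by_sid = defaultdict(list)
    for name, sid in accounts:
        by_sid[sid].append(name)
        report[classify_sid(sid, domain_sid, local_sid)].append(name)
        if split_sid(sid)[1] == 500:
            report["rid500"].append(name)
    for sid, names in by_sid.items():
        if len(names) > 1:
            report["duplicate"].append((sid, names))
    return report


# SIDs quoted in the thread.
DOMAIN_SID = "S-1-5-21-1062190697-4189521229-2202214947"
PLUTO_LOCAL_SID = "S-1-5-21-1434506976-3680264795-2229774564"

# Constructed: `net getdomainsid` output as reported from pluto in the thread.
PLUTO_GETDOMAINSID = """\
SID for local machine PLUTO is: S-1-5-21-1434506976-3680264795-2229774564
SID for domain MYDOM is: S-1-5-21-1062190697-4189521229-2202214947
"""

# Constructed account list: names are made up; RIDs 500, 1080 and 129762 appear in
# the thread, "localtest" is a made-up account minted under pluto's own local SID.
ACCOUNTS = [
    ("admin", DOMAIN_SID + "-500"),
    ("root", DOMAIN_SID + "-500"),          # shares admin's SID, as the thread describes
    ("johndoe", DOMAIN_SID + "-129762"),
    ("bob", DOMAIN_SID + "-1080"),
    ("localtest", PLUTO_LOCAL_SID + "-1001"),
]

# Constructed: the pdbedit -L error line reported from pluto in the thread.
PDBEDIT_ERROR = "sid S-1-5-21-1062190697-4189521229-2202214947-1080 does not belong to our domain"

if __name__ == "__main__":
    sids = parse_getdomainsid(PLUTO_GETDOMAINSID)
    print("rejected SID namespace:", classify_pdbedit_error(PDBEDIT_ERROR, sids["domain"], sids["local"]))
    for key, value in audit_accounts(ACCOUNTS, sids["domain"], sids["local"]).items():
        print(key, value)
```

On a real server the inputs would be the output of `net getdomainsid` and the name/SID pairs from `pdbedit -L -v`, fed in place of the constructed constants; the classification of the rejected SID as "domain" is what tells you the mismatch is on the member server's side rather than in the LDAP entries.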