[Samba] Can't get permission on a share to work problem with groups

Chan Min Wai dcmwai at gmail.com
Sun Feb 9 03:04:37 MST 2014


Dear Horace,

Just wondering if this share server is also a DC?

Also, would getent passwd "username" work for you?



On Sun, Feb 9, 2014 at 5:01 PM, Horace <mailinglist at lhplan.tk> wrote:

> On 2014-01-24 18:10, me at electronico.nc wrote:
>
>> On 25/01/2014 08:05, Horace wrote:
>>
>>> Hello,
>>>
>>> 1. I have created a directory /srv/samba4/Public Applications.
>>> 2. I created a group 'Domain Admins' with gid 1003
>>> 3. I setfacl -m group:1003:rwx on Public Applications
>>> 4. I created a share
>>> [Public Applications]
>>>     read list = @ACCOUNTSAD\"Domain Users"
>>>     write list = @"Domain Admins"
>>>     comment = Public Applications
>>>     path = /srv/samba4/Public Applications
>>>     #admin users = @"Domain Admins"
>>> 5. wbinfo --group-info 'Domain Admins'
>>> ACCOUNTSAD\Domain Admins:*:1003:
>>>
>>> Debug level
>>> # Debug logging information
>>> #log level = 10
>>> log level = 3
>>> #log file = /var/log/samba.log.%m
>>> #max log size = 50
>>> debug timestamp = yes
>>> syslog only = yes
>>>
>>>
>>> As anyone can see, I would like Domain Admins to have read-write access and Domain
>>> Users read access only. For whatever reason, when I access the share
>>> \\PDC-S2\Public Applications and try to create a folder, I get Permission
>>> denied.
>>>
>>> I have tailed both syslog and log.smbd and there is NO relevant
>>> information regarding why this is failing.
>>>
>>> Am I doing something wrong here?
>>>
>> Not sure if it's relevant, but I never use shares with spaces in the
>> filename, so you don't have to double-quote them.
>> This avoids a lot of errors.
>> Nicolas
>>
>
> I followed your suggestion and set path to path = /srv/samba4/Public_Applications,
> that resolved some annoying errors. However, I am still getting ACCESS
> DENIED, if you take a look at the logs below:
>
> [2014/02/09 03:46:03.001182,  4, pid=13792, effective(0, 0), real(0, 0)]
> ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2014/02/09 03:46:03.001309,  5, pid=13792, effective(0, 0), real(0, 0)]
> ../source3/smbd/share_access.c:127(token_contains_name)
>   Domain Admins is a None, expected a group
> [2014/02/09 03:46:03.001393, 10, pid=13792, effective(0, 0), real(0, 0)]
> ../source3/smbd/share_access.c:215(user_ok_token)
>   User ACCOUNTSAD\lutchy.horace not in 'valid users'
> [2014/02/09 03:46:03.001474,  2, pid=13792, effective(0, 0), real(0, 0)]
> ../source3/smbd/service.c:418(create_connection_session_info)
>   user 'ACCOUNTSAD\lutchy.horace' (from session setup) not permitted to
> access this share (Public Applications)
> [2014/02/09 03:46:03.001564,  1, pid=13792, effective(0, 0), real(0, 0)]
> ../source3/smbd/service.c:550(make_connection_snum)
>   create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
> [2014/02/09 03:46:03.001655,  5, pid=13792, effective(0, 0), real(0, 0)]
> ../lib/dbwrap/dbwrap.c:187(dbwrap_check_lock_order)
>   check lock order 1 for /usr/local/samba/var/lock/smbXsrv_tcon_global.tdb
> [2014/02/09 03:46:03.001738, 10, pid=13792, effective(0, 0), real(0, 0)]
> ../lib/dbwrap/dbwrap.c:133(debug_lock_order)
>   lock order:  1:/usr/local/samba/var/lock/smbXsrv_tcon_global.tdb
> 2:<none> 3:<none>
> [2014/02/09 03:46:03.001827, 10, pid=13792, effective(0, 0), real(0, 0)]
> ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key)
>   Locking key 96AE9D8A
> [2014/02/09 03:46:03.001920, 10, pid=13792, effective(0, 0), real(0, 0)]
> ../lib/dbwrap/dbwrap_tdb.c:143(db_tdb_fetch_locked_internal)
>   Allocated locked data 0x0xb8ec2290
> [2014/02/09 03:46:03.002025, 10, pid=13792, effective(0, 0), real(0, 0)]
> ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key)
>   Unlocking key 96AE9D8A
> [2014/02/09 03:46:03.002109,  5, pid=13792, effective(0, 0), real(0, 0)]
> ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
>   release lock order 1 for /usr/local/samba/var/lock/
> smbXsrv_tcon_global.tdb
> [2014/02/09 03:46:03.002189, 10, pid=13792, effective(0, 0), real(0, 0)]
> ../lib/dbwrap/dbwrap.c:133(debug_lock_order)
>   lock order:  1:<none> 2:<none> 3:<none>
> [2014/02/09 03:46:03.002380, 10, pid=13792, effective(0, 0), real(0, 0)]
> ../source3/smbd/smb2_server.c:2643(smbd_smb2_request_error_ex)
>   smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] ||
> at ../source3/smbd/smb2_tcon.c:127
> [2014/02/09 03:46:03.002470, 10, pid=13792, effective(0, 0), real(0, 0)]
> ../source3/smbd/smb2_server.c:2544(smbd_smb2_request_done_ex)
>   smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_ACCESS_DENIED]
> body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:2682
> [2014/02/09 03:46:03.002558, 10, pid=13792, effective(0, 0), real(0, 0)]
> ../source3/smbd/smb2_server.c:873(smb2_set_operation_credit)
>   smb2_set_operation_credit: requested 1, charge 1, granted 1, current
> possible/max 386/512, total granted/max/low/range 127/8192/17/127
>
> Domain Admins is a None, expected a group is invalid?
>
> Here is my current configuration for the time being:
>
> [Public Applications]
>
>         write list = @"Domain Admins"
>         comment = Publicly Shared Applications for Intranet Users
>         path = /srv/samba4/Public_Applications
>         valid users = @"Domain Admins"
>
>
> I have also tried valid users = ACCOUNTSAD\"Domain Admins" but I still get
> 'is none, expected a group'. What is the correct syntax for providing groups
> in the valid users field?
>
>
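
A small triage script for the smbd debug log format quoted above, added here as an example and not part of the original thread or of Samba: it re-joins the mail-wrapped entries and pairs each share denial with the name lookups that failed earlier in the same smbd process. The function names are hypothetical; the sample lines are copied from the log excerpt in the thread.

```python
import re

# Lines copied from the log excerpt in the thread, mail-wrapped as posted.
SAMPLE = r"""
[2014/02/09 03:46:03.001309,  5, pid=13792, effective(0, 0), real(0, 0)]
../source3/smbd/share_access.c:127(token_contains_name)
  Domain Admins is a None, expected a group
[2014/02/09 03:46:03.001393, 10, pid=13792, effective(0, 0), real(0, 0)]
../source3/smbd/share_access.c:215(user_ok_token)
  User ACCOUNTSAD\lutchy.horace not in 'valid users'
[2014/02/09 03:46:03.001474,  2, pid=13792, effective(0, 0), real(0, 0)]
../source3/smbd/service.c:418(create_connection_session_info)
  user 'ACCOUNTSAD\lutchy.horace' (from session setup) not permitted to
access this share (Public Applications)
"""

# Header "[timestamp, level, pid=N, ...]" followed by "file:line(function)" and the message.
ENTRY = re.compile(
    r"\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+), pid=(?P<pid>\d+)[^\]]*\]\s*"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*(?P<msg>.*)")
NAME_TYPE = re.compile(r"^(?P<name>.+) is a (?P<got>\w+), expected a (?P<want>\w+)$")
DENIED = re.compile(
    r"^user '(?P<user>[^']+)' .*not permitted to access this share \((?P<share>[^)]*)\)$")

def parse_entries(text):
    """Yield one dict per smbd debug entry, re-joining wrapped continuation lines."""
    chunks = []
    for line in text.splitlines():
        if re.match(r"\[\d{4}/\d\d/\d\d ", line):
            chunks.append([line.strip()])        # a new entry starts at a timestamp header
        elif chunks and line.strip():
            chunks[-1].append(line.strip())      # continuation of the current entry
    for chunk in chunks:
        m = ENTRY.match(" ".join(chunk))
        if m:
            yield m.groupdict()

def explain_denials(text):
    """Pair each share denial with names that failed type lookup in the same pid."""
    pending, findings = {}, []
    for e in parse_entries(text):
        if e["func"] == "token_contains_name" and (m := NAME_TYPE.match(e["msg"])):
            pending.setdefault(e["pid"], []).append((m["name"], m["got"], m["want"]))
        elif e["func"] == "create_connection_session_info" and (m := DENIED.match(e["msg"])):
            findings.append({"user": m["user"], "share": m["share"],
                             "unresolved": pending.pop(e["pid"], [])})
    return findings
```

A denial that comes back with a non-empty `unresolved` list points at name resolution for the `valid users` entry rather than at filesystem ACLs, which is the same question the `getent` check in the reply is probing.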

