[Samba] Permission issue writing to demo share
Rowland Penny
rowlandpenny at googlemail.com
Fri Jun 27 10:39:17 MDT 2014
On 27/06/14 17:15, Lars Hanke wrote:
>
>>> I can read and write the Share using AD\Administrator. AD\StandardUser
>>> can mount the share and read, what the Administrator put there. But he
>>> cannot create or modify files.
>> Please post:
>> smb.conf
> [global]
> workgroup = AD
> realm = AD.MICROSULT.DE
> netbios name = SAMBA
> server role = active directory domain controller
> private dir = /srv/files/private
> lock directory = /srv/files
> state directory = /srv/files/state
> cache directory = /srv/files/cache
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbind, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
>
> # allow for TLS / ldaps
> tls enabled = yes
> tls keyfile = /etc/samba/tls/SAMBA.ad.microsult.de.key.pem
> tls certfile = /etc/samba/tls/SAMBA.ad.microsult.de.pem
> tls cafile = /etc/certs/cacert.pem
>
> # this is from steve's mail
> kerberos method = system keytab
>
> [netlogon]
> path = /srv/files/state/sysvol/ad.microsult.de/scripts
> read only = No
>
> [sysvol]
> path = /srv/files/state/sysvol
> read only = No
>
> [Demo]
> path = /srv/files/shares/Demo
> read only = no
>
>> /etc/nsswitch.conf
> passwd: compat
> group: compat
> shadow: compat
>
This shows that your unix machine is not connecting to AD to find users
or groups; you need to add winbind to the passwd & group lines.
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
>> getent passwd AS\StandardUser
> empty, as is AD\Administrator
Yes, it will be; see above.
>
>
>> getfacl /path/to/your/demo share
> Didn't install ACL so far, since the samba docs claim to use extended
> attributes instead of POSIX ACL.
>
You need to install 'acl'.
> root@samba:/# ls -la /srv/files/shares/Demo/
> total 8
> drwxr-xr-x 2 root root 35 Jun 27 14:24 .
> drwxr-xr-x 3 root root 17 Jun 13 13:19 ..
> -rwxrwxr-x+ 1 3000000 users 32 Jun 27 14:24 Erstellt von Admin.txt
> root@samba:/# attr -l /srv/files/shares/Demo
> root@samba:/# attr -l /srv/files/shares/Demo/*
> Attribute "DOSATTRIB" has a 56 byte value for
> /srv/files/shares/Demo/Erstellt von Admin.txt
> Attribute "NTACL" has a 312 byte value for
> /srv/files/shares/Demo/Erstellt von Admin.txt
> root@samba:/# attr -g NTACL /srv/files/shares/Demo/Erstellt\ von\
> Admin.txt
> attr_get: No data available
> Could not get "NTACL" for /srv/files/shares/Demo/Erstellt von Admin.txt
>
> Actually I had expected AD/Administrator to map to uid 0 instead of
> 3000000. At least this uid is in the LDAP.
>
It will when you add the lines to nsswitch.conf.
Rowland
> Regards,
> - lars.
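
The nsswitch.conf point made in the reply above, as an added example that is not part of the original thread: a small shell check that reports whether the passwd and group databases list winbind. The function names `nss_has_winbind` and `check_nsswitch` are hypothetical, and the two sample files are constructed from the lines quoted in the thread (before) and the same lines with winbind appended (after).

```shell
#!/bin/sh
# Added example: check whether the passwd and group databases in an
# nsswitch.conf-style file list winbind as a source.

# Return 0 if database $2 in file $1 lists winbind. Comments are ignored,
# and "passwd:compat" (no space after the colon) is accepted.
nss_has_winbind() {
    awk -v db="$2:" '
        { sub(/#.*/, ""); sub(/:/, ": ") }
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }
    ' "$1"
}

# Print the databases (passwd, group) that lack winbind; return 1 if any do.
check_nsswitch() {
    missing=""
    for db in passwd group; do
        nss_has_winbind "$1" "$db" || missing="$missing $db"
    done
    [ -z "$missing" ] && return 0
    echo "${missing# }"
    return 1
}

# Constructed samples: the quoted configuration, and the corrected one.
sample_dir=$(mktemp -d)
printf 'passwd: compat\ngroup: compat\nshadow: compat\n' \
    > "$sample_dir/before"
printf 'passwd: compat winbind\ngroup: compat winbind\nshadow: compat\n' \
    > "$sample_dir/after"

for f in before after; do
    if out=$(check_nsswitch "$sample_dir/$f"); then
        echo "$f: passwd and group both list winbind"
    else
        echo "$f: winbind missing from: $out"
    fi
done
rm -rf "$sample_dir"
```

On a real host, `check_nsswitch /etc/nsswitch.conf` runs the same check, and `getent passwd` for a domain user is the follow-up test once the lines are changed.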