[Samba] Permission issue writing to demo share

Rowland Penny rowlandpenny at googlemail.com
Fri Jun 27 10:39:17 MDT 2014


On 27/06/14 17:15, Lars Hanke wrote:
>
>>> I can read and write the Share using AD\Administrator. AD\StandardUser
>>> can mount the share and read, what the Administrator put there. But he
>>> cannot create or modify files.
>> Please post:
>> smb.conf
> [global]
>         workgroup = AD
>         realm = AD.MICROSULT.DE
>         netbios name = SAMBA
>         server role = active directory domain controller
>         private dir = /srv/files/private
>         lock directory = /srv/files
>         state directory = /srv/files/state
>         cache directory = /srv/files/cache
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
> drepl, winbind, ntp_signd, kcc, dnsupdate
>         idmap_ldb:use rfc2307 = yes
>
>         # allow for TLS / ldaps
>         tls enabled = yes
>         tls keyfile = /etc/samba/tls/SAMBA.ad.microsult.de.key.pem
>         tls certfile = /etc/samba/tls/SAMBA.ad.microsult.de.pem
>         tls cafile = /etc/certs/cacert.pem
>
>         # this is from steve's mail
>         kerberos method = system keytab
>
> [netlogon]
>         path = /srv/files/state/sysvol/ad.microsult.de/scripts
>         read only = No
>
> [sysvol]
>         path = /srv/files/state/sysvol
>         read only = No
>
> [Demo]
>         path = /srv/files/shares/Demo
>         read only = no
>
>> /etc/nsswitch.conf
> passwd:         compat
> group:          compat
> shadow:         compat
>
This shows that your unix machine is not connecting to AD to find users 
or groups; you need to add winbind to the passwd & group lines.

> hosts: files dns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
>> getent passwd AS\StandardUser
> empty, as is AD\Administrator

Yes, it will be, see above.

>
>
>> getfacl /path/to/your/demo share
> Didn't install ACL so far, since the samba docs claim to use extended 
> attributes instead of POSIX ACL.
>

You need to install 'acl'

> root at samba:/# ls -la /srv/files/shares/Demo/
> total 8
> drwxr-xr-x  2 root    root  35 Jun 27 14:24 .
> drwxr-xr-x  3 root    root  17 Jun 13 13:19 ..
> -rwxrwxr-x+ 1 3000000 users 32 Jun 27 14:24 Erstellt von Admin.txt
> root at samba:/# attr -l /srv/files/shares/Demo
> root at samba:/# attr -l /srv/files/shares/Demo/*
> Attribute "DOSATTRIB" has a 56 byte value for 
> /srv/files/shares/Demo/Erstellt von Admin.txt
> Attribute "NTACL" has a 312 byte value for 
> /srv/files/shares/Demo/Erstellt von Admin.txt
> root at samba:/# attr -g NTACL /srv/files/shares/Demo/Erstellt\ von\ 
> Admin.txt
> attr_get: No data available
> Could not get "NTACL" for /srv/files/shares/Demo/Erstellt von Admin.txt
>
> Actually I had expected AD/Administrator to map to uid 0 instead of 
> 3000000. At least this uid is in the LDAP.
>
It will when you add the lines to nsswitch.conf.

Rowland

> Regards,
>  - lars.
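The diagnosis in the reply above (getent returns nothing because nsswitch.conf routes passwd and group only through compat) can be checked mechanically. The script below is an added example, not part of the thread; it runs offline against two constructed nsswitch.conf samples, one matching the configuration posted above and one with winbind added.

```shell
#!/bin/sh
# Added example: verify that nsswitch.conf lists winbind as a source for the
# passwd and group databases. Without it, getent (and therefore Samba's
# uid/gid lookups for AD\Administrator, AD\StandardUser, ...) stays empty.

# nss_has_source FILE DB SOURCE -> 0 if the DB line in FILE lists SOURCE.
# Comment lines are ignored; the last matching DB line wins, as in glibc.
nss_has_source() {
    file=$1; db=$2; src=$3
    line=$(grep -v '^[[:space:]]*#' "$file" \
        | grep "^[[:space:]]*$db[[:space:]]*:" | tail -n 1)
    [ -n "$line" ] || return 1
    sources=${line#*:}            # everything after "db:"
    for s in $sources; do
        [ "$s" = "$src" ] && return 0
    done
    return 1
}

# nss_check FILE -> one status line per database; returns the number of
# databases still missing winbind (0 means the config is as the reply asks).
nss_check() {
    file=$1; misses=0
    for db in passwd group; do
        if nss_has_source "$file" "$db" winbind; then
            echo "$db: winbind present"
        else
            echo "$db: winbind MISSING (getent will not see AD users/groups)"
            misses=$((misses + 1))
        fi
    done
    return $misses
}

# Constructed sample 1: the lines as posted in the thread (compat only).
BEFORE=$(mktemp); cat >"$BEFORE" <<'EOF'
passwd:         compat
group:          compat
shadow:         compat
hosts:          files dns
EOF
# Constructed sample 2: the same file with winbind appended to passwd/group.
AFTER=$(mktemp); cat >"$AFTER" <<'EOF'
passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns
EOF

nss_check "$BEFORE" || echo "-> add winbind, then re-run: getent passwd 'AD\\Administrator'"
nss_check "$AFTER"
rm -f "$BEFORE" "$AFTER"
```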
