[Samba] Permission issue writing to demo share
Rowland Penny
rowlandpenny at googlemail.com
Fri Jun 27 10:42:52 MDT 2014
On 27/06/14 17:36, steve wrote:
> On Fri, 2014-06-27 at 18:15 +0200, Lars Hanke wrote:
>>>> I can read and write the Share using AD\Administrator. AD\StandardUser
>>>> can mount the share and read, what the Administrator put there. But he
>>>> cannot create or modify files.
>>> Please post:
>>> smb.conf
>> [global]
>> workgroup = AD
>> realm = AD.MICROSULT.DE
>> netbios name = SAMBA
>> server role = active directory domain controller
>> private dir = /srv/files/private
>> lock directory = /srv/files
>> state directory = /srv/files/state
>> cache directory = /srv/files/cache
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbind, ntp_signd, kcc, dnsupdate
>> idmap_ldb:use rfc2307 = yes
>>
> Remove the tls stuff
I wouldn't, he is using his own certs instead of samba4's
>> # allow for TLS / ldaps
>> tls enabled = yes
>> tls keyfile = /etc/samba/tls/SAMBA.ad.microsult.de.key.pem
>> tls certfile = /etc/samba/tls/SAMBA.ad.microsult.de.pem
>> tls cafile = /etc/certs/cacert.pem
>>
>> # this is from steve's mail
>> kerberos method = system keytab
> Remove the kerberos method line
>
>> [netlogon]
>> path = /srv/files/state/sysvol/ad.microsult.de/scripts
>> read only = No
>>
>> [sysvol]
>> path = /srv/files/state/sysvol
>> read only = No
>>
>> [Demo]
>> path = /srv/files/shares/Demo
>> read only = no
>>
>>> /etc/nsswitch.conf
>> passwd: compat
>> group: compat
>> shadow: compat
>>
>> hosts: files dns
>> networks: files
>>
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
>>
>> netgroup: nis
>>
>>> getent passwd AS\StandardUser
>> empty, as is AD\Administrator
>>
>>> getfacl /path/to/your/demo share
>> Didn't install ACL so far, since the samba docs claim to use extended
>> attributes instead of POSIX ACL.
> We didn't ask for extended acl. Doesn't your distro have getfacl by
> default? If not you will have to install it. In any case, we cannot
> start to play with permissions until winbind is working. . .
It is part of 'acl' which he needs to install.
>> root@samba:/# ls -la /srv/files/shares/Demo/
>> total 8
>> drwxr-xr-x 2 root root 35 Jun 27 14:24 .
>> drwxr-xr-x 3 root root 17 Jun 13 13:19 ..
>> -rwxrwxr-x+ 1 3000000 users 32 Jun 27 14:24 Erstellt von Admin.txt
>> root@samba:/# attr -l /srv/files/shares/Demo
>> root@samba:/# attr -l /srv/files/shares/Demo/*
>> Attribute "DOSATTRIB" has a 56 byte value for
>> /srv/files/shares/Demo/Erstellt von Admin.txt
>> Attribute "NTACL" has a 312 byte value for
>> /srv/files/shares/Demo/Erstellt von Admin.txt
>> root@samba:/# attr -g NTACL /srv/files/shares/Demo/Erstellt\ von\ Admin.txt
>> attr_get: No data available
>> Could not get "NTACL" for /srv/files/shares/Demo/Erstellt von Admin.txt
>>
>> Actually I had expected AD/Administrator to map to uid 0 instead of
>> 3000000. At least this uid is in the LDAP.
> No. If you want that, you will have to use a map file. Only on the DC
> does it map to something which can write to a share. But don't get too
> comfortable with that because soon now, winbind will work on the DC as
> it does elsewhere.
This is the DC.
Rowland
>
>> Regards,
>> - lars.
> /etc/nsswitch.conf
> passwd: files winbind
> group: files winbind
>
> On a source build:
> ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
> ln -s /usr/local/samba/lib/pam_winbind.so /lib/security
>
> You'll have to work out if you either need to make the links and if so
> where as I can't tell where you have samba installed.
>
> Restart samba and try again with the commands. Also could you remind us
> of your distro and samba version?
> Cheers and HTH
> Steve
>
>
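
The nsswitch.conf change suggested in the quoted reply above, as an added example that is not part of the original message: a shell check that reports which of the passwd and group databases do not list winbind as a source. The function names are made up for this example, and the two sample configurations are the passwd/group lines posted in the thread, reproduced inline.

```shell
#!/bin/sh
# Added example (not from the thread): find NSS databases that never consult winbind.

# nss_missing_winbind [FILE]
# Reads nsswitch.conf syntax from FILE (or stdin) and prints the names of the
# passwd/group databases whose source list does not contain "winbind".
# Exit status: 0 when both list winbind, 1 otherwise.
nss_missing_winbind() {
    awk '
        {
            sub(/#.*/, "")                      # drop comments
            i = index($0, ":"); if (!i) next    # not a "database: sources" line
            name = substr($0, 1, i - 1); gsub(/[ \t]/, "", name)
            if (name != "passwd" && name != "group") next
            n = split(substr($0, i + 1), src, /[ \t]+/)
            for (k = 1; k <= n; k++) if (src[k] == "winbind") ok[name] = 1
        }
        END {
            out = ""
            if (!("passwd" in ok)) out = "passwd"
            if (!("group" in ok))  out = out (out ? " " : "") "group"
            if (out) { print out; exit 1 }
        }' "$@"
}

# The passwd/group/shadow lines as posted for the DC in the thread.
posted_conf() {
    cat <<'EOF'
passwd: compat
group: compat
shadow: compat
EOF
}

# The lines suggested in the reply.
suggested_conf() {
    cat <<'EOF'
passwd: files winbind
group: files winbind
EOF
}

posted_conf | nss_missing_winbind || echo "  ^ these databases never ask winbind"
suggested_conf | nss_missing_winbind && echo "passwd and group both list winbind"
```

On a live system, run it as `nss_missing_winbind /etc/nsswitch.conf`.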