[Samba] Permission issue writing to demo share

Rowland Penny rowlandpenny at googlemail.com
Fri Jun 27 10:42:52 MDT 2014


On 27/06/14 17:36, steve wrote:
> On Fri, 2014-06-27 at 18:15 +0200, Lars Hanke wrote:
>>>> I can read and write the Share using AD\Administrator. AD\StandardUser
>>>> can mount the share and read, what the Administrator put there. But he
>>>> cannot create or modify files.
>>> Please post:
>>> smb.conf
>> [global]
>>           workgroup = AD
>>           realm = AD.MICROSULT.DE
>>           netbios name = SAMBA
>>           server role = active directory domain controller
>>           private dir = /srv/files/private
>>           lock directory = /srv/files
>>           state directory = /srv/files/state
>>           cache directory = /srv/files/cache
>>           server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbind, ntp_signd, kcc, dnsupdate
>>           idmap_ldb:use rfc2307 = yes
>>
> Remove the tls stuff

I wouldn't, he is using his own certs instead of samba4's

>>           # allow for TLS / ldaps
>>           tls enabled = yes
>>           tls keyfile = /etc/samba/tls/SAMBA.ad.microsult.de.key.pem
>>           tls certfile = /etc/samba/tls/SAMBA.ad.microsult.de.pem
>>           tls cafile = /etc/certs/cacert.pem
>>
>>           # this is from steve's mail
>>           kerberos method = system keytab
> Remove the kerberos method line
>
>> [netlogon]
>>           path = /srv/files/state/sysvol/ad.microsult.de/scripts
>>           read only = No
>>
>> [sysvol]
>>           path = /srv/files/state/sysvol
>>           read only = No
>>
>> [Demo]
>>           path = /srv/files/shares/Demo
>>           read only = no
>>
>>> /etc/nsswitch.conf
>> passwd:         compat
>> group:          compat
>> shadow:         compat
>>
>> hosts:          files dns
>> networks:       files
>>
>> protocols:      db files
>> services:       db files
>> ethers:         db files
>> rpc:            db files
>>
>> netgroup:       nis
>>
>>> getent passwd AS\StandardUser
>> empty, as is AD\Administrator
>>
>>> getfacl /path/to/your/demo share
>> Didn't install ACL so far, since the samba docs claim to use extended
>> attributes instead of POSIX ACL.
> We didn't ask for extended acl. Doesn't your distro have getfacl by
> default? If not you will have to install it. In any case, we cannot
> start to play with permissions until winbind is working. . .

It is part of 'acl' which he needs to install.

>> root@samba:/# ls -la /srv/files/shares/Demo/
>> total 8
>> drwxr-xr-x  2 root    root  35 Jun 27 14:24 .
>> drwxr-xr-x  3 root    root  17 Jun 13 13:19 ..
>> -rwxrwxr-x+ 1 3000000 users 32 Jun 27 14:24 Erstellt von Admin.txt
>> root@samba:/# attr -l /srv/files/shares/Demo
>> root@samba:/# attr -l /srv/files/shares/Demo/*
>> Attribute "DOSATTRIB" has a 56 byte value for
>> /srv/files/shares/Demo/Erstellt von Admin.txt
>> Attribute "NTACL" has a 312 byte value for
>> /srv/files/shares/Demo/Erstellt von Admin.txt
>> root@samba:/# attr -g NTACL /srv/files/shares/Demo/Erstellt\ von\ Admin.txt
>> attr_get: No data available
>> Could not get "NTACL" for /srv/files/shares/Demo/Erstellt von Admin.txt
>>
>> Actually I had expected AD/Administrator to map to uid 0 instead of
>> 3000000. At least this uid is in the LDAP.
> No. If you want that, you will have to use a map file. Only on the DC
> does it map to something which can write to a share. But don't get too
> comfortable with that because soon now, winbind will work on the DC as
> it does elsewhere.
This is the DC.

Rowland

>   
>> Regards,
>>    - lars.
> /etc/nsswitch.conf
> passwd:          files winbind
> group:           files winbind
>
> On a source build:
>   ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
>   ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
>   ln -s /usr/local/samba/lib/pam_winbind.so /lib/security
>
> You'll have to work out if you either need to make the links and if so
> where as I can't tell where you have samba installed.
>
> Restart samba and try again with the commands. Also could you remind us
> of your distro and samba version?
> Cheers and HTH
> Steve
>
>
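Added example, not part of the original thread: a small check of whether an nsswitch.conf names winbind as a source for passwd and group, which is the change suggested above before any share permissions are examined. The two sample configurations are constructed from the fragments quoted in this thread; the function names are hypothetical.

```python
import re

# Constructed sample inputs: the two nsswitch.conf variants quoted in this thread.
BEFORE = """\
passwd:         compat
group:          compat
shadow:         compat
hosts:          files dns
"""
AFTER = """\
passwd:          files winbind
group:           files winbind
"""


def parse_nsswitch(text):
    """Map each database name to its ordered list of sources."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        # Action items such as [NOTFOUND=return] are not sources; strip them.
        rest = re.sub(r"\[[^\]]*\]", " ", rest)
        dbs[name.strip()] = rest.split()
    return dbs


def missing_winbind(text, databases=("passwd", "group")):
    """Return the databases whose source list does not name winbind."""
    dbs = parse_nsswitch(text)
    return [db for db in databases if "winbind" not in dbs.get(db, [])]


if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        gaps = missing_winbind(conf)
        status = "ok" if not gaps else "no winbind for: " + ", ".join(gaps)
        print(label, "->", status)
```

A `compat` entry is reported as missing because it does not name winbind directly.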


