[Samba] Permission issue writing to demo share

steve steve at steve-ss.com
Fri Jun 27 10:50:47 MDT 2014


On Fri, 2014-06-27 at 17:42 +0100, Rowland Penny wrote:
> On 27/06/14 17:36, steve wrote:
> > On Fri, 2014-06-27 at 18:15 +0200, Lars Hanke wrote:
> >>>> I can read and write the Share using AD\Administrator. AD\StandardUser
> >>>> can mount the share and read what the Administrator put there. But he
> >>>> cannot create or modify files.
> >>> Please post:
> >>> smb.conf
> >> [global]
> >>           workgroup = AD
> >>           realm = AD.MICROSULT.DE
> >>           netbios name = SAMBA
> >>           server role = active directory domain controller
> >>           private dir = /srv/files/private
> >>           lock directory = /srv/files
> >>           state directory = /srv/files/state
> >>           cache directory = /srv/files/cache
> >>           server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
> >>           idmap_ldb:use rfc2307 = yes
> >>
> > Remove the tls stuff
> 
> I wouldn't, he is using his own certs instead of samba4's
But he's not going out over the network is he? The DC is the same as the
file server no? Sorry, I've not read the whole thread.
> 
> >>           # allow for TLS / ldaps
> >>           tls enabled = yes
> >>           tls keyfile = /etc/samba/tls/SAMBA.ad.microsult.de.key.pem
> >>           tls certfile = /etc/samba/tls/SAMBA.ad.microsult.de.pem
> >>           tls cafile = /etc/certs/cacert.pem
> >>
> >>           # this is from steve's mail
> >>           kerberos method = system keytab
> > Remove the kerberos method line
> >
> >> [netlogon]
> >>           path = /srv/files/state/sysvol/ad.microsult.de/scripts
> >>           read only = No
> >>
> >> [sysvol]
> >>           path = /srv/files/state/sysvol
> >>           read only = No
> >>
> >> [Demo]
> >>           path = /srv/files/shares/Demo
> >>           read only = no
> >>
> >>> /etc/nsswitch.conf
> >> passwd:         compat
> >> group:          compat
> >> shadow:         compat
> >>
> >> hosts:          files dns
> >> networks:       files
> >>
> >> protocols:      db files
> >> services:       db files
> >> ethers:         db files
> >> rpc:            db files
> >>
> >> netgroup:       nis
> >>
> >>> getent passwd AS\StandardUser
> >> empty, as is AD\Administrator
> >>
> >>> getfacl /path/to/your/demo share
> >> Didn't install ACL so far, since the samba docs claim to use extended
> >> attributes instead of POSIX ACL.
> > We didn't ask for extended acl. Doesn't your distro have getfacl by
> > default? If not you will have to install it. In any case, we cannot
> > start to play with permissions until winbind is working. . .
> 
> It is part of 'acl' which he needs to install.
> 
> >> root@samba:/# ls -la /srv/files/shares/Demo/
> >> total 8
> >> drwxr-xr-x  2 root    root  35 Jun 27 14:24 .
> >> drwxr-xr-x  3 root    root  17 Jun 13 13:19 ..
> >> -rwxrwxr-x+ 1 3000000 users 32 Jun 27 14:24 Erstellt von Admin.txt
> >> root@samba:/# attr -l /srv/files/shares/Demo
> >> root@samba:/# attr -l /srv/files/shares/Demo/*
> >> Attribute "DOSATTRIB" has a 56 byte value for /srv/files/shares/Demo/Erstellt von Admin.txt
> >> Attribute "NTACL" has a 312 byte value for /srv/files/shares/Demo/Erstellt von Admin.txt
> >> root@samba:/# attr -g NTACL /srv/files/shares/Demo/Erstellt\ von\ Admin.txt
> >> attr_get: No data available
> >> Could not get "NTACL" for /srv/files/shares/Demo/Erstellt von Admin.txt
> >>
> >> Actually I had expected AD/Administrator to map to uid 0 instead of
> >> 3000000. At least this uid is in the LDAP.
> > No. If you want that, you will have to use a map file. Only on the DC
> > does it map to something which can write to a share. But don't get too
> > comfortable with that because soon now, winbind will work on the DC as
> > it does elsewhere.
> This is the DC.
The point being that when the 'correct' winbind code is added to the DC,
Administrator will no longer behave as it does now.
HTH

> 
> Rowland
> 
> >   
> >> Regards,
> >>    - lars.
> > /etc/nsswitch.conf
> > passwd:          files winbind
> > group:           files winbind
> >
> > On a source build:
> >   ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
> >   ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
> >   ln -s /usr/local/samba/lib/pam_winbind.so /lib/security
> >
> > You'll have to work out whether you need to make the links and, if so,
> > where, as I can't tell where you have samba installed.
> >
> > Restart samba and try again with the commands. Also could you remind us
> > of your distro and samba version?
> > Cheers and HTH
> > Steve
> >
> >
> 
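The nsswitch.conf posted in this thread lists only compat for passwd and group, and getent can resolve domain accounts only when winbind is listed as a source there. The following is an added example, not part of the original message: a shell check (the function name nss_missing_winbind is hypothetical) that reports which of those two databases lack winbind, run here on constructed copies of the posted and the suggested settings.

```shell
#!/bin/sh
# Added example (not from the thread). nss_missing_winbind is a hypothetical
# helper name. It prints each of the passwd/group databases in an
# nsswitch.conf-style file that does not list "winbind" as a source.
nss_missing_winbind() {
    awk '
        {
            sub(/#.*/, "")     # drop comments
            sub(/:/, ": ")     # tolerate "passwd:files"; $0 is re-split
        }
        $1 == "passwd:" || $1 == "group:" {
            for (i = 2; i <= NF; i++)
                if ($i == "winbind") has[$1] = 1
        }
        END {
            n = split("passwd: group:", want, " ")
            for (k = 1; k <= n; k++)
                if (!(want[k] in has)) {
                    db = want[k]; sub(/:$/, "", db); print db
                }
        }
    ' "${1:-/etc/nsswitch.conf}"
}

# Constructed sample files: the settings as posted and as suggested above.
tmp=$(mktemp -d)
cat > "$tmp/posted.conf" <<'EOF'
passwd:         compat
group:          compat
shadow:         compat
EOF
cat > "$tmp/suggested.conf" <<'EOF'
passwd:          files winbind
group:           files winbind
EOF

for f in posted suggested; do
    missing=$(nss_missing_winbind "$tmp/$f.conf" | tr '\n' ' ')
    echo "$f: winbind missing for: ${missing:-none}"
done
rm -rf "$tmp"
```

Called without an argument, the function reads /etc/nsswitch.conf on the machine it runs on.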



