[Samba] Permission issue writing to demo share

Lars Hanke debian at lhanke.de
Fri Jun 27 11:45:29 MDT 2014


Am 27.06.2014 19:22, schrieb Rowland Penny:
> On 27/06/14 18:17, Lars Hanke wrote:
>> Am 27.06.2014 19:03, schrieb Rowland Penny:
>>> On 27/06/14 18:00, Lars Hanke wrote:
>>>>>> [Demo]
>>>>>>         path = /srv/files/shares/Demo
>>>>>>         read only = no
>>>> I seem to remember that it is not required for file share users to
>>>> have login permission to the file server. Am I wrong?
>>> Do you have any unix users, if not, then no, but you still need 'acl'
>>
>> I have many more unix users than Win users and I'm currently trying to
>> figure out how to set up the new infrastructure. Dropping NFS is at
>> least an option - has pros and cons as all other options as well.
>>
>> About the ACL stuff:
>>
>> getfacl /srv/files/shares/Demo/
>> getfacl: Removing leading '/' from absolute path names
>> # file: srv/files/shares/Demo/
>> # owner: root
>> # group: root
>> user::rwx
>> group::r-x
>> other::r-x
>>
>> But from a POSIX perspective AD\Administrator = 3000000 should have
>> been denied writing as well according to those ACLs.
>>
>> root@samba:/# ls -la /srv/files/shares/Demo
>> total 8
>> drwxr-xr-x  2 root    root  35 Jun 27 14:24 .
>> drwxr-xr-x  3 root    root  17 Jun 13 13:19 ..
>> -rwxrwxr-x+ 1 3000000 users 32 Jun 27 14:24 Erstellt von Admin.txt
>>
>> So, if this is an ACL or NSS issue, this at least doesn't explain itself.
>>
>> Regards,
>>  - lars.
>>
> OK, this is the top of nsswitch.conf on my AD DC:
>
> passwd:         compat winbind
> group:          compat winbind
>
> And when I run ' getent passwd Administrator'
>
> DOMAIN\Administrator:*:0:10000::/home/Administrator:/bin/bash
>
> Hmm userid '0' I wonder who he is???

Well, I don't have winbind configured for NSS.
root@samba:/# getent passwd Administrator
root@samba:/# getent passwd AD/Administrator
root@samba:/#

and AD\Administrator from my Win7 client was mapped to 3000000, not to 
0. This could only happen if samba running as root created the file and 
changed ownership later. This was the general mechanism with samba3, 
already.

So I suspect the permission issue is on the front-end authorization, rather 
than on the POSIX backend.

Regards,
  - lars.
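
Added example, not part of the original message and not Samba code: the acl(5) access-check order applied to the getfacl output quoted above, showing what the POSIX layer alone would decide for uid 3000000. The function names are hypothetical, and membership of 3000000 in the group "users" is an assumption.

```python
# Added example: the acl(5) access-check algorithm applied to getfacl text.
# It does not model root, which bypasses these checks (CAP_DAC_OVERRIDE).

# getfacl output for the share directory, copied from the message above.
DEMO_ACL = """\
# file: srv/files/shares/Demo/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
"""

def parse_getfacl(text):
    """Parse getfacl output into owner, group and (tag, qualifier, perms) entries."""
    acl = {"owner": None, "group": None, "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("# owner:", "# group:")):
            key, value = line[2:].split(":", 1)
            acl[key] = value.strip()
        elif line and not line.startswith(("#", "default:")):
            # Drop a trailing "#effective:..." comment, then split tag:qualifier:perms.
            tag, qualifier, perms = line.split("#")[0].strip().split(":")
            acl["entries"].append((tag, qualifier, perms))
    return acl

def allowed(acl, user, groups, want):
    """True if `user` (member of the set `groups`) gets every letter in `want`."""
    entries = acl["entries"]
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")

    def grants(perms, masked):
        effective = set(perms) & set(mask) if masked else set(perms)
        return set(want) <= effective - {"-"}

    def base(tag):  # the unqualified user::, group:: or other:: entry
        return next(p for t, q, p in entries if t == tag and q == "")

    if user == acl["owner"]:
        return grants(base("user"), masked=False)
    for tag, qualifier, perms in entries:
        if tag == "user" and qualifier == user:
            return grants(perms, masked=True)
    hits = [p for t, q, p in entries
            if t == "group" and (q in groups or (q == "" and acl["group"] in groups))]
    if hits:  # a matching group entry decides; other:: is not consulted
        return any(grants(p, masked=True) for p in hits)
    return grants(base("other"), masked=False)
```

With this ACL, `allowed(parse_getfacl(DEMO_ACL), "3000000", {"users"}, "w")` is False, so a file owned by 3000000 in that directory is consistent with a process that was not subject to the check when it created the file.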

