[Samba] Permission issue writing to demo share
rowlandpenny at googlemail.com
Fri Jun 27 11:57:14 MDT 2014
On 27/06/14 18:45, Lars Hanke wrote:
> On 27.06.2014 19:22, Rowland Penny wrote:
>> On 27/06/14 18:17, Lars Hanke wrote:
>>> On 27.06.2014 19:03, Rowland Penny wrote:
>>>> On 27/06/14 18:00, Lars Hanke wrote:
>>>>>>> path = /srv/files/shares/Demo
>>>>>>> read only = no
>>>>> I seem to remember that it is not required for file share users to
>>>>> have login permission to the file server. Am I wrong?
>>>> Do you have any unix users, if not, then no, but you still need 'acl'
>>> I have many more unix users than Win users and I'm currently trying to
>>> figure out how to set up the new infrastructure. Dropping NFS is at
>>> least an option - it has pros and cons, as do all the other options.
>>> About the ACL stuff:
>>> getfacl /srv/files/shares/Demo/
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: srv/files/shares/Demo/
>>> # owner: root
>>> # group: root
>>> But from a POSIX perspective AD\Administrator = 3000000 should have
>>> been denied writing as well according to those ACLs.
>>> root@samba:/# ls -la /srv/files/shares/Demo
>>> total 8
>>> drwxr-xr-x 2 root root 35 Jun 27 14:24 .
>>> drwxr-xr-x 3 root root 17 Jun 13 13:19 ..
>>> -rwxrwxr-x+ 1 3000000 users 32 Jun 27 14:24 Erstellt von Admin.txt
>>> So, if this is an ACL or NSS issue, this at least doesn't explain
>>> - lars.
>> OK, this is the top of nsswitch.conf on my AD DC:
>> passwd: compat winbind
>> group: compat winbind
>> And when I run ' getent passwd Administrator'
>> Hmm userid '0' I wonder who he is???
> Well, I don't have winbind configured for NSS.
> root@samba:/# getent passwd Administrator
> root@samba:/# getent passwd AD/Administrator
> root@samba:/#
> and AD\Administrator from my Win7 client was mapped to 3000000, not to
> 0. This could only happen if samba running as root created the file
> and changed ownership later. This was the general mechanism with
> samba3, already.
ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
This relies on having ldbtools installed and idmap.ldb being in
Search in there for 3000000
> So I suspect the permission issue on the front-end authorization,
> rather than on the POSIX backend.
> - lars.
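
Added example, not part of the original message: a read-only way to do the "search for 3000000" step, by parsing an LDIF dump of idmap.ldb (for instance saved from `ldbsearch -H /var/lib/samba/private/idmap.ldb`) instead of opening the database in an editor. The sample records are constructed, and the attribute layout (objectSid, type, xidNumber as plain text values) is an assumption about what the dump contains.

```python
# Added example: find which SID owns a given Unix ID in an idmap.ldb LDIF dump.

# Constructed sample records; SIDs and IDs are illustrative only and are
# not taken from the server discussed in the thread.
SAMPLE_LDIF = """\
# record 1
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-500
cn: S-1-5-21-1111111111-2222222222-3333333333-500
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-500
type: ID_TYPE_UID
xidNumber: 0

# record 2
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
"""


def parse_ldif(text):
    """Split LDIF text into records; each record is a dict of attr -> value."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line:                      # a blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue                      # skip comments and stray lines
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:                           # last record has no trailing blank
        records.append(current)
    return records


def find_xid(records, xid):
    """Return (SID, mapping type) pairs whose xidNumber equals xid."""
    return [(r.get("objectSid"), r.get("type"))
            for r in records if r.get("xidNumber") == str(xid)]


if __name__ == "__main__":
    for sid, kind in find_xid(parse_ldif(SAMPLE_LDIF), 3000000):
        print(f"3000000 -> {sid} ({kind})")
```

The mapping type matters when reading `ls -la` output: an ID_TYPE_BOTH entry can appear as either a file owner or a group, while ID_TYPE_UID and ID_TYPE_GID entries appear only as one.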