[Samba] Permission issue writing to demo share

Rowland Penny rowlandpenny at googlemail.com
Fri Jun 27 11:57:14 MDT 2014


On 27/06/14 18:45, Lars Hanke wrote:
> Am 27.06.2014 19:22, schrieb Rowland Penny:
>> On 27/06/14 18:17, Lars Hanke wrote:
>>> Am 27.06.2014 19:03, schrieb Rowland Penny:
>>>> On 27/06/14 18:00, Lars Hanke wrote:
>>>>>>> [Demo]
>>>>>>>         path = /srv/files/shares/Demo
>>>>>>>         read only = no
>>>>> I seem to remember that it is not required for file share users to
>>>>> have login permission to the file server. Am I wrong?
>>>> Do you have any unix users, if not, then no, but you still need 'acl'
>>>
>>> I have many more unix users than Win users and I'm currently trying to
>>> figure out how to set up the new infrastructure. Dropping NFS is at
>>> least an option - has pros and cons as all other options as well.
>>>
>>> About the ACL stuff:
>>>
>>> getfacl /srv/files/shares/Demo/
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: srv/files/shares/Demo/
>>> # owner: root
>>> # group: root
>>> user::rwx
>>> group::r-x
>>> other::r-x
>>>
>>> But from a POSIX perspective AD\Administrator = 3000000 should have
>>> been denied writing as well according to those ACL.
>>>
>>> root@samba:/# ls -la /srv/files/shares/Demo
>>> total 8
>>> drwxr-xr-x  2 root    root  35 Jun 27 14:24 .
>>> drwxr-xr-x  3 root    root  17 Jun 13 13:19 ..
>>> -rwxrwxr-x+ 1 3000000 users 32 Jun 27 14:24 Erstellt von Admin.txt
>>>
>>> So, if this is an ACL or NSS issue, this at least doesn't explain itself.
>>>
>>> Regards,
>>>  - lars.
>>>
>> OK, this is the top of nsswitch.conf on my AD DC:
>>
>> passwd:         compat winbind
>> group:          compat winbind
>>
>> And when I run 'getent passwd Administrator'
>>
>> DOMAIN\Administrator:*:0:10000::/home/Administrator:/bin/bash
>>
>> Hmm userid '0' I wonder who he is???
>
> Well, I don't have winbind configured for NSS.
> root@samba:/# getent passwd Administrator
> root@samba:/# getent passwd AD/Administrator
> root@samba:/#
>
> and AD\Administrator from my Win7 client was mapped to 3000000, not to 
> 0. This could only happen if samba running as root created the file 
> and changed ownership later. This was the general mechanism with 
> samba3, already.

Try this:
ldbedit -e nano -H /var/lib/samba/private/idmap.ldb

This relies on having ldbtools installed and idmap.ldb being in 
/var/lib/samba/private

Search in there for 3000000

Rowland

>
> So I suspect the permission issue on the front-end authorization, 
> rather than on the POSIX backend.
>
> Regards,
>  - lars.
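
An added example, not part of the original thread and not Samba code: the POSIX.1e ACL access check applied to the getfacl listing quoted above, to see what the filesystem alone would grant uid 3000000 on the share directory. The function names, the second (constructed) ACL and the assumption that 3000000 is a member of group "users" are illustrative only.

```python
GETFACL_DEMO = """\
# file: srv/files/shares/Demo/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
"""  # the listing quoted in the thread

GETFACL_MASKED = """\
# file: constructed/example
# owner: root
# group: root
user::rwx
user:3000000:rwx
group::r-x
mask::r-x
other::r-x
"""  # constructed sample: named-user entry capped by the mask

def parse_getfacl(text):
    """Return (owner, group, [(tag, qualifier, perm set)]) from getfacl text."""
    owner = group = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            tag, qual, perms = line.split("#")[0].strip().split(":")[:3]
            entries.append((tag, qual, set(perms) - {"-"}))
    return owner, group, entries

def access_allowed(acl_text, user, groups, want):
    """want is 'r', 'w' or 'x'; root's capability bypass is not modelled."""
    owner, group, entries = parse_getfacl(acl_text)
    find = lambda tag, qual="": [p for t, q, p in entries if t == tag and q == qual]
    mask = (find("mask") or [set("rwx")])[0]   # no mask entry: nothing is capped
    if user == owner:                          # owner entry is never masked
        return want in find("user")[0]
    if find("user", user):                     # named user, limited by mask
        return want in find("user", user)[0] & mask
    group_perms = [p for t, q, p in entries
                   if t == "group" and (q or group) in groups]
    if group_perms:                            # any matching group may grant
        return any(want in p & mask for p in group_perms)
    return want in find("other")[0]
```

On the Demo listing, uid 3000000 falls through to the `other::r-x` entry, so read is granted and write is not.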


