[Samba] Permission issue writing to demo share

Lars Hanke debian at lhanke.de
Fri Jun 27 12:21:41 MDT 2014


On 27.06.2014 19:57, Rowland Penny wrote:
> On 27/06/14 18:45, Lars Hanke wrote:
>> On 27.06.2014 19:22, Rowland Penny wrote:
>>> On 27/06/14 18:17, Lars Hanke wrote:
>>>> On 27.06.2014 19:03, Rowland Penny wrote:
>>>>> On 27/06/14 18:00, Lars Hanke wrote:
>>>>>>>> [Demo]
>>>>>>>>         path = /srv/files/shares/Demo
>>>>>>>>         read only = no
>>>>>> I think to remember that it is not required for file share users to
>>>>>> have login permission to the file server. Am I wrong?
>>>>> Do you have any unix users, if not, then no, but you still need 'acl'
>>>>
>>>> I have much more unix users than Win users and I'm currently trying to
>>>> figure out how to set up the new infrastructure. Dropping NFS is at
>>>> least an option - has pros and cons as all other options as well.
>>>>
>>>> About the ACL stuff:
>>>>
>>>> getfacl /srv/files/shares/Demo/
>>>> getfacl: Removing leading '/' from absolute path names
>>>> # file: srv/files/shares/Demo/
>>>> # owner: root
>>>> # group: root
>>>> user::rwx
>>>> group::r-x
>>>> other::r-x
>>>>
>>>> But from a POSIX perspective AD\Administrator = 3000000 should have
>>>> been denied writing as well according to those ACL.
>>>>
>>>> root at samba:/# ls -la /srv/files/shares/Demo
>>>> total 8
>>>> drwxr-xr-x  2 root    root  35 Jun 27 14:24 .
>>>> drwxr-xr-x  3 root    root  17 Jun 13 13:19 ..
>>>> -rwxrwxr-x+ 1 3000000 users 32 Jun 27 14:24 Erstellt von Admin.txt
>>>>
>>>> So, if this is an ACL or NSS issue, this at least doesn't explain
>>>> itself.
>>>>
>>>> Regards,
>>>>  - lars.
>>>>
>>> OK, this is the top of nsswitch.conf on my AD DC:
>>>
>>> passwd:         compat winbind
>>> group:          compat winbind
>>>
>>> And when I run ' getent passwd Administrator'
>>>
>>> DOMAIN\Administrator:*:0:10000::/home/Administrator:/bin/bash
>>>
>>> Hmm userid '0' I wonder who he is???
>>
>> Well, I don't have winbind configured for NSS.
>> root at samba:/# getent passwd Administrator
>> root at samba:/# getent passwd AD/Administrator
>> root at samba:/#
>>
>> and AD\Administrator from my Win7 client was mapped to 3000000, not to
>> 0. This could only happen if samba running as root created the file
>> and changed ownership later. This was the general mechanism with
>> samba3, already.
>
> Try this:
> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
>
> This relies on having ldbtools installed and idmap.ldb being in
> /var/lib/samba/private
>
> Search in there for 3000000
root at samba:/# ldbsearch -H /srv/files/private/idmap.ldb xidNumber=3000000
# record 1
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544

# returned 1 records
# 1 entries
# 0 referrals
root at samba:/# wbinfo -s S-1-5-32-544
BUILTIN\Administrators 4

This is however _not_ AD\Administrator:
root at samba:/# ldbsearch -H /srv/files/private/idmap.ldb objectsid=$(wbinfo -n Administrator | cut -f1 -d' ')
# record 1
dn: CN=S-1-5-21-820921042-1573760902-1500171102-500
cn: S-1-5-21-820921042-1573760902-1500171102-500
objectClass: sidMap
objectSid: S-1-5-21-820921042-1573760902-1500171102-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-820921042-1573760902-1500171102-500

# returned 1 records
# 1 entries
# 0 referrals

which has xid 0 as expected.

It becomes stranger and stranger ...

Regards,
  - lars.
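The lookup Lars does by hand above (numeric owner -> idmap.ldb record -> SID and ID type) can be scripted; the following is an added example, not code from the thread or from Samba. It parses ldbsearch-style records with awk and tells a BUILTIN alias (such as S-1-5-32-544, mapped with ID_TYPE_BOTH) apart from a domain user SID; the record text and the ls line are constructed from the values quoted in the thread, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: explain an unexpected numeric file owner
# by looking it up in idmap.ldb records. Input below is constructed to mirror the
# ldbsearch and ls output quoted above; a real DC would feed ldbsearch output.
# Constructed idmap.ldb records (same SIDs and xids as in the thread).
SAMPLE_IDMAP='# record 1
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

# record 2
dn: CN=S-1-5-21-820921042-1573760902-1500171102-500
objectSid: S-1-5-21-820921042-1573760902-1500171102-500
type: ID_TYPE_UID
xidNumber: 0'
# Constructed ls -la line for the file the thread discusses.
SAMPLE_LS_LINE='-rwxrwxr-x+ 1 3000000 users 32 Jun 27 14:24 Erstellt von Admin.txt'

# idmap_lookup XID: print "SID ID_TYPE" of the record whose xidNumber is XID.
# Records are blank-line separated, so awk paragraph mode (RS="") reads one
# record at a time and every "key: value" pair becomes two tokens.
idmap_lookup() {
  printf '%s\n' "$SAMPLE_IDMAP" | awk -v want="$1" 'BEGIN { RS = "" }
    { sid = ""; type = ""; xid = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "objectSid:") sid = $(i + 1)
        if ($i == "type:")      type = $(i + 1)
        if ($i == "xidNumber:") xid = $(i + 1)
      }
      if (xid == want && sid != "") print sid, type }'
}

# owner_of_ls_line LINE: numeric owner (third field) of an ls -l line.
owner_of_ls_line() { printf '%s\n' "$1" | awk '{ print $3 }'; }

# explain_owner XID: classify the SID behind a numeric owner.
explain_owner() {
  map=$(idmap_lookup "$1")
  [ -n "$map" ] || { printf '%s: no idmap entry\n' "$1"; return 0; }
  sid=${map% *}; type=${map#* }
  case $sid in
    S-1-5-32-*) kind="BUILTIN alias, i.e. a group, not a user account" ;;
    *-500)      kind="domain Administrator account (RID 500)" ;;
    *)          kind="other domain SID" ;;
  esac
  printf '%s -> %s (%s): %s\n' "$1" "$sid" "$type" "$kind"
}

explain_owner "$(owner_of_ls_line "$SAMPLE_LS_LINE")"
```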
