[Samba] Permission issue writing to demo share

Rowland Penny rowlandpenny at googlemail.com
Fri Jun 27 12:28:57 MDT 2014


On 27/06/14 19:21, Lars Hanke wrote:
> On 27.06.2014 19:57, Rowland Penny wrote:
>> On 27/06/14 18:45, Lars Hanke wrote:
>>> On 27.06.2014 19:22, Rowland Penny wrote:
>>>> On 27/06/14 18:17, Lars Hanke wrote:
>>>>> On 27.06.2014 19:03, Rowland Penny wrote:
>>>>>> On 27/06/14 18:00, Lars Hanke wrote:
>>>>>>>>> [Demo]
>>>>>>>>>         path = /srv/files/shares/Demo
>>>>>>>>>         read only = no
>>>>>>> I seem to remember that it is not required for file share users to
>>>>>>> have login permission to the file server. Am I wrong?
>>>>>> Do you have any unix users? If not, then no, but you still need 
>>>>>> 'acl'
>>>>>
>>>>> I have much more unix users than Win users and I'm currently 
>>>>> trying to
>>>>> figure out how to set up the new infrastructure. Dropping NFS is at
>>>>> least an option - has pros and cons as all other options as well.
>>>>>
>>>>> About the ACL stuff:
>>>>>
>>>>> getfacl /srv/files/shares/Demo/
>>>>> getfacl: Removing leading '/' from absolute path names
>>>>> # file: srv/files/shares/Demo/
>>>>> # owner: root
>>>>> # group: root
>>>>> user::rwx
>>>>> group::r-x
>>>>> other::r-x
>>>>>
>>>>> But from a POSIX perspective AD\Administrator = 3000000 should have
>>>>> been denied writing as well according to those ACLs.
>>>>>
>>>>> root@samba:/# ls -la /srv/files/shares/Demo
>>>>> total 8
>>>>> drwxr-xr-x  2 root    root  35 Jun 27 14:24 .
>>>>> drwxr-xr-x  3 root    root  17 Jun 13 13:19 ..
>>>>> -rwxrwxr-x+ 1 3000000 users 32 Jun 27 14:24 Erstellt von Admin.txt
>>>>>
>>>>> So, if this is an ACL or NSS issue, this at least doesn't explain
>>>>> itself.
>>>>>
>>>>> Regards,
>>>>>  - lars.
>>>>>
>>>> OK, this is the top of nsswitch.conf on my AD DC:
>>>>
>>>> passwd:         compat winbind
>>>> group:          compat winbind
>>>>
>>>> And when I run ' getent passwd Administrator'
>>>>
>>>> DOMAIN\Administrator:*:0:10000::/home/Administrator:/bin/bash
>>>>
>>>> Hmm, userid '0', I wonder who he is???
>>>
>>> Well, I don't have winbind configured for NSS.
>>> root@samba:/# getent passwd Administrator
>>> root@samba:/# getent passwd AD/Administrator
>>> root@samba:/#
>>>
>>> and AD\Administrator from my Win7 client was mapped to 3000000, not to
>>> 0. This could only happen if samba running as root created the file
>>> and changed ownership later. This was the general mechanism with
>>> samba3, already.
>>
>> Try this:
>> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
>>
>> This relies on having ldbtools installed and idmap.ldb being in
>> /var/lib/samba/private
>>
>> Search in there for 3000000
> root@samba:/# ldbsearch -H /srv/files/private/idmap.ldb xidNumber=3000000
> # record 1
> dn: CN=S-1-5-32-544
> cn: S-1-5-32-544
> objectClass: sidMap
> objectSid: S-1-5-32-544
> type: ID_TYPE_BOTH
> xidNumber: 3000000
> distinguishedName: CN=S-1-5-32-544
>
> # returned 1 records
> # 1 entries
> # 0 referrals
> root@samba:/# wbinfo -s S-1-5-32-544
> BUILTIN\Administrators 4
>
> This is however _not_ AD\Administrator:
> root@samba:/# ldbsearch -H /srv/files/private/idmap.ldb \
>     objectsid=$(wbinfo -n Administrator | cut -f1 -d' ')
> # record 1
> dn: CN=S-1-5-21-820921042-1573760902-1500171102-500
> cn: S-1-5-21-820921042-1573760902-1500171102-500
> objectClass: sidMap
> objectSid: S-1-5-21-820921042-1573760902-1500171102-500
> type: ID_TYPE_UID
> xidNumber: 0
> distinguishedName: CN=S-1-5-21-820921042-1573760902-1500171102-500
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> which has xid 0 as expected.
>
> It becomes stranger and stranger ...
>
> Regards,
>  - lars.
>
>
>
Well, not really: the only member of the Administrators group is 
'Administrator', and somehow, when winbind is not used, 'Administrator' 
gets mapped to 3000000. The cure? Set up winbind in nsswitch.conf and 
use ACLs.

You are going to have to do this for your unix users, and it will make it 
easier if you also give your users uidNumbers.

Rowland
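The diagnostic Lars ran by hand above (take the numeric owner `ls -l` shows on the file, find the idmap.ldb record with that `xidNumber`, read off the SID and its mapping type, then check whether NSS is even consulting winbind) can be scripted. The following is an added example written for this page; it is not code from the thread or from the Samba project. It assumes only POSIX sh and awk. The `SAMPLE_IDMAP` text is a constructed listing in the shape `ldbsearch -H idmap.ldb` prints, reusing the two SIDs from Lars's output in one file, and the two `nsswitch.conf` fragments are constructed; on a live DC you would feed the functions the real command output instead (see the comments).

```shell
#!/bin/sh
# Added example, not part of the original thread: map a numeric file owner
# back to the SID recorded in idmap.ldb and check nsswitch.conf for winbind.

# Constructed stand-in for: ldbsearch -H /var/lib/samba/private/idmap.ldb
# (records are LDIF-style, separated by blank lines; SIDs copied from the
# thread, combined into one listing for the example).
SAMPLE_IDMAP='# record 1
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544

# record 2
dn: CN=S-1-5-21-820921042-1573760902-1500171102-500
cn: S-1-5-21-820921042-1573760902-1500171102-500
objectClass: sidMap
objectSid: S-1-5-21-820921042-1573760902-1500171102-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-820921042-1573760902-1500171102-500

# returned 2 records
# 2 entries
# 0 referrals'

# Constructed nsswitch.conf fragments: one that consults winbind, one that
# does not (the situation Lars describes).
NSSWITCH_GOOD='passwd:         compat winbind
group:          compat winbind
shadow:         compat'
NSSWITCH_BAD='# local files only
passwd:         compat
group:          compat'

# sid_for_xid XID: read ldbsearch output on stdin and print
# "<objectSid> <type>" for the record whose xidNumber equals XID.
# Prints nothing (and the caller sees empty output) when no record matches.
sid_for_xid() {
    awk -v want="$1" '
        /^objectSid:/ { sid = $2 }
        /^type:/      { typ = $2 }
        /^xidNumber:/ { xid = $2 }
        /^$/ {                      # blank line ends a record
            if (xid == want && sid != "") print sid, typ
            sid = ""; typ = ""; xid = ""
        }
        END { if (xid == want && sid != "") print sid, typ }
    '
}

# nsswitch_has_winbind: read nsswitch.conf on stdin; exit 0 only if both the
# passwd and group databases list winbind, 1 otherwise. Comment lines skipped.
nsswitch_has_winbind() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "passwd:" { for (i = 2; i <= NF; i++) if ($i == "winbind") p = 1 }
        $1 == "group:"  { for (i = 2; i <= NF; i++) if ($i == "winbind") g = 1 }
        END { exit (p && g) ? 0 : 1 }
    '
}

# report_xid XID: human-readable line for a numeric owner taken from ls -l.
# ID_TYPE_BOTH means Samba allocated the same number as uid and gid for that
# SID, which is how a group SID (BUILTIN\Administrators) can appear as a
# file *owner*.
report_xid() {
    found=$(sid_for_xid "$1")
    if [ -n "$found" ]; then
        printf 'xid %s -> %s\n' "$1" "$found"
    else
        printf 'xid %s -> no idmap.ldb record (allocated elsewhere?)\n' "$1"
    fi
}

# Demo on the constructed data. On a real DC replace the printf with:
#   ldbsearch -H /var/lib/samba/private/idmap.ldb | report_xid 3000000
printf '%s\n' "$SAMPLE_IDMAP" | report_xid 3000000
printf '%s\n' "$SAMPLE_IDMAP" | report_xid 0
if printf '%s\n' "$NSSWITCH_BAD" | nsswitch_has_winbind; then
    echo 'nsswitch.conf: winbind configured for passwd and group'
else
    echo 'nsswitch.conf: winbind missing; getent will not see AD accounts'
fi
```

Once a SID comes back, `wbinfo -s <SID>` (as in the thread) turns it into a name; the script deliberately stops at the SID so it runs without a domain. Note that the check only tells you what idmap.ldb *currently* holds: if the file was created before winbind was added to nsswitch.conf, the owner on disk stays whatever was allocated at the time.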


