[Samba] Permission issue writing to demo share
steve at steve-ss.com
Fri Jun 27 12:32:21 MDT 2014
On Fri, 2014-06-27 at 19:45 +0200, Lars Hanke wrote:
> Am 27.06.2014 19:22, schrieb Rowland Penny:
> > On 27/06/14 18:17, Lars Hanke wrote:
> >> Am 27.06.2014 19:03, schrieb Rowland Penny:
> >>> On 27/06/14 18:00, Lars Hanke wrote:
> >>>>>> [Demo]
> >>>>>> path = /srv/files/shares/Demo
> >>>>>> read only = no
> >>>> I seem to remember that it is not required for file share users to
> >>>> have login permission to the file server. Am I wrong?
> >>> Do you have any unix users, if not, then no, but you still need 'acl'
> >> I have much more unix users than Win users and I'm currently trying to
> >> figure out how to set up the new infrastructure. Dropping NFS is at
> >> least an option - has pros and cons as all other options as well.
> >> About the ACL stuff:
> >> getfacl /srv/files/shares/Demo/
> >> getfacl: Removing leading '/' from absolute path names
> >> # file: srv/files/shares/Demo/
> >> # owner: root
> >> # group: root
> >> user::rwx
> >> group::r-x
> >> other::r-x
> >> But from a POSIX perspective AD\Administrator = 3000000 should have
> >> been denied writing as well according to those ACL.
> >> root at samba:/# ls -la /srv/files/shares/Demo
> >> total 8
> >> drwxr-xr-x 2 root root 35 Jun 27 14:24 .
> >> drwxr-xr-x 3 root root 17 Jun 13 13:19 ..
> >> -rwxrwxr-x+ 1 3000000 users 32 Jun 27 14:24 Erstellt von Admin.txt
> >> So, if this is an ACL or NSS issue, this at least doesn't explain itself.
> >> Regards,
> >> - lars.
> > OK, this is the top of nsswitch.conf on my AD DC:
> > passwd: compat winbind
> > group: compat winbind
> > And when I run ' getent passwd Administrator'
> > DOMAIN\Administrator:*:0:10000::/home/Administrator:/bin/bash
> > Hmm userid '0' I wonder who he is???
> Well, I don't have winbind configured for NSS.
> root at samba:/# getent passwd Administrator
> root at samba:/# getent passwd AD/Administrator
> root at samba:/#
> and AD\Administrator from my Win7 client was mapped to 3000000, not to
> 0. This could only happen if samba running as root created the file and
> changed ownership later. This was the general mechanism with samba3,
> so I suspect the permission issue on the front-end authorization, rather
> than on the POSIX backend.
> - lars.
Lars, you need to be in a position to be able to do e.g.
chown DOMAIN\\lars\ Erstellt\ von\ Admin.txt
You need winbind to do that.
In the mid term, you may wish to add:
idmap_ldb:use rfc2307 = Yes
This way the uid:gid pair for your domain users can be extracted from AD
rather than an external database. In the longer term, you will be able
to set up the DC just as you would a fileserver. Even now it may be worth
your while setting up, say, a VM as a file server. Then you can use all
the usual winbind stanzas and none of this would be necessary.
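To make the POSIX side of the question above concrete (why uid 3000000 gets no write access from the Demo directory's ACL, and what an extended ACL that does grant it would look like), here is an added Python example that is not part of this thread: it parses getfacl output and applies the access-check order from acl(5). The extended ACL with its 'users' group entry and mask value is a constructed assumption, not something from the thread.

```python
# Evaluate POSIX ACL access from `getfacl` output, following acl(5):
# owner entry, named users, group entries under the mask, then "other".
# Constructed input: the Demo share's ACL as pasted in the thread.
GETFACL_DEMO = """\
# file: srv/files/shares/Demo/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
"""
# Hypothetical extended ACL granting the 'users' group write access.
GETFACL_EXTENDED = GETFACL_DEMO + "group:users:rwx\nmask::rwx\n"

def parse_getfacl(text):
    acl = {"named_user": {}, "named_group": {}, "mask": None}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("# owner:", "# group:")):
            acl[line[2:7] + "_name"] = line.split(":", 1)[1].strip()
        elif not line or line.startswith("#"):
            continue
        else:
            tag, qualifier, perms = line.split(":")
            perms = set(perms) - {"-"}
            if tag in ("user", "group") and qualifier:
                acl["named_" + tag][qualifier] = perms
            else:
                acl[tag] = perms  # user / group / mask / other
    return acl

def check_access(acl, user, groups, wanted):
    """True if `user` with supplementary `groups` gets all of `wanted`."""
    wanted, groups = set(wanted), set(groups)
    mask = acl["mask"] if acl["mask"] is not None else set("rwx")
    if user == acl["owner_name"]:
        return wanted <= acl["user"]
    if user in acl["named_user"]:
        return wanted <= (acl["named_user"][user] & mask)
    matches = [acl["group"]] if acl["group_name"] in groups else []
    matches += [p for g, p in acl["named_group"].items() if g in groups]
    if matches:
        return any(wanted <= (p & mask) for p in matches)
    return wanted <= acl["other"]

if __name__ == "__main__":
    # uid 3000000 is neither owner nor in group root: "other" applies.
    print(check_access(parse_getfacl(GETFACL_DEMO), "3000000", {"users"}, "w"))
    print(check_access(parse_getfacl(GETFACL_EXTENDED), "3000000", {"users"}, "w"))
```

The first call returns False (the pasted ACL only grants r-x to "other"), the second True, which is why a file owned by 3000000 appearing in that directory points at Samba creating it as root and chowning it rather than at the ACL.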