[Samba] Permission issue writing to demo share

Lars Hanke debian at lhanke.de
Fri Jun 27 13:25:15 MDT 2014


On 27.06.2014 20:28, Rowland Penny wrote:
> On 27/06/14 19:21, Lars Hanke wrote:
>> On 27.06.2014 19:57, Rowland Penny wrote:
>>> On 27/06/14 18:45, Lars Hanke wrote:
>>>> On 27.06.2014 19:22, Rowland Penny wrote:
>>>>> On 27/06/14 18:17, Lars Hanke wrote:
>>>>>> On 27.06.2014 19:03, Rowland Penny wrote:
>>>>>>> On 27/06/14 18:00, Lars Hanke wrote:
>>>>>>>>>> [Demo]
>>>>>>>>>>         path = /srv/files/shares/Demo
>>>>>>>>>>         read only = no
>>>>>>>> I seem to remember that it is not required for file share users to
>>>>>>>> have login permission on the file server. Am I wrong?
>>>>>>> Do you have any unix users? If not, then no, but you still need
>>>>>>> 'acl'
>>>>>>
>>>>>> I have many more unix users than Win users and I'm currently
>>>>>> trying to
>>>>>> figure out how to set up the new infrastructure. Dropping NFS is at
>>>>>> least an option; it has pros and cons, as all other options do.
>>>>>>
>>>>>> About the ACL stuff:
>>>>>>
>>>>>> getfacl /srv/files/shares/Demo/
>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>> # file: srv/files/shares/Demo/
>>>>>> # owner: root
>>>>>> # group: root
>>>>>> user::rwx
>>>>>> group::r-x
>>>>>> other::r-x
>>>>>>
>>>>>> But from a POSIX perspective AD\Administrator = 3000000 should have
>>>>>> been denied writing as well, according to those ACLs.
>>>>>>
>>>>>> root at samba:/# ls -la /srv/files/shares/Demo
>>>>>> total 8
>>>>>> drwxr-xr-x  2 root    root  35 Jun 27 14:24 .
>>>>>> drwxr-xr-x  3 root    root  17 Jun 13 13:19 ..
>>>>>> -rwxrwxr-x+ 1 3000000 users 32 Jun 27 14:24 Erstellt von Admin.txt
>>>>>>
>>>>>> So, if this is an ACL or NSS issue, this at least doesn't explain
>>>>>> itself.
>>>>>>
>>>>>> Regards,
>>>>>>  - lars.
>>>>>>
>>>>> OK, this is the top of nsswitch.conf on my AD DC:
>>>>>
>>>>> passwd:         compat winbind
>>>>> group:          compat winbind
>>>>>
>>>>> And when I run ' getent passwd Administrator'
>>>>>
>>>>> DOMAIN\Administrator:*:0:10000::/home/Administrator:/bin/bash
>>>>>
>>>>> Hmm, userid '0'. I wonder who he is???
>>>>
>>>> Well, I don't have winbind configured for NSS.
>>>> root at samba:/# getent passwd Administrator
>>>> root at samba:/# getent passwd AD/Administrator
>>>> root at samba:/#
>>>>
>>>> and AD\Administrator from my Win7 client was mapped to 3000000, not to
>>>> 0. This could only happen if samba, running as root, created the file
>>>> and changed ownership later. This was already the general mechanism
>>>> with samba3.
>>>
>>> Try this:
>>> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
>>>
>>> This relies on having ldbtools installed and idmap.ldb being in
>>> /var/lib/samba/private
>>>
>>> Search in there for 3000000
>> root at samba:/# ldbsearch -H /srv/files/private/idmap.ldb xidNumber=3000000
>> # record 1
>> dn: CN=S-1-5-32-544
>> cn: S-1-5-32-544
>> objectClass: sidMap
>> objectSid: S-1-5-32-544
>> type: ID_TYPE_BOTH
>> xidNumber: 3000000
>> distinguishedName: CN=S-1-5-32-544
>>
>> # returned 1 records
>> # 1 entries
>> # 0 referrals
>> root at samba:/# wbinfo -s S-1-5-32-544
>> BUILTIN\Administrators 4
>>
>> This is however _not_ AD\Administrator:
>> root at samba:/# ldbsearch -H /srv/files/private/idmap.ldb
>> objectsid=$(wbinfo -n Administrator | cut -f1 -d' ')
>> # record 1
>> dn: CN=S-1-5-21-820921042-1573760902-1500171102-500
>> cn: S-1-5-21-820921042-1573760902-1500171102-500
>> objectClass: sidMap
>> objectSid: S-1-5-21-820921042-1573760902-1500171102-500
>> type: ID_TYPE_UID
>> xidNumber: 0
>> distinguishedName: CN=S-1-5-21-820921042-1573760902-1500171102-500
>>
>> # returned 1 records
>> # 1 entries
>> # 0 referrals
>>
>> which has xid 0 as expected.
>>
>> It becomes stranger and stranger ...
>>
>> Regards,
>>  - lars.
>>
>>
>>
> Well, not really: the only member of the Administrators group is
> 'Administrator' and somehow, when winbind is not used, 'Administrator'
> gets mapped to 3000000. The cure? Set up winbind in nsswitch.conf and
> use ACLs.
>
> You are going to have to do this for your unix users, and it will make it
> easier if you also give your users uidNumbers.

Alright, since I do not want ordinary users to log in to my credential
vault, I'll delegate file service to a member machine.

Is there any trouble to expect with samba 3.6.6 (except for the DNS 
issue) as the file server?

Kind regards,
  - lars.
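Added example, not code from the thread or from Samba's own tooling: a POSIX shell script that does what the two ldbsearch calls above do by hand, correlating the numeric owners found on a share with the SID records in idmap.ldb, so an xid like 3000000 that NSS cannot name is at least traced back to its SID and type. It assumes the LDIF shape that `ldbsearch -H .../idmap.ldb` prints (objectSid, type and xidNumber attributes, records separated by blank lines) and an `ls -ln` listing; both sample inputs are constructed from the output quoted in the thread so the script runs without a DC, and the helper names (xid_to_sid, listing_owners, check_owners) are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: map the numeric
# owners seen on a share back to the SID records in idmap.ldb.
# Assumed input shapes: the LDIF that `ldbsearch -H .../idmap.ldb` prints
# (objectSid / type / xidNumber attributes, records separated by blank
# lines) and an `ls -ln` listing. Both samples below are constructed from
# the output quoted in the thread so the script runs without a DC.

SAMPLE_IDMAP_LDIF='# record 1
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544

# record 2
dn: CN=S-1-5-21-820921042-1573760902-1500171102-500
cn: S-1-5-21-820921042-1573760902-1500171102-500
objectClass: sidMap
objectSid: S-1-5-21-820921042-1573760902-1500171102-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-820921042-1573760902-1500171102-500

# returned 2 records'

# Constructed `ls -ln` output: root's entries show as 0, the file created
# from the Windows client shows the unresolved 3000000 as in the thread.
SAMPLE_LISTING='total 8
drwxr-xr-x  2 0       0   35 Jun 27 14:24 .
drwxr-xr-x  3 0       0   17 Jun 13 13:19 ..
-rwxrwxr-x+ 1 3000000 100 32 Jun 27 14:24 Erstellt von Admin.txt
-rw-r--r--  1 0       0   12 Jun 27 14:30 created by root.txt'

# xid_to_sid XID: read idmap LDIF on stdin, print "SID TYPE" for that xid
# (prints nothing if no record carries it).
xid_to_sid() {
    awk -v want="$1" '
        function emit() {
            if (xid == want && sid != "") print sid, type
            sid = type = xid = ""
        }
        /^objectSid: / { sid  = $2 }
        /^type: /      { type = $2 }
        /^xidNumber: / { xid  = $2 }
        /^$/           { emit() }
        END            { emit() }
    '
}

# listing_owners: unique numeric owners (column 3) from `ls -ln` on stdin,
# skipping the "total" line and the . and .. entries.
listing_owners() {
    awk '$1 ~ /^[-dl]/ && $NF != "." && $NF != ".." { print $3 }' | sort -n -u
}

# check_owners LISTING: idmap LDIF on stdin; one line per owner xid saying
# which SID it belongs to and whether that SID is a BUILTIN group.
check_owners() {
    ldif=$(cat)
    printf '%s\n' "$1" | listing_owners | while read -r xid; do
        mapping=$(printf '%s\n' "$ldif" | xid_to_sid "$xid")
        if [ -z "$mapping" ]; then
            echo "xid $xid: no record in idmap.ldb"
            continue
        fi
        sid=${mapping% *}
        type=${mapping#* }
        case "$sid" in
            S-1-5-32-*) echo "xid $xid -> $sid ($type): BUILTIN group SID, not the Administrator account" ;;
            *-500)      echo "xid $xid -> $sid ($type): domain Administrator (RID 500)" ;;
            *)          echo "xid $xid -> $sid ($type)" ;;
        esac
    done
}

# Stand-alone run over the constructed samples.
printf '%s\n' "$SAMPLE_IDMAP_LDIF" | check_owners "$SAMPLE_LISTING"
```

On a real DC the two samples are replaced by live output, e.g. `ldbsearch -H /var/lib/samba/private/idmap.ldb | check_owners "$(ls -ln /srv/files/shares/Demo)"` (the thread's own idmap.ldb lives under /srv/files/private instead). Owners reported as "no record in idmap.ldb" or as a BUILTIN group SID are the ones that neither NSS nor a POSIX mode bit will explain, which is the situation the listing in the thread shows.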


