[Samba] Permission issue writing to demo share

Rowland Penny rowlandpenny at googlemail.com
Fri Jun 27 13:43:00 MDT 2014


On 27/06/14 20:25, Lars Hanke wrote:
> Am 27.06.2014 20:28, schrieb Rowland Penny:
>> On 27/06/14 19:21, Lars Hanke wrote:
>>> Am 27.06.2014 19:57, schrieb Rowland Penny:
>>>> On 27/06/14 18:45, Lars Hanke wrote:
>>>>> Am 27.06.2014 19:22, schrieb Rowland Penny:
>>>>>> On 27/06/14 18:17, Lars Hanke wrote:
>>>>>>> Am 27.06.2014 19:03, schrieb Rowland Penny:
>>>>>>>> On 27/06/14 18:00, Lars Hanke wrote:
>>>>>>>>>>> [Demo]
>>>>>>>>>>>         path = /srv/files/shares/Demo
>>>>>>>>>>>         read only = no
>>>>>>>>> I seem to remember that it is not required for file share users to
>>>>>>>>> have login permission to the file server. Am I wrong?
>>>>>>>> Do you have any unix users? If not, then no, but you still need
>>>>>>>> 'acl'
>>>>>>>
>>>>>>> I have many more unix users than Win users and I'm currently trying to
>>>>>>> figure out how to set up the new infrastructure. Dropping NFS is at
>>>>>>> least an option - it has pros and cons, as all other options do as well.
>>>>>>>
>>>>>>> About the ACL stuff:
>>>>>>>
>>>>>>> getfacl /srv/files/shares/Demo/
>>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>>> # file: srv/files/shares/Demo/
>>>>>>> # owner: root
>>>>>>> # group: root
>>>>>>> user::rwx
>>>>>>> group::r-x
>>>>>>> other::r-x
>>>>>>>
>>>>>>> But from a POSIX perspective AD\Administrator = 3000000 should have
>>>>>>> been denied writing as well according to those ACL.
>>>>>>>
>>>>>>> root at samba:/# ls -la /srv/files/shares/Demo
>>>>>>> total 8
>>>>>>> drwxr-xr-x  2 root    root  35 Jun 27 14:24 .
>>>>>>> drwxr-xr-x  3 root    root  17 Jun 13 13:19 ..
>>>>>>> -rwxrwxr-x+ 1 3000000 users 32 Jun 27 14:24 Erstellt von Admin.txt
>>>>>>>
>>>>>>> So, if this is an ACL or NSS issue, this at least doesn't explain
>>>>>>> itself.
>>>>>>>
>>>>>>> Regards,
>>>>>>>  - lars.
>>>>>>>
>>>>>> OK, this is the top of nsswitch.conf on my AD DC:
>>>>>>
>>>>>> passwd:         compat winbind
>>>>>> group:          compat winbind
>>>>>>
>>>>>> And when I run ' getent passwd Administrator'
>>>>>>
>>>>>> DOMAIN\Administrator:*:0:10000::/home/Administrator:/bin/bash
>>>>>>
>>>>>> Hmm userid '0' I wonder who he is???
>>>>>
>>>>> Well, I don't have winbind configured for NSS.
>>>>> root at samba:/# getent passwd Administrator
>>>>> root at samba:/# getent passwd AD/Administrator
>>>>> root at samba:/#
>>>>>
>>>>> and AD\Administrator from my Win7 client was mapped to 3000000, not to
>>>>> 0. This could only happen if samba running as root created the file
>>>>> and changed ownership later. This was the general mechanism with
>>>>> samba3, already.
>>>>
>>>> Try this:
>>>> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
>>>>
>>>> This relies on having ldbtools installed and idmap.ldb being in
>>>> /var/lib/samba/private
>>>>
>>>> Search in there for 3000000
>>> root at samba:/# ldbsearch -H /srv/files/private/idmap.ldb xidNumber=3000000
>>> # record 1
>>> dn: CN=S-1-5-32-544
>>> cn: S-1-5-32-544
>>> objectClass: sidMap
>>> objectSid: S-1-5-32-544
>>> type: ID_TYPE_BOTH
>>> xidNumber: 3000000
>>> distinguishedName: CN=S-1-5-32-544
>>>
>>> # returned 1 records
>>> # 1 entries
>>> # 0 referrals
>>> root at samba:/# wbinfo -s S-1-5-32-544
>>> BUILTIN\Administrators 4
>>>
>>> This is however _not_ AD\Administrator:
>>> root at samba:/# ldbsearch -H /srv/files/private/idmap.ldb
>>> objectsid=$(wbinfo -n Administrator | cut -f1 -d' ')
>>> # record 1
>>> dn: CN=S-1-5-21-820921042-1573760902-1500171102-500
>>> cn: S-1-5-21-820921042-1573760902-1500171102-500
>>> objectClass: sidMap
>>> objectSid: S-1-5-21-820921042-1573760902-1500171102-500
>>> type: ID_TYPE_UID
>>> xidNumber: 0
>>> distinguishedName: CN=S-1-5-21-820921042-1573760902-1500171102-500
>>>
>>> # returned 1 records
>>> # 1 entries
>>> # 0 referrals
>>>
>>> which has xid 0 as expected.
>>>
>>> It becomes stranger and stranger ...
>>>
>>> Regards,
>>>  - lars.
>>>
>>>
>>>
>> Well, not really, the only member of the Administrators group is
>> 'Administrator' and somehow, when winbind is not used, 'Administrator'
>> gets mapped to 3000000. The cure? Set up winbind in nsswitch.conf and
>> use ACLs.
>>
>> You are going to have to do this for your unix users and it will make it
>> easier if you also give your users uidNumbers.
>
> Alright, since I do not want ordinary users to log in to my credential
> vault, I'll delegate file service to a member machine.
>
Never done this, but I am fairly sure that you can use PAM to stop users
logging into the server.

> Is there any trouble to expect with samba 3.6.6 (except for the DNS
> issue) as the file server?
>

Well, the only problem is that the 3.6 series will reach EOL sometime
this year. I think that you are using Debian wheezy, so what about 4.1.7
from backports?

Rowland

> Kind regards,
>  - lars.
>
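The confusion in this thread (a file owned by xid 3000000 turning out to be BUILTIN\Administrators rather than AD\Administrator) is easy to check mechanically. The script below is an added example, not code from the thread or from Samba: it parses `ldbsearch` LDIF output from idmap.ldb, resolves the numeric owner shown by `ls -n` to the SID that idmap.ldb assigned it, and names the well-known SIDs. The LDIF sample is constructed, modelled on the records Lars posted.

```python
import re

# Constructed sample of ldbsearch output against idmap.ldb, modelled on the
# two records shown in the thread: BUILTIN\Administrators (S-1-5-32-544) at
# xid 3000000 and the domain Administrator (RID 500) at xid 0.
IDMAP_LDIF = """\
# record 1
dn: CN=S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

# record 2
dn: CN=S-1-5-21-820921042-1573760902-1500171102-500
objectClass: sidMap
objectSid: S-1-5-21-820921042-1573760902-1500171102-500
type: ID_TYPE_UID
xidNumber: 0

# returned 2 records
"""

# Standard Windows well-known SIDs and RIDs; not taken from the thread.
WELL_KNOWN_SIDS = {"S-1-5-32-544": "BUILTIN\\Administrators"}
WELL_KNOWN_RIDS = {"500": "Administrator", "512": "Domain Admins"}

def parse_idmap(ldif):
    """Return {xidNumber: (objectSid, type)} from ldbsearch LDIF output."""
    mapping = {}
    for block in re.split(r"\n\s*\n", ldif):          # one LDIF record per block
        attrs = dict(line.split(": ", 1) for line in block.splitlines()
                     if ": " in line and not line.startswith("#"))
        if "xidNumber" in attrs and "objectSid" in attrs:
            mapping[int(attrs["xidNumber"])] = (attrs["objectSid"], attrs.get("type", "?"))
    return mapping

def owner_xid(ls_line):
    """Numeric owner column of a single `ls -ln` line (third field)."""
    return int(ls_line.split()[2])

def describe_xid(xid, mapping):
    """Explain which SID (and, if well known, which account) a numeric owner is."""
    if xid not in mapping:
        return f"xid {xid}: no idmap.ldb entry (plain local unix id?)"
    sid, kind = mapping[xid]
    rid = sid.rsplit("-", 1)[-1]
    name = WELL_KNOWN_SIDS.get(sid) or WELL_KNOWN_RIDS.get(rid) or "unknown account"
    return f"xid {xid}: {sid} ({name}, {kind})"

if __name__ == "__main__":
    m = parse_idmap(IDMAP_LDIF)
    ls_line = "-rwxrwxr-x+ 1 3000000 users 32 Jun 27 14:24 Erstellt von Admin.txt"
    print(describe_xid(owner_xid(ls_line), m))
```

Run on a real box, feed it `ldbsearch -H /path/to/idmap.ldb objectClass=sidMap` and `ls -ln` of the share; an xid that resolves to a BUILTIN or group SID with ID_TYPE_BOTH is the sign that the token's group, not the user, was chosen as file owner.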