[Samba] How to troubleshoot an ACL error?

Rowland Penny rowlandpenny at googlemail.com
Tue Mar 4 10:18:52 MST 2014


On 04/03/14 16:06, Peter Clark wrote:
> Hi,
>
> Apparently they're not the same:
>
> [root at c3po ~]# getent passwd pclark
> pclark:x:500:500:Peter Clark:/home/pclark:/bin/bash

Are you using Fedora or CentOS or similar, and is pclark a local user?

> [root at c3po ~]# wbinfo -n pclark
> S-1-5-21-3282403630-2364130862-3038773389-1105 SID_USER (1)
> [root at c3po ~]# ldbedit -e pico -H /usr/local/samba/private/idmap.ldb
> objectsid=S-1-5-21-3282403630-2364130862-3038773389-1105
> no matching records - cannot edit

So pclark is also a domain user; he must be, as he has a SID.

>
> I'm sure it's likely that this is some sort of operator error. I thought
> winbind was supposed to take care of this kind of mapping? The AD user and
> computer control panel on a Windows system shows the correct Unix username
> and home dir for the user?

Winbind will take care of this, but the user cannot be a local user on 
the server; he must only exist in AD. If the user is in AD then winbind 
idmapping will map the user to an xidNumber (this is what you should 
find in idmap.ldb), but this can be overridden by giving the user a 
uidNumber (see the UNIX Attributes tab in ADUC). Domain Users must also 
be given a gidNumber and the user must also have this gidNumber; this 
is what 'idmap_ldb:use rfc2307 = yes' in smb.conf is for.

Rowland

>
> On Tue, March 4, 2014 10:34 am, Rowland Penny wrote:
>> On 04/03/14 15:08, Peter Clark wrote:
>>> I'm running Version 4.2.0pre1-GIT-ca3998d on a Fedora 20 host. The
>>> output
>>> of testparm is:
>>>
>>> [global]
>>>           workgroup = SOMETHING
>>>           realm = SOMETHING.SOMETHING.COM
>>>           server role = active directory domain controller
>>>           passdb backend = samba_dsdb
>>>           server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>>> winbind, ntp_signd, kcc, dnsupdate, smb
>>>           dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
>>> netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser,
>>> eventlog6, backupkey, dnsserver, winreg, srvsvc
>>>           rpc_server:tcpip = no
>>>           rpc_daemon:spoolssd = embedded
>>>           rpc_server:spoolss = embedded
>>>           rpc_server:winreg = embedded
>>>           rpc_server:ntsvcs = embedded
>>>           rpc_server:eventlog = embedded
>>>           rpc_server:srvsvc = embedded
>>>           rpc_server:svcctl = embedded
>>>           rpc_server:default = external
>>>           idmap_ldb:use rfc2307 = yes
>>>           idmap config * : backend = tdb
>>>           map archive = No
>>>           map readonly = no
>>>           store dos attributes = Yes
>>>           vfs objects = dfs_samba4, acl_xattr
>>>
>>> [netlogon]
>>>           path =
>>> /usr/local/samba/var/locks/sysvol/something.something.com/scripts
>>>           read only = No
>>>
>>> [sysvol]
>>>           path = /usr/local/samba/var/locks/sysvol
>>>           read only = No
>>>
>>> [homes]
>>>           path = /home
>>>           read only = No
>>>
>>> I can run lists:
>>>
>>>    smbclient -L localhost -U%
>>> Domain=[SOMETHING] OS=[Unix] Server=[Samba 4.2.0pre1-GIT-ca3998d]
>>>
>>>           Sharename       Type      Comment
>>>           ---------       ----      -------
>>>           netlogon        Disk
>>>           sysvol          Disk
>>>           homes           Disk
>>>           IPC$            IPC       IPC Service
>>> localhost is an IPv6 address -- no workgroup available
>>> [pclark at c3po ~]$
>>>
>>> However when I log in as a user and try to go into my homedir:
>>>
>>> Domain=[SOMETHING] OS=[Unix] Server=[Samba 4.2.0pre1-GIT-ca3998d]
>>> smb: \> dir
>>>     .                                   D        0  Sun Mar  2 11:06:09
>>> 2014
>>>     ..                                  D        0  Mon Mar  3 03:44:25
>>> 2014
>>>     pclark                              D        0  Mon Mar  3 13:36:36
>>> 2014
>>>
>>>                   34001 blocks of size 8388608. 13463 blocks available
>>> smb: \> cd pclark
>>> cd \pclark\: NT_STATUS_INVALID_ACL
>>> smb: \>
>>>
>>> getfacl shows:
>>> getfacl pclark
>>> # file: pclark
>>> # owner: pclark
>>> # group: pclark
>>> user::rwx
>>> group::rwx
>>> other::r-x
>>>
>>>
>>> When I try and bring up the folder on a Windows system the security tab
>>> only has an X with an error message that says the "security information
>>> is
>>> unavailable or cannot be displayed", even when logged into the domain as
>>> Administrator.
>>>
>>> My drives are mounted with user_xattr,acl options in /etc/fstab. I'm not
>>> sure how to troubleshoot this further, any thoughts on how to reset the
>>> acl to a baseline that can be later edited (or, what did I do wrong
>>> here?)
>>> would be appreciated.
>>>
>>> Thanks,
>>>
>> OK, so you are trying to log in to a share on the samba server?
>>
>> Does your user have a uidNumber in AD? If so, is this the same number
>> that 'getent passwd pclark' shows on the samba4 server?
>>
>> Rowland
>
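Rowland's checklist above (no local account with the same name, a uidNumber on the user, a gidNumber on Domain Users that the user also carries) written out as a check, added here as an example and not taken from the thread or from Samba itself; it parses constructed /etc/passwd and LDIF text, so the function names, the sample DNs and the ID values are assumptions.

```python
def parse_ldif(text):
    """Return {attr: value} for a single-entry LDIF; first value of an attr wins."""
    entry = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), value.strip())
    return entry

def parse_passwd(text):
    """Return {name: (uid, gid)} from /etc/passwd-style lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4:
            users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users

def diagnose(name, local_passwd, user_ldif, group_ldif):
    """Return findings for a domain user; an empty list means the mapping looks sane."""
    findings = []
    local, user, group = parse_passwd(local_passwd), parse_ldif(user_ldif), parse_ldif(group_ldif)
    if name in local:  # NSS consults /etc/passwd before winbind, so a local account wins
        findings.append(f"{name} exists in /etc/passwd (uid {local[name][0]}) and "
                        "shadows the AD account in getent lookups")
    if "uidNumber" not in user:  # without it winbind allocates an xidNumber in idmap.ldb
        findings.append(f"{name} has no uidNumber in AD; winbind will allocate an xidNumber")
    if "gidNumber" not in group:
        findings.append("Domain Users has no gidNumber; needed with 'idmap_ldb:use rfc2307 = yes'")
    elif user.get("gidNumber") != group["gidNumber"]:
        findings.append(f"{name} gidNumber {user.get('gidNumber')!r} does not match "
                        f"Domain Users gidNumber {group['gidNumber']!r}")
    return findings

# Constructed samples (made-up values): the user is both local and in AD,
# which is the situation in the thread, while the RFC2307 attributes are fine.
LOCAL_PASSWD = "pclark:x:500:500:Peter Clark:/home/pclark:/bin/bash\n"
AD_USER_LDIF = """dn: CN=Peter Clark,CN=Users,DC=example,DC=com
sAMAccountName: pclark
uidNumber: 10001
gidNumber: 10000
"""
AD_GROUP_LDIF = """dn: CN=Domain Users,CN=Users,DC=example,DC=com
gidNumber: 10000
"""

if __name__ == "__main__":
    for finding in diagnose("pclark", LOCAL_PASSWD, AD_USER_LDIF, AD_GROUP_LDIF):
        print("-", finding)
```

On a real DC the inputs would come from /etc/passwd, `ldbsearch` against sam.ldb for the user and for Domain Users, and `ldbsearch -H idmap.ldb` for any xidNumber allocation.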
