[Samba] How to troubleshoot an ACL error?
rowlandpenny at googlemail.com
Tue Mar 4 13:18:29 MST 2014
On 04/03/14 19:11, Peter Clark wrote:
> On Tue, March 4, 2014 12:18 pm, Rowland Penny wrote:
>> On 04/03/14 16:06, Peter Clark wrote:
>>> Apparently they're not the same:
>>> [root@c3po ~]# getent passwd pclark
>>> pclark:x:500:500:Peter Clark:/home/pclark:/bin/bash
>> Are you using fedora or centos or similar and is pclark a local user?
> Fedora 20, yes, 'pclark' is also a local user.
Thought so, remove the local user, you cannot have the same user in AD
and as a local user.
>>> [root@c3po ~]# wbinfo -n pclark
>>> S-1-5-21-3282403630-2364130862-3038773389-1105 SID_USER (1)
>>> [root@c3po ~]# ldbedit -e pico -H /usr/local/samba/private/idmap.ldb
>>> no matching records - cannot edit
>> So pclark is also a domain user, must be, he has a SID
> Yes, I created a domain user with a login 'pclark' with ADUC.
OK, use this user.
>>> I'm sure it's likely that this is some sort of operator error. I thought
>>> winbind was supposed to take care of this kind of mapping? The AD user
>>> computer control panel on a Windows system shows the correct Unix
>>> and home dir for the user?
>> Winbind will take care of this, but the user cannot be a local user on the
>> server, he must only exist in AD. If the user is in AD then winbind
>> idmapping will map the user to a xidNumber (this is what you should find
>> in idmap.ldb), but this can be overridden by giving the user a uidNumber
>> (see UNIX Attributes tab in ADUC), Domain Users must also be given a
>> gidNumber and the user must also have this gidNumber, this is what
>> 'idmap_ldb:use rfc2307 = yes' in smb.conf is for.
> Alright, I'll try and reset the ADUC tab for the pclark user to have
> 500:500 like the local user and see how that goes.
Note that I never said this, but you might want to also set up sssd on
the samba4 server.
> However, why can't the Administrator login get the security attributes of
> that share either?
It is probably because you are using [homes], this does not work with
> smbclient -U administrator \\\\localhost\\homes
> Enter administrator's password:
> Domain=[PHOUSE] OS=[Unix] Server=[Samba 4.2.0pre1-GIT-ca3998d]
> smb: \> dir
> . D 0 Tue Mar 4 09:51:42 2014
> .. D 0 Tue Mar 4 03:30:54 2014
> pclark D 0 Tue Mar 4 14:10:10 2014
> 34001 blocks of size 8388608. 13438 blocks available
> smb: \> cd pclark
> cd \pclark\: NT_STATUS_INVALID_ACL
> smb: \>
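
Added example (not part of the original post): a shell check for the condition named in the reply above, an account name that exists both as a local user and in AD. The function names and the sample passwd and `wbinfo -u` data are constructed for illustration.

```shell
#!/bin/sh
# Report account names present both in a local passwd file and in the
# domain user list. Sample data below is constructed, not from a real host.

# Constructed sample of /etc/passwd (name:pw:uid:gid:gecos:home:shell).
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
pclark:x:500:500:Peter Clark:/home/pclark:/bin/bash
backup:x:501:501::/home/backup:/sbin/nologin
EOF
}

# Constructed sample of `wbinfo -u` output; names may carry a DOMAIN\ prefix.
sample_domain_users() {
cat <<'EOF'
PHOUSE\Administrator
PHOUSE\Guest
PHOUSE\krbtgt
PHOUSE\PClark
EOF
}

# find_collisions PASSWD_FILE DOMAIN_USERS_FILE
# Prints "name uid" for every local account whose name is also a domain
# account. The comparison ignores case because AD account names do.
find_collisions() {
    awk -F: '
        NR == FNR {                       # first file: domain users
            sub(/^.*\\/, "", $0)          # drop DOMAIN\ prefix if present
            if ($0 != "") domain[tolower($0)] = 1
            next
        }
        /^#/ || NF < 3 { next }           # skip comments and short lines
        (tolower($1) in domain) { print $1, $3 }
    ' "$2" "$1"
}

# Run the check over the constructed samples.
demo() {
    tmp=$(mktemp -d) || return 1
    sample_passwd > "$tmp/passwd"
    sample_domain_users > "$tmp/domain"
    find_collisions "$tmp/passwd" "$tmp/domain"
    rm -rf "$tmp"
}

demo
```

On a live server the two inputs would be `/etc/passwd` and the saved output of `wbinfo -u`; reading `/etc/passwd` directly avoids counting winbind-provided entries as local ones.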