[Samba] getting permissions denied on home folders

Bob of Donelson Trophy bob at donelsontrophy.net
Thu Jan 8 11:37:34 MST 2015


 

First, I keep forgetting that I need to change the email address to
reply to the mailing list. Sorry about that, everyone. (Hard to follow a
thread that is fragmented like this one now is.) I am focusing too
intently on my problem. 

Rowland, changed to 0755 for the three directories you suggested and
still getting "Access is denied" from my W7 client. I even restarted the
server and still get "Access is denied." 

And 'profiles' appeared to be working fine . . . I cannot figure out why
'users' would be acting like this? 

The only difference I can see is that 'users' has a "sticky bit" and
'profiles' does not. But, 'users' needs a "sticky bit" doesn't it? 

---

-------------------------

Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com [1]

"Everyone deserves an award!!"

On 2015-01-08 11:59, Rowland Penny wrote: 

> On 08/01/15 17:28, Bob of Donelson Trophy wrote: 
> 
> Here is: 
> 
> root@dtmember01:~# getfacl /home/samba/DTDC01/users
> getfacl: Removing leading '/' from absolute path names
> # file: home/samba/DTDC01/users
> # owner: root
> # group: root
> user::rwx
> group::r-x
> other::r-x
> default:user::rwx
> default:group::r-x
> default:group:50010:rwx
> default:mask::rwx
> default:other::r-x 
> 
> And yes, I have looked at https://wiki.samba.org/index.php/Setting_up_a_home_share [2] but, can't explore that until I fix this permissions "denied" issue. 
> 
> Now? 
> 
> 
> On 2015-01-08 11:14, Rowland Penny wrote: 
> On 08/01/15 17:02, Bob of Donelson Trophy wrote: 
> 
> Made the changes you suggested and still getting "Access is denied" on W7 client. 
> 
> Here is some info that might help: 
> 
> root@dtmember01:~# cat /etc/samba/samba_usermapping
> !root = DTDC01Administrator Administrator administrator
> root@dtmember01:~# ls -alh /home/samba/DTDC01/users
> total 8.0K
> drwxr-xr-x+ 2 root root 4.0K Dec 31 15:38 .
> drwxr-xr-t 5 root root 4.0K Dec 31 15:38 ..
> root@dtmember01:~# ls -alh /home/samba/DTDC01
> total 24K
> drwxr-xr-t 5 root root 4.0K Dec 31 15:38 .
> drwxr-xr-x 4 root root 4.0K Dec 31 15:38 ..
> drwxrwsr-x 2 root root 4.0K Dec 31 15:38 companydata
> drwxrwx--T 7 root 50005 4.0K Jan 4 12:10 profiles
> drwxr-xr-x+ 2 root root 4.0K Dec 31 15:38 users 
> 
> Does it matter . . . those tiny "plus" signs after some of the permissions? And the "50005" group? 
> 
> Further suggestions or questions? 
> 
> OK, the tiny "plus" signs mean that you have ACL's set on users, and 50005 comes from here: 'idmap config *:range = 50001-80000' and is a BUILTIN object. You can find out which with 'wbinfo -G 50005'
> 
> To find out what ACL's are set on 'users': getfacl /home/samba/DTDC01/users
> 
> Also, as we are discussing users home dirs, have you had a look here: https://wiki.samba.org/index.php/Setting_up_a_home_share [2]
> 
> Rowland
> 
> 
> On 2015-01-08 10:49, Rowland Penny wrote: 
> On 08/01/15 16:38, Bob of Donelson Trophy wrote: 
> 
> Thanks Rowland, 
> 
> I have created both my DC and my MEMBER servers with Louis' scripts. 
> 
> On the MEMBER server, within the smb.conf is this 
> 
>>>>> snip <<<<< 
> 
> # user Administrator workaround, without it you are unable to set privileges
> username map = /etc/samba/samba_usermapping 
> 
>>>>> snip <<<<< 
> 
> Then the /etc/samba/samba_usermapping file contains 
> 
> !root = DTDC01Administrator DTDC01administrator 
> 
> This would be the manner that the scripts created as I have not changed anything in the area, myself. What is "throwing me a curve" is the different file names. (Maybe I am over analyzing this but details are details.) 
> 
> So, you're saying change my '/etc/samba/samba_usermapping' to? 
> 
> '!root = DTDC01Administrator Administrator administrator' 
> 
> (BTW, I only mentioned the hidden files as they were the only thing listed, as a way to reference the owner:group settings.) 
> 
> On 2015-01-08 10:07, Rowland Penny wrote: 
> 
> On 08/01/15 15:41, Bob of Donelson Trophy wrote:
> I have a fresh Debian based Samba server and Member server setup. I have configured profiles and they appear to be saving properly to the member server. When I attempt to adjust file permissions (as instructed by the Sambawiki page "Samba & Windows Profiles") I am getting "Access Denied" complaints. These I believe (I could be wrong) relate to the file permissions within Debian member server. When I 'ls -alh /home/samba/DOMAIN/users' I get root:root owning both the single 'dot' and double 'dot' hidden files that are listed there. What should these permissions be? Or am I having some permissions issue between the DC and the member server? 
> 
> Hi Bob, the 'hidden' dot files aren't really hidden, from your path, the '.' is 'users' and '..' is 'DOMAIN' :-)
> 
> If, as seems, you created the directories as root, you should be good to go, I think that it may be a problem with who is trying to set the ACL's from Windows. This needs to be Administrator, who should be mapped to root (yes the user who owns the directory on the member server) via a line in smb.conf and a file that the line refers to. i.e. 'username map = /etc/samba/user.map' and 'user.map' containing just one line:
> 
> '!root = EXAMPLEAdministrator Administrator administrator'
> 
> Rowland

 Hi, what the file does is map anything from the right hand side of the
equals sign to whoever is at the left hand side of the equals sign, the
'!' sign means 'stop searching if a mapping is found in this line', you
can have more than one line/user in the file.

 What I would do is add 'Administrator administrator' to your file and
restart samba and try again.

 If you are using Louis's script, you will have this line in smb.conf:
'winbind use default domain = yes' , this means that you do not have to
use the DOMAIN name and this may be your problem.

 Rowland

 OK, Louis seems to do things differently to me, he appears to be
setting the 'sticky bit' on the following dirs:

 /home/samba/DOMAIN
 /home/samba/DOMAIN/users
 /home/samba/DOMAIN/profiles

 This is something that I have never done (and have never had problems
through not doing it), so you could try 'chmod 0755' on those three
dirs and make sure that they are owned by root:root, then try again from
Windows.

 Rowland

 

Links:
------
[1] http://www.donelsontrophy.com
[2] https://wiki.samba.org/index.php/Setting_up_a_home_share
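
A way to check the three directories named in the thread against the values suggested there (mode 0755, owner root:root), reporting the sticky bit and the ACL "+" marker for each. This is an added example, not part of the original messages; the function names `audit_dir` and `audit_share_tree` are hypothetical, GNU `stat` is assumed, and the share root is whatever path you pass in.

```shell
#!/bin/sh
# Added example: audit the share directories discussed in the thread.
# Assumptions: GNU stat (as on Debian); expected values default to the
# ones suggested in the thread: mode 0755, owner root:root (uid:gid 0:0).

# audit_dir PATH [EXPECTED_MODE] [EXPECTED_UID:GID]
# Prints one report line. Returns 0 on match, 1 on mismatch, 2 if missing.
audit_dir() {
    dir=$1
    want_mode=${2:-755}
    want_owner=${3:-0:0}

    [ -d "$dir" ] || { echo "$dir: not a directory"; return 2; }

    mode=$(stat -c '%a' "$dir")        # octal, e.g. 755 or 1755
    owner=$(stat -c '%u:%g' "$dir")    # numeric uid:gid
    perms=$(ls -ld -- "$dir" | cut -d' ' -f1)

    # Special bits sit above the nine rwx bits: 1=sticky, 2=setgid.
    special=$(( (0$mode >> 9) & 7 ))
    sticky=no; setgid=no
    if [ $(( special & 1 )) -ne 0 ]; then sticky=yes; fi
    if [ $(( special & 2 )) -ne 0 ]; then setgid=yes; fi

    # A trailing "+" in the ls mode string means ACL entries are present
    # (default ACL entries count too); inspect them with getfacl.
    case "$perms" in *+) acl=yes ;; *) acl=no ;; esac

    verdict=OK
    if [ $(( 0$mode )) -ne $(( 0$want_mode )) ] || [ "$owner" != "$want_owner" ]; then
        verdict=DIFFERS
    fi
    echo "$dir: mode=$mode owner=$owner sticky=$sticky setgid=$setgid acl=$acl -> $verdict"
    [ "$verdict" = OK ]
}

# audit_share_tree BASE [EXPECTED_MODE] [EXPECTED_UID:GID]
# Checks BASE, BASE/users and BASE/profiles; returns 1 if any differs.
audit_share_tree() {
    base=$1; rc=0
    for d in "$base" "$base/users" "$base/profiles"; do
        audit_dir "$d" "$2" "$3" || rc=1
    done
    return $rc
}

# Run against a share root when one is given on the command line.
if [ "$#" -gt 0 ]; then audit_share_tree "$1"; fi
```

Run it as root with the share root as the only argument; a directory that reports `acl=yes` still needs `getfacl` to see which entries are set.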

