[Samba] getting permissions denied on home folders

Bob of Donelson Trophy bob at donelsontrophy.net
Thu Jan 8 12:10:56 MST 2015


 

Part of the smb.conf 

[home]
 path = /home/samba/DTDC01/users
 comment = user folder 4 redirection
 read only = no 

Hum-m-m? 

---

-------------------------

Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com [1]

"Everyone deserves an award!!"

On 2015-01-08 12:56, Rowland Penny wrote: 

> On 08/01/15 18:37, Bob of Donelson Trophy wrote:
>
> First, I keep forgetting that I need to change the email address to reply to the mailing list. Sorry about that, everyone. (Hard to follow a thread that is fragmented like this one now is.) I am focusing too intently on my problem.
>
> Rowland, changed to 0755 for the three directories you suggested and still getting "Access is denied" from my W7 client. I even restarted the server and still get "Access is denied."
>
> And 'profiles' appeared to be working fine . . . I cannot figure out why 'users' would be acting like this? The only difference I can see is that 'users' has a "sticky bit" and 'profiles' does not. But, 'users' needs a "sticky bit" doesn't it?
>
> On 2015-01-08 11:59, Rowland Penny wrote:
>
> On 08/01/15 17:28, Bob of Donelson Trophy wrote:
>
> Here is:
>
> root@dtmember01:~# getfacl /home/samba/DTDC01/users
> getfacl: Removing leading '/' from absolute path names
> # file: home/samba/DTDC01/users
> # owner: root
> # group: root
> user::rwx
> group::r-x
> other::r-x
> default:user::rwx
> default:group::r-x
> default:group:50010:rwx
> default:mask::rwx
> default:other::r-x
>
> And yes, I have looked at https://wiki.samba.org/index.php/Setting_up_a_home_share [2] but, can't explore that until I fix this permissions "denied" issue.
>
> Now?
>
> On 2015-01-08 11:14, Rowland Penny wrote:
>
> On 08/01/15 17:02, Bob of Donelson Trophy wrote:
>
> Made the changes you suggested and still getting "Access is denied" on W7 client. Here is some info that might help:
>
> root@dtmember01:~# cat /etc/samba/samba_usermapping
> !root = DTDC01Administrator Administrator administrator
>
> root@dtmember01:~# ls -alh /home/samba/DTDC01/users
> total 8.0K
> drwxr-xr-x+ 2 root root 4.0K Dec 31 15:38 .
> drwxr-xr-t  5 root root 4.0K Dec 31 15:38 ..
>
> root@dtmember01:~# ls -alh /home/samba/DTDC01
> total 24K
> drwxr-xr-t  5 root root  4.0K Dec 31 15:38 .
> drwxr-xr-x  4 root root  4.0K Dec 31 15:38 ..
> drwxrwsr-x  2 root root  4.0K Dec 31 15:38 companydata
> drwxrwx--T  7 root 50005 4.0K Jan  4 12:10 profiles
> drwxr-xr-x+ 2 root root  4.0K Dec 31 15:38 users
>
> Does it matter . . . those tiny "plus" signs after some of the permissions? And the "50005" group?
>
> Further suggestions or questions?
>
> OK, the tiny "plus" signs mean that you have ACL's set on users, and 50005 comes from here: 'idmap config *:range = 50001-80000' and is a BUILTIN object. You can find out which with 'wbinfo -G 50005'
>
> To find out what ACL's are set on 'users':
>
> getfacl /home/samba/DTDC01/users
>
> Also, as we are discussing users home dirs, have you had a look here: https://wiki.samba.org/index.php/Setting_up_a_home_share [2]
>
> Rowland
>
> On 2015-01-08 10:49, Rowland Penny wrote:
>
> On 08/01/15 16:38, Bob of Donelson Trophy wrote:
>
> Thanks Rowland, I have created both my DC and my MEMBER servers with Louis' scripts. On the MEMBER server, within the smb.conf is this
>
> snip <<<<<
> # user Administrator workaround, without it you are unable to set privileges
> username map = /etc/samba/samba_usermapping
> snip <<<<<
>
> Then the /etc/samba/samba_usermapping file contains
>
> !root = DTDC01Administrator DTDC01administrator
>
> This would be the manner that the scripts created as I have not changed anything in the area, myself. What is "throwing me a curve" is the different file names. (Maybe I am over analyzing this but details are details.)
>
> So, you're saying change my '/etc/samba/samba_usermapping' to?
>
> '!root = DTDC01Administrator Administrator administrator'
>
> (BTW, I only mentioned the hidden files as they were the only thing listed, as a way to reference the owner:group settings.)
>
> On 2015-01-08 10:07, Rowland Penny wrote:
>
> On 08/01/15 15:41, Bob of Donelson Trophy wrote:
>
> I have a fresh Debian based Samba server and Member server setup. I have configured profiles and they appear to be saving properly to the member server. When I attempt to adjust file permissions (as instructed by the Sambawiki page "Samba & Windows Profiles") I am getting "Access Denied" complaints. These I believe (I could be wrong) relate to the file permissions within Debian member server.
>
> When I 'ls -alh /home/samba/DOMAIN/users' I get root:root owning both the single 'dot' and double 'dot' hidden files that are listed there. What should these permissions be? Or am I having some permissions issue between the DC and the member server?
>
> Hi Bob, the 'hidden' dot files aren't really hidden, from your path, the '.' is 'users' and '..' is 'DOMAIN' :-)
>
> If, as seems, you created the directories as root, you should be good to go, I think that it may be a problem with who is trying to set the ACL's from windows. This needs to be Administrator, who should be mapped to root (yes the user who owns the directory on the member server) via a line in smb.conf and a file that the line refers to, i.e. 'username map = /etc/samba/user.map' and 'user.map' containing just one line:
>
> '!root = EXAMPLEAdministrator Administrator administrator'
>
> Rowland
>
> Hi, what the file does is map anything from the right hand side of the equals sign to whoever is at the left hand side of the equals sign, the '!' sign means 'stop searching if a mapping is found in this line', you can have more than one line/user in the file.
>
> What I would do is add 'Administrator administrator' to your file and restart samba and try again. If you are using Louis's script, you will have this line in smb.conf: 'winbind use default domain = yes', this means that you do not have to use the DOMAIN name and this may be your problem.
>
> Rowland
>
> OK, Louis seems to do things differently to me, he appears to be setting the 'sticky bit' on the following dirs:
>
> /home/samba/DOMAIN
> /home/samba/DOMAIN/users
> /home/samba/DOMAIN/profiles
>
> This is something that I have never done (and have never had problems through not doing it), so you could try 'chmod 0755' on those three dirs and make sure that they are owned by root:root, then try again from windows.
>
> Rowland
>
> What is in smb.conf for the 'users' share?
>
> Rowland

 

Links:
------
[1] http://www.donelsontrophy.com
[2] https://wiki.samba.org/index.php/Setting_up_a_home_share
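
What the getfacl output posted in the thread grants on the 'users' directory itself, compared with what its default: entries pass on to children, as an added example (not from the thread, and not Samba or acl-tools code). The user name jdoe and its membership of gid 50010 are assumptions made for illustration.

```python
# Added example: evaluate getfacl text with the POSIX ACL check order.
# Not modelled: root's DAC override and Samba's own share-level checks.
R, W, X = 4, 2, 1

# getfacl output as posted in the thread.
POSTED = """\
# file: home/samba/DTDC01/users
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:50010:rwx
default:mask::rwx
default:other::r-x
"""

def parse_getfacl(text):
    """Return owner, owning group, and access/default entry lists."""
    acl = {"owner": None, "group": None, "access": [], "default": []}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith(("# owner:", "# group:")):
            key, value = line[2:].split(":", 1)
            acl[key] = value.strip()
        elif line and not line.startswith("#"):
            kind = "default" if line.startswith("default:") else "access"
            if kind == "default":
                line = line[len("default:"):]
            tag, qualifier, perm = line.split(":")
            acl[kind].append((tag, qualifier, sum(
                b for c, b in zip("rwx", (R, W, X)) if c in perm)))
    return acl

def allows(acl, user, groups, want, kind="access"):
    """True if `user` (in `groups`) gets every bit in `want`."""
    def find(tag, qual=""):
        return [p for t, q, p in acl[kind] if t == tag and q == qual]
    mask = (find("mask") or [R | W | X])[0]
    if user == acl["owner"]:
        return (find("user")[0] & want) == want
    if find("user", user):
        return (find("user", user)[0] & mask & want) == want
    hits = [p for g in groups for p in find("group", g)]
    if acl["group"] in groups:
        hits += find("group")
    if hits:  # a matching group entry decides; no fall-through to other
        return any((p & mask & want) == want for p in hits)
    return (find("other")[0] & want) == want
```

With `kind="access"` the check uses the entries that apply to the directory itself; `kind="default"` evaluates the entries a child created inside it would inherit.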
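
The username map rules Rowland describes (names on the right are rewritten to the name on the left, and '!' stops processing once that line has mapped), as an added sketch that is not Samba's code and not from the thread. It handles plain names, the '*' wildcard and comment lines only; case-insensitive matching and the EXAMPLE\Administrator sample names are assumptions.

```python
# Added illustration of Samba 'username map' processing (simplified).
# Assumptions: case-insensitive matching; no @group or quoted names.

def parse_map(text):
    """Return a list of (unix_name, [client names], stop_flag) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        stop = line.startswith("!")          # '!': stop if this line maps
        if stop:
            line = line[1:].lstrip()
        unix_name, sep, rhs = line.partition("=")
        if not sep or not unix_name.strip():
            continue                         # malformed line, ignore it
        rules.append((unix_name.strip(), rhs.split(), stop))
    return rules


def map_user(rules, client_name):
    """Apply rules top to bottom; a matching line rewrites the name."""
    name = client_name
    for unix_name, names, stop in rules:
        wanted = name.lower()
        if any(n == "*" or n.lower() == wanted for n in names):
            name = unix_name
            if stop:
                break                        # later lines are not consulted
    return name


# Constructed sample files; EXAMPLE is a placeholder domain name.
ONLY_PREFIXED = "!root = EXAMPLE\\Administrator\n"
WITH_BARE = "!root = EXAMPLE\\Administrator Administrator administrator\n"
NO_BANG = "root = admin\nguest = *\n"
WITH_BANG = "!root = admin\nguest = *\n"


def demo():
    """Resolve a bare 'Administrator' and show why '!' matters."""
    return {
        "prefixed_only": map_user(parse_map(ONLY_PREFIXED), "Administrator"),
        "with_bare": map_user(parse_map(WITH_BARE), "Administrator"),
        "no_bang": map_user(parse_map(NO_BANG), "admin"),
        "with_bang": map_user(parse_map(WITH_BANG), "admin"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```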

