[Samba] getting permissions denied on home folders

Rowland Penny rowlandpenny at googlemail.com
Thu Jan 8 12:26:33 MST 2015


On 08/01/15 19:10, Bob of Donelson Trophy wrote:
>   
>
> Part of the smb.conf
>
> [home]
>   path = /home/samba/DTDC01/users
>   comment = user folder 4 redirection
>   read only = no
>
> Hum-m-m?
>
> ---
>
> -------------------------
>
> Bob Wooden of Donelson Trophy
>
> 615.885.2846 (main)
> www.donelsontrophy.com [1]
>
> "Everyone deserves an award!!"
>
> On 2015-01-08 12:56, Rowland Penny wrote:
>
>> On 08/01/15 18:37, Bob of Donelson Trophy wrote:
>> First, I keep forgetting that I need to change the email address to reply to the mailing list. Sorry about that, everyone. (Hard to follow a thread that is fragmented like this one now is.) I am focusing too intently on my problem.
>>
>> Rowland, changed to 0755 for the three directories you suggested and still getting "Access is denied" from my W7 client. I even restarted the server and still get "Access is denied."
>>
>> And 'profiles' appeared to be working fine . . . I cannot figure out why 'users' would be acting like this? The only difference I can see is that 'users' has a "sticky bit" and 'profiles' does not. But, 'users' needs a "sticky bit" doesn't it?
>>
>> --- ------------------------- Bob Wooden of Donelson Trophy 615.885.2846 (main) www.donelsontrophy.com [1] "Everyone deserves an award!!"
>>
>> On 2015-01-08 11:59, Rowland Penny wrote:
>> On 08/01/15 17:28, Bob of Donelson Trophy wrote:
>>
>> Here is:
>>
>> root@dtmember01:~# getfacl /home/samba/DTDC01/users
>> getfacl: Removing leading '/' from absolute path names
>> # file: home/samba/DTDC01/users
>> # owner: root
>> # group: root
>> user::rwx
>> group::r-x
>> other::r-x
>> default:user::rwx
>> default:group::r-x
>> default:group:50010:rwx
>> default:mask::rwx
>> default:other::r-x
>>
>> And yes, I have looked at https://wiki.samba.org/index.php/Setting_up_a_home_share [2] but, can't explore that until I fix this permissions "denied" issue. Now?
>>
>> --- ------------------------- Bob Wooden of Donelson Trophy 615.885.2846 (main) www.donelsontrophy.com [1] "Everyone deserves an award!!"
>>
>> On 2015-01-08 11:14, Rowland Penny wrote:
>> On 08/01/15 17:02, Bob of Donelson Trophy wrote:
>>
>> Made the changes you suggested and still getting "Access is denied" on W7 client. Here is some info that might help:
>>
>> root@dtmember01:~# cat /etc/samba/samba_usermapping
>> !root = DTDC01Administrator Administrator administrator
>>
>> root@dtmember01:~# ls -alh /home/samba/DTDC01/users
>> total 8.0K
>> drwxr-xr-x+ 2 root root 4.0K Dec 31 15:38 .
>> drwxr-xr-t 5 root root 4.0K Dec 31 15:38 ..
>>
>> root@dtmember01:~# ls -alh /home/samba/DTDC01
>> total 24K
>> drwxr-xr-t 5 root root 4.0K Dec 31 15:38 .
>> drwxr-xr-x 4 root root 4.0K Dec 31 15:38 ..
>> drwxrwsr-x 2 root root 4.0K Dec 31 15:38 companydata
>> drwxrwx--T 7 root 50005 4.0K Jan 4 12:10 profiles
>> drwxr-xr-x+ 2 root root 4.0K Dec 31 15:38 users
>>
>> Does it matter . . . those tiny "plus" signs after some of the permissions? And the "50005" group? Further suggestions or questions?
>>
>> OK, the tiny "plus" signs mean that you have ACL's set on users, and 50005 comes from here: 'idmap config *:range = 50001-80000' and is a BUILTIN object. You can find out which with 'wbinfo -G 50005'
>>
>> To find out what ACL's are set on 'users':
>>
>> getfacl /home/samba/DTDC01/users
>>
>> Also, as we are discussing users home dirs, have you had a look here: https://wiki.samba.org/index.php/Setting_up_a_home_share [2]
>>
>> Rowland
>>
>> --- ------------------------- Bob Wooden of Donelson Trophy 615.885.2846 (main) www.donelsontrophy.com [1] "Everyone deserves an award!!"
>>
>> On 2015-01-08 10:49, Rowland Penny wrote:
>> On 08/01/15 16:38, Bob of Donelson Trophy wrote:
>>
>> Thanks Rowland, I have created both my DC and my MEMBER servers with Louis' scripts. On the MEMBER server, within the smb.conf is this snip <<<<<
>   # user Administrator workaround, without it you are unable to set privileges
>   username map = /etc/samba/samba_usermapping
>
>> snip <<<<<
>
> Then the /etc/samba/samba_usermapping file contains
>
>   !root = DTDC01Administrator DTDC01administrator
>
> This would be the manner that the scripts created as I have not changed anything in the area, myself. What is "throwing me a curve" is the different file names. (Maybe I am over analyzing this but details are details.) So, you're saying change my '/etc/samba/samba_usermapping' to? '!root = DTDC01Administrator Administrator administrator'
>
> (BTW, I only mentioned the hidden files as they were the only thing listed, as a way to reference the owner:group settings.)
>
> --- ------------------------- Bob Wooden of Donelson Trophy 615.885.2846 (main) www.donelsontrophy.com [1] "Everyone deserves an award!!"
>
> On 2015-01-08 10:07, Rowland Penny wrote:
> On 08/01/15 15:41, Bob of Donelson Trophy wrote:
>
> I have a fresh Debian based Samba server and Member server setup. I have configured profiles and they appear to be saving properly to the member server. When I attempt to adjust file permissions (as instructed by the Sambawiki page "Samba & Windows Profiles") I am getting "Access Denied" complaints. These I believe (I could be wrong) relate to the file permissions within Debian member server. When I 'ls -alh /home/samba/DOMAIN/users' I get root:root owning both the single 'dot' and double 'dot' hidden files that are listed there. What should these permissions be? Or am I having some permissions issue between the DC and the member server?
>
> Hi Bob, the 'hidden' dot files aren't really hidden, from your path, the '.' is 'users' and '..' is 'DOMAIN' :-) If, as seems, you created the directories as root, you should be good to go, I think that it may be a problem with who is trying to set the ACL's from windows. This needs to be Administrator, who should be mapped to root (yes the user who owns the directory on the member server) via a line in smb.conf and a file that the line refers to. i.e. 'username map = /etc/samba/user.map' and 'user.map' containing just one line: '!root = EXAMPLEAdministrator Administrator administrator'
>
> Rowland
>
> Hi, what the file does is map anything from the right hand side of the equals sign to whoever is at the left hand side of the equals sign, the '!' sign means 'stop searching if a mapping is found in this line', you can have more than one line/user in the file. What I would do is add 'Administrator administrator' to your file and restart samba and try again. If you are using Louis's script, you will have this line in smb.conf: 'winbind use default domain = yes', this means that you do not have to use the DOMAIN name and this may be your problem.
>
> Rowland
>
> OK, Louis seems to do things differently to me, he appears to be setting the 'sticky bit' on the following dirs:
>
>   /home/samba/DOMAIN
>   /home/samba/DOMAIN/users
>   /home/samba/DOMAIN/profiles
>
> This is something that I have never done (and have never had problems through not doing it), so you could try 'chmod 0755' on those three dirs and make sure that they are owned by root:root, then try again from windows.
>
> Rowland
>
> Links:
> ------
> [1] http://www.donelsontrophy.com
> [2] https://wiki.samba.org/index.php/Setting_up_a_home_share
>
> What is in smb.conf for the 'users' share ?
>
> Rowland
>
>   
>
> Links:
> ------
> [1] http://www.donelsontrophy.com
> [2] https://wiki.samba.org/index.php/Setting_up_a_home_share

Ok, have you tried what it says on this page: 
https://wiki.samba.org/index.php/Setting_up_a_home_share

Specifically from 'Setting up the share and filesystem permissions' onwards

When you create the share as root, you should get the correct 
permissions (0755) and you should then be able to connect to the share 
and set the ACL's

You could check if the Administrators group has the 
'SeDiskOperatorPrivilege':

net rpc rights list accounts -Uadministrator

If not, set the privilege:

net rpc rights grant 'BUILTIN\Administrators' SeDiskOperatorPrivilege -Uadministrator

Rowland
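
Added example, not part of the original message or of Samba's own tooling: two shell helpers for the checks discussed in this thread, one that reads `net rpc rights list accounts` output and reports whether an account holds a right, and one that names the special bits in an `ls -l` permission string. The function names, the sample output and the assumed output layout (account line, one right per line, blank line between accounts) are constructed for illustration.

```shell
#!/bin/sh
# Added example: helper names and sample data are hypothetical.

# has_right ACCOUNT RIGHT
# Reads `net rpc rights list accounts` output on stdin; succeeds if ACCOUNT
# holds RIGHT. Assumed layout: account line, one right per line, blank line
# between accounts. Values are passed through ENVIRON because `awk -v` would
# treat the backslash in DOMAIN\name as an escape sequence.
has_right() {
    ACCT="$1" RIGHT="$2" awk '
        BEGIN { want = tolower(ENVIRON["ACCT"]); right = ENVIRON["RIGHT"] }
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { cur = ""; next }              # blank line ends an account
        cur == "" { cur = tolower($0); next }    # first line is the account
        cur == want && $0 == right { found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# explain_perms PERMSTRING
# PERMSTRING is the first column of `ls -l`, e.g. drwxr-xr-x+
# Prints which of acl / sticky / setgid are present, or "plain".
explain_perms() {
    p=$1; notes=""
    case $p in *+) notes="$notes acl" ;; esac
    case $(printf '%s' "$p" | cut -c10) in t|T) notes="$notes sticky" ;; esac
    case $(printf '%s' "$p" | cut -c7) in s|S) notes="$notes setgid" ;; esac
    notes=${notes# }
    printf '%s\n' "${notes:-plain}"
}

# Constructed sample of `net rpc rights list accounts` output.
SAMPLE='BUILTIN\Print Operators
No privileges assigned

BUILTIN\Administrators
SeDiskOperatorPrivilege'

if printf '%s\n' "$SAMPLE" | has_right 'BUILTIN\Administrators' SeDiskOperatorPrivilege
then echo "SeDiskOperatorPrivilege: granted"
else echo "SeDiskOperatorPrivilege: missing"
fi

# Permission strings as they appear in the ls output quoted in this thread.
for p in drwxr-xr-t drwxr-xr-x+ drwxrwx--T; do
    echo "$p: $(explain_perms "$p")"
done
```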


