[Samba] Cannot browse mode 0700 directories from Windows with security=ads

Rowland penny rpenny at samba.org
Fri Apr 15 15:06:53 UTC 2016


On 15/04/16 15:20, Ian Collier wrote:
> We've had a samba server running for ages on CentOS 6 with samba 3.6.23.
> (We're hoping to move to CentOS 7 and samba 4.2.10 soon but in the meantime
> we'd like to keep this one working.)
>
> The situation is that we have a Unix domain (LDAP/Kerberos) and a Windows
> domain (AD) with identical usernames, and we are running Samba primarily
> to give Windows users access to some directories on Unix.  We have
> joined the Samba server to the Windows domain, and have "security=ads"
> in the config.  However, we also have some users who connect from Mac
> and Unix clients.  The usernames on the Samba server itself come from
> the Unix domain, so it's only using the Windows AD to validate people's
> passwords when they connect to Samba.
>
> We have been running happily without running winbindd on the Samba server
> and it's all been working perfectly.
>
> However, since the Badlock patches, the Samba server can no longer
> authenticate clients from Mac or Unix workstations.  I understand
> that this is a known issue, and the official answer is "run winbindd".
> Well OK, but unfortunately Winbind seems to have messed up all our
> access permissions.
>
> With Winbind running, all users can successfully connect, and all Unix
> users can access the correct shares, but Windows is telling some people
> "You do not have permission to access X" on some shares.
>
> The first thing we noticed is that users don't have access to directories
> that are shared using group permissions.  So if the directory is mode 0770,
> not owned by me, but owned by a group that I am a member of, I don't have
> access from Windows.
>
> If we put "force group = X" in the config for that share, where X is the
> group owner of the directory (that I am already a member of), I am allowed
> access again.  But I don't like to do this because it might grant access
> to some people who are not members of the group.
>
> I found from searching on this issue that the problem is likely related
> to the fact that the Windows AD groups are being used rather than the
> Unix groups, and that we should put "username map script = /bin/echo"
> in the config.
>
> With that in place, I can now browse any share with group permissions -
> great!  Unfortunately, this stops me from being able to access any
> folder that has mode 0700 from Windows even if I own it.
>
> ... What have I missed, and what do I need to look at?  BTW I have no
> idea what a SID or a RID is, but this does seem to be important somehow.
>
> Thanks
> Ian Collier
>

OK, the SID is what identifies the domain; it mostly looks like this:

S-1-5-21-1768301897-3342589593-1064908849

I say 'mostly' because there are some specialised SIDs used by the 
BUILTIN users & groups etc.

The RID is a unique number that identifies the user, group, etc. object 
and usually starts from 1000 (again, there are exceptions: Administrator 
is always '500').

So, to identify a user, you would have the SID, with the RID on the end i.e.

S-1-5-21-1768301897-3342589593-1064908849-1000

You really shouldn't have to worry about any of this, because whatever 
tool you use to create a user or group etc, the SID-RID should be 
created automatically.

Having got that out of the way, can you post your smb.conf ?

Rowland
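As an added example (not code from the thread or from Samba), the following Python snippet splits a SID string into the domain SID and trailing RID exactly as the reply describes, using the SID quoted above. The handling of the BUILTIN pseudo-domain (S-1-5-32) and the 512/513 RIDs comes from general Windows knowledge rather than from the reply.

```python
import re
from typing import NamedTuple, Optional

# Well-known RIDs inside an AD domain. 500 (Administrator) is the one the reply
# mentions; 512 and 513 are the standard RIDs of Domain Admins and Domain Users.
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users"}
FIRST_ALLOCATED_RID = 1000  # ordinary users and groups are numbered from here

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

class ParsedSid(NamedTuple):
    domain_sid: Optional[str]  # S-1-5-21-x-y-z, or None for BUILTIN/well-known SIDs
    rid: Optional[int]         # trailing RID, or None for a bare domain SID
    label: str                 # human-readable classification

def describe_rid(rid: int) -> str:
    """Name a well-known RID, or say whether it is an ordinarily allocated one."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "user-created object" if rid >= FIRST_ALLOCATED_RID else "reserved RID"

def parse_sid(sid: str) -> ParsedSid:
    """Split a SID string into domain SID + RID, as the reply describes."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    if revision != 1 or authority != 5:  # only NT-authority SIDs are handled here
        raise ValueError(f"unsupported SID revision/authority: {sid!r}")
    # S-1-5-21-<three values> names a domain; a fifth sub-authority is the RID.
    if subs[0] == 21 and len(subs) in (4, 5):
        domain = "S-1-5-" + "-".join(str(x) for x in subs[:4])
        if len(subs) == 4:
            return ParsedSid(domain, None, "domain SID (no RID)")
        return ParsedSid(domain, subs[4], describe_rid(subs[4]))
    if subs[0] == 32:  # S-1-5-32-... is the BUILTIN pseudo-domain
        return ParsedSid(None, subs[1] if len(subs) > 1 else None, "BUILTIN SID")
    return ParsedSid(None, None, "well-known SID")

if __name__ == "__main__":
    for s in ("S-1-5-21-1768301897-3342589593-1064908849",
              "S-1-5-21-1768301897-3342589593-1064908849-1000",
              "S-1-5-21-1768301897-3342589593-1064908849-500",
              "S-1-5-32-544"):
        print(s, "->", parse_sid(s))
```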
