[Samba] Cannot browse mode 0700 directories from Windows with security=ads
rpenny at samba.org
Fri Apr 15 15:06:53 UTC 2016
On 15/04/16 15:20, Ian Collier wrote:
> We've had a samba server running for ages on CentOS 6 with samba 3.6.23.
> (We're hoping to move to CentOS 7 and samba 4.2.10 soon but in the meantime
> we'd like to keep this one working.)
> The situation is that we have a Unix domain (LDAP/Kerberos) and a Windows
> domain (AD) with identical usernames, and we are running Samba primarily
> to give Windows users access to some directories on Unix. We have
> joined the Samba server to the Windows domain, and have "security=ads"
> in the config. However, we also have some users who connect from Mac
> and Unix clients. The usernames on the Samba server itself come from
> the Unix domain, so it's only using the Windows AD to validate people's
> passwords when they connect to Samba.
> We have been running happily without running winbindd on the Samba server
> and it's all been working perfectly.
> However, since the Badlock patches, the Samba server can no longer
> authenticate clients from Mac or Unix workstations. I understand
> that this is a known issue, and the official answer is "run winbindd".
> Well OK, but unfortunately Winbind seems to have messed up all our
> access permissions.
> With Winbind running, all users can successfully connect, and all Unix
> users can access the correct shares, but Windows is telling some people
> "You do not have permission to access X" on some shares.
> The first thing we noticed is that users don't have access to directories
> that are shared using group permissions. So if the directory is mode 0770,
> not owned by me, but owned by a group that I am a member of, I don't have
> access from Windows.
> If we put "force group = X" in the config for that share, where X is the
> group owner of the directory (that I am already a member of), I am allowed
> access again. But I don't like to do this because it might grant access
> to some people who are not members of the group.
> I found from searching on this issue that the problem is likely related
> to the fact that the Windows AD groups are being used rather than the
> Unix groups, and that we should put "username map script = /bin/echo"
> in the config.
> With that in place, I can now browse any share with group permissions -
> great! Unfortunately, this stops me from being able to access any
> folder that has mode 0700 from Windows even if I own it.
> ... What have I missed, and what do I need to look at? BTW I have no
> idea what a SID or a RID is, but this does seem to be important somehow.
> Ian Collier
OK, the SID is what identifies the domain; it mostly looks like this:
I say 'mostly' because there are some specialised SIDs used by the
BUILTIN users & groups etc.
The RID is a unique number that identifies the user, group, etc. object
and usually starts from 1000 (again, there are exceptions: Administrator
is always '500').
So, to identify a user, you would have the SID, with the RID on the end i.e.
You really shouldn't have to worry about any of this, because whatever
tool you use to create a user or group etc, the SID-RID should be
Having got that out of the way, can you post your smb.conf?
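As an added illustration of the SID/RID layout Rowland describes (this is example code, not part of the list thread or of Samba itself), the small parser below splits a textual SID into its domain part and trailing RID, distinguishes domain SIDs (S-1-5-21-...) from the specialised BUILTIN ones (S-1-5-32-...), and labels the well-known RIDs that are the exceptions to the "starts at 1000" rule. The sample SIDs in the script are constructed values, not real domain SIDs.

```python
import re

# Textual SID form: "S-1-<identifier authority>-<sub authority>[-<sub authority>...]"
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

# Well-known RIDs inside an AD domain: the exceptions to "RIDs start at 1000".
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
}


def parse_sid(sid):
    """Split a textual SID into (identifier_authority, [sub_authorities])."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID: %r" % sid)
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-") if x]
    return authority, subs


def classify_sid(sid):
    """'domain' for S-1-5-21-a-b-c[-RID], 'builtin' for S-1-5-32-RID, else 'well-known'."""
    authority, subs = parse_sid(sid)
    if authority != 5:
        return "well-known"          # e.g. S-1-1-0 (Everyone) lives under authority 1
    if subs[0] == 21 and len(subs) in (4, 5):
        return "domain"              # domain SID alone, or domain SID plus RID
    if subs[0] == 32:
        return "builtin"             # BUILTIN users & groups, e.g. S-1-5-32-544
    return "well-known"


def split_domain_sid(sid):
    """For a domain object SID, return (domain_sid, rid): the RID is the last component."""
    authority, subs = parse_sid(sid)
    if classify_sid(sid) != "domain" or len(subs) != 5:
        raise ValueError("not a domain object SID: %r" % sid)
    domain_sid = "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs[:4]))
    return domain_sid, subs[4]


def describe_rid(rid):
    """Name the well-known RIDs; everything from 1000 up is an ordinary object."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid >= 1000:
        return "ordinary user/group/computer object"
    return "reserved/well-known RID"


if __name__ == "__main__":
    # Constructed sample SIDs; the 1111-2222-3333 domain part is made up.
    for sid in ("S-1-5-21-1111-2222-3333-1000",
                "S-1-5-21-1111-2222-3333-500",
                "S-1-5-32-544",
                "S-1-1-0"):
        kind = classify_sid(sid)
        if kind == "domain" and len(parse_sid(sid)[1]) == 5:
            domain, rid = split_domain_sid(sid)
            print("%s: domain %s, RID %d (%s)" % (sid, domain, rid, describe_rid(rid)))
        else:
            print("%s: %s SID" % (sid, kind))
```

Running the script prints one line per sample SID; the point of the split is that every user and group in the same domain shares the leading S-1-5-21-... part and differs only in the final RID, which is exactly what winbind maps to Unix uids and gids.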