[Samba] Samba 4 permissions error

Rowland penny rpenny at samba.org
Wed Apr 27 19:17:15 UTC 2016


On 27/04/16 19:55, Jason Voorhees wrote:
>> OK, you have two DCs, on one, your user can access a share, you basically
>> copy the shares to another DC (with all the same permissions etc) and your
>> user cannot access the share on the second DC.
>>
>> How is AD set up ? are you using uidNumber & gidNumber attributes (you will
>> have added them manually) or are you using the xidNumbers created
>> automatically by Samba4.
> I'm not quite sure about the difference, but I believe it's the 2nd
> alternative. I guess you could check it from my configuration shown in
> the lines below.
>
>> If you have modified the smb.conf on the second DC, can you post this.
>> Can you post the smb.conf from your zential machine.
>
> This is the content of my Zentyal's Samba configuration:
>
> [global]
>      workgroup = agn
>      realm = REALM.COM.PE
>      netbios name = fileserver
>      server string = Linux Active Directory
>      server role = dc
>      server role check:inhibit = yes
>      server services = -dns -winbindd +winbind
>      server signing = auto
>      dsdb:schema update allowed = yes
>      drs:max object sync = 1200
>      idmap_ldb:use rfc2307 = yes
>      interfaces = lo,eth0,eth0:0,eth0:0
>      bind interfaces only = yes
>      log level = 3
>      log file = /var/log/samba/samba.log
>      max log size = 100000
>      include = /etc/samba/shares.conf
> [netlogon]
>      path = /var/lib/samba/sysvol/agn.com.pe/scripts
>      browseable = no
>      read only = yes
> [sysvol]
>      path = /var/lib/samba/sysvol
>      read only = no
>
> Here the contents of  /etc/samba/shares.conf:
>
> [homes]
>      comment = User directories
>      path = /home/%S
>      read only = no
>      browseable = no
>      create mask = 0611
>      directory mask = 0711
>      vfs objects = acl_xattr full_audit recycle
>      full_audit:success = connect opendir disconnect unlink mkdir rmdir open rename
>      full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
>      recycle: directory_mode = 0700
>      recycle: inherit_nt_acl = Yes
>      recycle: excludedir = /tmp|/var/tmp
>      recycle: versions = Yes
>      recycle: keeptree = Yes
>      recycle: repository = RecycleBin
>
> [agnofi]
>      comment = first share
>      path = /home/samba/shares/agnofi
>      browseable = Yes
>      read only = No
>      force create mode = 0660
>      force directory mode = 0660
>      vfs objects = acl_xattr full_audit recycle
>      acl_xattr:ignore system acls = yes
>      full_audit:success = connect opendir disconnect unlink mkdir rmdir open rename
>      full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
>      recycle: directory_mode = 0700
>      recycle: inherit_nt_acl = Yes
>      recycle: excludedir = /tmp|/var/tmp
>      recycle: versions = Yes
>      recycle: keeptree = Yes
>      recycle: repository = RecycleBin
>
> There a lot of other additional shares but all of them have the same
> configuration except for the path.
>
> This is the configuration for my 2nd Samba DC:
>
> [global]
>      workgroup = AGN
>      realm = realm.com.pe
>      netbios name = FILESERVERSJL
>      server role = active directory domain controller
>      log file = /var/log/samba.log
>      log level = 3
>      include = /etc/samba/shares.conf
>      server services = -dns -winbindd +winbind
>      server signing = auto
>      dsdb:schema update allowed = yes
>      drs:max object sync = 1200
>      idmap_ldb:use rfc2307 = yes
> [netlogon]
>      path = /usr/local/samba-4.3.5/var/locks/sysvol/agn.com.pe/scripts
>      read only = No
> [sysvol]
>      path = /usr/local/samba-4.3.5/var/locks/sysvol
>      read only = No
>
> The contents of the /etc/samba/shares.conf is exactly the same as in
> Zentyal's server because I copy this file using rsync.
>
> Hope this helps. Thanks a lot for your help.

No, I cannot tell what type of UIDs you are using from your smb.conf 
files, but I can make an educated guess: you are probably using 
'xidNumber' attributes stored in 'idmap.ldb'.

Now there is an interesting fact about xidNumber attributes: there is a 
very good chance a user will get a different number on each DC, and this 
could well be your problem.
It is further compounded (in my opinion) by the fact that Zentyal 
appears to have turned off the better 'winbindd' in favour of the 
'winbind' built into the 'samba' daemon.

If you want to be 100% certain that your users have the same UID on 
every Unix machine, you need to use 'uidNumber' attributes. You also 
need to use 'gidNumber' attributes for the groups.

Have a look here, please read the entire page: 
https://wiki.samba.org/index.php/Idmap_config_ad

You will undoubtedly have further questions, but let's deal with them 
once you have read the wiki page.

Rowland
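The check Rowland describes (whether the two DCs have allocated different xidNumbers for the same SID, and then pinning the IDs with uidNumber/gidNumber) as an added example; this is not code from the thread or from Samba. The two idmap.ldb dumps are constructed sample data in the format `ldbsearch -H <private dir>/idmap.ldb '(objectSid=*)' objectSid xidNumber` prints; the SIDs, the UID/GID value 10001 and the user DN `CN=jason,CN=Users,DC=agn,DC=com,DC=pe` are hypothetical, and the private directory path differs per install (Zentyal and a source build under /usr/local/samba-4.3.5 do not share one).

```shell
#!/bin/sh
# Added example, not part of the thread. Compares the xidNumber each DC has
# allocated for the same SID and emits an LDIF that fixes the UID in AD.
#
# On a real DC the dumps come from (private dir is an assumption, adjust it):
#   ldbsearch -H /usr/local/samba-4.3.5/private/idmap.ldb '(objectSid=*)' objectSid xidNumber
# The same mismatch can be seen per user with:
#   wbinfo --name-to-sid jason ; wbinfo --sid-to-uid <SID>   (run on each DC)

# Constructed sample dump from DC 1 (hypothetical SIDs and numbers).
DC1_DUMP='dn: CN=S-1-5-21-1111-2222-3333-1103
objectSid: S-1-5-21-1111-2222-3333-1103
xidNumber: 3000015

dn: CN=S-1-5-21-1111-2222-3333-1104
objectSid: S-1-5-21-1111-2222-3333-1104
xidNumber: 3000016
'

# Constructed sample dump from DC 2: the first SID got a different number.
DC2_DUMP='dn: CN=S-1-5-21-1111-2222-3333-1103
objectSid: S-1-5-21-1111-2222-3333-1103
xidNumber: 3000021

dn: CN=S-1-5-21-1111-2222-3333-1104
objectSid: S-1-5-21-1111-2222-3333-1104
xidNumber: 3000016
'

# to_pairs: reduce an ldbsearch dump on stdin to sorted "SID xidNumber" lines.
to_pairs() {
    awk '/^objectSid: /{sid=$2} /^xidNumber: /{print sid, $2}' | sort
}

# idmap_mismatches DUMP1 DUMP2: print one line per SID that both DCs know
# but map to different xidNumbers. Exit status 1 if any mismatch was found.
# SIDs present on only one DC are not reported (that DC simply never
# resolved them yet); they are not a mismatch.
idmap_mismatches() {
    {
        printf '%s\n' "$1" | to_pairs | sed 's/^/A /'
        printf '%s\n' "$2" | to_pairs | sed 's/^/B /'
    } | awk '
        $1 == "A" { a[$2] = $3; next }
        $1 == "B" && ($2 in a) && a[$2] != $3 {
            printf "%s dc1=%s dc2=%s\n", $2, a[$2], $3; n++
        }
        END { exit (n > 0) }'
}

# rfc2307_ldif DN UID GID: LDIF that sets (or overwrites) uidNumber and
# gidNumber on an AD user object. Apply it on one DC with
#   rfc2307_ldif "$dn" 10001 10001 | ldbmodify -H <private dir>/sam.ldb
# and DRS replicates the attributes to the other DC, so both DCs then map
# the user to the same UID once 'idmap_ldb:use rfc2307 = yes' is set.
rfc2307_ldif() {
    printf 'dn: %s\nchangetype: modify\n' "$1"
    printf 'replace: uidNumber\nuidNumber: %s\n-\n' "$2"
    printf 'replace: gidNumber\ngidNumber: %s\n-\n' "$3"
}

# Stand-alone demonstration on the constructed dumps.
idmap_mismatches "$DC1_DUMP" "$DC2_DUMP" || echo "idmap differs between the DCs"
rfc2307_ldif "CN=jason,CN=Users,DC=agn,DC=com,DC=pe" 10001 10001
```

Both smb.conf files in the thread already carry `idmap_ldb:use rfc2307 = yes`, so once uidNumber/gidNumber are present in AD they take precedence over the per-DC xidNumber allocations. Files already created under the old auto-allocated UID on either DC still belong to that number, so a `chown` pass over the shares is needed after the switch, and the chosen UID/GID range must not collide with local accounts on any DC.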
