[Samba] Samba 4 permissions error

Mueller mueller at tropenklinik.de
Thu Apr 28 06:31:24 UTC 2016


This is normal behaviour if you are using several DCs. Users and groups have a different gid/uid on each server
until you fix it manually. This was a hard experience and a lot of work even for me, so I suggest that this should be
the next goal for the Samba 4 developers: to solve and fix it in an easy way for the admins.
In my opinion, if I run several DCs in a domain this should be done between the DCs automatically, without intervention.

Greetings
Daniel

EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen 
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de 




-----Original Message-----
From: Rowland penny [mailto:rpenny at samba.org] 
Sent: Wednesday, 27 April 2016 21:17
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4 permissions error

On 27/04/16 19:55, Jason Voorhees wrote:
>> OK, you have two DCs, on one, your user can access a share, you 
>> basically copy the shares to another DC (with all the same 
>> permissions etc) and your user cannot access the share on the second DC.
>>
>> How is AD set up? Are you using uidNumber & gidNumber attributes 
>> (you will have added them manually) or are you using the xidNumbers 
>> created automatically by Samba4?
> I'm not really sure about the difference, but I believe it's the 2nd 
> alternative. I guess you could check it from my configuration shown 
> in the lines below.
>
>> If you have modified the smb.conf on the second DC, can you post this?
>> Can you post the smb.conf from your Zentyal machine?
>
> This is the content of my Zentyal's Samba configuration:
>
> [global]
>      workgroup = agn
>      realm = REALM.COM.PE
>      netbios name = fileserver
>      server string = Linux Active Directory
>      server role = dc
>      server role check:inhibit = yes
>      server services = -dns -winbindd +winbind
>      server signing = auto
>      dsdb:schema update allowed = yes
>      drs:max object sync = 1200
>      idmap_ldb:use rfc2307 = yes
>      interfaces = lo,eth0,eth0:0,eth0:0
>      bind interfaces only = yes
>      log level = 3
>      log file = /var/log/samba/samba.log
>      max log size = 100000
>      include = /etc/samba/shares.conf
> [netlogon]
>      path = /var/lib/samba/sysvol/agn.com.pe/scripts
>      browseable = no
>      read only = yes
> [sysvol]
>      path = /var/lib/samba/sysvol
>      read only = no
>
> Here the contents of  /etc/samba/shares.conf:
>
> [homes]
>      comment = Directorios de usuario
>      path = /home/%S
>      read only = no
>      browseable = no
>      create mask = 0611
>      directory mask = 0711
>      vfs objects = acl_xattr full_audit recycle
>      full_audit:success = connect opendir disconnect unlink mkdir 
> rmdir open rename
>      full_audit:failure = connect opendir disconnect unlink mkdir 
> rmdir open rename
>      recycle: directory_mode = 0700
>      recycle: inherit_nt_acl = Yes
>      recycle: excludedir = /tmp|/var/tmp
>      recycle: versions = Yes
>      recycle: keeptree = Yes
>      recycle: repository = RecycleBin
>
> [agnofi]
>      comment = primer compartido
>      path = /home/samba/shares/agnofi
>      browseable = Yes
>      read only = No
>      force create mode = 0660
>      force directory mode = 0660
>      vfs objects = acl_xattr full_audit recycle
>      acl_xattr:ignore system acls = yes
>      full_audit:success = connect opendir disconnect unlink mkdir 
> rmdir open rename
>      full_audit:failure = connect opendir disconnect unlink mkdir 
> rmdir open rename
>      recycle: directory_mode = 0700
>      recycle: inherit_nt_acl = Yes
>      recycle: excludedir = /tmp|/var/tmp
>      recycle: versions = Yes
>      recycle: keeptree = Yes
>      recycle: repository = RecycleBin
>
> There are a lot of other additional shares but all of them have the same 
> configuration except for the path.
>
> This is the configuration for my 2nd Samba DC:
>
> [global]
>      workgroup = AGN
>      realm = realm.com.pe
>      netbios name = FILESERVERSJL
>      server role = active directory domain controller
>      log file = /var/log/samba.log
>      log level = 3
>      include = /etc/samba/shares.conf
>      server services = -dns -winbindd +winbind
>      server signing = auto
>      dsdb:schema update allowed = yes
>      drs:max object sync = 1200
>      idmap_ldb:use rfc2307 = yes
> [netlogon]
>      path = /usr/local/samba-4.3.5/var/locks/sysvol/agn.com.pe/scripts
>      read only = No
> [sysvol]
>      path = /usr/local/samba-4.3.5/var/locks/sysvol
>      read only = No
>
> The contents of /etc/samba/shares.conf are exactly the same as on 
> Zentyal's server because I copy this file using rsync.
>
> Hope this helps. Thanks a lot for your help.

No, I cannot tell what type of UIDs you are using from your smb.conf files, but I can make an educated guess: you are probably using 'xidNumber' attributes stored in 'idmap.ldb'.

Now there is an interesting fact about xidNumber attributes: there is a very good chance a user will get a different number on each DC, and this could well be your problem.
It is further compounded (in my opinion) by the fact that Zentyal appears to have turned off the better 'winbindd' in favour of the 'winbind' built into the 'samba' daemon.

If you want to be 100% certain that your users have the same UID on every Unix machine, you need to use 'uidNumber' attributes. You also need to use 'gidNumber' attributes for the groups.

Have a look here, please read the entire page: 
https://wiki.samba.org/index.php/Idmap_config_ad

You will undoubtedly have further questions, but let's deal with them once you have read the wiki page.

Rowland
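The inconsistency Rowland describes (each DC allocating its own xidNumber for the same SID in its local idmap.ldb) is easy to audit before changing anything. The script below is an added example, not code from this thread or from the Samba project. It assumes each DC's idmap.ldb has been dumped to LDIF with something like `ldbsearch -H <private dir>/idmap.ldb` (the private-dir path is an assumption and varies by build) and that each record carries objectSid, xidNumber and type attributes in that output's shape; the two dumps embedded here are constructed sample data, not real dumps.

```python
"""Compare idmap.ldb dumps from several Samba DCs and report SIDs whose
xidNumber (or ID type) differs between DCs.

Added example, not from the mailing-list thread or the Samba project.
Assumes ldbsearch-style LDIF input; the dumps below are constructed."""
from typing import Dict, List, Tuple

IdMap = Dict[str, Tuple[int, str]]   # objectSid -> (xidNumber, type)

# Constructed sample: DC1 and DC2 allocated xidNumbers independently, so the
# same user SIDs got different numbers; Domain Users (RID 513) happens to agree.
DC1_DUMP = """\
dn: CN=S-1-5-21-1111-2222-3333-513
objectSid: S-1-5-21-1111-2222-3333-513
type: ID_TYPE_BOTH
xidNumber: 3000020

dn: CN=S-1-5-21-1111-2222-3333-1104
objectSid: S-1-5-21-1111-2222-3333-1104
type: ID_TYPE_BOTH
xidNumber: 3000021

dn: CN=S-1-5-21-1111-2222-3333-1105
objectSid: S-1-5-21-1111-2222-3333-1105
type: ID_TYPE_UID
xidNumber: 3000022

# returned 3 records
"""

DC2_DUMP = """\
dn: CN=S-1-5-21-1111-2222-3333-513
objectSid: S-1-5-21-1111-2222-3333-513
type: ID_TYPE_BOTH
xidNumber: 3000020

dn: CN=S-1-5-21-1111-2222-3333-1104
objectSid: S-1-5-21-1111-2222-3333-1104
type: ID_TYPE_BOTH
xidNumber: 3000022

dn: CN=S-1-5-21-1111-2222-3333-1105
objectSid: S-1-5-21-1111-2222-3333-1105
type: ID_TYPE_UID
xidNumber: 3000021

dn: CN=S-1-5-21-1111-2222-3333-1106
objectSid: S-1-5-21-1111-2222-3333-1106
type: ID_TYPE_UID
xidNumber: 3000023

# returned 4 records
"""


def parse_idmap_ldif(text: str) -> IdMap:
    """Parse an ldbsearch-style LDIF dump into {objectSid: (xidNumber, type)}."""
    mapping: IdMap = {}
    attrs: Dict[str, str] = {}
    last_key = None

    def flush() -> None:   # one LDIF record is complete; keep it if it is a SID mapping
        if "objectSid" in attrs and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = (int(attrs["xidNumber"]), attrs.get("type", "?"))
        attrs.clear()

    for line in text.splitlines():
        if not line.strip():                       # blank line terminates a record
            flush()
            last_key = None
        elif line.startswith("#"):                 # ldbsearch comments, e.g. record counts
            continue
        elif line.startswith(" ") and last_key:    # LDIF continuation line
            attrs[last_key] += line[1:]
        else:
            key, _, value = line.partition(":")
            last_key = key.strip()
            attrs[last_key] = value.strip()
    flush()                                        # last record may lack a trailing blank line
    return mapping


def compare_idmaps(dumps: Dict[str, IdMap]):
    """Return (mismatched, missing): SIDs the DCs disagree on, and SIDs absent on some DC."""
    every_sid = set()
    for m in dumps.values():
        every_sid.update(m)
    mismatched, missing = {}, {}
    for sid in sorted(every_sid):
        per_dc = {dc: m[sid] for dc, m in dumps.items() if sid in m}
        absent = sorted(dc for dc in dumps if sid not in dumps[dc])
        if absent:
            missing[sid] = absent
        if len(set(per_dc.values())) > 1:          # differing xidNumber or type
            mismatched[sid] = per_dc
    return mismatched, missing


def report(dumps: Dict[str, IdMap]) -> List[str]:
    """Human-readable findings, one line per problem SID."""
    mismatched, missing = compare_idmaps(dumps)
    lines = [f"MISMATCH {sid}: " + ", ".join(f"{dc}={xid} ({t})" for dc, (xid, t) in sorted(p.items()))
             for sid, p in mismatched.items()]
    lines += [f"MISSING  {sid}: no mapping on {', '.join(dcs)}" for sid, dcs in missing.items()]
    return lines or ["OK: all DCs agree on every xidNumber"]


if __name__ == "__main__":
    for line in report({"dc1": parse_idmap_ldif(DC1_DUMP), "dc2": parse_idmap_ldif(DC2_DUMP)}):
        print(line)
```

A mismatch line for a user SID means that files written on one DC will show up owned by a different account on the other, which is exactly the "permission denied" symptom in the thread. The script only finds the drift; as Rowland says, the durable fix is to give users and groups explicit uidNumber/gidNumber attributes in AD (see the wiki page he links) so every DC and member server derives the same ID from the directory rather than from its own idmap.ldb.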

