[Samba] Fwd: Can somebody explain the file ownership of a

Kosala Atapattu kosala.atapattu at gmail.com
Mon Jan 30 21:22:35 UTC 2017


Hi All,

We're implementing a fully integrated Samba setup with Active Directory
on IBM AIX. At the AIX level we have established single sign-on against
Windows AD 2012R2. Currently the following user accounts and groups exist
on the AD domain.

# cat /etc/samba/smb.conf
[global]
        security = ADS
        workgroup = PAPERCLIP
        realm = PAPERCLIP.SC.NZ
        netbios name = UNIX732
        log file = /var/log/samba/%m.log
        log level = 5
        kerberos method = secrets and keytab

[Bio]
        comment = Bio
        path = /test/bio/
        valid users = @PAPERCLIP\bio2
        writable = yes
        read only = no
        force create mode = 0660
        create mask = 0777
        directory mask = 0777
        force directory mode = 0770

For the share "Bio" (\\UNIX732\Bio) we have a behavior we can't explain. With
the following ownership, for /test/bio (755),

# ls -ld /test /test/bio

drwxr-x---    4 root     rocketry        256 Jan 27 15:18 /test
drwxr-xr-x    2 root     bio2            256 Jan 27 15:12 /test/bio

All works out fine!!!

 /usr/local/samba/bin/smbclient //UNIX732/Bio -U PAPERCLIP\\wernher -c ls

Enter PAPERCLIP\wernher's password:
Domain=[PAPERCLIP] OS=[Windows 6.1] Server=[Samba 4.5.1]
  .                                   D        0  Fri Jan 27 15:12:32 2017
  ..                                  D        0  Fri Jan 27 15:18:51 2017

                360448 blocks of size 1024. 183756 blocks available

However if we change the ownership to 750, for /test/bio, we get the
following result.

# ls -ld /test /test/bio
drwxr-x---    4 root     rocketry        256 Jan 27 15:18 /test
drwxr-x---    2 root     bio2            256 Jan 27 15:12 /test/bio

# /usr/local/samba/bin/smbclient //UNIX732/Bio -U PAPERCLIP\\wernher -c ls
Enter PAPERCLIP\wernher's password:
Domain=[PAPERCLIP] OS=[Windows 6.1] Server=[Samba 4.5.1]
NT_STATUS_ACCESS_DENIED listing \*

# lsuser -R LDAP wernher

wernher id=10013 pgrp=rocketry groups=rocketry,bio2 home=/home/wernher
shell=/bin/sh login=true su=true rlogin=true daemon=true admin=false
sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM
auth2=NONE umask=22 registry=LDAP SYSTEM=KRB5LDAP OR compat logintimes=
loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0
maxexpired=-1 minalpha=0 minloweralpha=0 minupperalpha=0 minother=0
mindigit=0 minspecialchar=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0
histsize=0 pwdchecks= dictionlist= default_roles= fsize=2097151 cpu=-1
data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000
time_last_login=1483494078 time_last_unsuccessful_login=1483494090
tty_last_login=/dev/pts/2 tty_last_unsuccessful_login=ssh
host_last_login=10.0.101.208 host_last_unsuccessful_login=10.0.101.208
unsuccessful_login_count=2 roles=

# smbd -b
Build environment:
   Built by:    jono at aix-test
   Built on:    Fri  6 Jan 11:54:17 NZDT 2017
   Built using: /opt/IBM/xlC/13.1.3/bin/xlc_r
   Build host:  AIX aix-test 1 7 00F893C24C00
   SRCDIR:      /home/jono/rpmbuild/BUILD/samba-4.5.1/source3
   BUILDDIR:    /home/jono/rpmbuild/BUILD/samba-4.5.1/source3


As you can see, the user "wernher" is part of the @PAPERCLIP/bio2 group
(MemberOf), and does not need to rely on the listing permission of world.

$ cat test
This is a test file!!!

$ id
uid=10013(wernher) gid=10004(rocketry) groups=10008(bio2)

$ pwd
/test/bio

$ ls -la
total 8
drwxr-xr-x    2 root     bio2            256 Jan 31 10:06 .
drwxr-x---    4 root     rocketry        256 Jan 27 15:18 ..
-rw-r--r--    1 root     system           23 Jan 31 10:06 test


Any pointers as to why this behaviour occurs would be highly appreciated.


*Kosala*
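
The mode-bit check the post reasons about, as an added example that is not part of the original message: it evaluates the two `ls -ld` states for uid 10013 under two group lists. The numeric ids and modes are taken from the output above; the function names and the primary-group-only case are assumptions made for illustration.

```python
# Added example: POSIX mode-bit evaluation only. AIX ACLs and the
# uid 0 override are deliberately not modelled.
ROOT, WERNHER = 0, 10013          # uids from the `id` output in the post
ROCKETRY, BIO2 = 10004, 10008     # gids from the `id` output in the post


def perm_class(uid, gids, owner, group, mode):
    """Return the single rwx triplet (0-7) that applies to this caller.

    The classes are exclusive: owner first, then group, then other.
    """
    if uid == owner:
        return (mode >> 6) & 7
    if group in gids:
        return (mode >> 3) & 7
    return mode & 7


def can_list(uid, gids, chain):
    """chain is [(path, owner, group, mode), ...] ending at the directory
    to list. Needs x on every component, plus r on the last one.
    Returns (allowed, first_path_that_blocks)."""
    for i, (path, owner, group, mode) in enumerate(chain):
        need = 0o5 if i == len(chain) - 1 else 0o1
        if (perm_class(uid, gids, owner, group, mode) & need) != need:
            return False, path
    return True, None


def chain(bio_mode):
    # Owners, groups and the /test mode are copied from the `ls -ld` output.
    return [("/test", ROOT, ROCKETRY, 0o750),
            ("/test/bio", ROOT, BIO2, bio_mode)]


if __name__ == "__main__":
    # Constructed group sets: the full list lsuser reports, and a
    # hypothetical process that holds only the primary group.
    for label, gids in (("rocketry+bio2", {ROCKETRY, BIO2}),
                        ("rocketry only", {ROCKETRY})):
        for mode in (0o755, 0o750):
            print(label, oct(mode), can_list(WERNHER, gids, chain(mode)))
```

With both groups in the list, mode bits allow the listing at 750 as well as 755. The 755-allowed, 750-denied split appears only for the group list without bio2, so the group list held by the process performing the access is the value to compare against `lsuser` and `id`.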

