[Samba] Fwd: Can somebody explain the file ownership of a
Kosala Atapattu
kosala.atapattu at gmail.com
Mon Jan 30 21:22:35 UTC 2017
Hi All,
We're implementing a fully integrated Samba setup with the Active directory
on IBM AIX. From AIX level we have established the single sign on against
Windows AD 2012R2. Currently the following user accounts and groups exists
on the AD domain.
# cat /etc/samba/smb.conf
[global]
security = ADS
workgroup = PAPERCLIP
realm = PAPERCLIP.SC.NZ
netbios name = UNIX732
log file = /var/log/samba/%m.log
log level = 5
kerberos method = secrets and keytab
[Bio]
comment = Bio
path = /test/bio/
valid users = @PAPERCLIP\bio2
writable = yes
read only = no
force create mode = 0660
create mask = 0777
directory mask = 0777
force directory mode = 0770
For the share "Bio" (\\UNIX732\Bio) we have a behavior we can't explain. In
the following ownership, for /test/bio (755),
# ls -ld /test /test/bio
drwxr-x--- 4 root rocketry 256 Jan 27 15:18 /test
drwxr-xr-x 2 root bio2 256 Jan 27 15:12 /test/bio
All works out fine!!!
/usr/local/samba/bin/smbclient //UNIX732/Bio -U PAPERCLIP\\wernher -c ls
Enter PAPERCLIP\wernher's password:
Domain=[PAPERCLIP] OS=[Windows 6.1] Server=[Samba 4.5.1]
. D 0 Fri Jan 27 15:12:32 2017
.. D 0 Fri Jan 27 15:18:51 2017
360448 blocks of size 1024. 183756 blocks available
However if we change the ownership to 750, for /test/bio, we get the
following result.
# ls -ld /test /test/bio
drwxr-x--- 4 root rocketry 256 Jan 27 15:18 /test
drwxr-x--- 2 root bio2 256 Jan 27 15:12 /test/bio
# /usr/local/samba/bin/smbclient //UNIX732/Bio -U PAPERCLIP\\wernher -c ls
Enter PAPERCLIP\wernher's password:
Domain=[PAPERCLIP] OS=[Windows 6.1] Server=[Samba 4.5.1]
NT_STATUS_ACCESS_DENIED listing \*
# lsuser -R LDAP wernher
wernher id=10013 pgrp=rocketry groups=rocketry,bio2 home=/home/wernher
shell=/bin/sh login=true su=true rlogin=true daemon=true admin=false
sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM
auth2=NONE umask=22 registry=LDAP SYSTEM=KRB5LDAP OR compat logintimes=
loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0
maxexpired=-1 minalpha=0 minloweralpha=0 minupperalpha=0 minother=0
mindigit=0 minspecialchar=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0
histsize=0 pwdchecks= dictionlist= default_roles= fsize=2097151 cpu=-1
data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000
time_last_login=1483494078 time_last_unsuccessful_login=1483494090
tty_last_login=/dev/pts/2 tty_last_unsuccessful_login=ssh
host_last_login=10.0.101.208 host_last_unsuccessful_login=10.0.101.208
unsuccessful_login_count=2 roles=
# smbd -b
Build environment:
Built by: jono at aix-test
Built on: Fri 6 Jan 11:54:17 NZDT 2017
Built using: /opt/IBM/xlC/13.1.3/bin/xlc_r
Build host: AIX aix-test 1 7 00F893C24C00
SRCDIR: /home/jono/rpmbuild/BUILD/samba-4.5.1/source3
BUILDDIR: /home/jono/rpmbuild/BUILD/samba-4.5.1/source3
As you can see, the user "wernher" is part of the @PAPERCLIP/bio2 group
(MemberOf), and does not need to rely on the listing permission of world.
$ cat test
This is a test file!!!
$ id
uid=10013(wernher) gid=10004(rocketry) groups=10008(bio2)
$ pwd
/test/bio
$ ls -la
total 8
drwxr-xr-x 2 root bio2 256 Jan 31 10:06 .
drwxr-x--- 4 root rocketry 256 Jan 27 15:18 ..
-rw-r--r-- 1 root system 23 Jan 31 10:06 test
Any pointers as to why this behaviour occurs would be highly appreciated.
*Kosala*
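Added example (not code from the post or from Samba): a Python script that replays the POSIX mode check a share listing has to pass, over `ls -ld` and `id` output of the shape shown in the message. It assumes plain POSIX owner/group/other semantics (no AIX ACLs, no Samba VFS ACL modules) and that the `ls -ld` lines list the directory chain in parent-to-child order; the sample input is constructed from the listings above. Comparing a working and a denied listing for the same identity isolates which group membership the denied case depends on, which is the membership the process that served the request evidently did not hold; the listings alone do not say why it was missing.

```python
"""Replay the POSIX permission check behind a directory listing and say
which class (owner / group / other) grants each step. Added example;
sample input is constructed from the listings in the post."""
import re
from dataclasses import dataclass

# Constructed sample input, mirroring the post (same uid/gid/modes).
ID_OUTPUT = "uid=10013(wernher) gid=10004(rocketry) groups=10008(bio2)"
LS_OUTPUT_755 = """\
drwxr-x--- 4 root rocketry 256 Jan 27 15:18 /test
drwxr-xr-x 2 root bio2 256 Jan 27 15:12 /test/bio
"""
LS_OUTPUT_750 = """\
drwxr-x--- 4 root rocketry 256 Jan 27 15:18 /test
drwxr-x--- 2 root bio2 256 Jan 27 15:12 /test/bio
"""


@dataclass(frozen=True)
class DirEntry:
    mode: str    # e.g. "drwxr-x---"
    owner: str
    group: str
    path: str


@dataclass(frozen=True)
class Identity:
    user: str
    primary_group: str
    groups: frozenset   # primary plus supplementary groups, by name


def parse_ls(text):
    """Parse `ls -ld` lines: mode links owner group size month day time path."""
    entries = []
    for line in text.strip().splitlines():
        f = line.split(None, 8)
        if len(f) != 9 or len(f[0]) < 10:
            raise ValueError(f"unrecognised ls line: {line!r}")
        entries.append(DirEntry(f[0], f[2], f[3], f[8]))
    return entries


_ID_RE = re.compile(r"uid=\d+\((?P<user>[^)]+)\) gid=\d+\((?P<gid>[^)]+)\)"
                    r"(?: groups=(?P<groups>.+))?$")


def parse_id(text):
    """Parse `id` output; the primary group counts as a membership too."""
    m = _ID_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised id output: {text!r}")
    names = {m.group("gid")}
    if m.group("groups"):
        names.update(re.findall(r"\d+\(([^)]+)\)", m.group("groups")))
    return Identity(m.group("user"), m.group("gid"), frozenset(names))


def perm_class(entry, ident):
    """POSIX picks exactly one class: owner, else group, else other."""
    if ident.user == entry.owner:
        return "owner"
    if entry.group in ident.groups:
        return "group"
    return "other"


def class_bits(mode, cls):
    start = {"owner": 1, "group": 4, "other": 7}[cls]
    return mode[start:start + 3]


def check_listing(entries, ident):
    """Every parent needs search ('x'); the final directory needs 'r' and
    'x' to be listed. Returns (path, class, needed, granted) per step."""
    results = []
    for i, e in enumerate(entries):
        needed = "rx" if i == len(entries) - 1 else "x"
        cls = perm_class(e, ident)
        granted = all(b in class_bits(e.mode, cls) for b in needed)
        results.append((e.path, cls, needed, granted))
    return results


def listing_allowed(results):
    return all(r[3] for r in results)


def load_bearing_groups(entries, ident):
    """Groups whose membership is the only thing granting a step, i.e. the
    'other' bits alone would not have been enough."""
    groups = set()
    for i, e in enumerate(entries):
        needed = "rx" if i == len(entries) - 1 else "x"
        if perm_class(e, ident) != "group":
            continue
        if not all(b in class_bits(e.mode, "other") for b in needed):
            groups.add(e.group)
    return groups


def groups_missing_from_token(working_ls, denied_ls, id_text):
    """For one listing the server allowed and one it denied, both of which
    POSIX says the identity should pass, return the group memberships the
    denied case depends on and the working case does not: the groups the
    serving process evidently did not carry."""
    ident = parse_id(id_text)
    work, den = parse_ls(working_ls), parse_ls(denied_ls)
    if not (listing_allowed(check_listing(work, ident))
            and listing_allowed(check_listing(den, ident))):
        raise ValueError("POSIX bits alone explain the difference")
    return load_bearing_groups(den, ident) - load_bearing_groups(work, ident)


if __name__ == "__main__":
    ident = parse_id(ID_OUTPUT)
    for label, ls in (("755", LS_OUTPUT_755), ("750", LS_OUTPUT_750)):
        print(f"/test/bio mode {label}:")
        for path, cls, needed, ok in check_listing(parse_ls(ls), ident):
            print(f"  {path}: needs {needed!r} via {cls} -> {'ok' if ok else 'DENIED'}")
    print("membership the denied case alone depends on:",
          groups_missing_from_token(LS_OUTPUT_755, LS_OUTPUT_750, ID_OUTPUT))
```

For the two listings in the post the script reports both as allowed under POSIX rules for wernher, and the only membership the 750 case relies on that the 755 case does not is bio2, which is the group to look for in the identity smbd actually applied (for instance with `smbd`'s log level 5 output or `wbinfo`/`getent group` on the server) rather than in the LDAP user record.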