[Samba] 4.4.14 on solaris, using ads, can't read/write as user
francis picabia
fpicabia at gmail.com
Fri Jun 30 11:52:21 UTC 2017
On Thu, Jun 29, 2017 at 4:46 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Thu, 29 Jun 2017 16:28:38 -0300
> francis picabia via samba <samba at lists.samba.org> wrote:
>
> > On Thu, Jun 29, 2017 at 3:48 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> > >
> > >
> > > Well, no it isn't actually on that page, you need to follow an
> > > hyperlink to this page:
> > >
> > > https://wiki.samba.org/index.php/Idmap_config_rid
> > >
> > >
> > It is really confusing. rid or tdb. I don't know what it wants
> > because the second link has both.
>
> No, it isn't confusing, you need both.
>
> You need to have something like this in smb.conf:
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config MYDOM : backend = rid
> idmap config MYDOM : range = 10000-999999
>
> The '*' range is for the 'BUILTIN' domain i.e. the Well Known SIDs
> The 'MYDOM' range is for YOUR domain
>
>
I'm using this config above currently and there is no change to the ownership or permissions issue.

I have in nsswitch.conf:

passwd: files winbind
group: files winbind

(shadow wasn't in nsswitch.conf on Solaris)

winbind and samba services are being restarted on every config change like this:

svcadm disable winbind ; sleep 2; svcadm enable winbind ; svcadm disable samba ; sleep 2; svcadm enable samba
krb5.conf is the config suggested in the samba doc you linked:

[libdefaults]
default_realm = AD.MYDOM.CA
dns_lookup_realm = false
dns_lookup_kdc = true

Here is the tmp share currently:

[tmp]
path = /tmp
browseable = No
read only = No

If I upload a new file to the tmp share, the ownership shows the expected mapped user:

-rwxr--r-- 1 fpicabia domain users 1112 Jun 30 08:10 2017.csr

If I touch a file in /tmp using root shell, and chown it to the same user, it cannot be overwritten or deleted.
ls in smbclient shows this for a file uploaded over samba:

2017.csr A 1112 Fri Jun 30 08:21:05 2017

A file chowned to the same fpicabia user on the system by root shows like this:

doo.txt N 0 Fri Jun 30 08:21:29 2017

Here is the error on attempting to delete it:

smb: \> rm doo.txt
NT_STATUS_ACCESS_DENIED deleting remote file \doo.txt
NT_STATUS_ACCESS_DENIED listing \doo.txt

Here is what it looks like from root console:

# ls -l doo.txt 2017.csr
-rwxr--r-- 1 fpicabia domain users 1112 Jun 30 08:21 2017.csr
-rw-r--r-- 1 fpicabia root 0 Jun 30 08:21 doo.txt

On the outside chance the owner 'x' bit mattered I did a chown u+x on doo.txt and it made no difference to the rm command within smbclient.

Is there something I'm missing about why this isn't the same user or allowable file permissions for writing?
When I do a wbinfo -u | grep fpicabia, do you expect it should return:

fpicabia

or

MYDOM\fpicabia

I wish smbclient had a 'whoami' command, versus 'who am i', so we could see the mapping.

smbstatus shows Username without the domain and for smbclient Protocol has NT1.
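The idmap config quoted in the reply above is the key to checking whether the Unix owner of a file is really the same identity winbind hands out. With the rid backend the mapping is deterministic (Unix ID = RID + base_rid + low end of the range), while the '*' tdb backend allocates IDs on demand and cannot be predicted, which is why both entries are needed. The following is an added example, not code from the thread or from Samba: it parses those four idmap lines and computes the Unix ID winbind should assign to a domain SID, returning None wherever the config does not deterministically cover the SID. The SIDs and RIDs in the test are constructed placeholders.

```python
import re

# idmap lines quoted in the reply above (the only part of smb.conf this needs)
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 10000-999999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)
# domain SID: S-1-5-21-<three sub-authorities>-<RID>
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def parse_idmap(conf):
    """Return {domain: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    domains = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        entry = domains.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            if low > high:
                raise ValueError(f"bad range for {dom}: {val}")
            entry["range"] = (low, high)
        else:
            entry[key] = val
    return domains


def expected_unix_id(domains, dom, sid, base_rid=0):
    """Unix uid/gid winbind's rid backend assigns to `sid` in domain `dom`.

    None means the mapping is not predictable from smb.conf: the domain is
    unconfigured or uses an allocating backend (tdb), the SID is not a domain
    SID, or the computed ID falls outside the configured range (winbind
    refuses to map such a SID, and the file owner cannot be that user).
    """
    entry = domains.get(dom)
    if not entry or entry.get("backend") != "rid" or "range" not in entry:
        return None
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        return None
    low, high = entry["range"]
    unix_id = low + base_rid + int(m.group(1))
    return unix_id if low <= unix_id <= high else None


def owner_matches(domains, dom, sid, observed_uid):
    """True when the uid shown by `id`/`ls -n` for a file matches the SID's expected uid."""
    expected = expected_unix_id(domains, dom, sid)
    return expected is not None and expected == observed_uid
```

Compare the returned ID against the numeric owner from `ls -n` on the share and the uid that `id` reports for the mapped user; if the file's owner uid is not the one winbind derives from the SID, the "same user" seen in `ls -l` is only a name collision in nsswitch.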