[Samba] Samba shared folders and windows 7 permissions dialog.

PF4Public PF4Public at mail.ru
Wed Mar 22 15:12:07 UTC 2017


Was my wording bad or something?


20.03.2017 20:11, PF4Public wrote:
> Hi there
>
> Trying to solve an issue with samba and the windows 7 permissions dialog. The problem is that 
> sometimes the windows 7 permissions dialog is lacking ldap users and groups.
> Looks like my problem is related to this one: 
> https://forums.freenas.org/index.php?threads/users-and-groups-not-showing-up-in-windows-7.46023/ 
> Sadly there is no solution in that thread.
> Consider the following setup: linux debian with samba and ldap and several windows 7 
> hosts. Ldap has user named "test" for my tests.
> Test 1
> Open the test user's home via samba: "\\samba\test" in windows 7 explorer. Create any 
> files/folders there and open the permissions dialog, then switch to advanced user search. It does 
> show ldap users and groups on one windows 7 host, but surprisingly does not on another 
> windows 7 host even though both connect as user "test".
> Test 2
> Make sure that the locally logged-in user belongs to the local administrators group. Same result 
> as with Test 1. One windows host shows all the users and groups from ldap, the other one 
> does not, even though both hosts are logged in with a local administrator account and 
> connecting as the same "test" user to samba.
> Test 3
> Let's take the successful windows host and re-login to a limited account. Now the permissions dialog 
> also lacks ldap users and groups. Elevating explorer.exe does not help, by the way.
> Test 4
> Make samba more verbose: "log level = 10". Repeat Test 1. I was overwhelmed while 
> reading and comparing logfiles, but I noticed a subtle difference there:
> the successful windows host generates:
>
>     [2017/03/20 19:22:05.622880,  5, pid=20151, effective(10000, 10002), real(10000, 0)]
>     ../source3/auth/token_util.c:639(debug_unix_user_token)
>
>       UNIX token of user 10000
>
>       Primary group is 10002 and contains 1 supplementary groups
>
>       Group[  0]: 10002
>
>     [2017/03/20 19:22:05.622904,  5, pid=20151, effective(10000, 10002), real(10000, 0)]
>     ../source3/smbd/uid.c:452(smbd_become_authenticated_pipe_user)
>
>       Impersonated user: uid=(10000,10000), gid=(0,10002)
>
>     [2017/03/20 19:22:05.622917,  5, pid=20151, effective(10000, 10002), real(10000, 0),
>     class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1404(api_pipe_request)
>
>       Requested samr rpc service
>
>     [2017/03/20 19:22:05.622929,  4, pid=20151, effective(10000, 10002), real(10000, 0),
>     class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1429(api_rpcTNP)
>
>       api_rpcTNP: samr op 0x7 - api_rpcTNP: rpc command: SAMR_OPENDOMAIN
>
>     [2017/03/20 19:22:05.622942,  6, pid=20151, effective(10000, 10002), real(10000, 0),
>     class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1469(api_rpcTNP)
>
>       api_rpc_cmds[7].fn == 0x7fa14a7c6ed0
>
>     [2017/03/20 19:22:05.622956,  1, pid=20151, effective(10000, 10002), real(10000, 0)]
>     ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
>
>            samr_OpenDomain: struct samr_OpenDomain
>
>               in: struct samr_OpenDomain
>
>                   connect_handle           : *
>
>                       connect_handle: struct policy_handle
>
>                           handle_type              : 0x00000000 (0)
>
>                           uuid                     : 00000021-0000-0000-d058-ad01b74e0000
>
>                   access_mask              : 0x00000304 (772)
>
>                          0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
>
>                          0: SAMR_DOMAIN_ACCESS_SET_INFO_1
>
>                          1: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2
>
>                          0: SAMR_DOMAIN_ACCESS_SET_INFO_2
>
>                          0: SAMR_DOMAIN_ACCESS_CREATE_USER
>
>                          0: SAMR_DOMAIN_ACCESS_CREATE_GROUP
>
>                          0: SAMR_DOMAIN_ACCESS_CREATE_ALIAS
>
>                          0: SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
>
>                          1: SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
>
>                          1: SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
>
>                          0: SAMR_DOMAIN_ACCESS_SET_INFO_3
>
>
> While the other gives:
>
>     [2017/03/20 18:51:48.939208,  5, pid=4553, effective(10000, 10002), real(10000, 0)]
>     ../source3/auth/token_util.c:639(debug_unix_user_token)
>
>       UNIX token of user 10000
>
>       Primary group is 10002 and contains 1 supplementary groups
>
>       Group[  0]: 10002
>
>     [2017/03/20 18:51:48.939236,  5, pid=4553, effective(10000, 10002), real(10000, 0)]
>     ../source3/smbd/uid.c:452(smbd_become_authenticated_pipe_user)
>
>       Impersonated user: uid=(10000,10000), gid=(0,10002)
>
>     [2017/03/20 18:51:48.939252,  5, pid=4553, effective(10000, 10002), real(10000, 0),
>     class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1404(api_pipe_request)
>
>       Requested samr rpc service
>
>     [2017/03/20 18:51:48.939265,  4, pid=4553, effective(10000, 10002), real(10000, 0),
>     class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1429(api_rpcTNP)
>
>       api_rpcTNP: samr op 0x7 - api_rpcTNP: rpc command: SAMR_OPENDOMAIN
>
>     [2017/03/20 18:51:48.939281,  6, pid=4553, effective(10000, 10002), real(10000, 0),
>     class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1469(api_rpcTNP)
>
>       api_rpc_cmds[7].fn == 0x7fa14a7c6ed0
>
>     [2017/03/20 18:51:48.939298,  1, pid=4553, effective(10000, 10002), real(10000, 0)]
>     ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
>
>            samr_OpenDomain: struct samr_OpenDomain
>
>               in: struct samr_OpenDomain
>
>                   connect_handle           : *
>
>                       connect_handle: struct policy_handle
>
>                           handle_type              : 0x00000000 (0)
>
>                           uuid                     : 00000017-0000-0000-cf58-94fac9110000
>
>                   access_mask              : 0x00000200 (512)
>
>                          0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
>
>                          0: SAMR_DOMAIN_ACCESS_SET_INFO_1
>
>                          0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2
>
>                          0: SAMR_DOMAIN_ACCESS_SET_INFO_2
>
>                          0: SAMR_DOMAIN_ACCESS_CREATE_USER
>
>                          0: SAMR_DOMAIN_ACCESS_CREATE_GROUP
>
>                          0: SAMR_DOMAIN_ACCESS_CREATE_ALIAS
>
>                          0: SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
>
>                          0: SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
>
>                          1: SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
>
>                          0: SAMR_DOMAIN_ACCESS_SET_INFO_3
>
> Is it "0: SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS" that blocks that windows host from 
> enumerating ldap users and groups? If that's true, then why is that happening to the 
> same user on different hosts? What is the origin of struct samr_OpenDomain and how 
> does samba derive it?
>
> Or am I on the wrong track?
>
> Anyway any advice on this issue is welcome.
> Please help me resolve this nasty issue.
>
> Thanks in advance.
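A small diagnostic for the comparison the post makes by hand, added here as an example rather than anything from the thread: it pulls the `access_mask` out of the two `samr_OpenDomain` log excerpts and decodes each into the right names Samba prints. The bit values are assumed from Samba's `samr.idl` (they agree with the 0x304 and 0x200 decodes shown in the log), and the `in:` struct is the client's own request, so the mask is what each Windows host asked for when opening the domain.

```python
import re

# SAMR domain access rights, in the bit order Samba's ndr_print output lists them.
# Bit values assumed from Samba's librpc/idl/samr.idl; names are those in the log above.
SAMR_DOMAIN_ACCESS = [
    (0x001, "SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1"),
    (0x002, "SAMR_DOMAIN_ACCESS_SET_INFO_1"),
    (0x004, "SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2"),
    (0x008, "SAMR_DOMAIN_ACCESS_SET_INFO_2"),
    (0x010, "SAMR_DOMAIN_ACCESS_CREATE_USER"),
    (0x020, "SAMR_DOMAIN_ACCESS_CREATE_GROUP"),
    (0x040, "SAMR_DOMAIN_ACCESS_CREATE_ALIAS"),
    (0x080, "SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS"),
    (0x100, "SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS"),
    (0x200, "SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT"),
    (0x400, "SAMR_DOMAIN_ACCESS_SET_INFO_3"),
]

# Matches the "access_mask : 0x00000304 (772)" lines of an ndr_print_function_debug dump.
ACCESS_MASK_RE = re.compile(r"access_mask\s*:\s*0x([0-9a-fA-F]+)")

def decode_domain_access(mask):
    """Return the set of right names whose bit is set in mask."""
    return {name for bit, name in SAMR_DOMAIN_ACCESS if mask & bit}

def extract_access_masks(log_text):
    """Pull every access_mask value (as an int) out of a level-10 smbd log excerpt."""
    return [int(m, 16) for m in ACCESS_MASK_RE.findall(log_text)]

def diff_domain_access(working_mask, failing_mask):
    """Rights only the working host requested, and rights only the failing host requested."""
    working = decode_domain_access(working_mask)
    failing = decode_domain_access(failing_mask)
    return sorted(working - failing), sorted(failing - working)

# Constructed excerpts reproducing the two access_mask lines from the post's logs.
WORKING_HOST_LOG = """       samr_OpenDomain: struct samr_OpenDomain
          in: struct samr_OpenDomain
              access_mask              : 0x00000304 (772)
"""
FAILING_HOST_LOG = """       samr_OpenDomain: struct samr_OpenDomain
          in: struct samr_OpenDomain
              access_mask              : 0x00000200 (512)
"""

if __name__ == "__main__":
    working = extract_access_masks(WORKING_HOST_LOG)[0]
    failing = extract_access_masks(FAILING_HOST_LOG)[0]
    only_working, only_failing = diff_domain_access(working, failing)
    print("requested only by the working host:", only_working)
    print("requested only by the failing host:", only_failing)
```

Run against the two excerpts it reports that the working host additionally asked for ENUM_ACCOUNTS and LOOKUP_INFO_2, which is the difference the post spotted; the same functions can be pointed at full `log level = 10` files from each host to check whether every OpenDomain call, not just this one, shows the same pattern.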


