[Samba] Domain Users cannot write to the share.
Leszek Szczepanowski
twinsen at mspanc.net
Mon Nov 28 19:36:31 UTC 2022
Hi,
I successfully made a GlusterFS+CTDB+Samba cluster, integrated to the AD.
I also made it work with SELinux after some investigation.
Now I have some final issues: AD users cannot write to the share if it has
775 permissions.
I tried to set ACLs, but whenever 'other' is r-x, no one who is not in the
'classic' gluster UNIX group can write to the share. Here is the getfacl output:
[root@fs01 symptoms]# getfacl /mnt/glusterfs/symptoms/
getfacl: Removing leading '/' from absolute path names
# file: mnt/glusterfs/symptoms/
# owner: gluster
# group: gluster
user::rwx
group::rwx
other::rwx
default:user::rwx
default:group::rwx
default:group:XXX\\domain\040users:rwx
default:mask::rwx
default:other::r-x
Here is the content (after I did chmod 777 because nothing was working):
[root@fs01 symptoms]# ls -ln
total 659859
[...]
drwxrwxr-x+ 2 315360 300513 4096 Nov 28 20:04 blabla
drwxrwxr-x+ 2 315360 300513 4096 Nov 28 19:57 ble
-rwxrwxr-x. 1 1000 1000 0 Nov 15 15:09 test10
-rwxr--r--. 1 1001 1002 0 Nov 15 18:55 test99
drwxrwxr-x+ 2 315360 300513 4096 Nov 28 19:58 testy
drwxrwxr-x+ 2 315360 300513 4096 Nov 28 20:06 yuma
[...]
So, as you can see, the AD user mapped to UID 315360 and GID 300513 can only
write when this folder has 777. Here is the smb.conf (from the registry):
[root@fs01 symptoms]# net conf list
[global]
logging = syslog
log level = 1
netbios name = fs
workgroup = XXX
clustering = yes
security = ads
realm = XXX.XXX.XXX
vfs objects = acl_xattr
map acl inherit = yes
idmap config XXX: backend = rid
idmap config * : range = 100000-299999
idmap config XXX: range = 300000-499999
idmap config * : backend = tdb
winbind rpc only = yes
kerberos method = secrets and keytab
[symptoms]
path = /mnt/glusterfs/symptoms/
guest ok = no
read only = no
browseable = yes
map acl inherit = yes
inherit acls = yes
[root@fs01 symptoms]# net groupmap list
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Guests (S-1-5-32-546) -> BUILTIN\guests
Users (S-1-5-32-545) -> BUILTIN\users
Domain Users (S-1-5-21-76667877-53546716-1882380502-974) -> gluster
[root@fs01 symptoms]# id gluster
uid=974(gluster) gid=974(gluster) groups=974(gluster)
For every local UNIX user belonging to the gluster group, either as primary GID
or as a supplementary group, write permission is granted (in the case of 775).
But not for AD users. What am I doing wrong?
How can I allow AD users to write when the standard UNIX permissions are
775?
--
Leszek A. Szczepanowski
twinsen at mspanc.net
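Added example (editor's code, not from the post above and not Samba's own): a small
evaluator that parses getfacl output and applies the acl(5) access-check order
(owner, named user, matching groups under the mask, then other). It is run against
the entries from the post with other:: set back to r-x to represent the 775 state the
post describes (the posted listing was taken after chmod 777). The name-to-id tables
are assumptions: linking "XXX\domain users" to GID 300513 (the group id seen in the
ls -ln output) is assumed for illustration, not shown by the post. On these entries
the share directory's access ACL carries only user::, group:: and other:: entries, so
a process whose only group ids are the RID-mapped ones is evaluated against other::,
while a child created under it inherits the default entries, including the named
group entry.

```python
"""Evaluate POSIX ACLs the way acl(5) does, from getfacl output.

Added example, not code from the original post. The name-to-id tables are
assumptions for illustration; a real system resolves them via NSS/winbind.
"""
import re
from dataclasses import dataclass, field

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_perms(s):
    """'rwx' / 'r-x' -> bitmask (4/2/1)."""
    return sum(PERM_BITS.get(ch, 0) for ch in s)


def unescape(name):
    """Undo getfacl quoting: '\\040' is a space, '\\\\' a literal backslash."""
    return re.sub(r"\\([0-7]{3}|\\)",
                  lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8)),
                  name)


@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    access: list = field(default_factory=list)   # (tag, qualifier, bits)
    default: list = field(default_factory=list)  # inherited by new children


def parse_getfacl(text):
    acl = Acl()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("getfacl:"):
            continue
        if line.startswith("# owner:"):
            acl.owner = line.split(":", 1)[1].strip()
            continue
        if line.startswith("# group:"):
            acl.group = line.split(":", 1)[1].strip()
            continue
        if line.startswith("#"):
            continue                                  # '# file:' header line
        target = acl.access
        if line.startswith("default:"):
            target, line = acl.default, line[len("default:"):]
        line = line.split("#", 1)[0].strip()          # drop '#effective:...' hints
        tag, qualifier, perms = line.rsplit(":", 2)
        target.append((tag, unescape(qualifier), parse_perms(perms)))
    return acl


def may_access(acl, uid, gids, want, uid_of, gid_of, entries=None):
    """acl(5) check order: owner, named user, matching groups (masked), other."""
    entries = acl.access if entries is None else entries
    want = parse_perms(want)
    mask = next((p for t, _, p in entries if t == "mask"), None)
    masked = (lambda p: p & mask) if mask is not None else (lambda p: p)
    if uid == uid_of[acl.owner]:                      # 1. owner: user::, never masked
        return any(t == "user" and q == "" and want & p == want for t, q, p in entries)
    for t, q, p in entries:                           # 2. named user entry
        if t == "user" and q and uid_of[q] == uid:
            return want & masked(p) == want
    matched = False                                   # 3. owning group / named groups
    for t, q, p in entries:
        if t == "group" and gid_of[acl.group if q == "" else q] in gids:
            matched = True
            if want & masked(p) == want:
                return True
    if matched:
        return False
    return any(t == "other" and want & p == want for t, _, p in entries)  # 4. other


def perm_string(acl, uid, gids, uid_of, gid_of, entries=None):
    """Per-bit view ('r-x') of what uid/gids get on these entries."""
    return "".join(ch if may_access(acl, uid, gids, ch, uid_of, gid_of, entries) else "-"
                   for ch in "rwx")


def with_mask(entries, perms):
    """Copy of entries with mask:: set to perms (what chmod of the group bits does)."""
    bits = parse_perms(perms)
    return [("mask", q, bits) if t == "mask" else (t, q, p) for t, q, p in entries]


# Constructed getfacl output for the 775 state described in the post
# (the post's own listing was taken after chmod 777, so other:: is rwx there).
ACL_775 = r"""
# file: mnt/glusterfs/symptoms/
# owner: gluster
# group: gluster
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:XXX\\domain\040users:rwx
default:mask::rwx
default:other::r-x
"""

# Assumed name->id tables: 974 is 'gluster' from the post; tying the AD group name
# to 300513 (the gid in the post's ls -ln output) is an assumption.
UID_OF = {"gluster": 974}
GID_OF = {"gluster": 974, "XXX\\domain users": 300513}

ACL = parse_getfacl(ACL_775)

if __name__ == "__main__":
    ad_user = (315360, [300513])
    print("AD user on the share dir  :", perm_string(ACL, *ad_user, UID_OF, GID_OF))
    print("local user in gluster grp :", perm_string(ACL, 1000, [1000, 974], UID_OF, GID_OF))
    # A child created under the share inherits the default entries as its access ACL
    # (simplified: the intersection with the create mode is ignored here).
    print("AD user on a new child    :", perm_string(ACL, *ad_user, UID_OF, GID_OF, ACL.default))
    print("same child, mask r-x      :",
          perm_string(ACL, *ad_user, UID_OF, GID_OF, with_mask(ACL.default, "r-x")))
```

The with_mask case is there as the usual caveat when reading getfacl: a named group entry
that prints as rwx is still capped by mask::, and a chmod of the group bits rewrites the mask.
Inheritance of default entries is shown without the create-mode intersection that mkdir and
Samba's create masks apply, so the child's real entries can be narrower than printed here.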