Discussion:
[Samba] Samba 3.0.x access rights issue with secondary groups or Unix rights
albanperso-zatoo at yahoo.com ()
2008-08-18 19:53:52 UTC
Hi experts

I have trouble with access rights.

I am running Samba 3.0.31 on Solaris 10 x86 64 bits as a member server of an Active
Directory 2003 R2 domain (MYDOMAIN) using Identity Management for Unix.
I set rights to access a subfolder of a Samba share. On Solaris the user
"toto" jdoe can write a new file. From Windows, the same user can't.
It looks OK when the primary group (grp1) of the user is the group
that owns the subtree, but not when this owner group is a secondary group
(grp2).
It is OK if I explicitly set the user right from MS Windows.
I can't change the access rights to the group from MS Windows.

I suspect Unix ownership or ACLs to be the root cause, but I can't exclude a Samba issue.

Thanks for your help.

Here are long details on my config (sorry for the parts that take up space and hold no useful info; just go to the valuable data).

************ An extract from my smb.conf ************

[global]
## part windows ##
host msdfs = no
netbios name = machines01
netbios aliases = 2store
server string = 2store
workgroup = MYDOMAIN
realm = MYDOMAIN.LOCAL
security = ADS
use kerberos keytab = yes
obey pam restrictions = Yes
use spnego = yes
client use spnego = yes
password server = machinew01.MYDOMAIN.local machinew07.MYDOMAIN.local
# unix extensions = no
machine password timeout = 0
# logon path = \\machines01\profiles\%U
template shell = /bin/bash
hosts allow = 127.0.0.1, 192.168.10.0/255.255.255.0, 192.168.11.0/255.255.255.0
## part samba engine ##
max log size = 50000
log level = 10
syslog = 0
log file = /var/log/samba/%m
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
## part ldap et idmap ##
ldap admin dn = "cn=myadmin,cn=users,dc=MYDOMAIN,dc=local"
ldap idmap suffix = ou=idmap
ldap ssl = no
idmap backend = ldap:ldap://machinew01.MYDOMAIN.local ldap:ldap://machinew07.MYDOMAIN.local
#idmap backend = idmap_rid:MYDOMAIN=10000-20000
#idmap backend = ad
idmap uid = 10000-20000
idmap gid = 10000-20000
#idmap config MYDOMAIN:schema_mode = rfc2307
## part winbind ##
winbind nss info = rfc2307
winbind cache time = 5
winbind refresh tickets = Yes
winbind use default domain = Yes
winbind trusted domains only = Yes
winbind nested groups = Yes
winbind enum groups = Yes
winbind enum users = Yes

[data]
comment = Samba data folder
path = /samba/data
read only = No
create mask = 0740
directory mask = 0750
guest ok = Yes




************ Check the Unix name resolution ************
getent passwd jdoe
jdoe:x:10037:10002:John DOE:/home/jdoe:/bin/sh


getent group grp2
grp2::10004:myadmin,jdoe,demo1,demo2,demo3


************ I can check that Samba can resolve if the user is member of the group ************

/usr/local/samba/bin/net ads user info jdoe
grp2
grp1


/usr/local/samba/bin/wbinfo -G 10004
S-1-5-21-2269603188-533060101-51835291-1642

/usr/local/samba/bin/wbinfo -Y S-1-5-21-2269603188-533060101-51835291-1642
10004


/usr/local/samba/bin/wbinfo -R 10004
winbind_lookup_rids failed
Could not lookup RIDs 10004



************ Review of the access rights ************

ls -al /samba/data/level1/level2/level3/level4
drwxrwsr-x+ 19 myadmin grp2 512 Aug 15 11:18 .
drwxr-x--- 9 myadmin grp1 512 Aug 12 16:06 ..
drwxrws---+ 3 myadmin grp2 512 Jun 27 10:58 general
-rwxr-----+ 1 jdoe grp2 0 Aug 15 11:18 New Text Document from Windows.txt
-rwxrw---- 1 jdoe grp2 44 Aug 15 11:14 newdocfromunix.txt

*** ACTION: I tried on Unix to change the group owner of ".." to grp2, but that removes all jdoe access from Windows


************ Test POSIX ACLs ************
getfacl -a /samba/data/level1/level2/level3/level4/

# file: /samba/data/level1/level2/level3/level4/
# owner: myadmin
# group: grp2
user::rwx
group::rwx #effective:rwx
other:r-x


getfacl -a /samba/data/level1/level2/level3

# file: /samba/data/level1/level2/level3
# owner: myadmin
# group: grp1
user::rwx
group::r-x #effective:r-x
mask:r-x
other:---


getfacl -a /samba/data/level1/level2

# file: /samba/data/level1/level2
# owner: myadmin
# group: grp1
user::rwx
group::r-x #effective:r-x
other:r-x


getfacl -a /samba/data/level1

# file: /samba/data/level1
# owner: root
# group: root
user::rwx
group::r-x #effective:r-x
mask:r-x
other:r-x


getfacl -a /samba/data

# file: /samba/data
# owner: myadmin
# group: grp1
user::rwx
user:user123:rwx #effective:rwx
group::r-x #effective:r-x
mask:rwx
other:r-x



************ From MS Windows side ************

Properties/Security
The group is in the "Group and user names" list.
There is no check box in the Allow or Deny column.

Advanced/Permissions

Type Name Permission Inherited from Apply to
Allow smb_ins (MYDOMAIN/smb_ins) <not inherited> This folder only

****** ACTION:
When I try to force it, the situation returns to the original state with no error.
Checking "allow inheritable" and/or "Replace permissions" has no effect in any combination.

When I add the user with access rights, it is OK.




************ Some extracts from the Samba log at level 10 ************

[2008/08/15 12:25:22, 10] smbd/statcache.c:stat_cache_lookup(248)
stat_cache_lookup: lookup succeeded for name [jdoe] -> [jdoe]
[2008/08/15 12:25:22, 5] smbd/filename.c:unix_convert(246)
unix_convert begin: name = jdoe/ntuser.man, dirpath = jdoe, start = ntuser.man
[2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled(276)
is_mangled ntuser.man ?
[2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled_component(215)
is_mangled_component ntuser.man (len 10) ?
[2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled(276)
is_mangled ntuser.man ?
[2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled_component(215)
is_mangled_component ntuser.man (len 10) ?
[2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled(276)
is_mangled ntuser.man ?
[2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled_component(215)
is_mangled_component ntuser.man (len 10) ?
[2008/08/15 12:25:22, 5] smbd/filename.c:unix_convert(440)
New file ntuser.man
[2008/08/15 12:25:22, 3] smbd/dosmode.c:unix_mode(142)
unix_mode(jdoe/ntuser.man) returning 0700
[2008/08/15 12:25:22, 10] smbd/open.c:open_file_ntcreate(1184)

open_file_ntcreate: fname=jdoe/ntuser.man, dos_attrs=0x0
access_mask=0x1 share_access=0x7 create_disposition = 0x1
create_options=0x140 unix mode=0700 oplock_request=3
[2008/08/15 12:25:22, 5] smbd/open.c:open_file_ntcreate(1264)
open_file_ntcreate: FILE_OPEN requested for file jdoe/ntuser.man and file doesn't exist.
[2008/08/15 12:25:22, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/nttrans.c(805) cmd=162 (SMBntcreateX) NT_STATUS_OBJECT_NAME_NOT_FOUND
[2008/08/15 12:25:22, 5] lib/util.c:show_msg(484)
[2008/08/15 12:25:22, 5] lib/util.c:show_msg(494)
size=35
smb_com=0xa2
smb_rcls=52
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51201
smb_tid=3
smb_pid=588
smb_uid=101
smb_mid=1024
smt_wct=0
smb_bcc=0



[2008/08/15 12:25:22, 10] smbd/open.c:open_file_ntcreate(1347)
open_file_ntcreate: fname=jdoe/Application Data/Microsoft/SystemCertificates/My/CRLs, after mapping access_mask=0x1
[2008/08/15 12:25:22, 5] smbd/files.c:file_new(123)
allocated file structure 1332, fnum = 5428 (5 used)
[2008/08/15 12:25:22, 4] smbd/open.c:open_file_ntcreate(1605)
calling open_file with flags=0x0 flags2=0x0 mode=0700, access_mask = 0x1, open_access_mask = 0x1
[2008/08/15 12:25:22, 10] smbd/open.c:fd_open(67)
fd_open: name jdoe/Application Data/Microsoft/SystemCertificates/My/CRLs, flags = 00 mode = 0700, fd = 32.
[2008/08/15 12:25:22, 10] locking/posix.c:get_windows_lock_ref_count(545)
get_windows_lock_count for file = 0
[2008/08/15 12:25:22, 10] locking/posix.c:delete_windows_lock_ref_count(559)
delete_windows_lock_ref_count for file
[2008/08/15 12:25:22, 5] smbd/files.c:file_free(454)
freed files structure 5428 (4 used)
[2008/08/15 12:25:22, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/nttrans.c(779) cmd=162 (SMBntcreateX) NT_STATUS_FILE_IS_A_DIRECTORY


[2008/08/15 12:25:22, 10] smbd/open.c:open_file_ntcreate(1347)
open_file_ntcreate: fname=jdoe/Application Data/Microsoft/SystemCertificates/My/CRLs, after mapping access_mask=0x1
[2008/08/15 12:25:22, 5] smbd/files.c:file_new(123)
allocated file structure 1332, fnum = 5428 (5 used)
[2008/08/15 12:25:22, 4] smbd/open.c:open_file_ntcreate(1605)
calling open_file with flags=0x0 flags2=0x0 mode=0700, access_mask = 0x1, open_access_mask = 0x1
[2008/08/15 12:25:22, 10] smbd/open.c:fd_open(67)
fd_open: name jdoe/Application Data/Microsoft/SystemCertificates/My/CRLs, flags = 00 mode = 0700, fd = 32.
[2008/08/15 12:25:22, 10] locking/posix.c:get_windows_lock_ref_count(545)
get_windows_lock_count for file = 0
[2008/08/15 12:25:22, 10] locking/posix.c:delete_windows_lock_ref_count(559)
delete_windows_lock_ref_count for file
[2008/08/15 12:25:22, 5] smbd/files.c:file_free(454)
freed files structure 5428 (4 used)
[2008/08/15 12:25:22, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/nttrans.c(779) cmd=162 (SMBntcreateX) NT_STATUS_FILE_IS_A_DIRECTORY


Duncan Brannen
2008-08-19 17:14:15 UTC
Hi,
I have a similar problem, no ADS in my setup, just no supplementary groups showing up (Samba 3.2.1 and groups ldap in nsswitch.conf as opposed to working with Samba 3.0.28 and groups nis in nsswitch.conf), Solaris 10 SPARC.

Everything looks ok, getent, groups <user> etc when logged in as root, but if I su to the user not getting any groups and type

groups

I don't see any groups there bar the primary one.

Are you seeing the same thing? IE if you're logged in as root and type

groups jdoe

You see all of jdoe's groups

but if you su to jdoe and type

groups

You only see the primary group?

Just a long shot but might push you in the right direction?


Cheers,
Duncan
--
The University of St Andrews is a charity registered in Scotland : No SC013532
albanperso-zatoo at yahoo.com ()
2008-08-19 17:41:23 UTC
Details on the groups command

To have the secondary groups, I have to enter "id -a" logged in as the user.

As root, it doesn't work. "id -a jdoe" just returns the primary group.



Duncan Brannen
2008-08-19 18:36:41 UTC
Someone more knowledgeable may correct me, but I'd guess you have to fix that; if Solaris isn't picking up secondary groups for a user, I'd think Samba won't find them either.

On my systems id -a returns all the groups, it's just the groups command when run as a non root user that doesn't work on my systems with groups configured in ldap and this seems enough to stop Samba picking up my secondary groups. Your system seems to be misbehaving in the opposite way.

If I fix mine, I'll let you know what was wrong, I may just go back to NIS groups in nsswitch.conf.

Cheers,
Duncan
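
A model of the access check behind the symptoms discussed in this thread, added here as an illustration; it is not code from any poster or from Samba. It transcribes the getfacl output from the first post and applies standard POSIX ACL evaluation rules to a process that carries either jdoe's full group list or only the primary group grp1. It assumes that / and /samba are traversable and that the posted entries are complete.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Acl:
    owner: str
    group: str
    user_obj: str                   # user::
    group_obj: str                  # group::
    other: str                      # other:
    mask: Optional[str] = None      # absent on a minimal ACL
    users: dict = field(default_factory=dict)    # named user entries
    groups: dict = field(default_factory=dict)   # named group entries


def _bits(perm):
    return {c for c in perm if c != "-"}


def permits(acl, user, groups, want):
    """POSIX ACL check: owner, named user, group class, then other."""
    want = set(want)
    mask = _bits(acl.mask) if acl.mask is not None else set("rwx")
    if user == acl.owner:
        return want <= _bits(acl.user_obj)
    if user in acl.users:
        return want <= (_bits(acl.users[user]) & mask)
    entries = []
    if acl.group in groups:
        entries.append(acl.group_obj)
    entries += [p for g, p in acl.groups.items() if g in groups]
    if entries:
        # Once any group entry matches, "other" is never consulted.
        return any(want <= (_bits(p) & mask) for p in entries)
    return want <= _bits(acl.other)


def posted_tree():
    """ACLs as shown by getfacl in the first post of the thread."""
    base = "/samba/data"
    return {
        base: Acl("myadmin", "grp1", "rwx", "r-x", "r-x",
                  mask="rwx", users={"user123": "rwx"}),
        base + "/level1": Acl("root", "root", "rwx", "r-x", "r-x", mask="r-x"),
        base + "/level1/level2": Acl("myadmin", "grp1", "rwx", "r-x", "r-x"),
        base + "/level1/level2/level3":
            Acl("myadmin", "grp1", "rwx", "r-x", "---", mask="r-x"),
        base + "/level1/level2/level3/level4":
            Acl("myadmin", "grp2", "rwx", "rwx", "r-x"),
    }


TARGET = "/samba/data/level1/level2/level3/level4"
PARENT = TARGET.rsplit("/", 1)[0]


def can_create(tree, target, user, groups):
    """Return (allowed, blocking_dir).

    Creating a file needs x on every ancestor directory and w+x on the target.
    """
    dirs = sorted(p for p in tree if target == p or target.startswith(p + "/"))
    for d in dirs:
        want = "wx" if d == target else "x"
        if not permits(tree[d], user, groups, want):
            return False, d
    return True, None


def scenarios():
    full = {"grp1", "grp2"}     # what a Solaris login shell carries for jdoe
    primary_only = {"grp1"}     # assumption: the group list the thread suspects smbd sees
    regrouped = posted_tree()
    regrouped[PARENT].group = "grp2"   # the poster's chgrp experiment on ".."
    return {
        "full group list": can_create(posted_tree(), TARGET, "jdoe", full),
        "primary group only": can_create(posted_tree(), TARGET, "jdoe", primary_only),
        "chgrp on parent, primary group only":
            can_create(regrouped, TARGET, "jdoe", primary_only),
    }


if __name__ == "__main__":
    for name, (ok, where) in scenarios().items():
        verdict = "allowed" if ok else "denied at " + where
        print(name + ": " + verdict)
```

Under these assumptions the model reproduces both observations in the first post: a process without grp2 falls through to the "other" entry, which lacks write on level4 and lacks everything on level3 once that directory's group is changed to grp2.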
Post by albanperso-zatoo at yahoo.com ()
details on grous command
To have the secondary groups, I have to enter "id -a" logged as the user
As root, It doesn't work. "id -a jdoe" just returns the primary group
--
The University of St Andrews is a charity registered in Scotland : No SC013532
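Added example, not part of any post in this thread: a small diagnostic for the mismatch discussed above, where the group database lists a user as a member of a secondary group but a per-user lookup returns only the primary group. It compares `os.getgrouplist()` (per-user lookup) with an enumeration of the group database in `getent group` format. The function names are hypothetical, the sample data is constructed from the values quoted in the thread, and the `grp1` line assumes gid 10002 from jdoe's passwd entry.

```python
import grp
import os
import pwd
import sys

# Constructed sample in `getent group` format. The grp2 line is the one quoted
# in the thread; the grp1 line is an assumption (gid taken from jdoe's passwd entry).
SAMPLE_GROUPS = "grp1::10002:\ngrp2::10004:myadmin,jdoe,demo1,demo2,demo3\n"


def parse_group_lines(text):
    """Parse `getent group` style lines: name:passwd:gid:member,member,..."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4 or not fields[2].isdigit():
            continue  # skip blank or malformed lines
        members = [m for m in fields[3].split(",") if m]
        entries.append((fields[0], int(fields[2]), members))
    return entries


def groups_by_enumeration(user, primary_gid, group_db):
    """Groups found by scanning the whole group database for the user."""
    found = {}
    for name, gid, members in group_db:
        if gid == primary_gid or user in members:
            found[gid] = name
    return found


def compare(user, primary_gid, group_db, per_user_gids):
    """Report gids that only one of the two lookups returns."""
    enumerated = set(groups_by_enumeration(user, primary_gid, group_db))
    per_user = set(per_user_gids)
    return {
        "missing_from_per_user_lookup": sorted(enumerated - per_user),
        "missing_from_enumeration": sorted(per_user - enumerated),
    }


def check_live(user):
    """Run the comparison against this host's NSS configuration."""
    pw = pwd.getpwnam(user)
    group_db = [(g.gr_name, g.gr_gid, list(g.gr_mem)) for g in grp.getgrall()]
    per_user = os.getgrouplist(user, pw.pw_gid)
    return compare(user, pw.pw_gid, group_db, per_user)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check: python3 groupcheck.py jdoe
        print(check_live(sys.argv[1]))
    else:
        # Offline demo: the per-user lookup returns only the primary gid,
        # as in the "id -a jdoe" output described in the thread.
        db = parse_group_lines(SAMPLE_GROUPS)
        print(compare("jdoe", 10002, db, [10002]))
```

Run it both as root and as the affected user: a non-empty `missing_from_per_user_lookup` in either context points at the name service configuration rather than at the share's permissions.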
albanperso-zatoo at yahoo.com ()
2008-08-19 18:53:16 UTC
Permalink
Good remark, Duncan, but on the Samba side, the command "net ads user info jdoe" can resolve all the user's groups, including the secondary ones.

I checked on the Unix side with the ldapsearch command, using Kerberos authentication, that the involved accounts can read all the required attributes in users and groups, and it is OK.

I have no idea what's wrong.
I am stuck, and an expert could probably help us.

Regards


Duncan Brannen
2008-08-19 19:39:03 UTC
Permalink
Ah,
Sorry, I assumed you didn't see the groups in Samba either.

Hope you get it sorted.

Cheers,
Duncan
Post by albanperso-zatoo at yahoo.com ()
good remark, Duncan, but on the samba side, the commande "net ads user info jdoe" can resolve all the user groups included secondary
I check on unix side with the ldapsearch command that using kerberos that the authentication of the involved accounts can read requires all attributes in users and groups and it is OK
I have no idea on what's wrong
I am stuck and an expert could probably help us
Regards
----- Message d'origine ----
Envoy? le : Mardi, 19 Ao?t 2008, 15h28mn 47s
Objet : Re: Re : [Samba] Samba 3.0.x access rights issue with secondary groups or Unix rights
Someone more knowledgeable may correct me, but I'd guess you have to fix
that,
if Solaris isn't picking up secondary groups for a user, I'd think Samba
won't find
them either.
On my systems id -a returns all the groups, it's just the groups command
when run as
a non root user that doesn't work on my systems with groups configured
in ldap and
this seems enough to stop Samba picking up my secondary groups. Your systems
seems to be misbehaving in the opposite way.
If I fix mine, I'll let you know what was wrong, I may just go back to
NIS groups
in nsswitch.conf.
Cheers,
Duncan
Post by albanperso-zatoo at yahoo.com ()
details on grous command
To have the secondary groups, I have to enter "id -a" logged as the user
As root, It doesn't work. "id -a jdoe" just returns the primary group
----- Message d'origine ----
De : Duncan Brannen
Envoy? le : Mardi, 19 Ao?t 2008, 14h02mn 38s
Objet : Re: [Samba] Samba 3.0.x access rights issue with secondary groups or
Unix rights
Post by albanperso-zatoo at yahoo.com ()
Hi,
I have a similar problem, no ADS in my setup, just no
supplementary groups showing
up (samba 3.2.1 and groups ldap in nsswitch.conf as opposed to
onf)
Post by albanperso-zatoo at yahoo.com ()
Solaris 10 SPARC
Everything looks ok, getent, groups etc when logged in as root,
but if I su to the user
not getting any groups and type
Post by albanperso-zatoo at yahoo.com ()
groups
I don't see any groups there bar the primary one.
Are you seeing the same thing? IE if you're logged in as root and type
groups jdoe
You see all of jdoe's groups
but if you su to jdoe and type
groups
You only see the primary group?
Just a long shot but might push you in the right direction?
Cheers,
Duncan
Post by albanperso-zatoo at yahoo.com ()
Hi experts
I have a trouble in access rights
I am running Samba
3.0.31 on Solaris 10 x86 64 bits as member server of an Active
Directory 2003 R2 domain (MYDOMAIN) using Identity Management for Unix
I set rights to access a sub folder of a Samba share. On Solaris the user
"toto" jdoe can write a new file. From Windows, the same user can't.
Itlooks like OK when the primary group (grp1) of the user is the group
that own the subtree but not when this owner group is a secondary group
(grp2).
It is OK If I set explicitly the user right from MS Windows
I can't change the access rights to the group from MS Windows
I suspect Unix ownership or ACL to be the root cause but I can't exclude a
Samba issue
Post by albanperso-zatoo at yahoo.com ()
Thanks for help
he parts that take place and no
useful info, so just go to the valuable data)
Post by albanperso-zatoo at yahoo.com ()
************ An extract from my smb.conf ************
[global]
## part windows ##
host msdfs = no
netbios name = machines01
netbios aliases = 2store
server string = 2store
workgroup = MYDOMAIN
realm = MYDOMAIN.LOCAL
security = ADS
use kerberos keytab = yes
use spnego = yes
Post by albanperso-zatoo at yahoo.com ()
Post by albanperso-zatoo at yahoo.com ()
client use spnego = yes
password server = machinew01.MYDOMAIN.local
machinew07.MYDOMAIN.local
Post by albanperso-zatoo at yahoo.com ()
Post by albanperso-zatoo at yahoo.com ()
# unix extensions = no
machine password timeout = 0
# logon path = \\machines01\profiles\%U
template shell = /bin/bash
hosts allow = 127.0.0.1, 192.168.10.0/255.255.255.0,
192.168.11.0/255.255.255.0
Post by albanperso-zatoo at yahoo.com ()
## part samba engine ##
max log size = 50000
log level = 10
syslog = 0
log file = /var/log/samba/%m
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
## part ldap et idmap ##
ldap admin dn = "cn=myadmin,cn=users,dc=MYDOMAIN,dc=local"
ldap idmap suffix = ou=idmap
ldap ssl = no
idmap backend = ldap:ldap://machinew01.MYDOMAIN.local
ldap:ldap://machinew07.MYDOMAIN.local
Post by albanperso-zatoo at yahoo.com ()
#idmap backend =
0-20000
#idmap backend = ad
idmap uid = 10000-20000
idmap gid = 10000-20000
#idmap config MYDOMAIN:schema_mode = rfc2307
## part winbind ##
winbind nss info = rfc2307
winbind cache time = 5
winbind refresh tickets = Yes
winbind use default domain = Yes
winbind trusted domains only = Yes
winbind nested groups = Yes
winbind enum groups = Yes
winbind enum users = Yes
[data]
comment = Samba data folder
path = /samba/data
read o
ctory mask = 0750
Post by albanperso-zatoo at yahoo.com ()
guest ok = Yes
************ Check the Unix name resolution ************
getent passwd jdoe
jdoe:x:10037:10002:John DOE:/home/jdoe:/bin/sh
getent group grp2
grp2::10004:myadmin,jdoe,demo1,demo2,demo3
************ I can check that Sam
group ************
Post by albanperso-zatoo at yahoo.com ()
/usr/local/samba/bin/net ads user info jdoe
grp2
grp1
/usr/local/samba/bin/wbinfo -G 10004
S-1-5-21-2269603188-533060101-51835291-1642
/usr/local/samba/bin/wbinfo -Y S-1-5-21-2269603188-533060101-51835291-1642
10004
/usr/local/samba/bin/wbinfo -R 10004
winbind_lookup_rids failed
Could not lookup RIDs 10004
************ Review of the access rights ************
ls -al /samba/data/level1/level2/level3/level4
drwxrwsr-x+ 19 myadmin grp2 512 Aug 15 11:18 .
drwxr-x--- 9 myadmin grp1 512 Aug 12 16:06 ..
drwxrws---+ 3 myadmin grp2 512 Jun 27 10:58 general
-rwxr-----+ 1 jdoe grp2 0 Aug 15 11:18 New Text Document from
Windows.txt
Post by albanperso-zatoo at yahoo.com ()
-rwxrw---- 1 jdoe grp2 44 Aug 15 11:14 newdocfromunix.txt
*** ACTION: I try on Unix to change the group owner of ".." by grp2 but that
remove all jdoe access from Windows
Post by albanperso-zatoo at yahoo.com ()
************ Test POSIX ACLs ************
getfacl -a /samba/data/level1/level2/level3/level4/
# file: /samba/data/level1/level2/level3/level4/
# owner: myadmin
# group: grp2
user::rwx
group::rwx #effective:rwx
other:r-x
getfacl -a /samba/data/level1/leve
vel3
# file: /samba/data/level1/level2/level3
# owner: myadmin
# group: grp1
user::rwx
group::r-x #effective:r-x
mask:r-x
other:---
getfacl -a /samba/data/level1/level2
# file: /samba/data/level1/level2
# owner: myadmin
# group: grp1
user::rwx
group::r-x #effective:r-x
mba/data/level1
Post by albanperso-zatoo at yahoo.com ()
# file: /samba/data/level1
# owner: root
# group: root
user::rwx
group::r-x #effective:r-x
mask:r-x
o
amba/data
Post by albanperso-zatoo at yahoo.com ()
Post by albanperso-zatoo at yahoo.com ()
# file: /samba/data
# owner: myadmin
# group: grp1
user::rwx
user:user123:rwx #effective:rwx
group::r-x #effective:r-x
mask:rwx
other:r-x
************ From MS Windows side ************
properties/security
The group is in the "group and user names" list
there is no check box in the Allow or deny clomn
Advanced/permissions
Type Name Permission Inherited from Apply to
Allow smb_ins (MYDOMAIN/smb_ins) This folder only
When I try to force the situation returns to the original state with no
error
Post by albanperso-zatoo at yahoo.com ()
Post by albanperso-zatoo at yahoo.com ()
checking allow inheritable and/or Replace permissions has no effect on nany
combination
Post by albanperso-zatoo at yahoo.com ()
When I add the user with access right, it is OK
************ Some extract the Samba log level 10 ************
[2008/08/15 12:25:22, 10] smbd/statcache.c:stat_cache_lookup(248)
stat_cache_lookup: lookup succeeded for name [jdoe] -> [jdoe]
[2008/08/15 12:25:22, 5] smbd/filename.c:unix_convert(246)
unix_convert begin: name = jdoe/ntuser.man, dirpath = jdoe, start =
ntuser.man
Post by albanperso-zatoo at yahoo.com ()
[2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled(276)
is_mangled ntuser.man ?
[2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled_component(215)
is_mangled_component ntuser.man (len 10) ?
[2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled(276)
is_mangled ntuser.man ?
[2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled_component(215)
is_mangled_component ntuser.man (len 10) ?
[2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled(276)
is_mangled ntuser.man ?
[200
mangle_hash2.c:is_mangled_component(215)
is_mangled_component ntuser.man (len 10) ?
[2008/08/15 1
ntuser.man
Post by albanperso-zatoo at yahoo.com ()
[2008/0
oe/ntuser.man) returning 0700
Post by albanperso-zatoo at yahoo.com ()
Post by albanperso-zatoo at yahoo.com ()
[2008/08/15 12:25:22, 10] smbd/open.c:open_file_ntcreate(1184)
open_file_ntcreate: fname=jdoe/ntuser.man, dos_attrs=0x0
access_mask=0x1 share_access=0x7 create_disposition = 0x1
create_options=0x140 unix mode=0700 oplock_request=3
[2008/08/15 12:25:22, 5] smbd/open.c:open_file_ntcreate(1264)
open_file_ntcreate: FILE_OPEN requested for file jdoe/ntuser.man and file
doesn't exist.
Post by albanperso-zatoo at yahoo.com ()
[2008/08/15 12:25:22, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/nttrans.c(805) cmd=162 (SMBntcreateX)
NT_STATUS_OBJECT_NAME_NOT_FOUND
Post by albanperso-zatoo at yahoo.com ()
[2008/08/15 12:25:22, 5] lib/util.c:show_msg(484)
[2008/08/15 12:25:22, 5] lib/util.c:show_msg(494)
size=35
smb_com=0xa2
smb_rcls=52
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51201
smb_tid=3
smb_pid=588
smb_uid=101
smb_mid=1024
smt_wct=0
smb_bcc=0
[2008/08/15 12:25:22, 10] smbd/open.c:open_file_ntcreate(1347)
open_file_ntcreate: fname=jdoe/Application
Data/Microsoft/SystemCertificates/My/CRLs, after mapping access_mask=0x1
[2008/08/15 12:25:22, 5] smbd/files.c:file_new(123)
allocated file structure 1332, fnum = 5428 (5 used)
[2008/08/15 12:25:22, 4] smbd/open.c:open_file_ntcreate(1605)
calling open_file with flags=0x0 flags2=0x0 mode=0700, access_mask = 0x1,
open_access_mask = 0x1
[2008/08/15 12:25:22, 10] smbd/open.c:fd_open(67)
fd_open: name jdoe/Application Data/Microsoft/SystemCertificates/My/CRLs,
flags = 00 mode = 0700, fd = 32.
[2008/08/15 12:25:22, 10] locking/posix.c:get_windows_lock_ref_count(545)
get_windows_lock_count for file = 0
[2008/08/15 12:25:22, 10] locking/posix.c:delete_windows_lock_ref_count(559)
delete_windows_lock_ref_cou
[2008/08/15 12:25:22, 5] smbd/files.c:file_free(454)
freed files structure 5428 (4 used
6)
error packet at smbd/nttrans.c(779) cmd=162 (SMBntcreateX)
NT_STATUS_FILE_IS_A_DIRECTORY
[2008/08/15 12:25:22, 10] smbd/open.c:open_file_ntcreate(1347)
open_file_ntcreate: fname=jdoe/Application
Data/Microsoft/SystemCertificates/My/CRLs, after mapping access_mask=0x1
[2008/08/15 12:25:22, 5] smbd/files.c:file_new(123)
allocated file structure 1332, fnum = 5428 (5 used)
[2008/08/15 12:25:22, 4] smbd/open.c:open_file_ntcreate(1605)
calling open_file with flags=0x0 flags2=0x0 mode=0700, access_mask = 0x1,
open_access_mask = 0x1
[2008/08/15 12:25:22, 10] smbd/open.c:fd_open(67)
fd_open: name jdoe/Application Data/Microsoft/SystemCertificates/My/CRLs,
flags = 00 mode = 0700, fd = 32.
[2008/08/15 12:25:22, 10] locking/posix.c:get_windows_lock_ref_count(545)
get_windows_lock_count for file = 0
[2008/08/15 12:25:22, 10] locking/posix.c:delete_windows_lock_ref_count(559)
delete_windows_lock_ref_count for file
[2008/08/15 12:25:22, 5] smbd/files.c:file_free(454)
freed files structure 5428 (4 used)
[2008/08/15 12:25:22, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/nttrans.c(779) cmd=162 (SMBntcreateX)
NT_STATUS_FILE_IS_A_DIRECTORY
_____________________________________________________________________________
Sent with Yahoo! Mail. A smarter mailbox
http://mail.yahoo.fr
--
The University of St Andrews is a charity registered in Scotland : No
SC013532