Re: Re : Samba 3.0.x access rights issue with secondary groups or Unix rights
Someone more knowledgeable may correct me, but I'd guess you have to fix that: if Solaris isn't picking up secondary groups for a user, I'd think Samba won't find them either.

On my systems id -a returns all the groups; it's just the groups command, when run as a non-root user, that doesn't work on my systems with groups configured in ldap, and this seems enough to stop Samba picking up my secondary groups. Your system seems to be misbehaving in the opposite way.

If I fix mine, I'll let you know what was wrong. I may just go back to NIS groups in nsswitch.conf.
Cheers,
Duncan
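The thread's symptom (a user who can write on Unix but not through Samba when the directory's owning group is one of the user's secondary groups) comes down to two things: which group list the server process actually obtains from NSS, and how a POSIX.1e ACL with a mask entry resolves access for that list. The script below is an added example written for this page; it is not code from the thread or from Samba. It walks the path from the original post with a small POSIX.1e evaluator, once with jdoe's primary group only (the list smbd ends up with when supplementary groups are not resolved) and once with grp2 included. The getfacl blocks are constructed from the listing in the post; the entries the post lost to truncation (other: on level2, mask: on level4) are assumed values and marked as such. nss_group_names() shows the getgrouplist() view that a daemon gets when it switches to the user, which is the side to compare against "id -a" and "groups" output.

```python
"""POSIX.1e ACL walk for the "works on Unix, fails from Windows" symptom.

Added example for this thread, not code from the thread or from Samba.
The getfacl blocks are constructed from the listing in the original post;
entries the post lost to truncation are filled with assumed values.
"""
import grp
import os
import pwd

# Constructed getfacl -a output, one block per directory, root to target.
CONSTRUCTED_GETFACL = [
    ("/samba/data",
     "# owner: myadmin\n# group: grp1\nuser::rwx\nuser:user123:rwx\n"
     "group::r-x #effective:r-x\nmask:rwx\nother:r-x\n"),
    ("/samba/data/level1",
     "# owner: root\n# group: root\nuser::rwx\ngroup::r-x\nmask:r-x\nother:r-x\n"),
    ("/samba/data/level1/level2",                       # other:--- is assumed
     "# owner: myadmin\n# group: grp1\nuser::rwx\ngroup::r-x\nother:---\n"),
    ("/samba/data/level1/level2/level3",
     "# owner: myadmin\n# group: grp1\nuser::rwx\ngroup::r-x\nmask:r-x\nother:---\n"),
    ("/samba/data/level1/level2/level3/level4",         # mask:rwx is assumed
     "# owner: myadmin\n# group: grp2\nuser::rwx\ngroup::rwx\nmask:rwx\nother:r-x\n"),
]


def perms(s):
    """'r-x' -> {'r', 'x'}"""
    return {c for c in s if c in "rwx"}


def parse_getfacl(text):
    """Parse getfacl -a style text into a dict of ACL entries."""
    acl = {"owner": None, "group": None, "user_obj": set(), "group_obj": set(),
           "named_users": {}, "named_groups": {}, "mask": None, "other": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                  # header lines: file / owner / group
            if line.startswith("# owner:"):
                acl["owner"] = line.split(":", 1)[1].strip()
            elif line.startswith("# group:"):
                acl["group"] = line.split(":", 1)[1].strip()
            continue
        line = line.split("#", 1)[0].strip()      # drop the "#effective:..." note
        parts = line.split(":")
        tag = parts[0]
        if tag == "default":                      # default ACL entries: not evaluated here
            continue
        if tag == "mask":
            acl["mask"] = perms(parts[-1])
        elif tag == "other":
            acl["other"] = perms(parts[-1])
        elif tag in ("user", "group"):
            qualifier, p = parts[1], perms(parts[2])
            if qualifier == "":
                acl["user_obj" if tag == "user" else "group_obj"] = p
            else:
                acl["named_users" if tag == "user" else "named_groups"][qualifier] = p
    return acl


def _masked(p, acl):
    return p & acl["mask"] if acl["mask"] is not None else p


def allowed(acl, user, groups, wanted):
    """POSIX.1e check: does `user` (member of `groups`) get every bit in `wanted`?

    Order: owner, named user, owning group / named groups, other. The mask caps
    every entry except owner and other. A matching group entry that does not
    grant the bits is final: there is no fall-through to 'other'.
    """
    wanted = set(wanted)
    if user == acl["owner"]:
        return wanted <= acl["user_obj"]
    if user in acl["named_users"]:
        return wanted <= _masked(acl["named_users"][user], acl)
    matched = False
    if acl["group"] in groups:
        matched = True
        if wanted <= _masked(acl["group_obj"], acl):
            return True
    for g, p in acl["named_groups"].items():
        if g in groups:
            matched = True
            if wanted <= _masked(p, acl):
                return True
    return False if matched else wanted <= acl["other"]


def acl_chain():
    return [(path, parse_getfacl(text)) for path, text in CONSTRUCTED_GETFACL]


def explain_create(chain, user, groups):
    """Can `user` create a file in the last directory of `chain`? -> (ok, reason)."""
    for path, acl in chain[:-1]:                  # search (x) on every ancestor
        if not allowed(acl, user, groups, "x"):
            return False, f"cannot traverse {path}"
    path, acl = chain[-1]
    if not allowed(acl, user, groups, "wx"):      # write + search on the target
        return False, f"no write+search on {path}"
    return True, "ok"


def nss_group_names(username):
    """Groups as a daemon sees them through NSS (getgrouplist()), i.e. what smbd
    gets when it becomes the user; compare with `id -a` / `groups` run as the user."""
    pw = pwd.getpwnam(username)
    names = set()
    for gid in os.getgrouplist(username, pw.pw_gid):
        try:
            names.add(grp.getgrgid(gid).gr_name)
        except KeyError:
            names.add(str(gid))
    return names


if __name__ == "__main__":
    chain = acl_chain()
    print("grp1 only  :", explain_create(chain, "jdoe", {"grp1"}))
    print("grp1 + grp2:", explain_create(chain, "jdoe", {"grp1", "grp2"}))
```

With the primary group alone, jdoe reaches level4 (grp1 gives search on level3, whose other entry is ---) but lands on level4's other entry, r-x, so the create fails; with grp2 in the list the group entry rwx applies and it succeeds. The same evaluator also shows the other trap in the post's getfacl output: a mask of r-x turns a group entry of rwx into an effective r-x, which is what the "#effective:" annotation reports.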
albanperso-zatoo@xxxxxxxxx wrote:
details on groups command

To have the secondary groups, I have to enter "id -a" logged in as the user. As root, it doesn't work: "id -a jdoe" just returns the primary group.

----- Original message -----
From: Duncan Brannen <dbb@xxxxxxxxxxxxxxxx>
To: albanperso-zatoo@xxxxxxxxx
Cc: samba@xxxxxxxxxxxxxxx
Sent: Tuesday, 19 August 2008, 14:02:38
Subject: Re: Samba 3.0.x access rights issue with secondary groups or Unix rights

Hi,

I have a similar problem, no ADS in my setup, just no supplementary groups showing up (Samba 3.2.1 and "groups ldap" in nsswitch.conf, as opposed to working with Samba 3.0.28 and "groups nis" in nsswitch.conf). Solaris 10 SPARC.

Everything looks OK (getent, groups etc.) when logged in as root, but if I su to the user, not getting any groups, and type groups, I don't see any groups there bar the primary one.

Are you seeing the same thing? I.e. if you're logged in as root and type
groups jdoe
you see all of jdoe's groups, but if you su to jdoe and type
groups
you only see the primary group?

Just a long shot but might push you in the right direction?

Cheers,
Duncan

albanperso-zatoo@xxxxxxxxx wrote:

Hi experts,

I have a trouble in access rights. I am running Samba 3.0.31 on Solaris 10 x86 64 bits as a member server of an Active Directory 2003 R2 domain (MYDOMAIN) using Identity Management for Unix.

I set rights to access a sub folder of a Samba share. On Solaris the user "toto" jdoe can write a new file. From Windows, the same user can't. It looks OK when the primary group (grp1) of the user is the group that owns the subtree, but not when this owner group is a secondary group (grp2).

It is OK if I set explicitly the user right from MS Windows. I can't change the access rights to the group from MS Windows.

I suspect Unix ownership or ACL to be the root cause but I can't exclude a Samba issue.

Thanks for help

(... the parts that take place and no useful info, so just go to the valuable data)

************ An extract from my smb.conf ************

[global]
## part windows ##
host msdfs = no
netbios name = machines01
netbios aliases = 2store
server string = 2store
workgroup = MYDOMAIN
realm = MYDOMAIN.LOCAL
security = ADS
use kerberos keytab = yes
obey pam restrictions = Yes
use spnego = yes
client use spnego = yes
password server = machinew01.MYDOMAIN.local machinew07.MYDOMAIN.local
# unix extensions = no
machine password timeout = 0
# logon path = \\machines01\profiles\%U
template shell = /bin/bash
hosts allow = 127.0.0.1, 192.168.10.0/255.255.255.0,192.168.11.0/255.255.255.0
## part samba engine ##
max log size = 50000
log level = 10
syslog = 0
log file = /var/log/samba/%m
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
## part ldap and idmap ##
ldap admin dn = "cn=myadmin,cn=users,dc=MYDOMAIN,dc=local"
ldap idmap suffix = ou=idmap
ldap ssl = no
idmap backend = ldap:ldap://machinew01.MYDOMAIN.local ldap:ldap://machinew07.MYDOMAIN.local
#idmap backend = 0-20000
#idmap backend = ad
idmap uid = 10000-20000
idmap gid = 10000-20000
#idmap config MYDOMAIN:schema_mode = rfc2307
## part winbind ##
winbind nss info = rfc2307
winbind cache time = 5
winbind refresh tickets = Yes
winbind use default domain = Yes
winbind trusted domains only = Yes
winbind nested groups = Yes
winbind enum groups = Yes
winbind enum users = Yes

[data]
comment = Samba data folder
path = /samba/data
read octory mask = 0750
guest ok = Yes

************ Check the Unix name resolution ************

getent passwd jdoe
jdoe:x:10037:10002:John DOE:/home/jdoe:/bin/sh

getent group grp2
grp2::10004:myadmin,jdoe,demo1,demo2,demo3

************ I can check that Samba can resolve if the user is member of the group ************

/usr/local/samba/bin/net ads user info jdoe
grp2
grp1

/usr/local/samba/bin/wbinfo -G 10004
S-1-5-21-2269603188-533060101-51835291-1642

/usr/local/samba/bin/wbinfo -Y S-1-5-21-2269603188-533060101-51835291-1642
10004

/usr/local/samba/bin/wbinfo -R 10004
winbind_lookup_rids failed
Could not lookup RIDs 10004

************ Review of the access rights ************

ls -al /samba/data/level1/level2/level3/level4
drwxrwsr-x+ 19 myadmin grp2 512 Aug 15 11:18 .
drwxr-x---   9 myadmin grp1 512 Aug 12 16:06 ..
drwxrws---+  3 myadmin grp2 512 Jun 27 10:58 general
-rwxr-----+  1 jdoe    grp2   0 Aug 15 11:18 New Text Document fromWindows.txt
-rwxrw----   1 jdoe    grp2  44 Aug 15 11:14 newdocfromunix.txt

*** ACTION: I try on Unix to change the group owner of ".." to grp2, but that removes all jdoe access from Windows.

************ Test POSIX ACLs ************

getfacl -a /samba/data/level1/level2/level3/level4/
# file: /samba/data/level1/level2/level3/level4/
# owner: myadmin
# group: grp2
user::rwx
group::rwx #effective:rwx
other:r-x

getfacl -a /samba/data/level1/leve vel3
# file: /samba/data/level1/level2/level3
# owner: myadmin
# group: grp1
user::rwx
group::r-x #effective:r-x
mask:r-x
other:---

getfacl -a /samba/data/level1/level2
# file: /samba/data/level1/level2
# owner: myadmin
# group: grp1
user::rwx
group::r-x #effective:r-x
other:mba/data/level1
# file: /samba/data/level1
# owner: root
# group: root
user::rwx
group::r-x #effective:r-x
mask:r-x
other:r-x

getfacl -a /samba/data
# file: /samba/data
# owner: myadmin
# group: grp1
user::rwx
user:user123:rwx #effective:rwx
group::r-x #effective:r-x
mask:rwx
other:r-x

************ From MS Windows side ************

Properties / Security:
The group is in the "Group and user names" list; there is no check box in the Allow or Deny column.

Advanced / Permissions:
Type   Name                        Permission   Inherited from   Apply to
Allow  smb_ins (MYDOMAIN/smb_ins)                                 This folder only

****** ACTION: When I try to force, the situation returns to the original state with no error. Checking "allow inheritable" and/or "Replace permissions" has no effect in any combination. When I add the user with access rights, it is OK.

************ Some extract of the Samba log at level 10 ************

[2008/08/15 12:25:22, 10] smbd/statcache.c:stat_cache_lookup(248)
  stat_cache_lookup: lookup succeeded for name [jdoe] -> [jdoe]
[2008/08/15 12:25:22, 5] smbd/filename.c:unix_convert(246)
  unix_convert begin: name = jdoe/ntuser.man, dirpath = jdoe, start = ntuser.man
[2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled(276)
  is_mangled ntuser.man ?
[2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled_component(215)
  is_mangled_component ntuser.man (len 10) ?
[2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled(276)
  is_mangled ntuser.man ?
[2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled_component(215)
  is_mangled_component ntuser.man (len 10) ?
[2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled(276)
  is_mangled ntuser.man ?
[200 mangle_hash2.c:is_mangled_component(215)
  is_mangled_component ntuser.man (len 10) ?
[2008/08/15 1ntuser.man
[2008/08/15 12:25:22, 3] smbd/dosmode.c:unix_mode(142)
  unix_mode(jdoe/ntuser.man) returning 0700
[2008/08/15 12:25:22, 10] smbd/open.c:open_file_ntcreate(1184)
  open_file_ntcreate: fname=jdoe/ntuser.man, dos_attrs=0x0 access_mask=0x1 share_access=0x7 create_disposition = 0x1 create_options=0x140 unix mode=0700 oplock_request=3
[2008/08/15 12:25:22, 5] smbd/open.c:open_file_ntcreate(1264)
  open_file_ntcreate: FILE_OPEN requested for file jdoe/ntuser.man and file doesn't exist.
[2008/08/15 12:25:22, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/nttrans.c(805) cmd=162 (SMBntcreateX) NT_STATUS_OBJECT_NAME_NOT_FOUND
[2008/08/15 12:25:22, 5] lib/util.c:show_msg(484)
[2008/08/15 12:25:22, 5] lib/util.c:show_msg(494)
  size=35
  smb_com=0xa2
  smb_rcls=52
  smb_reh=0
  smb_err=49152
  smb_flg=136
  smb_flg2=51201
  smb_tid=3
  smb_pid=588
  smb_uid=101
  smb_mid=1024
  smt_wct=0
  smb_bcc=0
[2008/08/15 12:25:22, 10] smbd/open.c:open_file_ntcreate(1347)
  open_file_ntcreate: fname=jdoe/ApplicationData/Microsoft/SystemCertificates/My/CRLs, after mapping access_mask=0x1
[2008/08/15 12:25:22, 5] smbd/files.c:file_new(123)
  allocated file structure 1332, fnum = 5428 (5 used)
[2008/08/15 12:25:22, 4] smbd/open.c:open_file_ntcreate(1605)
  calling open_file with flags=0x0 flags2=0x0 mode=0700, access_mask = 0x1, open_access_mask = 0x1
[2008/08/15 12:25:22, 10] smbd/open.c:fd_open(67)
  fd_open: name jdoe/Application Data/Microsoft/SystemCertificates/My/CRLs, flags = 00 mode = 0700, fd = 32.
[2008/08/15 12:25:22, 10] locking/posix.c:get_windows_lock_ref_count(545)
  get_windows_lock_count for file = 0
[2008/08/15 12:25:22, 10] locking/posix.c:delete_windows_lock_ref_count(559)
  delete_windows_lock_ref_count for file
[2008/08/15 12:25:22, 5] smbd/files.c:file_free(454)
  freed files structure 5428 (4 used)
[2008/08/15 12:25:22, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/nttrans.c(779) cmd=162 (SMBntcreateX) NT_STATUS_FILE_IS_A_DIRECTORY

_____________________________________________________________________________
Sent with Yahoo! Mail. A smarter mailbox. http://mail.yahoo.fr

--
The University of St Andrews is a charity registered in Scotland : No SC013532
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba