Hi folks,

I am having a weird problem that I just recently noticed on this particular server running Samba 3.0.10 on Fedora Core 3 and am hoping someone could shed some light on this. We're using tdb for our backend database.

The user "nsu" is a member of unix group admin. The unix group admin is mapped to "Domain Administrators". This works OK, in that when logging in on a workstation, I have local administrative privilege on that workstation.

So far, so good. But here's the rub: when I attempt to, say, create a file within certain shares I have set up in smb.conf (see below), where I specifically set "write list = @admin" I receive a dialog from Windows:

"Unable to create the file foo.txt Access is denied."

Furthermore I notice some weird messages in /var/log/messages (last segment below). Of particular interest are the "transport endpoint is not connected" which we have seen before above, but more suspicious is the "get_alias_user_groups" errors which state that the gid does not exist for user nsu. I suspect this is somehow related, but I am not sure what this *really* means.

I did attempt to delete and recreate the user nsu. I deleted from /etc/passwd and then from the tdb manually using pdbedit. I then re-created this user, thinking somehow this might fix this gid problem somehow. Didn't fix the share permission issue, though I can still log in with local admin rights on the workstation.

This is really annoying!!! Can someone help????

Thanks!

Morgan Toal
Network Manager
City of Burlington, Iowa

--------------------------------------------------------------------------------------
Here is what net user info says about nsu:

[root@pd1 xinetd.d]# net user info nsu
root's password:
[2005/04/14 10:21:13, 0] utils/net_ads.c:ads_startup(186)
ads_connect: Transport endpoint is not connected
Domain Admins

(as an aside, I don't know what the ads_connect error means or if it is related to my issue.)

--------------------------------------------------------------------------------------
Here is what net groupmap list says:

[root@pd1 xinetd.d]# net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
seint (S-1-5-21-3505514775-834951346-1128776050-2157) -> seint
Domain Users (S-1-5-21-3505514775-834951346-1128776050-513) -> -1
Domain Admins (S-1-5-21-3505514775-834951346-1128776050-512) -> admin
Domain Guests (S-1-5-21-3505514775-834951346-1128776050-514) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
chief (S-1-5-21-3505514775-834951346-1128776050-2005) -> chief
cid (S-1-5-21-3505514775-834951346-1128776050-2045) -> cid
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

--------------------------------------------------------------------------------------
Here is what pdbedit -v -u nsu says:

[root@pd1 xinetd.d]# pdbedit -v -u nsu
Unix username: nsu
NT username:
Account Flags: [U ]
User SID: S-1-5-21-3505514775-834951346-1128776050-2124
Primary Group SID: S-1-5-21-3505514775-834951346-1128776050-2127
Full Name: nsu account
Home Directory: \\pd1\nsu
HomeDir Drive: Z:
Logon Script: logon.bat
Profile Path: \\pd1\nsu\profile
Domain: PD
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Mon, 18 Jan 2038 21:14:07 GMT
Kickoff time: Mon, 18 Jan 2038 21:14:07 GMT
Password last set: Thu, 14 Apr 2005 08:58:29 GMT
Password can change: Thu, 14 Apr 2005 08:58:29 GMT
Password must change: Mon, 18 Jan 2038 21:14:07 GMT
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

--------------------------------------------------------------------------------------
Here is what smb.conf says:

[root@pd1 xinetd.d]# more /etc/samba/smb.conf
[global]
log level = 1
workgroup = pd
netbios name = pd1
passdb backend = tdbsam
printcap name = cups
add user script = /usr/sbin/useradd -m %u
add group script = /usr/sbin/groupadd %g
delete user script = /usr/sbin/userdel -r %u
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u
logon script = logon.bat
# logon path = \\%L\Profiles\%U
logon drive = Z:
logon home = \\%L\%U
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
idmap uid = 15000-20000
idmap gid = 15000-20000
printing = cups
wins support = no
wins server = 192.168.18.14
host msdfs = yes

################################################################
## Share Definitions
################################################################

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

[homes]
comment = Home Directories
browseable = no
writable = yes

[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
public = yes
write list = @admin

[public]
comment = Public Stuff
path = /home/samba/public
public = yes
writeable = yes
force create mode = 0777
force directory mode = 0777

[system]
comment = System Stuff
path = /home/samba/system
public = yes
write list = @admin

[chief]
comment = Police Administration
path = /home/samba/chief
public = no
valid users = @admin, @chief
write list = @admin, @chief
force group = chief
force create mode = 0770
force directory mode = 0770

[seint]
comment = Police Administration
path = /home/samba/seint
public = no
valid users = @admin, @seint
write list = @admin, @seint
force group = seint
force create mode = 0770
force directory mode = 0770

[dfs]
comment = DFS Root
path = /home/samba/dfs
msdfs root = yes

[tracs]
comment = TRACS program data files
path = /home/samba/tracs
public = yes
writeable = yes
force group = nobody
force create mode = 0777

[cid]
comment = Criminal Investigation
path = /home/samba/cid
public = yes
writeable = yes
valid users = @admin, @cid
write list = @admin, @cid
force group = cid
force create mode = 0770
force directory mode = 0770

--------------------------------------------------------------------------------------
Here is some of the stuff I see in /var/log/messages:

[root@pd1 xinetd.d]# cat /var/log/messages | grep smb
...(snip)
Apr 14 09:13:27 pd1 smb: nmbd startup succeeded
Apr 14 09:13:27 pd1 smbd[1449]: [2005/04/14 09:13:27, 0] lib/util_sock.c:get_peer_addr(1000)
Apr 14 09:13:27 pd1 smbd[1449]: getpeername failed. Error was Transport endpoint is not connected
Apr 14 09:13:27 pd1 smbd[1449]: [2005/04/14 09:13:27, 0] lib/util_sock.c:get_peer_addr(1000)
Apr 14 09:13:27 pd1 smbd[1449]: getpeername failed. Error was Transport endpoint is not connected
Apr 14 09:13:28 pd1 smbd[1449]: [2005/04/14 09:13:28, 0] lib/util_sock.c:write_socket_data(430)
Apr 14 09:13:28 pd1 smbd[1449]: write_socket_data: write failure. Error = Connection reset by peer
Apr 14 09:13:28 pd1 smbd[1449]: [2005/04/14 09:13:28, 0] lib/util_sock.c:write_socket(455)
Apr 14 09:13:28 pd1 smbd[1449]: write_socket: Error writing 4 bytes to socket 22: ERRNO = Connection reset by peer
Apr 14 09:13:28 pd1 smbd[1449]: [2005/04/14 09:13:28, 0] lib/util_sock.c:send_smb(647)
Apr 14 09:13:28 pd1 smbd[1449]: Error writing 4 bytes to client. -1. (Connection reset by peer)
Apr 14 09:13:46 pd1 smbd[1451]: [2005/04/14 09:13:46, 0] rpc_server/srv_util.c:get_alias_user_groups(206)
Apr 14 09:13:46 pd1 smbd[1451]: get_alias_user_groups: gid of user mtoal doesn't exist. Check your /etc/passwd and /etc/group files
Apr 14 09:18:12 pd1 smbd[1479]: [2005/04/14 09:18:12, 0] lib/util_sock.c:get_peer_addr(1000)
Apr 14 09:18:12 pd1 smbd[1479]: getpeername failed. Error was Transport endpoint is not connected
Apr 14 09:18:12 pd1 smbd[1479]: [2005/04/14 09:18:12, 0] lib/util_sock.c:get_peer_addr(1000)
Apr 14 09:18:12 pd1 smbd[1479]: getpeername failed. Error was Transport endpoint is not connected
Apr 14 09:18:12 pd1 smbd[1479]: [2005/04/14 09:18:12, 0] lib/util_sock.c:write_socket_data(430)
Apr 14 09:18:12 pd1 smbd[1479]: write_socket_data: write failure. Error = Connection reset by peer
Apr 14 09:18:12 pd1 smbd[1479]: [2005/04/14 09:18:12, 0] lib/util_sock.c:write_socket(455)
Apr 14 09:18:12 pd1 smbd[1479]: write_socket: Error writing 4 bytes to socket 5: ERRNO = Connection reset by peer
Apr 14 09:18:12 pd1 smbd[1479]: [2005/04/14 09:18:12, 0] lib/util_sock.c:send_smb(647)
Apr 14 09:18:12 pd1 smbd[1479]: Error writing 4 bytes to client. -1. (Connection reset by peer)
Apr 14 09:25:14 pd1 smbd[1456]: [2005/04/14 09:25:14, 0] rpc_server/srv_util.c:get_alias_user_groups(206)
Apr 14 09:25:14 pd1 smbd[1456]: get_alias_user_groups: gid of user nsu doesn't exist. Check your /etc/passwd and /etc/group files
Apr 14 09:52:59 pd1 smbd[1724]: [2005/04/14 09:52:59, 0] lib/util_sock.c:get_peer_addr(1000)
Apr 14 09:52:59 pd1 smbd[1724]: getpeername failed. Error was Transport endpoint is not connected
Apr 14 09:52:59 pd1 smbd[1724]: [2005/04/14 09:52:59, 0] lib/util_sock.c:get_peer_addr(1000)
Apr 14 09:52:59 pd1 smbd[1724]: getpeername failed. Error was Transport endpoint is not connected
Apr 14 09:52:59 pd1 smbd[1724]: [2005/04/14 09:52:59, 0] lib/util_sock.c:write_socket_data(430)
Apr 14 09:52:59 pd1 smbd[1724]: write_socket_data: write failure. Error = Connection reset by peer
Apr 14 09:52:59 pd1 smbd[1724]: [2005/04/14 09:52:59, 0] lib/util_sock.c:write_socket(455)
Apr 14 09:52:59 pd1 smbd[1724]: write_socket: Error writing 4 bytes to socket 22: ERRNO = Connection reset by peer
Apr 14 09:52:59 pd1 smbd[1724]: [2005/04/14 09:52:59, 0] lib/util_sock.c:send_smb(647)
Apr 14 09:52:59 pd1 smbd[1724]: Error writing 4 bytes to client. -1. (Connection reset by peer)

morgan toal
2005-Apr-14 18:19 UTC
[Samba] [SOLUTION] Re: weird problem with "access denied" on share
morgan toal wrote:

> So far, so good. But here's the rub: when I attempt to, say, create a
> file within certain shares I have set up in smb.conf (see below), where
> I specifically set "write list = @admin" I receive a dialog from Windows:
>
> "Unable to create the file foo.txt Access is denied."

Silly me. The files on the share in question were owned by root and were mode 770. I was so busy looking for the exotic, I never noticed the obvious... Everything works now as it should. Sorry to waste folks' time here.

> Furthermore I notice some weird messages in /var/log/messages (last
> segment below). Of particular interest are the "transport endpoint is
> not connected" which we have seen before above, but more suspicious is
> the "get_alias_user_groups" errors which state that the gid does not
> exist for user nsu. I suspect this is somehow related, but I am not sure
> what this *really* means.

Though I would appreciate any comment folks might have on this point. Should I be concerned about these messages in the log?

Thanks.

mtoal
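
The cause found in this thread (a share whose "write list" admits the user while the directory itself is owned by root with mode 770) can be checked mechanically. The Python below is an added example, not part of the original posts and not Samba code; the sample config, the uid/gid numbers and the filesystem table are constructed, and parse_shares, unix_can_create and audit are hypothetical helper names.

```python
# Constructed sample modelled on two shares from the thread's smb.conf.
SAMPLE_CONF = """
[system]
path = /home/samba/system
write list = @admin
[chief]
path = /home/samba/chief
write list = @admin, @chief
force group = chief
"""
# Constructed state: path -> (st_mode, owner uid, owner gid); "system" is root-owned, mode 770.
SAMPLE_FS = {"/home/samba/system": (0o40770, 0, 0), "/home/samba/chief": (0o40770, 0, 501)}
SAMPLE_GROUPS = {"admin": 500, "chief": 501}  # constructed group name -> gid

def parse_shares(text):
    # Minimal smb.conf reader returning {section: {param: value}}.
    shares, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = shares.setdefault(line[1:-1].lower(), {})
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)
            cur[" ".join(key.lower().split())] = value.strip()
    return shares

def unix_can_create(mode, owner_uid, owner_gid, uid, gids):
    # Creating a file needs write+search (0o3) on the directory, taken from
    # the single class that applies: owner, else group, else other.
    if uid == 0:
        return True
    shift = 6 if uid == owner_uid else 3 if owner_gid in gids else 0
    return ((mode >> shift) & 0o3) == 0o3

def audit(conf, fs, groups, uid, user_groups):
    # Shares whose write list admits the user but whose directory does not.
    blocked = []
    for name, params in parse_shares(conf).items():
        listed = {g.strip().lstrip("@") for g in params.get("write list", "").split(",")}
        if not listed & set(user_groups):
            continue
        gids = {groups[g] for g in user_groups}
        if "force group" in params:  # becomes the session's primary group
            gids.add(groups[params["force group"]])
        if not unix_can_create(*fs[params["path"]], uid, gids):
            blocked.append(name)
    return blocked
```

On a live server the filesystem table would be filled from os.stat() on each share path and the group table from the grp module; with the constructed data, audit() reports only the "system" share for a member of admin.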