Mauro Saitta
2003-Mar-24 16:49 UTC
[Samba] winbind and bad permissions mapping from NT to Samba
I have installed Samba 2.2.8 with the intention of using it as a file share for
an NT Domain.
I also have an interest in the use of extended ACLs, so I recompiled the
kernel (2.4.20) with the acl patch and I added to my system the acl, attr,
e2fsprogs and fileutils packages.
After that I joined the Samba server to the NT domain:
smbpasswd -j SAMBATEST -r SAMBA-SRV -U Administrator
where SAMBATEST is the NT domain and SAMBA-SRV is the PDC.
Then I configured winbind and PAM to permit the use of domain users on the
file sharing system.
So, if I log on to an NT4 workstation with the domain user Mauro, which
is not an administrator, and I create a file named pippo.txt on the shared
partition, I observe that its permissions on the NT system are:
Everyone Special Access (RX)*
LAB5/Administrators Special Access (All)*
LAB5/Users Special Access (All)(All)
while on SAMBA-SRV if I run the command "ls -la" I observe that the
permissions are correct:
-rwxr--r-- 1 SAMBATEST+Mauro SAMBATEST+Domain Users 0 03-21 17:52 pippo.txt
Why is the domain user not mapped correctly on both systems?
Below I add my configurations:
1) smb.conf
[global]
workgroup = SAMBATEST
netbios name = LAB5
server string = Samba Server
security = DOMAIN
encrypt passwords = Yes
hosts equiv = SAMBA-SRV
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain admin group = root @sys
domain guest group = nobody @gust
add user script = /usr/local/samba/bin/adduser -d /dev/null -s
/bin/false -M %u delete user script /usr/local/samba/bin/yserdel
%u
winbind uid = 10000-20000
winbind gid = 10000-20000
template shell = /bin/bash
.
.
.
[SHARE1]
comment = Risorsa Share
path = /opt/share1
admin users = root
read only = No
profile acls = Yes
2) /etc/pam.d/samba
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_pwdb.so use_first_pass shadow nullok
account required /lib/security/pam_winbind.so
3) /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files nisplus dns wins
That's all.
Have you got any suggestions on what could be the problem?
Thanks in advance for any help.
Mauro.
John H Terpstra
2003-Mar-24 17:55 UTC
[Samba] winbind and bad permissions mapping from NT to Samba
On Mon, 24 Mar 2003, Mauro Saitta wrote:

> I have installed Samba 2.2.8 with the intention of using it as a file share for
> an NT Domain.
> I also have an interest in the use of extended ACLs, so I recompiled the
> kernel (2.4.20) with the acl patch and I added to my system the acl, attr,
> e2fsprogs and fileutils packages.

Did you mount the file system with acl support?

- John T.

>
> After that I joined the Samba server to the NT domain:
>
> smbpasswd -j SAMBATEST -r SAMBA-SRV -U Administrator
>
> where SAMBATEST is the NT domain and SAMBA-SRV is the PDC.
>
> Then I configured winbind and PAM to permit the use of domain users on the
> file sharing system.
>
> So, if I log on to an NT4 workstation with the domain user Mauro, which
> is not an administrator, and I create a file named pippo.txt on the shared
> partition, I observe that its permissions on the NT system are:
> Everyone Special Access (RX)*
> LAB5/Administrators Special Access (All)*
> LAB5/Users Special Access (All)(All)
> while on SAMBA-SRV if I run the command "ls -la" I observe that the
> permissions are correct:
> -rwxr--r-- 1 SAMBATEST+Mauro SAMBATEST+Domain Users 0 03-21 17:52 pippo.txt
>
> Why is the domain user not mapped correctly on both systems?
>
> Below I add my configurations:
>
> 1) smb.conf
>
> [global]
> workgroup = SAMBATEST
> netbios name = LAB5
> server string = Samba Server
> security = DOMAIN
> encrypt passwords = Yes
> hosts equiv = SAMBA-SRV
> log file = /var/log/samba/log.%m
> max log size = 50
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> domain admin group = root @sys
> domain guest group = nobody @gust
> add user script = /usr/local/samba/bin/adduser -d /dev/null -s
> /bin/false -M %u delete user script
> /usr/local/samba/bin/yserdel %u
> winbind uid = 10000-20000
> winbind gid = 10000-20000
> template shell = /bin/bash
> .
> .
> .
>
> [SHARE1]
> comment = Risorsa Share
> path = /opt/share1
> admin users = root
> read only = No
> profile acls = Yes
>
>
> 2) /etc/pam.d/samba
> auth sufficient /lib/security/pam_winbind.so
> auth sufficient /lib/security/pam_pwdb.so use_first_pass shadow nullok
> account required /lib/security/pam_winbind.so
>
>
> 3) /etc/nsswitch.conf
>
> passwd: files winbind
> shadow: files winbind
> group: files winbind
>
> hosts: files nisplus dns wins
>
>
>
> That's all.
>
> Have you got any suggestions on what could be the problem?
>
> Thanks in advance for any help.
>
> Mauro.
>
>

--
John H Terpstra
Email: jht@samba.org
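
One way to answer the question in the reply above for the share path /opt/share1 from the original post. This is an added example, not part of either message and not Samba code. It assumes the filesystem reports "acl" as an explicit mount option in a /proc/mounts-style table, as with ext2/ext3 under the 2.4 ACL patch; the function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: find the filesystem backing a share path and report whether
# it was mounted with the "acl" option. Reads a /proc/mounts-style table.

# Print "<mountpoint> <fstype> <options>" for the longest mount point that
# contains path $2, reading the mount table from file $1.
mount_for_path() {
    awk -v p="$2" '
        {
            mp = $2
            # match "/" itself, an exact hit, or a prefix ending at a "/"
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best_len) {
                    best_len = length(mp)
                    best = $2 " " $3 " " $4
                }
            }
        }
        END { if (best != "") print best }
    ' "$1"
}

# Return 0 if the filesystem holding path $2 lists "acl" in its options.
acl_enabled() {
    opts=$(mount_for_path "$1" "$2" | awk '{print $3}')
    case ",$opts," in
        *,acl,*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Constructed sample table (not from the thread): /opt is mounted without
# acl, /opt/share1 is a separate filesystem mounted with it.
sample_mounts() {
    cat <<'EOF'
/dev/hda1 / ext3 rw 0 0
/dev/hda3 /opt ext3 rw 0 0
/dev/hdb1 /opt/share1 ext3 rw,acl,user_xattr 0 0
EOF
}

# On a live system: acl_enabled /proc/mounts /opt/share1 && echo "acl on"
```

If the option is missing, Samba can only present the plain owner/group/other mode bits to NT clients, whatever ACL tools are installed.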
I've probably posted this before and don't recall getting a response.
Anyway, I am running Mandrake 9.0 and Samba 2.2.6 on my "server". The server
has 3 NICs for internet, wired internal net, and wireless internal net.
The problem: my Win98SE laptop cannot always see the server and thus does
not always have access to the printers attached to the server. Network
Neighborhood also seems to not function correctly as sometimes I see some
systems there and sometimes not and it seems to go up and down at random.
However, I don't seem to have any trouble using "Find>Computer" function
(other than with the server).
I also see this in my logs:
Mar 20 11:06:47 Server nmbd[1792]: Doing a node status request to the domain master browser at IP 192.168.240.8 failed.
Mar 20 11:21:52 Server nmbd[1792]: Doing a node status request to the domain master browser at IP 192.168.240.8 failed.
Mar 20 11:36:54 Server nmbd[1792]: Doing a node status request to the domain master browser at IP 192.168.240.8 failed.
And received no response from the list. 240.8 is the ip of my Win98SE
laptop. How it's being identified as a master browser is anyone's guess as
it most certainly is NOT a MB.
I also see this which is similar to the above:
Mar 20 11:21:52 Server nmbd[1792]: [2003/03/20 11:21:52, 0] nmbd/nmbd_browsesync.c:get_domain_master_name_node_status_fail(509)
Mar 20 11:21:52 Server nmbd[1792]: get_domain_master_name_node_status_fail:
Mar 20 11:21:52 Server nmbd[1792]: Doing a node status request to the domain master browser at IP 192.168.240.8 failed.
Mar 20 11:21:52 Server nmbd[1792]: Cannot get workgroup name.
I posted my smb.conf file previously, but I'll do so again.
# Samba config file created using SWAT
# from localhost.Engineering (127.0.0.1)
# Date: 2003/02/02 20:18:31
# Global parameters
[global]
workgroup = workgroupname
server string = Samba Server %v
interfaces = 192.168.1.0/24 192.168.240.0/24
security = SHARE
encrypt passwords = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n
unix password sync = Yes
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = lpstat
os level = 65
preferred master = Yes
domain master = Yes
local master = Yes
dns proxy = No
wins support = Yes
remote announce = 192.168.1.255 192.168.240.255
printing = cups
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
guest ok = Yes
printable = Yes
print command = lpr-cups -P %p -o raw %s # using cups own drivers (use generic PostScript on clients).
lpq command = lpstat -o %p
lprm command = cancel %p-%j
browseable = No
[paul]
comment = Paul's Service
path = /home/paul
valid users = paul
read only = No
[HP812C]
path = /var/spool/samba
read only = No
create mask = 0700
guest ok = Yes
printable = Yes
print command = lpr-cups -P %p -o raw %s # using cups own drivers (use generic PostScript on clients).
lpq command = lpstat -o %p
lprm command = cancel %p-%j
printer name = HP812C
oplocks = Yes
I would very much appreciate some help on this as it is highly annoying that
my wireless network is unreliable only as it pertains to Samba. Please
advise. Thanks.
Paul Nixon