Hamish
2005-Jul-08 15:19 UTC
[Samba] Strange winbind behavior with netbios name, perfect with ip address
Hi all

This is a bit of a continuation of an old thread, which I have had no joy in fixing. We have a Samba server authenticating against a W2k3 server in security = ADS mode.

If there is a file in a share, owned by user."domain users" and chmod 700, it would normally be ONLY readable by that user.

This is true only if the user goes to \\ip.add.of.srv\share - if he goes to \\servername\share, he cannot read the file.

If the user goes to \\servername\share and creates a file, it is owned by him, so the server can distinguish the username.

If I set the permissions g+r on the file, then the user can see the file just fine. Unfortunately so can anyone in "domain users" - this is not good for files which need to be readable only by the user.

I am completely stumped, can anyone shed any light on this?

Setup:
SuSE Linux 9.0 (i586)
samba Version 3.0.14a-SUSE
winbindd Version 3.0.14a-SUSE

Cheers,
Hamish
Martin Zielinski
2005-Jul-11 08:57 UTC
[Samba] Strange winbind behavior with netbios name, perfect with ip address
Hi!

Please verify that in both cases Kerberos authentication is used. I'm not sure if this is the reason in your case, but maybe it's worth a look - as I found completely different behaviour when using IP addresses or hostnames to access a member server:

When joining the AD domain, a ticket with the hostname of the Samba machine is created on the AD server. When you connect to the server via \\ip-address\sharename, the client tries to receive a ticket for a server with the name "ip-address" (e.g. 192.168.3.188). The server does not have a ticket for this name (only for the hostname) and returns a "have no ticket for this" error to the client. Now your client tries the next method: NTLM, which might succeed.

In the other case, the AD server might pass your client a ticket which fails to be used for some reason. In this case, your client cannot get its required access rights.

I've had cases where AD was completely broken - but I didn't recognize it because I always used \\ip-address\ to connect to the server.

Bye,
Martin

-- 
Martin Zielinski
mz@seh.de
Software Development
SEH Computertechnik GmbH
www.seh.de
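A quick way to check Martin's point on the member server itself, as an added example that is not part of either post and not Samba's own code: the client asks the KDC for a ticket for cifs/NAME, where NAME is whatever it typed after the backslashes, so the server can only accept Kerberos if it holds a key for that exact service principal. The function below takes the name a client would use and the output of `klist -k /etc/krb5.keytab` (the listing embedded here is constructed for a hypothetical server "fileserver" in the realm EXAMPLE.COM) and reports which authentication to expect.

```shell
#!/bin/sh
# Added example (not from the thread): decide, from a keytab listing, whether a
# client connecting to \\NAME\share can use Kerberos against this member server.
# The client requests a ticket for cifs/NAME; the server can only decrypt it if
# cifs/NAME is in its keytab. An IP address is never a valid SPN, so a client
# using \\ip-address\share falls straight back to NTLM.

# Constructed sample of `klist -k /etc/krb5.keytab` on a hypothetical member
# server "fileserver" joined to EXAMPLE.COM (keys for the hostname only).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/fileserver.example.com@EXAMPLE.COM
   2 host/FILESERVER@EXAMPLE.COM
   2 cifs/fileserver.example.com@EXAMPLE.COM
   2 cifs/FILESERVER@EXAMPLE.COM
   2 FILESERVER$@EXAMPLE.COM'

# expected_auth NAME [KEYTAB_LISTING]
# Prints "kerberos" if the keytab holds cifs/NAME (compared case-insensitively,
# since Windows clients upper-case NetBIOS names), "ntlm-fallback" otherwise.
expected_auth() {
    name=$1
    listing=${2:-$SAMPLE_KEYTAB}
    case $name in
        *[!0-9.]*) ;;                       # contains a letter: a hostname, check the keytab
        *) echo ntlm-fallback; return 0 ;;  # dotted-quad IP: no SPN possible
    esac
    want="cifs/$(printf '%s' "$name" | tr 'A-Z' 'a-z')@"
    if printf '%s\n' "$listing" | awk -v want="$want" '
        # column 2 of each data line is the principal; the "@" in want forces
        # a full-name match so FILESERVER does not match fileserver.example.com
        $2 ~ /^cifs\// { if (index(tolower($2), want) == 1) found = 1 }
        END { exit found ? 0 : 1 }'; then
        echo kerberos
    else
        echo ntlm-fallback
    fi
}

# Stand-alone run: the four cases a client in the thread might type.
for n in 192.168.3.188 FILESERVER fileserver.example.com otherhost; do
    printf '%-24s %s\n' "\\\\$n\\share" "$(expected_auth "$n")"
done
```

On a real system, pass the live listing as the second argument, e.g. `expected_auth SERVERNAME "$(klist -k /etc/krb5.keytab)"` (or the output of `net ads keytab list`, assuming the server is configured to keep a keytab at all). A name that resolves to the server but reports `ntlm-fallback` here is a candidate for the "Kerberos works via IP, breaks via hostname" asymmetry Martin describes, and the opposite case, a valid SPN whose ticket is still rejected, is the one to dig into on the Samba side.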