Kosala Atapattu
2017-Jan-30 21:22 UTC
[Samba] Fwd: Can somebody explain the file ownership of a
Hi All,

We're implementing a fully integrated Samba setup with the Active directory on IBM AIX. From AIX level we have established the single sign on against Windows AD 2012R2. Currently the following user accounts and groups exist on the AD domain.

# cat /etc/samba/smb.conf
[global]
    security = ADS
    workgroup = PAPERCLIP
    realm = PAPERCLIP.SC.NZ
    netbios name = UNIX732
    log file = /var/log/samba/%m.log
    log level = 5
    kerberos method = secrets and keytab

[Bio]
    comment = Bio
    path = /test/bio/
    valid users = @PAPERCLIP\bio2
    writable = yes
    read only = no
    force create mode = 0660
    create mask = 0777
    directory mask = 0777
    force directory mode = 0770

For the share "Bio" (\\UNIX732\Bio) we have a behaviour we can't explain. In the following ownership, for /test/bio (755),

# ls -ld /test /test/bio
drwxr-x---    4 root     rocketry        256 Jan 27 15:18 /test
drwxr-xr-x    2 root     bio2            256 Jan 27 15:12 /test/bio

All works out fine!!!

/usr/local/samba/bin/smbclient //UNIX732/Bio -U PAPERCLIP\\wernher -c ls
Enter PAPERCLIP\wernher's password:
Domain=[PAPERCLIP] OS=[Windows 6.1] Server=[Samba 4.5.1]
  .                                   D        0  Fri Jan 27 15:12:32 2017
  ..                                  D        0  Fri Jan 27 15:18:51 2017

                360448 blocks of size 1024. 183756 blocks available

However if we change the ownership to 750, for /test/bio, we get the following result.

# ls -ld /test /test/bio
drwxr-x---    4 root     rocketry        256 Jan 27 15:18 /test
drwxr-x---    2 root     bio2            256 Jan 27 15:12 /test/bio

# /usr/local/samba/bin/smbclient //UNIX732/Bio -U PAPERCLIP\\wernher -c ls
Enter PAPERCLIP\wernher's password:
Domain=[PAPERCLIP] OS=[Windows 6.1] Server=[Samba 4.5.1]
NT_STATUS_ACCESS_DENIED listing \*

# lsuser -R LDAP wernher
wernher id=10013 pgrp=rocketry groups=rocketry,bio2 home=/home/wernher shell=/bin/sh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=LDAP SYSTEM=KRB5LDAP OR compat logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minloweralpha=0 minupperalpha=0 minother=0 mindigit=0 minspecialchar=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= default_roles= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 time_last_login=1483494078 time_last_unsuccessful_login=1483494090 tty_last_login=/dev/pts/2 tty_last_unsuccessful_login=ssh host_last_login=10.0.101.208 host_last_unsuccessful_login=10.0.101.208 unsuccessful_login_count=2 roles

# smbd -b
Build environment:
   Built by:    jono at aix-test
   Built on:    Fri 6 Jan 11:54:17 NZDT 2017
   Built using: /opt/IBM/xlC/13.1.3/bin/xlc_r
   Build host:  AIX aix-test 1 7 00F893C24C00
   SRCDIR:      /home/jono/rpmbuild/BUILD/samba-4.5.1/source3
   BUILDDIR:    /home/jono/rpmbuild/BUILD/samba-4.5.1/source3

As you can see, the user "wernher" is part of the @PAPERCLIP/bio2 group (MemberOf), and does not need to rely on the listing permission of world.

$ cat test
This is a test file!!!
$ id
uid=10013(wernher) gid=10004(rocketry) groups=10008(bio2)
$ pwd
/test/bio
$ ls -la
total 8
drwxr-xr-x    2 root     bio2            256 Jan 31 10:06 .
drwxr-x---    4 root     rocketry        256 Jan 27 15:18 ..
-rw-r--r--    1 root     system           23 Jan 31 10:06 test

Any pointers as to why this behaviour occurs would be highly appreciated.

*Kosala*
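The two `ls -ld` listings and the `id` output above can be fed into a plain POSIX permission model to see what the kernel itself would decide for wernher. This is an added illustration, not code from the post or from Samba; the uid/gid numbers are taken from the `id` line, and `can_list_without_supplementary` models one hypothesis (a process token that lacks the user's supplementary group) rather than anything the thread establishes.

```python
# Identity of wernher exactly as the `id` output in the post reports it.
WERNHER = {"uid": 10013, "gid": 10004, "groups": {10008}}
# Name -> id maps constructed to match that output (root/system assumed 0).
USER_IDS = {"root": 0, "wernher": 10013}
GROUP_IDS = {"rocketry": 10004, "bio2": 10008, "system": 0}

# The two directory states from the post, copied from `ls -ld`.
LS_755 = """drwxr-x--- 4 root rocketry 256 Jan 27 15:18 /test
drwxr-xr-x 2 root bio2 256 Jan 27 15:12 /test/bio"""
LS_750 = """drwxr-x--- 4 root rocketry 256 Jan 27 15:18 /test
drwxr-x--- 2 root bio2 256 Jan 27 15:12 /test/bio"""

def mode_from_ls(perm):
    """Turn an ls permission string like 'rwxr-x---' into an octal mode."""
    bits = 0
    for i, ch in enumerate(perm[:9]):
        if ch != "-":
            bits |= 1 << (8 - i)
    return bits

def parse_ls(text):
    """Map each path in `ls -ld` output to (mode, owner uid, group gid)."""
    entries = {}
    for line in text.splitlines():
        f = line.split()
        entries[f[-1]] = (mode_from_ls(f[0][1:]), USER_IDS[f[2]], GROUP_IDS[f[3]])
    return entries

def posix_allows(mode, owner, group, token, want):
    """POSIX class selection: owner bits, else group bits if the gid is the
    primary or a supplementary group, else other bits; all `want` bits needed."""
    if token["uid"] == owner:
        shift = 6
    elif group == token["gid"] or group in token["groups"]:
        shift = 3
    else:
        shift = 0
    return (mode >> shift) & want == want

def can_list(ls_text, path, token):
    """Listing a directory needs x on every ancestor and r+x on the target."""
    entries = parse_ls(ls_text)
    parts = path.strip("/").split("/")
    for i in range(1, len(parts) + 1):
        mode, owner, group = entries["/" + "/".join(parts[:i])]
        want = 0o5 if i == len(parts) else 0o1
        if not posix_allows(mode, owner, group, token, want):
            return False
    return True

def can_list_without_supplementary(ls_text, path, token):
    """Same check with supplementary groups dropped from the token (hypothesis)."""
    return can_list(ls_text, path, dict(token, groups=set()))
```

With the full token both the 755 and 750 states allow the listing; only the token stripped of bio2 reproduces the observed pattern (755 works, 750 denied), which is the assumption a practitioner would verify against the smbd log rather than take from this model.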
Rowland Penny
2017-Jan-30 21:48 UTC
[Samba] Fwd: Can somebody explain the file ownership of a
On Tue, 31 Jan 2017 10:22:35 +1300
Kosala Atapattu via samba <samba at lists.samba.org> wrote:

> Hi All,
>
> We're implementing a fully integrated Samba setup with the Active
> directory on IBM AIX. From AIX level we have established the single
> sign on against Windows AD 2012R2. Currently the following user
> accounts and groups exists on the AD domain.
>
> # cat /etc/samba/smb.conf
> [global]
> security = ADS
> workgroup = PAPERCLIP
> realm = PAPERCLIP.SC.NZ
> netbios name = UNIX732
> log file = /var/log/samba/%m.log
> log level = 5
> kerberos method = secrets and keytab
>
> [Bio]
> comment = Bio
> path = /test/bio/
> valid users = @PAPERCLIP\bio2
> writable = yes
> read only = no
> force create mode = 0660
> create mask = 0777
> directory mask = 0777
> force directory mode = 0770
>

I have never used AIX, but I would still expect to see something like this in smb.conf:

    idmap config *:backend = tdb
    idmap config *:range = 2000-9999

And this:

    idmap config PAPERCLIP : backend = ad
    idmap config PAPERCLIP : schema_mode = rfc2307
    idmap config PAPERCLIP : range = 10000-999999

Or this:

    idmap config PAPERCLIP : backend = rid
    idmap config PAPERCLIP : range = 10000-999999

I suggest you read this Samba wiki page:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Then come back with any questions you may have.

Rowland
Kosala Atapattu
2017-Jan-31 02:39 UTC
[Samba] Fwd: Can somebody explain the file ownership of a
Hi Rowland,

Thanks for the response. For certain configurations idmap would be suitable; in our case we cannot use idmap, as the OS users are AD users, where UIDs and GIDs are mapped through Unix Attributes from AD, and Samba mixes up the GID permissions with idmap from the tdb backend and maps incorrect GIDs.

I do not think the problem we have is related to the IDMAP; in fact the GIDs and UIDs are the same for Samba / AD and AIX since they're the same. Shares obey GID permissions and UID permissions, except that shares need to be **world readable**, which is not ideal in our case. We're unable to explain why it needs to be world readable!!!

Ko

*Kosala*

On Tue, Jan 31, 2017 at 10:48 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 31 Jan 2017 10:22:35 +1300
> Kosala Atapattu via samba <samba at lists.samba.org> wrote:
>
> > Hi All,
> >
> > We're implementing a fully integrated Samba setup with the Active
> > directory on IBM AIX. From AIX level we have established the single
> > sign on against Windows AD 2012R2. Currently the following user
> > accounts and groups exists on the AD domain.
> >
> > # cat /etc/samba/smb.conf
> > [global]
> > security = ADS
> > workgroup = PAPERCLIP
> > realm = PAPERCLIP.SC.NZ
> > netbios name = UNIX732
> > log file = /var/log/samba/%m.log
> > log level = 5
> > kerberos method = secrets and keytab
> >
> > [Bio]
> > comment = Bio
> > path = /test/bio/
> > valid users = @PAPERCLIP\bio2
> > writable = yes
> > read only = no
> > force create mode = 0660
> > create mask = 0777
> > directory mask = 0777
> > force directory mode = 0770
> >
>
> I have never used AIX, but I would still expect to see something like
> this in smb.conf:
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> And this:
>
> idmap config PAPERCLIP : backend = ad
> idmap config PAPERCLIP : schema_mode = rfc2307
> idmap config PAPERCLIP : range = 10000-999999
>
> Or this:
>
> idmap config PAPERCLIP : backend = rid
> idmap config PAPERCLIP : range = 10000-999999
>
> I suggest you read this Samba wiki page:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Then come back with any questions you may have.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba