Kosala Atapattu
2017-Jan-30  21:22 UTC
[Samba] Fwd: Can somebody explain the file ownership of a
Hi All,
We're implementing a fully integrated Samba setup with the Active directory
on IBM AIX. From AIX level we have established the single sign on against
Windows AD 2012R2. Currently the following user accounts and groups exist
on the AD domain.
# cat /etc/samba/smb.conf
[global]
        security = ADS
        workgroup = PAPERCLIP
        realm = PAPERCLIP.SC.NZ <http://paperclip.sc.nz/>
        netbios name = UNIX732
        log file = /var/log/samba/%m.log
        log level = 5
        kerberos method = secrets and keytab
[Bio]
        comment = Bio
        path = /test/bio/
        valid users = @PAPERCLIP\bio2
        writable = yes
        read only = no
        force create mode = 0660
        create mask = 0777
        directory mask = 0777
        force directory mode = 0770
For the share "Bio" (\\UNIX732\Bio) we have a behavior we can't explain.
In the following ownership, for /test/bio (755),
# ls -ld /test /test/bio
drwxr-x---    4 root     rocketry        256 Jan 27 15:18 /test
drwxr-xr-x    2 root     bio2            256 Jan 27 15:12 /test/bio
All works out fine!!!
 /usr/local/samba/bin/smbclient //UNIX732/Bio -U PAPERCLIP\\wernher -c ls
Enter PAPERCLIP\wernher's password:
Domain=[PAPERCLIP] OS=[Windows 6.1] Server=[Samba 4.5.1]
  .                                   D        0  Fri Jan 27 15:12:32 2017
  ..                                  D        0  Fri Jan 27 15:18:51 2017
                360448 blocks of size 1024. 183756 blocks available
However, if we change the ownership to 750 for /test/bio, we get the following result.
# ls -ld /test /test/bio
drwxr-x---    4 root     rocketry        256 Jan 27 15:18 /test
drwxr-x---    2 root     bio2            256 Jan 27 15:12 /test/bio
# /usr/local/samba/bin/smbclient //UNIX732/Bio -U PAPERCLIP\\wernher -c ls
Enter PAPERCLIP\wernher's password:
Domain=[PAPERCLIP] OS=[Windows 6.1] Server=[Samba 4.5.1]
NT_STATUS_ACCESS_DENIED listing \*
# lsuser -R LDAP wernher
wernher id=10013 pgrp=rocketry groups=rocketry,bio2 home=/home/wernher
shell=/bin/sh login=true su=true rlogin=true daemon=true admin=false
sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM
auth2=NONE umask=22 registry=LDAP SYSTEM=KRB5LDAP OR compat
logintimesloginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0
maxexpired=-1 minalpha=0 minloweralpha=0 minupperalpha=0 minother=0
mindigit=0 minspecialchar=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0
histsize=0 pwdchecks= dictionlist= default_roles= fsize=2097151 cpu=-1
data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000
time_last_login=1483494078 time_last_unsuccessful_login=1483494090
tty_last_login=/dev/pts/2 tty_last_unsuccessful_login=ssh
host_last_login=10.0.101.208 host_last_unsuccessful_login=10.0.101.208
unsuccessful_login_count=2 roles
# smbd -b
Build environment:
   Built by:    jono at aix-test
   Built on:    Fri  6 Jan 11:54:17 NZDT 2017
   Built using: /opt/IBM/xlC/13.1.3/bin/xlc_r
   Build host:  AIX aix-test 1 7 00F893C24C00
   SRCDIR:      /home/jono/rpmbuild/BUILD/samba-4.5.1/source3
   BUILDDIR:    /home/jono/rpmbuild/BUILD/samba-4.5.1/source3
As you can see, the user "wernher" is part of the @PAPERCLIP/bio2 group (MemberOf), and does not need to rely on the listing permission of world.
$ cat test
This is a test file!!!
$ id
uid=10013(wernher) gid=10004(rocketry) groups=10008(bio2)
$ pwd
/test/bio
$ ls -la
total 8
drwxr-xr-x    2 root     bio2            256 Jan 31 10:06 .
drwxr-x---    4 root     rocketry        256 Jan 27 15:18 ..
-rw-r--r--    1 root     system           23 Jan 31 10:06 test
Any pointers as to why this behaviour occurs would be highly appreciated.
*Kosala*
Rowland Penny
2017-Jan-30  21:48 UTC
[Samba] Fwd: Can somebody explain the file ownership of a
On Tue, 31 Jan 2017 10:22:35 +1300 Kosala Atapattu via samba <samba at lists.samba.org> wrote:
> Hi All,
>
> We're implementing a fully integrated Samba setup with the Active
> directory on IBM AIX. From AIX level we have established the single
> sign on against Windows AD 2012R2. Currently the following user
> accounts and groups exists on the AD domain.
>
> # cat /etc/samba/smb.conf
> [global]
> security = ADS
> workgroup = PAPERCLIP
> realm = PAPERCLIP.SC.NZ <http://paperclip.sc.nz/>
> netbios name = UNIX732
> log file = /var/log/samba/%m.log
> log level = 5
> kerberos method = secrets and keytab
>
> [Bio]
> comment = Bio
> path = /test/bio/
> valid users = @PAPERCLIP\bio2
> writable = yes
> read only = no
> force create mode = 0660
> create mask = 0777
> directory mask = 0777
> force directory mode = 0770
>

I have never used AIX, but I would still expect to see something like this in smb.conf:

idmap config *:backend = tdb
idmap config *:range = 2000-9999

And this:

idmap config PAPERCLIP : backend = ad
idmap config PAPERCLIP : schema_mode = rfc2307
idmap config PAPERCLIP : range = 10000-999999

Or this:

idmap config PAPERCLIP : backend = rid
idmap config PAPERCLIP : range = 10000-999999

I suggest you read this Samba wiki page: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Then come back with any questions you may have.

Rowland
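The reply above lists the idmap settings a domain member is expected to carry: a default (`*`) backend and range, a backend and range for the joined domain, and ranges that do not overlap. The following is an added example, not code from the thread or from the Samba project: a small linter that parses an smb.conf and checks exactly those points. The input configs are constructed from the thread (the posted `[global]` and `[Bio]` sections, with the mail-client artefact after the realm dropped; the same file with the `ad` backend lines from the reply added; and a deliberately overlapping range). The parser's handling of parameter names (case-insensitive, whitespace around the colon optional) follows Samba's documented behaviour but is this example's own code.

```python
import re

# Constructed input: the [global] and [Bio] sections as posted in the thread.
# A raw string keeps the backslash in the "valid users" value intact.
GLOBAL_POSTED = r"""
[global]
        security = ADS
        workgroup = PAPERCLIP
        realm = PAPERCLIP.SC.NZ
        netbios name = UNIX732
        log file = /var/log/samba/%m.log
        log level = 5
        kerberos method = secrets and keytab
"""

BIO_SHARE = r"""
[Bio]
        comment = Bio
        path = /test/bio/
        valid users = @PAPERCLIP\bio2
        writable = yes
        read only = no
        force create mode = 0660
        create mask = 0777
        directory mask = 0777
        force directory mode = 0770
"""

# The lines the reply says it would expect to see (the 'ad' backend variant).
IDMAP_AD = """
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config PAPERCLIP : backend = ad
        idmap config PAPERCLIP : schema_mode = rfc2307
        idmap config PAPERCLIP : range = 10000-999999
"""

# Constructed misconfiguration: the domain range starts inside the default range.
IDMAP_OVERLAP = IDMAP_AD.replace("10000-999999", "5000-999999")

POSTED = GLOBAL_POSTED + BIO_SHARE
WITH_IDMAP = GLOBAL_POSTED + IDMAP_AD + BIO_SHARE
WITH_OVERLAP = GLOBAL_POSTED + IDMAP_OVERLAP + BIO_SHARE

# Matches a normalised "idmap config <domain> : <option>" parameter name.
IDMAP_KEY = re.compile(r"^idmap config ([^:\s]+) ?: ?(\w+)$")


def parse_smb_conf(text):
    """Return {section: {key: value}}. Parameter names are lower-cased with
    internal whitespace collapsed, so 'idmap config *:range' and
    'idmap config * : range' compare equal (as they do for Samba)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def idmap_settings(global_section):
    """Collect idmap parameters into {DOMAIN: {option: value}}."""
    out = {}
    for key, value in global_section.items():
        m = IDMAP_KEY.match(key)
        if m:
            out.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
    return out


def parse_range(value):
    """'2000-9999' -> (2000, 9999); raises ValueError on malformed input."""
    lo, hi = (int(x) for x in value.split("-"))
    if lo > hi:
        raise ValueError(value)
    return lo, hi


def lint_idmap(text, domain):
    """Return a list of problems; an empty list means the idmap block is
    present for '*' and for the domain and the two ranges are disjoint."""
    idmap = idmap_settings(parse_smb_conf(text).get("global", {}))
    problems, ranges = [], {}
    for dom in ("*", domain.upper()):
        cfg = idmap.get(dom, {})
        if "backend" not in cfg:
            problems.append(f"no idmap backend for {dom}")
        if "range" not in cfg:
            problems.append(f"no idmap range for {dom}")
        else:
            try:
                ranges[dom] = parse_range(cfg["range"])
            except ValueError:
                problems.append(f"unparseable idmap range for {dom}: {cfg['range']!r}")
    doms = list(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                problems.append(f"idmap ranges for {a} and {b} overlap")
    return problems


if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("with idmap", WITH_IDMAP), ("overlap", WITH_OVERLAP)):
        print(name, lint_idmap(conf, "PAPERCLIP") or "ok")
```

Run against the posted file the linter reports four missing settings; with the reply's `ad` lines added it is clean, and the overlapping variant is flagged. One point worth keeping in mind when filling in the domain range: with the `ad` backend Samba only maps accounts whose AD-assigned uidNumber/gidNumber fall inside the configured range, so the range has to cover the IDs the accounts actually carry (the `id` output in the thread shows 10013 and 10008, which the reply's 10000-999999 range does cover).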
Kosala Atapattu
2017-Jan-31  02:39 UTC
[Samba] Fwd: Can somebody explain the file ownership of a
Hi Rowland,

Thanks for the response. For certain configurations idmap would be suitable; in our case we cannot use idmap, as the OS users are AD users, where UIDs and GIDs are mapped through Unix Attributes from AD, and Samba mixes up the GID permissions with idmap from the tdb backend and maps incorrect GIDs.

I do not think the problem we have is related to the IDMAP; in fact the GIDs and UIDs are the same for Samba / AD and AIX since they're the same. Shares obey GID permissions and UID permissions, except that shares need to be **world readable**, which is not ideal in our case. We're unable to explain why it needs to be world readable!!!

Ko

*Kosala*

On Tue, Jan 31, 2017 at 10:48 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 31 Jan 2017 10:22:35 +1300
> Kosala Atapattu via samba <samba at lists.samba.org> wrote:
>
> > Hi All,
> >
> > We're implementing a fully integrated Samba setup with the Active
> > directory on IBM AIX. From AIX level we have established the single
> > sign on against Windows AD 2012R2. Currently the following user
> > accounts and groups exists on the AD domain.
> >
> > # cat /etc/samba/smb.conf
> > [global]
> > security = ADS
> > workgroup = PAPERCLIP
> > realm = PAPERCLIP.SC.NZ <http://paperclip.sc.nz/>
> > netbios name = UNIX732
> > log file = /var/log/samba/%m.log
> > log level = 5
> > kerberos method = secrets and keytab
> >
> > [Bio]
> > comment = Bio
> > path = /test/bio/
> > valid users = @PAPERCLIP\bio2
> > writable = yes
> > read only = no
> > force create mode = 0660
> > create mask = 0777
> > directory mask = 0777
> > force directory mode = 0770
> >
>
> I have never used AIX, but I would still expect to see something like
> this in smb.conf:
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> And this:
>
> idmap config PAPERCLIP : backend = ad
> idmap config PAPERCLIP : schema_mode = rfc2307
> idmap config PAPERCLIP : range = 10000-999999
>
> Or this:
>
> idmap config PAPERCLIP : backend = rid
> idmap config PAPERCLIP : range = 10000-999999
>
> I suggest you read this Samba wiki page:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Then come back with any questions you may have.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba