Eric Hill
2008-Nov-25 23:04 UTC
[zfs-discuss] ZFS ACL/ACE issues with Samba - Access Denied
Solaris 10u4 x64 using included Samba 3.0.28. Samba is AD integrated, and I have a share configured as follows:

    [crlib1]
        comment = Creative Lib1
        path = /pool/creative/lib1
        read only = No
        vfs objects = zfsacl
        acl check permissions = No
        unix extensions = No
        inherit permissions = Yes
        map acl inherit = Yes

I have set both aclmode and aclinherit to be "passthrough" for the LIB1 filesystem:

    pool/creative/lib1  aclmode     passthrough  local
    pool/creative/lib1  aclinherit  passthrough  local

I have a user, Tom. Tom is a member of "Editors". Another test user "Sue" is a member of "Readers". Both users are members of other groups as well.

I configured the permissions on LIB1 for 777, and created a test subfolder that I have applied permissions through Windows XP. Windows complained about reordering the permissions when I first set them, and now doesn't complain when opening the security tab, so I assume they're ordered correctly.

    root@libsvr:/pool/creative/lib1# ls -dV Test/
    d---------+  2 eric     domain users       4 Nov 25 21:36 Test/
        group:editors:rwxpd-aARWc--s:fd----:allow
        group:readers:r-x---a-R-c--s:fd----:allow
        group:domain admins:rwxpdDaARWcCos:fd----:allow
        user:eric:rwxpd-aARWc--s:fd----:allow
    root@libsvr:/pool/creative/lib1#

The server can see the group (group ID 15130) and can verify the user in AD is a member of the group:

    root@vault:/pool/creative/lib1# wbinfo --group-info=editors
    editors:x:15130
    root@vault:/pool/creative/lib1# wbinfo -r tom
    15129
    15018
    15130
    15166
    15200
    15127
    15132
    15027
    15010
    15120
    15004
    15041
    15082
    15133
    15202
    15001
    root@vault:/pool/creative/lib1#

My problem is that Tom is a member of Editors, but getting an Access Denied message while trying to put a file into the Test folder.
The samba log for the client shows the following trace:

If I grant "everyone" permissions to write to the test folder, the write succeeds, so I have to assume that the problem lies in either Samba or Solaris respecting the non-default group the user is in.

Can anyone point me in the right direction here? Much appreciated!

-- This message posted from opensolaris.org
Nils Goroll
2008-Nov-27 08:32 UTC
[zfs-discuss] ZFS ACL/ACE issues with Samba - Access Denied
Hi Eric and all,

> Can anyone point me in the right direction here? Much appreciated!

I have worked on a similar issue this week. Though I have not worked through all the information you have provided, could you please try the settings and source code changes I posted here:

http://www.mail-archive.com/samba@lists.samba.org/msg97466.html

Cheers, Nils
Scott Williamson
2008-Nov-27 15:24 UTC
[zfs-discuss] ZFS ACL/ACE issues with Samba - Access Denied
I have Solaris 10 set to resolve user information from my directory (LDAP). I only get primary group information, not secondary. We use eDirectory via LDAP and the attribute for group membership is not the one that Solaris looks for.

If you run the id <username> on the box, does it show the user's secondary groups?
Nils Goroll
2008-Nov-27 15:32 UTC
[zfs-discuss] ZFS ACL/ACE issues with Samba - Access Denied
> If you run the id <username> on the box, does it show the users
> secondary groups?

id never shows secondary groups. Use id -a

Nils
Eric Hill
2008-Dec-01 20:37 UTC
[zfs-discuss] ZFS ACL/ACE issues with Samba - Access Denied
Well, there's the problem...

    # id -a tom
    uid=15669(tom) gid=15004(domain users) groups=15004(domain users)
    #

wbinfo -r shows the full list of groups, but id -a only lists "domain users". Since I'm trying to restrict permissions on other groups, my access denied error message makes more sense.

Any thoughts on how come Solaris/id isn't seeing the full group list for the user?
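An added example, not part of the thread: a Python check that reads the `ls -dV`, `id -a` and `wbinfo -r` output quoted in the messages above and reports which group ACEs granting write cannot match because the gid is known to winbind but absent from the group list the OS resolves. It assumes, as the thread concludes, that the access check uses the OS group list; the function names and status strings are this example's own.

```python
import re

# Command output as posted in the thread; the result layout is this example's own.
LS_DV = """\
d---------+ 2 eric domain users 4 Nov 25 21:36 Test/
 group:editors:rwxpd-aARWc--s:fd----:allow
 group:readers:r-x---a-R-c--s:fd----:allow
 group:domain admins:rwxpdDaARWcCos:fd----:allow
 user:eric:rwxpd-aARWc--s:fd----:allow
"""
ID_A = "uid=15669(tom) gid=15004(domain users) groups=15004(domain users)"
WBINFO_R = ("15129 15018 15130 15166 15200 15127 15132 15027 "
            "15010 15120 15004 15041 15082 15133 15202 15001")
GROUP_GIDS = {"editors": 15130}  # from `wbinfo --group-info=editors`


def parse_aces(ls_dv):
    """Return (kind, name, perms, ace_type) for each ACE line of `ls -dV` output."""
    aces = []
    for line in ls_dv.splitlines()[1:]:        # first line is the plain ls entry
        fields = line.strip().split(":")
        if len(fields) == 5:                   # user:NAME:... or group:NAME:...
            kind, name, perms, _flags, ace_type = fields
        elif len(fields) == 4:                 # owner@ / group@ / everyone@
            name, perms, _flags, ace_type = fields
            kind = name
        else:
            continue
        aces.append((kind, name, perms, ace_type))
    return aces


def parse_id(id_line):
    """Return (uid, set of gids) from one line of `id -a` output."""
    uid = int(re.search(r"uid=(\d+)", id_line).group(1))
    gids = {int(re.search(r"\bgid=(\d+)", id_line).group(1))}
    groups = re.search(r"groups=(.*)", id_line)
    if groups:                                 # names may contain spaces, gids do not
        gids.update(int(g) for g in re.findall(r"(\d+)\(", groups.group(1)))
    return uid, gids


def group_ace_status(aces, os_gids, winbind_gids, group_gids, need="w"):
    """Classify every group allow-ACE that grants `need` (compact ACL letter)."""
    report = {}
    for kind, name, perms, ace_type in aces:
        if kind != "group" or ace_type != "allow" or need not in perms:
            continue
        gid = group_gids.get(name)
        if gid is None:
            report[name] = "gid unknown"       # no name-to-gid mapping supplied
        elif gid in os_gids:
            report[name] = "applies"
        elif gid in winbind_gids:
            report[name] = "winbind only"      # in AD, but not in the OS group list
        else:
            report[name] = "not a member"
    return report


def diagnose():
    """Run the check on the thread's sample output."""
    _uid, os_gids = parse_id(ID_A)
    winbind_gids = {int(g) for g in WBINFO_R.split()}
    return group_ace_status(parse_aces(LS_DV), os_gids, winbind_gids, GROUP_GIDS)


if __name__ == "__main__":
    for group, status in diagnose().items():
        print(f"group:{group}: {status}")
```

A "winbind only" result for the ACE that should grant access is the mismatch found here: the directory knows the membership, but the name service the OS consults does not return it.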
Scott Williamson
2008-Dec-01 22:02 UTC
[zfs-discuss] ZFS ACL/ACE issues with Samba - Access Denied
Hi,

On Mon, Dec 1, 2008 at 3:37 PM, Eric Hill <eric at ijack.net> wrote:
> Any thoughts on how come Solaris/id isn't seeing the full group list for the user?

Do an ldapsearch and dump the attributes for the group. If it is using memberuid to list the members, Solaris should work; if you are using uniquemember then it will not work. As far as I remember.