Holger Brückner
2003-Jun-10 14:29 UTC
[Samba] Access Denied setting Directory Access Permissions
Hello *, i've got a debian samba 3.0alpha23 with ldapsam. my problem is that i can't set directory permissions. i alwasy get access denied. what i have: svpdc:/etc/samba# smbgroupedit -v params.c:Parameter() - Ignoring badly formed line in configuration file: ldap trust ids NT group (SID) -> Unix group System Operators (S-1-5-32-549) -> -1 Replicators (S-1-5-32-552) -> -1 Guests (S-1-5-32-546) -> -1 kollegstufe (S-1-5-21-3839733233-2759951301-2176690758-3011) -> kollegstufe root (S-1-5-21-3839733233-2759951301-2176690758-1001) -> root Domain Admins (S-1-5-21-3839733233-2759951301-2176690758-512) -> root Domain Guests (S-1-5-21-3839733233-2759951301-2176690758-514) -> -1 Power Users (S-1-5-32-547) -> -1 stundenplan (S-1-5-21-3839733233-2759951301-2176690758-3013) -> stundenplan users (S-1-5-21-1904509300-1595774664-1972565418-1201) -> users Domain Admins (S-1-5-21-1904509300-1595774664-1972565418-512) -> root Domain Guests (S-1-5-21-4168099664-486183441-673156717-514) -> -1 Print Operators (S-1-5-32-550) -> -1 Administrators (S-1-5-32-544) -> -1 Domain Guests (S-1-5-21-1904509300-1595774664-1972565418-514) -> -1 sekretariat (S-1-5-21-3839733233-2759951301-2176690758-3007) -> sekretariat Account Operators (S-1-5-32-548) -> -1 Domain Users (S-1-5-21-3839733233-2759951301-2176690758-513) -> users Backup Operators (S-1-5-32-551) -> -1 direktorat (S-1-5-21-3839733233-2759951301-2176690758-3009) -> direktorat Users (S-1-5-32-545) -> users i'm wondering why some groups are listed more than once. how can i find out which group is actually used and how do i get rid of the unused ones ? i know i can do smbgroupedit -x, but there i can't specify a SID. svpdc:~# pdbedit -v -l root params.c:Parameter() - Ignoring badly formed line in configuration file: ldap trust ids Unix username: root NT username: Account Flags: [U ] User ID/Group ID: 0/0 User SID: S-1-5-21-3839733233-2759951301-2176690758-1000 Primary Group SID: S-1-5-21-3839733233-2759951301-2176690758-1001 Full Name: root Home Directory: \\svpdc\root HomeDir Drive: Logon Script: Profile Path: \\svpdc\root\profile Domain: SVFMG Account desc: Workstations: Munged dial: Logon time: 0 Logoff time: Fri, 13 Dec 1901 21:45:51 GMT Kickoff time: Fri, 13 Dec 1901 21:45:51 GMT Password last set: Tue, 10 Jun 2003 16:15:24 GMT Password can change: Tue, 10 Jun 2003 16:15:24 GMT Password must change: Fri, 13 Dec 1901 21:45:51 GMT so user root is not a member of the domain admins. this might be the reason why i get access denied trying to apply direcotry permissions. i though mapping group root to NT Domain Admin should be enough, but it doesn't seem to be. can anybody help me on this issue ?!? thanks a lot Holger Brueckner net-labs Systemhaus GmbH
Holger Brückner
2003-Jun-10 15:45 UTC
[Samba] Access Denied setting Directory Access Permissions
u upgraded to 3.0beta1, but i'm still having the same problem. On Tue, 2003-06-10 at 16:29, Holger Br?ckner wrote:> Hello *, > > i've got a debian samba 3.0alpha23 with ldapsam. > my problem is that i can't set directory permissions. i alwasy get > access denied. > > what i have: > > svpdc:/etc/samba# smbgroupedit -v > params.c:Parameter() - Ignoring badly formed line in configuration file: > ldap trust ids > NT group (SID) -> Unix group > System Operators (S-1-5-32-549) -> -1 > Replicators (S-1-5-32-552) -> -1 > Guests (S-1-5-32-546) -> -1 > kollegstufe (S-1-5-21-3839733233-2759951301-2176690758-3011) -> > kollegstufe > root (S-1-5-21-3839733233-2759951301-2176690758-1001) -> root > Domain Admins (S-1-5-21-3839733233-2759951301-2176690758-512) -> root > Domain Guests (S-1-5-21-3839733233-2759951301-2176690758-514) -> -1 > Power Users (S-1-5-32-547) -> -1 > stundenplan (S-1-5-21-3839733233-2759951301-2176690758-3013) -> > stundenplan > users (S-1-5-21-1904509300-1595774664-1972565418-1201) -> users > Domain Admins (S-1-5-21-1904509300-1595774664-1972565418-512) -> root > Domain Guests (S-1-5-21-4168099664-486183441-673156717-514) -> -1 > Print Operators (S-1-5-32-550) -> -1 > Administrators (S-1-5-32-544) -> -1 > Domain Guests (S-1-5-21-1904509300-1595774664-1972565418-514) -> -1 > sekretariat (S-1-5-21-3839733233-2759951301-2176690758-3007) -> > sekretariat > Account Operators (S-1-5-32-548) -> -1 > Domain Users (S-1-5-21-3839733233-2759951301-2176690758-513) -> users > Backup Operators (S-1-5-32-551) -> -1 > direktorat (S-1-5-21-3839733233-2759951301-2176690758-3009) -> > direktorat > Users (S-1-5-32-545) -> users > > i'm wondering why some groups are listed more than once. how can i find > out which group is actually used and how do i get rid of the unused ones > ? i know i can do smbgroupedit -x, but there i can't specify a SID. > > svpdc:~# pdbedit -v -l root > params.c:Parameter() - Ignoring badly formed line in configuration file: > ldap trust ids > Unix username: root > NT username: > Account Flags: [U ] > User ID/Group ID: 0/0 > User SID: S-1-5-21-3839733233-2759951301-2176690758-1000 > Primary Group SID: S-1-5-21-3839733233-2759951301-2176690758-1001 > Full Name: root > Home Directory: \\svpdc\root > HomeDir Drive: > Logon Script: > Profile Path: \\svpdc\root\profile > Domain: SVFMG > Account desc: > Workstations: > Munged dial: > Logon time: 0 > Logoff time: Fri, 13 Dec 1901 21:45:51 GMT > Kickoff time: Fri, 13 Dec 1901 21:45:51 GMT > Password last set: Tue, 10 Jun 2003 16:15:24 GMT > Password can change: Tue, 10 Jun 2003 16:15:24 GMT > Password must change: Fri, 13 Dec 1901 21:45:51 GMT > > so user root is not a member of the domain admins. this might be the > reason why i get access denied trying to apply direcotry permissions. > i though mapping group root to NT Domain Admin should be enough, but it > doesn't seem to be. > > can anybody help me on this issue ?!? > > thanks a lot > > Holger Brueckner > net-labs Systemhaus GmbH > > > > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: http://lists.samba.org/mailman/listinfo/samba
Greetings all .. Is it possible to use pam_smbpass with a smbpasswd backend for login on a linux machine. If yes, how will it figure out things like home directory and shell? Thanks, __________________________________ Do you Yahoo!? Yahoo! Calendar - Free online calendar with sync to Outlook(TM). http://calendar.yahoo.com
On Tue, 10 Jun 2003, Sameer Zeidat wrote:> Greetings all .. > > Is it possible to use pam_smbpass with a smbpasswd backend for login on > a linux machine. If yes, how will it figure out things like home > directory and shell?Yes. You still need an /etc/passwd entry for each user though. The smbpasswd file does NOT replace /etc/passwd, unless you are using Winbind. If using Winbind then you will need to use pam_mount and / or pam_mkhomedir to handle home directories. The shell information is se either in smb.conf OR in your password backend. Obviously, the smbpasswd file does NOT store this information so this is only possible with the extended capability SAM formats (eg: tdbsam, ldapsam). - John T. -- John H Terpstra Email: jht@samba.org
Holger Brückner
2003-Jun-10 20:56 UTC
[Samba] Access Denied setting Directory Access Permissions
ok, i removed all ldap stuff .. but i still cannot set samba share acl's: svpdc:/data/download# smbcacls //svpdc/winkd test Password: REVISION:1 OWNER:SVFMG\root GROUP:SVFMG\root ACL:SVFMG\root:ALLOWED/0/RW ACL:SVFMG\root:ALLOWED/0/R ACL:\Everyone:ALLOWED/0/R svpdc:/data/download# smbcacls -A "ACL:SVFMG\kollegstufe:ALLOWED/0/RW" //svpdc/winkd test Password: svpdc:/data/download# echo $? 0 svpdc:/data/download# smbcacls //svpdc/winkd test Password: REVISION:1 OWNER:SVFMG\root GROUP:SVFMG\root ACL:SVFMG\root:ALLOWED/0/RW ACL:SVFMG\root:ALLOWED/0/R ACL:\Everyone:ALLOWED/0/R i still get something like "permissions not saved, cannot acces" if i try from a win2k box. can someone enlighten me ?!? this must somehow work. thanks Holger PS: if you need mor debugging messages just tell me. On Tue, 2003-06-10 at 16:29, Holger Br?ckner wrote:> Hello *, > > i've got a debian samba 3.0alpha23 with ldapsam. > my problem is that i can't set directory permissions. i alwasy get > access denied. > > what i have: > > svpdc:/etc/samba# smbgroupedit -v > params.c:Parameter() - Ignoring badly formed line in configuration file: > ldap trust ids > NT group (SID) -> Unix group > System Operators (S-1-5-32-549) -> -1 > Replicators (S-1-5-32-552) -> -1 > Guests (S-1-5-32-546) -> -1 > kollegstufe (S-1-5-21-3839733233-2759951301-2176690758-3011) -> > kollegstufe > root (S-1-5-21-3839733233-2759951301-2176690758-1001) -> root > Domain Admins (S-1-5-21-3839733233-2759951301-2176690758-512) -> root > Domain Guests (S-1-5-21-3839733233-2759951301-2176690758-514) -> -1 > Power Users (S-1-5-32-547) -> -1 > stundenplan (S-1-5-21-3839733233-2759951301-2176690758-3013) -> > stundenplan > users (S-1-5-21-1904509300-1595774664-1972565418-1201) -> users > Domain Admins (S-1-5-21-1904509300-1595774664-1972565418-512) -> root > Domain Guests (S-1-5-21-4168099664-486183441-673156717-514) -> -1 > Print Operators (S-1-5-32-550) -> -1 > Administrators (S-1-5-32-544) -> -1 > Domain Guests (S-1-5-21-1904509300-1595774664-1972565418-514) -> -1 > sekretariat (S-1-5-21-3839733233-2759951301-2176690758-3007) -> > sekretariat > Account Operators (S-1-5-32-548) -> -1 > Domain Users (S-1-5-21-3839733233-2759951301-2176690758-513) -> users > Backup Operators (S-1-5-32-551) -> -1 > direktorat (S-1-5-21-3839733233-2759951301-2176690758-3009) -> > direktorat > Users (S-1-5-32-545) -> users > > i'm wondering why some groups are listed more than once. how can i find > out which group is actually used and how do i get rid of the unused ones > ? i know i can do smbgroupedit -x, but there i can't specify a SID. > > svpdc:~# pdbedit -v -l root > params.c:Parameter() - Ignoring badly formed line in configuration file: > ldap trust ids > Unix username: root > NT username: > Account Flags: [U ] > User ID/Group ID: 0/0 > User SID: S-1-5-21-3839733233-2759951301-2176690758-1000 > Primary Group SID: S-1-5-21-3839733233-2759951301-2176690758-1001 > Full Name: root > Home Directory: \\svpdc\root > HomeDir Drive: > Logon Script: > Profile Path: \\svpdc\root\profile > Domain: SVFMG > Account desc: > Workstations: > Munged dial: > Logon time: 0 > Logoff time: Fri, 13 Dec 1901 21:45:51 GMT > Kickoff time: Fri, 13 Dec 1901 21:45:51 GMT > Password last set: Tue, 10 Jun 2003 16:15:24 GMT > Password can change: Tue, 10 Jun 2003 16:15:24 GMT > Password must change: Fri, 13 Dec 1901 21:45:51 GMT > > so user root is not a member of the domain admins. this might be the > reason why i get access denied trying to apply direcotry permissions. > i though mapping group root to NT Domain Admin should be enough, but it > doesn't seem to be. > > can anybody help me on this issue ?!? > > thanks a lot > > Holger Brueckner > net-labs Systemhaus GmbH > > > > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: http://lists.samba.org/mailman/listinfo/samba
Holger Brückner
2003-Jun-10 23:57 UTC
[Samba] Access Denied setting Directory Access Permissions
solved ... mounting with acl mount option helps where's the wall to bang my head ?!? On Tue, 2003-06-10 at 16:29, Holger Br?ckner wrote:> Hello *, > > i've got a debian samba 3.0alpha23 with ldapsam. > my problem is that i can't set directory permissions. i alwasy get > access denied. > > what i have: > > svpdc:/etc/samba# smbgroupedit -v > params.c:Parameter() - Ignoring badly formed line in configuration file: > ldap trust ids > NT group (SID) -> Unix group > System Operators (S-1-5-32-549) -> -1 > Replicators (S-1-5-32-552) -> -1 > Guests (S-1-5-32-546) -> -1 > kollegstufe (S-1-5-21-3839733233-2759951301-2176690758-3011) -> > kollegstufe > root (S-1-5-21-3839733233-2759951301-2176690758-1001) -> root > Domain Admins (S-1-5-21-3839733233-2759951301-2176690758-512) -> root > Domain Guests (S-1-5-21-3839733233-2759951301-2176690758-514) -> -1 > Power Users (S-1-5-32-547) -> -1 > stundenplan (S-1-5-21-3839733233-2759951301-2176690758-3013) -> > stundenplan > users (S-1-5-21-1904509300-1595774664-1972565418-1201) -> users > Domain Admins (S-1-5-21-1904509300-1595774664-1972565418-512) -> root > Domain Guests (S-1-5-21-4168099664-486183441-673156717-514) -> -1 > Print Operators (S-1-5-32-550) -> -1 > Administrators (S-1-5-32-544) -> -1 > Domain Guests (S-1-5-21-1904509300-1595774664-1972565418-514) -> -1 > sekretariat (S-1-5-21-3839733233-2759951301-2176690758-3007) -> > sekretariat > Account Operators (S-1-5-32-548) -> -1 > Domain Users (S-1-5-21-3839733233-2759951301-2176690758-513) -> users > Backup Operators (S-1-5-32-551) -> -1 > direktorat (S-1-5-21-3839733233-2759951301-2176690758-3009) -> > direktorat > Users (S-1-5-32-545) -> users > > i'm wondering why some groups are listed more than once. how can i find > out which group is actually used and how do i get rid of the unused ones > ? i know i can do smbgroupedit -x, but there i can't specify a SID. > > svpdc:~# pdbedit -v -l root > params.c:Parameter() - Ignoring badly formed line in configuration file: > ldap trust ids > Unix username: root > NT username: > Account Flags: [U ] > User ID/Group ID: 0/0 > User SID: S-1-5-21-3839733233-2759951301-2176690758-1000 > Primary Group SID: S-1-5-21-3839733233-2759951301-2176690758-1001 > Full Name: root > Home Directory: \\svpdc\root > HomeDir Drive: > Logon Script: > Profile Path: \\svpdc\root\profile > Domain: SVFMG > Account desc: > Workstations: > Munged dial: > Logon time: 0 > Logoff time: Fri, 13 Dec 1901 21:45:51 GMT > Kickoff time: Fri, 13 Dec 1901 21:45:51 GMT > Password last set: Tue, 10 Jun 2003 16:15:24 GMT > Password can change: Tue, 10 Jun 2003 16:15:24 GMT > Password must change: Fri, 13 Dec 1901 21:45:51 GMT > > so user root is not a member of the domain admins. this might be the > reason why i get access denied trying to apply direcotry permissions. > i though mapping group root to NT Domain Admin should be enough, but it > doesn't seem to be. > > can anybody help me on this issue ?!? > > thanks a lot > > Holger Brueckner > net-labs Systemhaus GmbH > > > > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: http://lists.samba.org/mailman/listinfo/samba