Michael Lueck
2005-Nov-10 13:30 UTC
[Samba] What file gets corrupted in Samba when perms stop working correctly?
I have a share which a group write list. That group is mapped to a Linux group in /etc/group. That group in Linux has two users. The first user listed is suddenly unable to write, but the second one is. With the affected user logged in to Win2K, ifmember /list shows they are a member of the group, as does the working account.

I am guessing one of those .tdb files or something got scrambled on the server. Any suggestions how to restore functionality?

--
Michael Lueck
Lueck Data Systems
http://www.lueckdatasystems.com/
Remove the upper case letters NOSPAM to contact me directly.
Gerald (Jerry) Carter
2005-Nov-10 13:35 UTC
[Samba] What file gets corrupted in Samba when perms stop working correctly?
Michael Lueck wrote:

| I have a share which a group write list.
| That group is mapped to a Linux group in /etc/group.
| That group in Linux has two users.
| The first user listed is suddenly unable to write, but the
| second one is. With the affected user logged in to
| Win2K, ifmember /list shows they are a member of
| the group, as does the working account.
|
| I am guessing one of those .tdb files or something
| got scrambled on the server. Any suggestions how
| to restore functionality?

File access checks are done by the OS. There is no associated tdb for file system perms. The only possible option might be if you tweaked the share permissions (via server manager) in share_info.tdb.

Oh and this assumes that the group membership shows correctly (as you have already tested).

cheers, jerry

====================================================================
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"There's an anonymous coward in all of us." --anonymous
Michael Lueck
2005-Nov-10 16:39 UTC
[Samba] Re: What file gets corrupted in Samba when perms stop working correctly?
Think I found something...

Jerry, seems like an old setting is leaking up through the floor boards.

Before the "net rpc rights grant domain\\account SeMachineAccountPrivilege" stuff existed, I used "admin users = @domadmin" to get the job done. That unfortunately made accounts "root" on the server. So, admin users is now commented out and rpc rights has been in use since that went production.

HOWEVER, here's the connection from my special account... (as it shows up in lsof)

    smbd 2614 root cwd DIR 8,9 4096 100663424 /srv/shares/stage

Sure looks like "admin users" is leaking through the floor boards somehow. Obviously since "root" is not a member of the group which has write perms, no write perms granted.

So, how else could this user become root on the server if "admin users" is commented out? I properly see the user name for other connections to the server.

--
Michael Lueck
Lueck Data Systems
http://www.lueckdatasystems.com/
Remove the upper case letters NOSPAM to contact me directly.
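[Added example, not part of the original post and not Samba project code: one way to check every section of an smb.conf for active settings that make smbd act as root for a session ("admin users", or "force user = root"), which is the condition suspected in the message above. The [stage] share name, the svc_deploy account and the sample text are constructed; "include" files are not followed.]

```python
# Parameters that make smbd do file operations as root; Samba ignores case
# and whitespace in parameter names, so names are normalized before matching.
WATCHED = {"adminusers": "admin users", "forceuser": "force user"}

# Constructed sample; the [stage] share name and svc_deploy account are assumed.
SAMPLE = """\
[global]
   # admin users = @domadmin
   ; Admin Users = @domadmin

[stage]
   path = /srv/shares/stage
   write list = @stagers
   AdminUsers = @domadmin, \\
       svc_deploy
   force user = root
"""

def logical_lines(text):
    """Yield (first_lineno, line): comments dropped, '\\' continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if start is None and (not line or line[0] in "#;"):
            continue  # blank line or a '#' / ';' comment
        start = n if start is None else start
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield start, buf + line
        buf, start = "", None
    if start is not None:
        yield start, buf  # file ended on a continuation line

def audit(text):
    """Return (section, parameter, value, lineno) for each active root mapping."""
    section, findings = None, []
    for n, line in logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, sep, value = line.partition("=")
        key, value = "".join(name.split()).lower(), value.strip()
        if sep and key in WATCHED and value:
            if key == "adminusers" or value.lower() == "root":
                findings.append((section, WATCHED[key], value, n))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

[The commented-out [global] lines are ignored, while the share-level "AdminUsers" spelling and its continuation line are still reported.]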
Michael Lueck
2005-Nov-10 23:52 UTC
[Samba] Re: What file gets corrupted in Samba when perms stop working correctly?
Michael Lueck wrote:

> But then, I AM going to upgrade the Samba version after the process gets
> done, so then it is an all new ball game after that. ;-)

All right, general "Spring Cleaning" on my Samba configuration. Updated to the 3.0.20b Debian Sarge packages. Saw various things I was not 100% happy with, so did my best shot at putting things how I think I want them, and for now the special account is able to read and write to the special share. Time will tell.

Thanks as always Jerry!

(Yeaaaa... I get to play with the NT service start/stop code finally! Early Christmas present, right?!)

--
Michael Lueck
Lueck Data Systems
http://www.lueckdatasystems.com/
Remove the upper case letters NOSPAM to contact me directly.