Sabine Jordan
2005-Dec-13 07:43 UTC
[Samba] Samba 3.0.20 acls not working anymore and problem with winbindd_idmap.tdb
Hi Folks,
I am experiencing some problems with samba 3.0.20 which I can not solve
on my own. We have updated from samba 3.0.10 to samba 3.0.20, but I am
not sure when the problems started.
We had a problem with idmap - I had hoped to solve - before. Whenever
we rebooted the server, all of the ACLs got jumbled up. I thought that
our winbindd_idmap.tdb somehow got broken. I re-created it, but still
the problem persists. We use winbindd to get all the Groups and Users
from Active Directory, and we have 2 samba-servers joined to the same
domain. Now I have found out that this could be the cause of the
problem I have with my idmap. Is it a good idea to change winbindd
configuration to windbindd with an NSS/LDAP backend-based idmap
facility? How can I change form local tdb to ldap-tbs without using my
user and group assignsments? I can not afford to loose all or mess up
all the ALCs on the first server. I think this is a bigger issue and
needs to be thought over carefully.
But now to the other problem I have on the second and smaller
samba-server. I have had some trouble concerning access rights where
users were trying to save a file on a share getting "File exits" error
messages. (But the file did not exist before!) After another attempt to
save the same file the operation was successfull. I could not trace the
problem after examining the acls with getfacl on the server. Everything
seemed to be alright.
Here's the global-section of my smb.conf:
# Global parameters
[global]
workgroup = DTMS
netbios name = MAX
security = domain
password server = skynet, orion, *
server string = MAX rate one Fileserver
domain master = no
os level = 2
unix extensions = Yes
encrypt passwords = yes
interfaces = eth0
log level = 2
log file = /var/log/samba/%m
max log size = 2048
syslog = 0
acl check permissions = yes
#seems to change nothing...
name resolve order = lmhosts hosts bcast
wins support = no
wins server = 192.168.9.4
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
# ********************************************************
# winbind section
# ********************************************************
winbind uid = 10000-20000
winbind gid = 10000-20000
template shell = /bin/bash
template homedir = /distributed/samba-freigaben/user/%U
template shell = /bin/false
nt acl support = yes
winbind separator = +
veto files = /*.eml/*.nws/riched20.dll/*.{*}/
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
obey pam restrictions = yes
Removing and resetting the acls with setfacl as well as rebooting the
machine did not help either. I have tried to view the ACLS via mapped
Share through windows, but I don't even see the ACLs there. I only see
the local unix-rights (user and owner-group)
I have tried to view and change ACLS for a file named glossar.htm with
the following rights:
max:~ # ls -la /distributed/samba-freigaben/marketing/glossar.htm
-rwxrwxrwx+ 1 jordans Marketing_ges 26190 Apr 11 2001
/distributed/samba-freigaben/marketing/glossar.htm
max:~ # getfacl /distributed/samba-freigaben/marketing/glossar.htm
# file: distributed/samba-freigaben/marketing/glossar.htm
# owner: jordans
# group: Marketing_ges
user::rwx
group::rw-
group:RO_Management:rwx
group:RO_Technik:rwx
group:RO_marketing_intern:rwx
group:RO_marketing_extern:rwx
mask::rwx
other::rwx
Here's the configuration for the share marketing where the file
glossar.htm can be found:
[marketing]
comment = Marketing
path = /distributed/samba-freigaben/marketing
nt acl support = no
writeable = yes
browsable = yes
valid users = @ntadmins @RO_Technik @RO_Management
@RO_marketing_intern @marketing_extern
admin users = @ntadmins
[marketing_a]
comment = Adminshare marketing
copy = marketing
nt acl support = yes
browsable = no
admin users = @DTMS+Dom?nen-Admins DTMS+WenkP DTMS+JordanS
valid users = @DTMS+Dom?nen-Admins DTMS+WenkP DTMS+JordanS
I have mapped the Adminshare, that I can see nt acls... But I don't see
the ACLs, I just see the owner (JordanS) and group (Marketing_ges), as
well as root/Max.
Here are the IDs for this user and group:
max:~ # getent passwd |grep 10002
jordans:x:10002:10000:Jordan,
Sabine:/distributed/samba-freigaben/user/jordans:/bin/false
max:~ # getent group |grep
10044
Marketing_ges:x:10044:HeideE,EhrlicC,GibmeiA,KrieseB,partnership,HoefliO,KoriteS,VorbecM,BarossM,ReiterB,DildeiF,LindemY,ConzenN,WirtzP,BockmaA,ZechliT,BuchD,JoergeM,PelkmaR,KottbusM,KartziO,LehmanM
When I try to change permissions via file properties/security tab I get
an Windows "Access Denied" - message... I have turned on Samba log
(loglevel10) and here are some extracts from the messages I get.
jordans opened file glossar.htm read=No write=No (numopen=3)
[2005/12/09 10:13:16, 3] smbd/process.c:process_smb(1114)
Transaction 4546 of length 76
[2005/12/09 10:13:16, 3] smbd/process.c:switch_message(900)
switch message SMBtrans2 (pid 23879) conn 0x837b740
[2005/12/09 10:13:16, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 10028) - sec_ctx_stack_ndx = 0
[2005/12/09 10:13:16, 3] smbd/trans2.c:call_trans2qfilepathinfo(2760)
call_trans2qfilepathinfo: TRANSACT2_QFILEINFO: level = 1006
[2005/12/09 10:13:16, 3] smbd/trans2.c:call_trans2qfilepathinfo(2871)
call_trans2qfilepathinfo glossar.htm (fnum = 10498) level=1006 call=7
total_data=0
[2005/12/09 10:13:16, 3] smbd/process.c:process_smb(1114)
Transaction 4547 of length 300
[2005/12/09 10:13:16, 3] smbd/process.c:switch_message(900)
switch message SMBnttrans (pid 23879) conn 0x837b740
[2005/12/09 10:13:16, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 10028) - sec_ctx_stack_ndx = 0
[2005/12/09 10:13:16, 3]
smbd/nttrans.c:call_nt_transact_set_security_desc(2081)
call_nt_transact_set_security_desc: file = glossar.htm, sent
0x80000004
[2005/12/09 10:13:16, 3]
passdb/lookup_sid.c:fetch_sid_from_uid_cache(158)
fetch sid from uid cache 10002 ->
S-1-5-21-1401254064-310468482-1167487308-4176
[2005/12/09 10:13:16, 3]
passdb/lookup_sid.c:fetch_sid_from_gid_cache(232)
fetch sid from gid cache 10044 ->
S-1-5-21-1401254064-310468482-1167487308-2745
[2005/12/09 10:13:16, 3] passdb/lookup_sid.c:fetch_uid_from_cache(179)
fetch uid from cache 10002 ->
S-1-5-21-1401254064-310468482-1167487308-4176
[2005/12/09 10:13:16, 3] passdb/lookup_sid.c:fetch_gid_from_cache(253)
fetch gid from cache 10044 ->
S-1-5-21-1401254064-310468482-1167487308-2745
[2005/12/09 10:13:16, 3] smbd/dosmode.c:unix_mode(121)
unix_mode(glossar.htm) returning 0744
[2005/12/09 10:13:16, 3]
smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2581)
convert_canon_ace_to_posix_perms: Too many ACE entries for file
glossar.htm to convert to posix perms.
[2005/12/09 10:13:16, 3] smbd/posix_acls.c:set_nt_acl(3257)
set_nt_acl: failed to convert file acl to posix permissions for file
glossar.htm.
[2005/12/09 10:13:16, 3] smbd/error.c:error_packet(147)
error packet at smbd/nttrans.c(2088) cmd=160 (SMBnttrans)
NT_STATUS_ACCESS_DENIED
[2005/12/09 10:13:16, 3] smbd/process.c:process_smb(1114)
We use SuSE Linux 9.1 (i586) and kernel Linux max 2.4.25 with
acl-support (also compiled for samba).
Any ideas? It would be great if someone could offe me help.
Thanks in advance,
Sabine Jordan
--
10 GB Mailbox, 100 FreeSMS/Monat http://www.gmx.net/de/go/topmail
+++ GMX - die erste Adresse f?r Mail, Message, More +++
Sabine Jordan
2005-Dec-13 22:40 UTC
[Samba] Samba 3.0.20 acls not working anymore and problem with winbindd_idmap.tdb
Hi Folks,
I am experiencing some problems with samba 3.0.20 which I can not solve
on my own. We have updated from samba 3.0.10 to samba 3.0.20, but I am
not sure when the problems started.
We had a problem with idmap - I had hoped to solve - before. Whenever
we rebooted the server, all of the ACLs got jumbled up. I thought that
our winbindd_idmap.tdb somehow got broken. I re-created it, but still
the problem persists. We use winbindd to get all the Groups and Users
from Active Directory, and we have 2 samba-servers joined to the same
domain. Now I have found out that this could be the cause of the
problem I have with my idmap. Is it a good idea to change winbindd
configuration to windbindd with an NSS/LDAP backend-based idmap
facility? How can I change form local tdb to ldap-tbs without using my
user and group assignsments? I can not afford to loose all or mess up
all the ALCs on the first server. I think this is a bigger issue and
needs to be thought over carefully.
But now to the other problem I have on the second and smaller
samba-server. I have had some trouble concerning access rights where
users were trying to save a file on a share getting "File exits" error
messages. (But the file did not exist before!) After another attempt to
save the same file the operation was successfull. I could not trace the
problem after examining the acls with getfacl on the server. Everything
seemed to be alright.
Here's the global-section of my smb.conf:
# Global parameters
[global]
workgroup = DTMS
netbios name = MAX
security = domain
password server = skynet, orion, *
server string = MAX rate one Fileserver
domain master = no
os level = 2
unix extensions = Yes
encrypt passwords = yes
interfaces = eth0
log level = 2
log file = /var/log/samba/%m
max log size = 2048
syslog = 0
acl check permissions = yes
#seems to change nothing...
name resolve order = lmhosts hosts bcast
wins support = no
wins server = 192.168.9.4
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
# ********************************************************
# winbind section
# ********************************************************
winbind uid = 10000-20000
winbind gid = 10000-20000
template shell = /bin/bash
template homedir = /distributed/samba-freigaben/user/%U
template shell = /bin/false
nt acl support = yes
winbind separator = +
veto files = /*.eml/*.nws/riched20.dll/*.{*}/
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
obey pam restrictions = yes
Removing and resetting the acls with setfacl as well as rebooting the
machine did not help either. I have tried to view the ACLS via mapped
Share through windows, but I don't even see the ACLs there. I only see
the local unix-rights (user and owner-group)
I have tried to view and change ACLS for a file named glossar.htm with
the following rights:
max:~ # ls -la /distributed/samba-freigaben/marketing/glossar.htm
-rwxrwxrwx+ 1 jordans Marketing_ges 26190 Apr 11 2001
/distributed/samba-freigaben/marketing/glossar.htm
max:~ # getfacl /distributed/samba-freigaben/marketing/glossar.htm
# file: distributed/samba-freigaben/marketing/glossar.htm
# owner: jordans
# group: Marketing_ges
user::rwx
group::rw-
group:RO_Management:rwx
group:RO_Technik:rwx
group:RO_marketing_intern:rwx
group:RO_marketing_extern:rwx
mask::rwx
other::rwx
Here's the configuration for the share marketing where the file
glossar.htm can be found:
[marketing]
comment = Marketing
path = /distributed/samba-freigaben/marketing
nt acl support = no
writeable = yes
browsable = yes
valid users = @ntadmins @RO_Technik @RO_Management
@RO_marketing_intern @marketing_extern
admin users = @ntadmins
[marketing_a]
comment = Adminshare marketing
copy = marketing
nt acl support = yes
browsable = no
admin users = @DTMS+Dom?nen-Admins DTMS+WenkP DTMS+JordanS
valid users = @DTMS+Dom?nen-Admins DTMS+WenkP DTMS+JordanS
I have mapped the Adminshare, that I can see nt acls... But I don't see
the ACLs, I just see the owner (JordanS) and group (Marketing_ges), as
well as root/Max.
Here are the IDs for this user and group:
max:~ # getent passwd |grep 10002
jordans:x:10002:10000:Jordan,
Sabine:/distributed/samba-freigaben/user/jordans:/bin/false
max:~ # getent group |grep
10044
Marketing_ges:x:10044:HeideE,EhrlicC,GibmeiA,KrieseB,partnership,HoefliO,KoriteS,VorbecM,BarossM,ReiterB,DildeiF,LindemY,ConzenN,WirtzP,BockmaA,ZechliT,BuchD,JoergeM,PelkmaR,KottbusM,KartziO,LehmanM
When I try to change permissions via file properties/security tab I get
an Windows "Access Denied" - message... I have turned on Samba log
(loglevel10) and here are some extracts from the messages I get.
jordans opened file glossar.htm read=No write=No (numopen=3)
[2005/12/09 10:13:16, 3] smbd/process.c:process_smb(1114)
Transaction 4546 of length 76
[2005/12/09 10:13:16, 3] smbd/process.c:switch_message(900)
switch message SMBtrans2 (pid 23879) conn 0x837b740
[2005/12/09 10:13:16, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 10028) - sec_ctx_stack_ndx = 0
[2005/12/09 10:13:16, 3] smbd/trans2.c:call_trans2qfilepathinfo(2760)
call_trans2qfilepathinfo: TRANSACT2_QFILEINFO: level = 1006
[2005/12/09 10:13:16, 3] smbd/trans2.c:call_trans2qfilepathinfo(2871)
call_trans2qfilepathinfo glossar.htm (fnum = 10498) level=1006 call=7
total_data=0
[2005/12/09 10:13:16, 3] smbd/process.c:process_smb(1114)
Transaction 4547 of length 300
[2005/12/09 10:13:16, 3] smbd/process.c:switch_message(900)
switch message SMBnttrans (pid 23879) conn 0x837b740
[2005/12/09 10:13:16, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 10028) - sec_ctx_stack_ndx = 0
[2005/12/09 10:13:16, 3]
smbd/nttrans.c:call_nt_transact_set_security_desc(2081)
call_nt_transact_set_security_desc: file = glossar.htm, sent
0x80000004
[2005/12/09 10:13:16, 3]
passdb/lookup_sid.c:fetch_sid_from_uid_cache(158)
fetch sid from uid cache 10002 ->
S-1-5-21-1401254064-310468482-1167487308-4176
[2005/12/09 10:13:16, 3]
passdb/lookup_sid.c:fetch_sid_from_gid_cache(232)
fetch sid from gid cache 10044 ->
S-1-5-21-1401254064-310468482-1167487308-2745
[2005/12/09 10:13:16, 3] passdb/lookup_sid.c:fetch_uid_from_cache(179)
fetch uid from cache 10002 ->
S-1-5-21-1401254064-310468482-1167487308-4176
[2005/12/09 10:13:16, 3] passdb/lookup_sid.c:fetch_gid_from_cache(253)
fetch gid from cache 10044 ->
S-1-5-21-1401254064-310468482-1167487308-2745
[2005/12/09 10:13:16, 3] smbd/dosmode.c:unix_mode(121)
unix_mode(glossar.htm) returning 0744
[2005/12/09 10:13:16, 3]
smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2581)
convert_canon_ace_to_posix_perms: Too many ACE entries for file
glossar.htm to convert to posix perms.
[2005/12/09 10:13:16, 3] smbd/posix_acls.c:set_nt_acl(3257)
set_nt_acl: failed to convert file acl to posix permissions for file
glossar.htm.
[2005/12/09 10:13:16, 3] smbd/error.c:error_packet(147)
error packet at smbd/nttrans.c(2088) cmd=160 (SMBnttrans)
NT_STATUS_ACCESS_DENIED
[2005/12/09 10:13:16, 3] smbd/process.c:process_smb(1114)
We use SuSE Linux 9.1 (i586) and kernel Linux max 2.4.25 with
acl-support (also compiled for samba).
Any ideas? It would be great if someone could offe me help.
Thanks in advance,
Sabine Jordan
--
10 GB Mailbox, 100 FreeSMS/Monat http://www.gmx.net/de/go/topmail
+++ GMX - die erste Adresse f?r Mail, Message, More +++