Sabine Jordan
2005-Dec-13 07:43 UTC
[Samba] Samba 3.0.20 acls not working anymore and problem with winbindd_idmap.tdb
Hi Folks,

I am experiencing some problems with samba 3.0.20 which I cannot solve on my own. We have updated from samba 3.0.10 to samba 3.0.20, but I am not sure when the problems started. We had a problem with idmap - I had hoped to solve - before. Whenever we rebooted the server, all of the ACLs got jumbled up. I thought that our winbindd_idmap.tdb somehow got broken. I re-created it, but still the problem persists.

We use winbindd to get all the groups and users from Active Directory, and we have 2 samba servers joined to the same domain. Now I have found out that this could be the cause of the problem I have with my idmap. Is it a good idea to change the winbindd configuration to winbindd with an NSS/LDAP backend-based idmap facility? How can I change from a local tdb to LDAP without losing my user and group assignments? I cannot afford to lose all or mess up all the ACLs on the first server. I think this is a bigger issue and needs to be thought over carefully.

But now to the other problem I have on the second and smaller samba server. I have had some trouble concerning access rights where users were trying to save a file on a share and getting "File exists" error messages. (But the file did not exist before!) After another attempt to save the same file the operation was successful. I could not trace the problem after examining the ACLs with getfacl on the server. Everything seemed to be alright.

Here's the global section of my smb.conf:

# Global parameters
[global]
        workgroup = DTMS
        netbios name = MAX
        security = domain
        password server = skynet, orion, *
        server string = MAX rate one Fileserver
        domain master = no
        os level = 2
        unix extensions = Yes
        encrypt passwords = yes
        interfaces = eth0
        log level = 2
        log file = /var/log/samba/%m
        max log size = 2048
        syslog = 0
        acl check permissions = yes #seems to change nothing...
        name resolve order = lmhosts hosts bcast
        wins support = no
        wins server = 192.168.9.4
        socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
# ********************************************************
# winbind section
# ********************************************************
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        template shell = /bin/bash
        template homedir = /distributed/samba-freigaben/user/%U
        template shell = /bin/false
        nt acl support = yes
        winbind separator = +
        veto files = /*.eml/*.nws/riched20.dll/*.{*}/
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        obey pam restrictions = yes

Removing and resetting the ACLs with setfacl as well as rebooting the machine did not help either. I have tried to view the ACLs via a mapped share through Windows, but I don't even see the ACLs there. I only see the local unix rights (user and owner group). I have tried to view and change ACLs for a file named glossar.htm with the following rights:

max:~ # ls -la /distributed/samba-freigaben/marketing/glossar.htm
-rwxrwxrwx+  1 jordans Marketing_ges 26190 Apr 11  2001 /distributed/samba-freigaben/marketing/glossar.htm

max:~ # getfacl /distributed/samba-freigaben/marketing/glossar.htm
# file: distributed/samba-freigaben/marketing/glossar.htm
# owner: jordans
# group: Marketing_ges
user::rwx
group::rw-
group:RO_Management:rwx
group:RO_Technik:rwx
group:RO_marketing_intern:rwx
group:RO_marketing_extern:rwx
mask::rwx
other::rwx

Here's the configuration for the share marketing where the file glossar.htm can be found:

[marketing]
        comment = Marketing
        path = /distributed/samba-freigaben/marketing
        nt acl support = no
        writeable = yes
        browsable = yes
        valid users = @ntadmins @RO_Technik @RO_Management @RO_marketing_intern @marketing_extern
        admin users = @ntadmins

[marketing_a]
        comment = Adminshare marketing
        copy = marketing
        nt acl support = yes
        browsable = no
        admin users = @DTMS+Domänen-Admins DTMS+WenkP DTMS+JordanS
        valid users = @DTMS+Domänen-Admins DTMS+WenkP DTMS+JordanS

I have mapped the Adminshare so that I can see NT ACLs... But I don't see the ACLs, I just see the owner (JordanS) and group (Marketing_ges), as well as root/Max. Here are the IDs for this user and group:

max:~ # getent passwd | grep 10002
jordans:x:10002:10000:Jordan, Sabine:/distributed/samba-freigaben/user/jordans:/bin/false

max:~ # getent group | grep 10044
Marketing_ges:x:10044:HeideE,EhrlicC,GibmeiA,KrieseB,partnership,HoefliO,KoriteS,VorbecM,BarossM,ReiterB,DildeiF,LindemY,ConzenN,WirtzP,BockmaA,ZechliT,BuchD,JoergeM,PelkmaR,KottbusM,KartziO,LehmanM

When I try to change permissions via the file properties/security tab I get a Windows "Access Denied" message... I have turned on the Samba log (log level 10) and here are some extracts from the messages I get.

  jordans opened file glossar.htm read=No write=No (numopen=3)
[2005/12/09 10:13:16, 3] smbd/process.c:process_smb(1114)
  Transaction 4546 of length 76
[2005/12/09 10:13:16, 3] smbd/process.c:switch_message(900)
  switch message SMBtrans2 (pid 23879) conn 0x837b740
[2005/12/09 10:13:16, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 10028) - sec_ctx_stack_ndx = 0
[2005/12/09 10:13:16, 3] smbd/trans2.c:call_trans2qfilepathinfo(2760)
  call_trans2qfilepathinfo: TRANSACT2_QFILEINFO: level = 1006
[2005/12/09 10:13:16, 3] smbd/trans2.c:call_trans2qfilepathinfo(2871)
  call_trans2qfilepathinfo glossar.htm (fnum = 10498) level=1006 call=7 total_data=0
[2005/12/09 10:13:16, 3] smbd/process.c:process_smb(1114)
  Transaction 4547 of length 300
[2005/12/09 10:13:16, 3] smbd/process.c:switch_message(900)
  switch message SMBnttrans (pid 23879) conn 0x837b740
[2005/12/09 10:13:16, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 10028) - sec_ctx_stack_ndx = 0
[2005/12/09 10:13:16, 3] smbd/nttrans.c:call_nt_transact_set_security_desc(2081)
  call_nt_transact_set_security_desc: file = glossar.htm, sent 0x80000004
[2005/12/09 10:13:16, 3] passdb/lookup_sid.c:fetch_sid_from_uid_cache(158)
  fetch sid from uid cache 10002 -> S-1-5-21-1401254064-310468482-1167487308-4176
[2005/12/09 10:13:16, 3] passdb/lookup_sid.c:fetch_sid_from_gid_cache(232)
  fetch sid from gid cache 10044 -> S-1-5-21-1401254064-310468482-1167487308-2745
[2005/12/09 10:13:16, 3] passdb/lookup_sid.c:fetch_uid_from_cache(179)
  fetch uid from cache 10002 -> S-1-5-21-1401254064-310468482-1167487308-4176
[2005/12/09 10:13:16, 3] passdb/lookup_sid.c:fetch_gid_from_cache(253)
  fetch gid from cache 10044 -> S-1-5-21-1401254064-310468482-1167487308-2745
[2005/12/09 10:13:16, 3] smbd/dosmode.c:unix_mode(121)
  unix_mode(glossar.htm) returning 0744
[2005/12/09 10:13:16, 3] smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2581)
  convert_canon_ace_to_posix_perms: Too many ACE entries for file glossar.htm to convert to posix perms.
[2005/12/09 10:13:16, 3] smbd/posix_acls.c:set_nt_acl(3257)
  set_nt_acl: failed to convert file acl to posix permissions for file glossar.htm.
[2005/12/09 10:13:16, 3] smbd/error.c:error_packet(147)
  error packet at smbd/nttrans.c(2088) cmd=160 (SMBnttrans) NT_STATUS_ACCESS_DENIED
[2005/12/09 10:13:16, 3] smbd/process.c:process_smb(1114)

We use SuSE Linux 9.1 (i586) and kernel Linux max 2.4.25 with ACL support (also compiled for samba). Any ideas? It would be great if someone could offer me help.

Thanks in advance,
Sabine Jordan
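The log extract in the post above shows the sequence a defender wants to recognise: smbd reaches convert_canon_ace_to_posix_perms, reports "Too many ACE entries" because the file carries named group entries beyond owner/group/other, set_nt_acl fails, and the client gets NT_STATUS_ACCESS_DENIED. The following Python triage helper is an added example, not code from the post or from the Samba project. It (1) resolves the effective per-share parameters of an smb.conf the way smbd does, including the `copy =` inheritance used by [marketing_a] and the [global] defaults; (2) parses a getfacl record and shows which entries would be dropped if the ACL had to be stored as plain mode bits; and (3) pulls the fallback signature out of smbd log text. The smb.conf, getfacl and log fragments are constructed samples modelled on the post, and every function name is this example's own.

```python
import re

# --- constructed sample inputs, modelled on the post (not the author's real files) ---

SMB_CONF = """\
# Global parameters
[global]
   workgroup = DTMS
   nt acl support = yes
   winbind separator = +

[marketing]
   comment = Marketing
   path = /distributed/samba-freigaben/marketing
   nt acl support = no
   writeable = yes

[marketing_a]
   comment = Adminshare marketing
   copy = marketing
   nt acl support = yes
   browsable = no
"""

GETFACL_OUT = """\
# file: distributed/samba-freigaben/marketing/glossar.htm
# owner: jordans
# group: Marketing_ges
user::rwx
group::rw-
group:RO_Management:rwx
group:RO_Technik:rwx
group:RO_marketing_intern:rwx
group:RO_marketing_extern:rwx
mask::rwx
other::rwx
"""

SMBD_LOG = """\
[2005/12/09 10:13:16, 3] smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2581)
  convert_canon_ace_to_posix_perms: Too many ACE entries for file glossar.htm to convert to posix perms.
[2005/12/09 10:13:16, 3] smbd/posix_acls.c:set_nt_acl(3257)
  set_nt_acl: failed to convert file acl to posix permissions for file glossar.htm.
[2005/12/09 10:13:16, 3] smbd/error.c:error_packet(147)
  error packet at smbd/nttrans.c(2088) cmd=160 (SMBnttrans) NT_STATUS_ACCESS_DENIED
"""


def parse_smb_conf(text):
    """Return {section: {param: value}}; section and parameter names lower-cased.
    Like smbd, only lines that *start* with '#' or ';' are treated as comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, val = line.split("=", 1)
            sections[current][key.strip().lower()] = val.strip()
    return sections


def effective_params(sections, share, _seen=()):
    """Share parameters as smbd applies them: [global] defaults, then the section
    named by 'copy =', then the share's own lines, which override the copy."""
    if share in _seen:
        raise ValueError("copy = loop at section %s" % share)
    own = sections[share]
    params = dict(sections.get("global", {}))
    if "copy" in own:
        params.update(effective_params(sections, own["copy"].lower(), _seen + (share,)))
    params.update(own)
    params.pop("copy", None)
    return params


def is_yes(value):
    return str(value).strip().lower() in ("yes", "true", "1")


def shares_for_path(sections, path):
    """Names of shares whose effective path contains the file, longest path first."""
    hits = []
    for name in sections:
        if name == "global":
            continue
        share_path = effective_params(sections, name).get("path", "").rstrip("/")
        if share_path and (path == share_path or path.startswith(share_path + "/")):
            hits.append((len(share_path), name))
    return [n for _, n in sorted(hits, reverse=True)]


def parse_getfacl(text):
    """Return (absolute path, [(tag, qualifier, perms)]) from one getfacl record."""
    path, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# file:"):
            path = "/" + line.split(":", 1)[1].strip().lstrip("/")
        elif not line or line.startswith("#"):
            continue
        else:
            parts = line.split(":")
            if parts[0] == "default":   # default:group:NAME:rwx keeps tag 'default'
                tag, qual, perms = "default", parts[1] + ":" + parts[2], parts[3]
            else:
                tag, qual, perms = parts[0], parts[1], parts[2]
            entries.append((tag, qual, perms.split()[0]))  # drop '#effective:...' suffix
    return path, entries


def perm_bits(perms):
    return (4 if "r" in perms else 0) | (2 if "w" in perms else 0) | (1 if "x" in perms else 0)


def reduce_to_mode_bits(entries):
    """What survives if the ACL can only be stored as owner/group/other mode bits:
    (octal mode string, entries that would be silently dropped)."""
    by_tag = {(t, q): p for t, q, p in entries}
    owner = perm_bits(by_tag.get(("user", ""), ""))
    # with a mask present the effective group bits are the mask, not group::
    group = perm_bits(by_tag.get(("mask", ""), by_tag.get(("group", ""), "")))
    other = perm_bits(by_tag.get(("other", ""), ""))
    dropped = [e for e in entries
               if e[0] == "default" or (e[0] in ("user", "group") and e[1] != "")]
    return "0%d%d%d" % (owner, group, other), dropped


def acl_fallback_files(log_text):
    """Files for which smbd gave up on the POSIX ACL and tried plain mode bits."""
    return sorted(set(re.findall(r"Too many ACE entries for file (\S+) to convert", log_text)))


def triage(conf_text, getfacl_text, log_text):
    sections = parse_smb_conf(conf_text)
    path, entries = parse_getfacl(getfacl_text)
    mode, dropped = reduce_to_mode_bits(entries)
    return {
        "path": path,
        "mode_if_reduced": mode,
        "dropped_entries": dropped,
        # 'nt acl support' defaults to yes in smbd when unset
        "shares": {s: is_yes(effective_params(sections, s).get("nt acl support", "yes"))
                   for s in shares_for_path(sections, path)},
        "fallback_in_log": acl_fallback_files(log_text),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SMB_CONF, GETFACL_OUT, SMBD_LOG), indent=2))
```

Run against the constructed samples, the report shows that both [marketing] and [marketing_a] contain glossar.htm, that [marketing_a] has nt acl support on despite [marketing] turning it off (its own line overrides the copied one), that a mode-bit fallback would reduce the file to 0777 and drop all four RO_* group entries, and that the log records exactly that fallback for glossar.htm. A real file-serving path would be verified on the server by running getfacl there and feeding the output in unchanged.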