Marc Mühlfeld
2006-Sep-11 23:25 UTC
[Samba] Winbind: User can read a file on server but not on a share
Hello,

I have two Domains (DOM1 and DOM2). Each trusts the other. Now I configured winbind on PDC1 with the following settings:

winbind separator = +
idmap backend = ldap:ldap://192.168.1.4
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/bash

On PDC1 I can see the users of DOM2 now:

# wbinfo -u
DOM2+user2
.....

Nsswitch is configured to use winbind too.

I put DOM2+user2 in a global group (mygroup) on DOM1:

# id DOM2+user2
uid=10000(DOM2+user2) gid=10006(DOM2+domain users) groups=10006(DOM2+domain users),1031(mygroup)

I put a file on a share of PDC1 that is readable for mygroup:

# ls -la /share/test.txt
-rw-r----- 1 root mygroup 8 Sep 11 00:16 /share/test.txt

And here's my problem:

When I do "su - DOM2+user2" on PDC1 I can read the content of this file (because of being a member of the group that has read rights on the file). But when I access the file from a machine out of DOM2, I get a permission denied error message.

Here's the output of log level = 10:

[2006/09/11 03:47:47, 10] lib/util.c:dump_data(2058)
  [000] 00 5C 00 54 00 45 00 53 00 54 00 2E 00 54 00 58  .\.T.E.S .T...T.X
  [010] 00 54 00 00 00  .T...
[2006/09/11 03:47:47, 3] smbd/process.c:switch_message(993)
  switch message SMBntcreateX (pid 22401) conn 0x8033e648
[2006/09/11 03:47:47, 4] smbd/uid.c:change_to_user(222)
  change_to_user: Skipping user change - already user
[2006/09/11 03:47:47, 10] smbd/nttrans.c:reply_ntcreate_and_X(506)
  reply_ntcreateX: flags = 0x16, access_mask = 0x20089 file_attributes = 0x80, share_access = 0x3, create_disposition = 0x1 create_options = 0x4140 root_dir_fid = 0x0
[2006/09/11 03:47:47, 5] smbd/filename.c:unix_convert(108)
  unix_convert called on file "TEST.TXT"
[2006/09/11 03:47:47, 10] smbd/statcache.c:stat_cache_lookup(248)
  stat_cache_lookup: lookup succeeded for name [TEST.TXT] -> [test.txt]
[2006/09/11 03:47:47, 8] lib/util.c:is_in_path(1677)
  is_in_path: test.txt
[2006/09/11 03:47:47, 8] lib/util.c:is_in_path(1697)
  is_in_path: match not found
[2006/09/11 03:47:47, 2] smbd/dosmode.c:unix_mode(70)
  unix_mode(test.txt) inheriting from .
[2006/09/11 03:47:47, 2] smbd/dosmode.c:unix_mode(78)
  unix_mode(test.txt) inherit mode 40755
[2006/09/11 03:47:47, 3] smbd/dosmode.c:unix_mode(121)
  unix_mode(test.txt) returning 0644
[2006/09/11 03:47:47, 10] smbd/open.c:open_file_ntcreate(1091)
  open_file_ntcreate: fname=test.txt, dos_attrs=0x80 access_mask=0x20089 share_access=0x3 create_disposition = 0x1 create_options=0x4140 unix mode=0644 oplock_request=3
[2006/09/11 03:47:47, 8] lib/util.c:is_in_path(1677)
  is_in_path: test.txt
[2006/09/11 03:47:47, 8] lib/util.c:is_in_path(1697)
  is_in_path: match not found
[2006/09/11 03:47:47, 8] smbd/dosmode.c:dos_mode(300)
  dos_mode: test.txt
[2006/09/11 03:47:47, 8] smbd/dosmode.c:dos_mode_from_sbuf(167)
  dos_mode_from_sbuf returning
[2006/09/11 03:47:47, 8] smbd/dosmode.c:dos_mode(334)
  dos_mode returning
[2006/09/11 03:47:47, 8] lib/util.c:is_in_path(1677)
  is_in_path: test.txt
[2006/09/11 03:47:47, 8] lib/util.c:is_in_path(1697)
  is_in_path: match not found
[2006/09/11 03:47:47, 10] smbd/open.c:open_file_ntcreate(1259)
  open_file_ntcreate: fname=test.txt, after mapping access_mask=0x20089
[2006/09/11 03:47:47, 5] smbd/files.c:file_new(128)
  allocated file structure 8902, fnum = 12998 (1 used)
[2006/09/11 03:47:47, 4] smbd/open.c:open_file_ntcreate(1490)
  calling open_file with flags=0x0 flags2=0x0 mode=0644
[2006/09/11 03:47:47, 10] smbd/open.c:fd_open(55)
  fd_open: name test.txt, flags = 00 mode = 0644, fd = -1. Permission denied
[2006/09/11 03:47:47, 3] smbd/open.c:open_file(276)
  Error opening file test.txt (Permission denied) (local_flags=0) (flags=0)
[2006/09/11 03:47:47, 5] smbd/files.c:file_free(450)
  freed files structure 12998 (0 used)
[2006/09/11 03:47:47, 10] smbd/trans2.c:set_bad_path_error(2623)
  set_bad_path_error: err = 13 bad_path = 0
[2006/09/11 03:47:47, 3] smbd/error.c:unix_error_packet(90)
  unix_error_packet: error string = Permission denied
[2006/09/11 03:47:47, 3] smbd/error.c:error_packet(146)
  error packet at smbd/trans2.c(2632) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED

Maybe anybody can tell me what I did wrong.

Best regards
Marc
Felipe Augusto van de Wiel
2006-Sep-13 13:31 UTC
[Samba] Winbind: User can read a file on server but not on a share
On 09/11/2006 08:24 PM, Marc Mühlfeld wrote:
> Hello,
>
> I have two Domains (DOM1 and DOM2). Each trusts the other. Now I
> configured winbind on PDC1 with the following settings:

Are you sure about the trust part? Can you send the steps you made to establish the inter-domain trust relationship?

> winbind separator = +
> idmap backend = ldap:ldap://192.168.1.4
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /home/%U
> template shell = /bin/bash
>
>
> On PDC1 I can see the users of DOM2 now:
>
> # wbinfo -u
> DOM2+user2
> .....
>
>
> Nsswitch is configured to use winbind too.
>
>
> I put DOM2+user2 in a global group (mygroup) on DOM1:
>
> # id DOM2+user2
> uid=10000(DOM2+user2) gid=10006(DOM2+domain users) groups=10006(DOM2+domain users),1031(mygroup)

Hmmm, why is mygroup not in the form "DOM1+mygroup"?

> I put a file on a share of PDC1 that is readable for mygroup:
>
> # ls -la /share/test.txt
> -rw-r----- 1 root mygroup 8 Sep 11 00:16 /share/test.txt
>
>
> And here's my problem:
>
> When I do "su - DOM2+user2" on PDC1 I can read the content of
> this file (because of being a member of the group that has
> read rights on the file). But when I access the file from a
> machine out of DOM2, I get a permission denied error message.

[...]

> Maybe anybody can tell me what I did wrong.
>
> Best regards
> Marc

Can you send the smb.conf from both servers?

Kind regards,
--
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/
Phone: (+55 41 3350 3300)
Marc Mühlfeld
2006-Sep-15 01:52 UTC
Re: [Samba] Winbind: User can read a file on server but not on a share
Felipe Augusto van de Wiel wrote:
> Are you sure about the trust part?

Yes. I followed the howtos. And I have both domains in my logon window and can see and search both domains in the security dialog.

But meanwhile I found some information on the web that it's not possible to run winbind on a Samba PDC: http://www.gatago.com/linux/samba/14515423.html

> Gerald (Jerry) Carter Date: 14-12-2005
> winbindd on a PDC only allocates Unix ids for users and groups from
> trusted domains. Not its own domain.

So this doesn't seem to be a way to set rights on a file/directory on one of my PDCs that can be accessed by users out of both domains. :-(

What kind of ways are left to do this?

Best regards
Marc
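As an added diagnostic, not from the thread or from Samba itself, the script below takes the `id` and `ls -la` lines Marc posted, replays the plain Unix permission check that succeeds under "su -", and separates the user's groups into winbind-mapped domain groups (containing the configured separator "+") and local Unix groups such as mygroup, which is the discrepancy Felipe's "DOM1+mygroup" question points at and which Jerry Carter's note about winbindd on a PDC explains. The sample lines are constructed from the thread's own output; the separator is the one from the posted smb.conf.

```python
import re

SEPARATOR = "+"  # "winbind separator = +" from the posted smb.conf

# Sample input constructed from the thread's own command output.
ID_OUTPUT = ("uid=10000(DOM2+user2) gid=10006(DOM2+domain users) "
             "groups=10006(DOM2+domain users),1031(mygroup)")
LS_OUTPUT = "-rw-r----- 1 root mygroup 8 Sep 11 00:16 /share/test.txt"


def parse_id(line):
    """Return (user, primary group, [all group names]) from `id` output."""
    m = re.match(r"uid=\d+\(([^)]*)\) gid=\d+\(([^)]*)\) groups=(.*)", line)
    if not m:
        raise ValueError("not `id` output: %r" % line)
    groups = re.findall(r"\d+\(([^)]*)\)", m.group(3))
    return m.group(1), m.group(2), groups


def parse_ls(line):
    """Return (mode string, owner, group, path) from one `ls -l` line."""
    fields = line.split(None, 8)
    return fields[0], fields[2], fields[3], fields[8]


def unix_can_read(user, groups, mode, owner, group):
    """The check the kernel applies on `su - user`: owner, else group, else other."""
    if user == owner:
        return mode[1] == "r"
    if group in groups:
        return mode[4] == "r"
    return mode[7] == "r"


def local_groups(groups, sep=SEPARATOR):
    """Groups without the winbind separator are local Unix groups, not domain groups."""
    return [g for g in groups if sep not in g]


def diagnose(id_line, ls_line):
    """Explain why local and SMB access can diverge for the same user and file."""
    user, _primary, groups = parse_id(id_line)
    mode, owner, group, path = parse_ls(ls_line)
    readable = unix_can_read(user, groups, mode, owner, group)
    # Read access that depends on a local-only group is exactly the case
    # where the SMB session's group set, built from domain mappings, may differ.
    via_local = user != owner and group in local_groups(groups)
    return {"path": path, "unix_read": readable,
            "grants_via_local_group": via_local,
            "local_groups": local_groups(groups)}


if __name__ == "__main__":
    print(diagnose(ID_OUTPUT, LS_OUTPUT))
```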