Bryan Collins
2007-Aug-16 02:24 UTC
[Samba] samba3.0.25b group permissions problem via AD+Winbind
Hi Samba people,

I'm having a strange problem with Samba 3.0.25b running on Solaris 9 with native ADS and Winbind.

A domain user (no /etc/passwd entry), jlunch, can write to directories via the Unix shell that have group permissions he is part of without any issues. However, doing the same via a Samba share (share1) in the same folder (folder1) returns permission denied. It almost appears as if the samba process is dropping the secondary group memberships when the process switches to that user. The group permission on the share allows access to map the share, but the underlying filesystem is preventing write access, even though the permissions allow it.

The user can write to folders via Samba if they own the folder, or if the group permission is "domain users" (primary group), or the user is set to have write access via Solaris ACLs, which is set via the Security tab under folder properties. The group 107657(bss) is an AD group. Cut&paste of various tasks included below.

On another note, ps seems to display a padded-out UID instead of the resolved username from winbind.

Can anyone help out with this permission problem? It's currently preventing me from shifting over to using ADS+Winbind from the old method of requiring Unix accounts for every AD user. I can provide more logs off-list if it will help diagnose.

Thanks
Bry

-------------

nsswitch.conf:

passwd: files winbind
group: files winbind

#ps -ef | grep smb
    root  7968  7964  0 11:15:37 ?     0:00 /opt/samba/sbin/smbd -D
    root  7964     1  0 11:15:37 ?     0:00 /opt/samba/sbin/smbd -D
    root  8060 25653  0 11:18:53 pts/1 0:00 grep smb
 0105216  7972  7964  2 11:15:48 ?     0:05 /opt/samba/sbin/smbd -D

#ls -ld /www/devel/test/folder1
drwxrwsr-x 5 root bss 512 Aug 14 16:25 /www/devel/test/folder1

#getent passwd jlunch
jlunch:*:105216:100513:Joe Lunchbucket:/export/home/DOMAIN/jlunch:/bin/bash

#getent group bss
bss:x:107657:jlunch

su - jlunch
bash-2.05$ cd /www/devel/test/folder1
bash-2.05$ touch testfile
bash-2.05$ ls -l testfile
-rw-r--r-- 1 jlunch bss 0 Aug 16 11:05 testfile
bash-2.05$ id -a
uid=105216(jlunch) gid=100513(domain users) groups=100513(domain users),1008(div3),108521(d4),108536(d3),107657(bss) [chopped]

smb.conf:

[global]
        workgroup = DOMAIN
        password server = mydc.xxx.xxx.xx
        security = ADS
        realm = DOMAIN.xxx.xxx.xx
        allow trusted domains = No
        encrypt passwords = Yes
        idmap domains = DOMAIN
        idmap config DOMAIN:default = yes
        idmap config DOMAIN:backend = rid
        idmap config DOMAIN:base_rid = 0
        idmap config DOMAIN:range = 100000-999999
        debug level = 10
        template homedir = /export/home/%D/%U
        template shell = /bin/bash
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind nested groups = Yes
        winbind use default domain = Yes

[share1]
        comment = test share
        path = /www/devel
        read only = No
        valid users = @DOMAIN\bss, +itstaff

[2007/08/16 11:15:49, 1] smbd/service.c:make_connection_snum(1033)
  xxx.x.xxx.xx (xxx.x.xxx.xx) connect to service www-devel initially as user DOMAIN\jlunch (uid=105216, gid=100513) (pid 7972)
....
[2007/08/16 11:15:49, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 105216
  Primary group is 100513 and contains 26 supplementary groups
  Group[ 0]: 108521
  Group[ 1]: 108536
  Group[ 2]: 107657
.....
[2007/08/16 11:15:57, 4] smbd/open.c:open_file_ntcreate(1605)
  calling open_file with flags=0x2 flags2=0x500 mode=0664, access_mask 0x2019f, open_access_mask = 0x2019f
[2007/08/16 11:15:57, 10] smbd/open.c:fd_open(67)
  fd_open: name test/folder1/New Text Document (2).txt, flags = 02402 mode = 0664, fd = -1. Permission denied
[2007/08/16 11:15:57, 3] smbd/open.c:open_file(301)
  Error opening file test/folder1/New Text Document (2).txt (NT_STATUS_ACCESS_DENIED) (local_flags=1282) (flags=1282)
[2007/08/16 11:15:57, 5] smbd/files.c:file_free(454)
  freed files structure 6714 (2 used)
[2007/08/16 11:15:57, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/nttrans.c(817) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED
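An added diagnostic script, not part of Bryan's post and not Samba code, that a reader of the level-5 "UNIX token" excerpt above would want to run. The token lists 26 supplementary groups, and POSIX setgroups() fails with EINVAL when handed more groups than the host's NGROUPS_MAX, so a membership that survives in a login shell can still be missing inside smbd. The script parses the token log format shown in the post, counts the groups, checks whether a given GID (here 107657, the bss group) is present, and compares the count with `getconf NGROUPS_MAX`. The sample token it embeds is constructed (all GIDs other than those quoted in the post are placeholders), and the fallback limit of 16 used when getconf is unavailable is an assumption, not a measured value.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): count the supplementary
# groups in an smbd debug-level-5 "UNIX token" excerpt and compare against
# NGROUPS_MAX. setgroups() rejects a set larger than NGROUPS_MAX with EINVAL,
# so an oversized AD membership list is one way a group grant that works in
# a shell can vanish inside the server process.

# Print a constructed 26-group token in the layout smbd logs at level 5.
# 105216/100513/107657 are the values quoted in the post; every other GID
# here is an invented placeholder.
make_sample() {
    printf '%s\n' \
        '[2007/08/16 11:15:49, 5] auth/auth_util.c:debug_unix_user_token(474)' \
        '  UNIX token of user 105216' \
        '  Primary group is 100513 and contains 26 supplementary groups' \
        '  Group[ 0]: 108521' \
        '  Group[ 1]: 108536' \
        '  Group[ 2]: 107657'
    i=3
    while [ "$i" -lt 26 ]; do
        printf '  Group[ %2d]: %d\n' "$i" $((110000 + i))
        i=$((i + 1))
    done
}

# Count "Group[ n]: gid" lines read from stdin.
token_group_count() {
    grep -c 'Group\[ *[0-9][0-9]*\]:'
}

# Succeed (exit 0) if GID $1 appears in the token read from stdin.
token_has_gid() {
    grep -q "Group\[ *[0-9][0-9]*\]: $1\$"
}

# Host limit from getconf; 16 is an assumed fallback when getconf is
# unavailable or returns nothing usable, not a measured figure.
ngroups_limit() {
    limit=$(getconf NGROUPS_MAX 2>/dev/null)
    case "$limit" in
        ''|*[!0-9]*) echo 16 ;;
        *) echo "$limit" ;;
    esac
}

# Verdict for a token ($1: full log text), a target GID ($2) and a limit ($3).
# Prints "absent" if the GID is not in the token at all, "over-limit" if it
# is present but the token exceeds the limit, and "ok" otherwise.
check_token() {
    log=$1; gid=$2; limit=$3
    count=$(printf '%s\n' "$log" | token_group_count)
    if ! printf '%s\n' "$log" | token_has_gid "$gid"; then
        echo absent
    elif [ "$count" -gt "$limit" ]; then
        echo over-limit
    else
        echo ok
    fi
}

# Stand-alone run against the constructed sample; replace make_sample with
# the real log excerpt to check an actual token.
sample=$(make_sample)
printf 'supplementary groups in token: %s\n' "$(printf '%s\n' "$sample" | token_group_count)"
printf 'NGROUPS_MAX on this host: %s\n' "$(ngroups_limit)"
printf 'verdict for gid 107657: %s\n' "$(check_token "$sample" 107657 "$(ngroups_limit)")"
```

To use it on a real server, capture the `debug_unix_user_token` block from the smbd log for the affected connection and pass it to `check_token`; an "over-limit" verdict means the kernel limit, not the filesystem mode bits or Samba's share ACL, is the first thing to look at.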