Hello,

I have a Samba PDC (3.x) running on an OpenSUSE 10.2 system. The authentication backend is OpenLDAP.

I want to create a group share (WTCCC) which should be accessible to a group of users (belonging to a group called WTCCC). The users possess this group as their secondary group (NOT primary).

And the share folder would have its gid bit set, so all the writes to the folder would be accessible further only by people belonging to WTCCC. Also I want a default umask of 770 for the shared folder too.

Could someone suggest a share configuration that can do these?

Currently, I have

    [JIAGEN1]
        comment = JIAGEN project share
        path = /export/newWTCCC
        valid write list = +WTCCC
        # acl check permissions = true
        # acl group control = yes
        browseable = Yes
        # read only = No
        inherit acls = Yes
        force group = +WTCCC
        writable = yes
        create mask = 0660
        directory mask = 0770

But as soon as I change the ownership of /export/newWTCCC to root:WTCCC, the users are not able to access the share. But if I have the force group enabled, everyone is able to access the share (as it forces everyone to belong to the group, which should not be the case).

Thanks,
Prakash
Hi Dale,

Thanks for the response. I changed my share configuration as below. But now I cannot authenticate.

    [JIAGEN1]
        comment = JIAGEN project share
        path = /export/newWTCCC
        valid users = +WTCCC
        write list = +WTCCC
        read only = No
        inherit acls = Yes
        force group = +WTCCC
        writable = yes
        create mask = 0660
        directory mask = 0770

Any ideas why?

I checked that the user is a part of the group (though not primary).

    bmifsrd2:~ # groups prakash
    prakash : users torque-users calendar-users irc-users WTCCC plone-managers plone-members fmadmin fmuser

Thanks,
Prakash

On Nov 14, 2007, at 8:57 AM, Dale Schroeder wrote:

> Prakash,
>
> You have inadvertently combined two parameters. There is no "valid write list" parameter.
> You should use
>     write list = +WTCCC
>     valid users = +WTCCC
>
> It should work after correcting the parameter.
>
> Good luck,
> Dale
>
> Prakash Velayutham wrote:
>> Hello,
>>
>> I have a Samba PDC (3.x) running on an OpenSUSE 10.2 system. The authentication backend is OpenLDAP.
>>
>> I want to create a group share (WTCCC) which should be accessible to a group of users (belonging to a group called WTCCC). The users possess this group as their secondary group (NOT primary).
>>
>> And the share folder would have its gid bit set, so all the writes to the folder would be accessible further only by people belonging to WTCCC. Also I want a default umask of 770 for the shared folder too.
>>
>> Could someone suggest a share configuration that can do these?
>>
>> Currently, I have
>>
>>     [JIAGEN1]
>>         comment = JIAGEN project share
>>         path = /export/newWTCCC
>>         valid write list = +WTCCC
>>         # acl check permissions = true
>>         # acl group control = yes
>>         browseable = Yes
>>         # read only = No
>>         inherit acls = Yes
>>         force group = +WTCCC
>>         writable = yes
>>         create mask = 0660
>>         directory mask = 0770
>>
>> But as soon as I change the ownership of /export/newWTCCC to root:WTCCC, the users are not able to access the share. But if I have the force group enabled, everyone is able to access the share (as it forces everyone to belong to the group, which should not be the case).
>>
>> Thanks,
>> Prakash
To add more info, I am seeing the following in the logs. So I am guessing authentication is working fine. It is something with regards to the group membership that is not.

    [2007/11/14 09:41:06, 5] auth/auth.c:check_ntlm_password(296)
      check_ntlm_password: PAM Account for user [prakash] succeeded
    [2007/11/14 09:41:06, 2] auth/auth.c:check_ntlm_password(309)
      check_ntlm_password: authentication for user [prakash] -> [prakash] -> [prakash] succeeded

Thanks,
Prakash

On Nov 14, 2007, at 8:57 AM, Dale Schroeder wrote:

> Prakash,
>
> You have inadvertently combined two parameters. There is no "valid write list" parameter.
> You should use
>     write list = +WTCCC
>     valid users = +WTCCC
>
> It should work after correcting the parameter.
>
> Good luck,
> Dale
>
> Prakash Velayutham wrote:
>> Hello,
>>
>> I have a Samba PDC (3.x) running on an OpenSUSE 10.2 system. The authentication backend is OpenLDAP.
>>
>> I want to create a group share (WTCCC) which should be accessible to a group of users (belonging to a group called WTCCC). The users possess this group as their secondary group (NOT primary).
>>
>> And the share folder would have its gid bit set, so all the writes to the folder would be accessible further only by people belonging to WTCCC. Also I want a default umask of 770 for the shared folder too.
>>
>> Could someone suggest a share configuration that can do these?
>>
>> Currently, I have
>>
>>     [JIAGEN1]
>>         comment = JIAGEN project share
>>         path = /export/newWTCCC
>>         valid write list = +WTCCC
>>         # acl check permissions = true
>>         # acl group control = yes
>>         browseable = Yes
>>         # read only = No
>>         inherit acls = Yes
>>         force group = +WTCCC
>>         writable = yes
>>         create mask = 0660
>>         directory mask = 0770
>>
>> But as soon as I change the ownership of /export/newWTCCC to root:WTCCC, the users are not able to access the share. But if I have the force group enabled, everyone is able to access the share (as it forces everyone to belong to the group, which should not be the case).
>>
>> Thanks,
>> Prakash
Hi Dale,

samba-3.0.26a-0.2.91

This is what I am seeing in the logs.

    [2007/11/14 09:56:17, 5] auth/auth.c:check_ntlm_password(296)
      check_ntlm_password: PAM Account for user [prakash] succeeded
    [2007/11/14 09:56:17, 2] auth/auth.c:check_ntlm_password(309)
      check_ntlm_password: authentication for user [prakash] -> [prakash] -> [prakash] succeeded
    [2007/11/14 09:56:17, 5] auth/auth_util.c:free_user_info(2045)
      attempting to free (and zero) a user_info structure
    [2007/11/14 09:56:17, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1089)
      fetch gid from cache 544 -> S-1-5-32-544
    [2007/11/14 09:56:17, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1089)
      fetch gid from cache 10002 -> S-1-5-32-545
    [2007/11/14 09:56:17, 5] lib/smbldap.c:smbldap_search_ext(1182)
      smbldap_search_ext: base => [ou=PI-groups,o=tchrf,c=us], filter => [(&(|(objectclass=sambaGroupMapping)(sambaGroupType=4))(|(sambaSIDList=S-1-5-21-1913082429-4173022140-755955522-3170)(sambaSIDList=S-1-22-2-1000)(sambaSIDList=S-1-1-0)(sambaSIDList=S-1-5-2)(sambaSIDList=S-1-5-11)(sambaSIDList=S-1-22-2-1010)(sambaSIDList=S-1-22-2-1015)(sambaSIDList=S-1-22-2-1050)(sambaSIDList=S-1-22-2-1004)(sambaSIDList=S-1-22-2-1011)(sambaSIDList=S-1-22-2-1052)(sambaSIDList=S-1-22-2-1053)))], scope => [2]
    [2007/11/14 09:56:17, 5] lib/smbldap.c:smbldap_search_ext(1182)
      smbldap_search_ext: base => [ou=PI-groups,o=tchrf,c=us], filter => [(&(|(objectclass=sambaGroupMapping)(sambaGroupType=4))(|(sambaSIDList=S-1-5-21-1913082429-4173022140-755955522-3170)(sambaSIDList=S-1-22-2-1000)(sambaSIDList=S-1-1-0)(sambaSIDList=S-1-5-2)(sambaSIDList=S-1-5-11)(sambaSIDList=S-1-22-2-1010)(sambaSIDList=S-1-22-2-1015)(sambaSIDList=S-1-22-2-1050)(sambaSIDList=S-1-22-2-1004)(sambaSIDList=S-1-22-2-1011)(sambaSIDList=S-1-22-2-1052)(sambaSIDList=S-1-22-2-1053)))], scope => [2]
    [2007/11/14 09:56:17, 3] lib/privileges.c:get_privileges(261)
      get_privileges: No privileges assigned to SID [S-1-5-21-1913082429-4173022140-755955522-3170]
    [2007/11/14 09:56:17, 3] lib/privileges.c:get_privileges(261)
      get_privileges: No privileges assigned to SID [S-1-22-2-1000]
    [2007/11/14 09:56:17, 5] lib/privileges.c:get_privileges_for_sids(460)
      get_privileges_for_sids: sid = S-1-1-0
      Privilege set: SE_PRIV 0x0 0x0 0x0 0x0
    .. more logs ...
    [2007/11/14 09:56:17, 4] smbd/reply.c:reply_tcon_and_X(506)
      Client requested device type [?????] for share [JIAGEN1]
    [2007/11/14 09:56:17, 5] smbd/service.c:make_connection(1205)
      making a connection to 'normal' service jiagen1
    [2007/11/14 09:56:17, 3] lib/util_sid.c:string_to_sid(223)
      string_to_sid: Sid +WTCCC does not start with 'S-'.
    [2007/11/14 09:56:17, 3] smbd/sec_ctx.c:push_sec_ctx(208)
      push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
    [2007/11/14 09:56:17, 3] smbd/uid.c:push_conn_ctx(358)
      push_conn_ctx(0) : conn_ctx_stack_ndx = 0
    [2007/11/14 09:56:17, 3] smbd/sec_ctx.c:set_sec_ctx(241)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
    [2007/11/14 09:56:17, 5] auth/auth_util.c:debug_nt_user_token(448)
      NT user token: (NULL)
    [2007/11/14 09:56:17, 5] auth/auth_util.c:debug_unix_user_token(474)
      UNIX token of user 0
      Primary group is 0 and contains 0 supplementary groups
    [2007/11/14 09:56:17, 5] lib/smbldap.c:smbldap_search_ext(1182)
      smbldap_search_ext: base => [ou=PI-groups,o=tchrf,c=us], filter => [(&(objectClass=sambaGroupMapping)(|(displayName=WTCCC)(cn=WTCCC)))], scope => [2]
    [2007/11/14 09:56:17, 2] passdb/pdb_ldap.c:init_group_from_ldap(2158)
      init_group_from_ldap: Entry found for group: 1008
    [2007/11/14 09:56:17, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
      pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2007/11/14 09:56:17, 2] smbd/service.c:make_connection_snum(616)
      user 'prakash' (from session setup) not permitted to access this share (JIAGEN1)
    [2007/11/14 09:56:17, 3] smbd/error.c:error_packet_set(106)
      error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

    [global]
        workgroup = WORKGROUPNAME
        netbios name = servername
        encrypt passwords = yes
        password server = *
        passdb backend = ldapsam:"ldaps://***.***.***"
        log level = 9
        syslog = 0
        name resolve order = wins bcast hosts
        ldap suffix = o=x,c=y
        ldap machine suffix = ou=xx
        ldap group suffix = ou=yy
        ldap user suffix = ou=xx
        ldap idmap suffix = ou=zz
        ldap admin dn = cn=Manager,o=x,c=y
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind use default domain = yes
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        security = user

Any more ideas, please?

Thanks,
Prakash

On Nov 14, 2007, at 10:13 AM, Dale Schroeder wrote:

> Are there any errors in the logs? If not, try increasing your log level to 10.
> What does the global section of your smb.conf look like, and which version of Samba are you running?
> If it is an openldap problem, maybe one of the ldap experts (which I am not) could spot it.
>
> Dale
>
> Prakash Velayutham wrote:
>> To add more info, I am seeing the following in the logs. So I am guessing authentication is working fine. It is something with regards to the group membership that is not.
>>
>>     [2007/11/14 09:41:06, 5] auth/auth.c:check_ntlm_password(296)
>>       check_ntlm_password: PAM Account for user [prakash] succeeded
>>     [2007/11/14 09:41:06, 2] auth/auth.c:check_ntlm_password(309)
>>       check_ntlm_password: authentication for user [prakash] -> [prakash] -> [prakash] succeeded
>>
>> Thanks,
>> Prakash
>
> Prakash Velayutham wrote:
>> Hi Dale,
>>
>> Thanks for the response. I changed my share configuration as below. But now I cannot authenticate.
>>
>>     [JIAGEN1]
>>         comment = JIAGEN project share
>>         path = /export/newWTCCC
>>         valid users = +WTCCC
>>         write list = +WTCCC
>>         read only = No
>>         inherit acls = Yes
>>         force group = +WTCCC
>>         writable = yes
>>         create mask = 0660
>>         directory mask = 0770
>>
>> Any ideas why?
>>
>> I checked that the user is a part of the group (though not primary).
>>
>>     bmifsrd2:~ # groups prakash
>>     prakash : users torque-users calendar-users irc-users WTCCC plone-managers plone-members fmadmin fmuser
>>
>> Thanks,
>> Prakash
>>
>> On Nov 14, 2007, at 8:57 AM, Dale Schroeder wrote:
>>
>>> Prakash,
>>>
>>> You have inadvertently combined two parameters. There is no "valid write list" parameter.
>>> You should use
>>>     write list = +WTCCC
>>>     valid users = +WTCCC
>>>
>>> It should work after correcting the parameter.
>>>
>>> Good luck,
>>> Dale
>>>
>>> Prakash Velayutham wrote:
>>>> Hello,
>>>>
>>>> I have a Samba PDC (3.x) running on an OpenSUSE 10.2 system. The authentication backend is OpenLDAP.
>>>>
>>>> I want to create a group share (WTCCC) which should be accessible to a group of users (belonging to a group called WTCCC). The users possess this group as their secondary group (NOT primary).
>>>>
>>>> And the share folder would have its gid bit set, so all the writes to the folder would be accessible further only by people belonging to WTCCC. Also I want a default umask of 770 for the shared folder too.
>>>>
>>>> Could someone suggest a share configuration that can do these?
>>>>
>>>> Currently, I have
>>>>
>>>>     [JIAGEN1]
>>>>         comment = JIAGEN project share
>>>>         path = /export/newWTCCC
>>>>         valid write list = +WTCCC
>>>>         # acl check permissions = true
>>>>         # acl group control = yes
>>>>         browseable = Yes
>>>>         # read only = No
>>>>         inherit acls = Yes
>>>>         force group = +WTCCC
>>>>         writable = yes
>>>>         create mask = 0660
>>>>         directory mask = 0770
>>>>
>>>> But as soon as I change the ownership of /export/newWTCCC to root:WTCCC, the users are not able to access the share. But if I have the force group enabled, everyone is able to access the share (as it forces everyone to belong to the group, which should not be the case).
>>>>
>>>> Thanks,
>>>> Prakash
Hello All,

Wanted to update you all that this issue is resolved. This is my working configuration.

    [global]
        workgroup = WORKGROUPNAME
        netbios name = servername
        encrypt passwords = yes
        password server = *
        passdb backend = ldapsam:"ldaps://x.y.z"
        log level = 9
        syslog = 0
        name resolve order = wins bcast hosts
        ldap suffix = o=x,c=y
        ldap machine suffix = ou=xx
        ldap group suffix = ou=yy
        ldap user suffix = ou=xx
        ldap idmap suffix = ou=nn
        ldap admin dn = cn=Manager,o=x,c=y
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind use default domain = yes
        winbind cache time = 5
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        security = user

    [JIAGEN]
        comment = JIAGEN project share
        path = /export/WTCCC
        valid users = @WTCCC
        write list = +WTCCC
        read only = No
        inherit acls = Yes
        force group = +WTCCC
        writable = yes
        create mask = 0660
        directory mask = 0770

I had some issue with server-side caching, which got resolved once I stopped nscd on the server. Now everything is peachy!!!

Thanks,
Prakash

On Nov 14, 2007, at 10:13 AM, Dale Schroeder wrote:

> Are there any errors in the logs? If not, try increasing your log level to 10.
> What does the global section of your smb.conf look like, and which version of Samba are you running?
> If it is an openldap problem, maybe one of the ldap experts (which I am not) could spot it.
>
> Dale
>
> Prakash Velayutham wrote:
>> To add more info, I am seeing the following in the logs. So I am guessing authentication is working fine. It is something with regards to the group membership that is not.
>>
>>     [2007/11/14 09:41:06, 5] auth/auth.c:check_ntlm_password(296)
>>       check_ntlm_password: PAM Account for user [prakash] succeeded
>>     [2007/11/14 09:41:06, 2] auth/auth.c:check_ntlm_password(309)
>>       check_ntlm_password: authentication for user [prakash] -> [prakash] -> [prakash] succeeded
>>
>> Thanks,
>> Prakash
>
> Prakash Velayutham wrote:
>> Hi Dale,
>>
>> Thanks for the response. I changed my share configuration as below. But now I cannot authenticate.
>>
>>     [JIAGEN1]
>>         comment = JIAGEN project share
>>         path = /export/newWTCCC
>>         valid users = +WTCCC
>>         write list = +WTCCC
>>         read only = No
>>         inherit acls = Yes
>>         force group = +WTCCC
>>         writable = yes
>>         create mask = 0660
>>         directory mask = 0770
>>
>> Any ideas why?
>>
>> I checked that the user is a part of the group (though not primary).
>>
>>     bmifsrd2:~ # groups prakash
>>     prakash : users torque-users calendar-users irc-users WTCCC plone-managers plone-members fmadmin fmuser
>>
>> Thanks,
>> Prakash
>>
>> On Nov 14, 2007, at 8:57 AM, Dale Schroeder wrote:
>>
>>> Prakash,
>>>
>>> You have inadvertently combined two parameters. There is no "valid write list" parameter.
>>> You should use
>>>     write list = +WTCCC
>>>     valid users = +WTCCC
>>>
>>> It should work after correcting the parameter.
>>>
>>> Good luck,
>>> Dale
>>>
>>> Prakash Velayutham wrote:
>>>> Hello,
>>>>
>>>> I have a Samba PDC (3.x) running on an OpenSUSE 10.2 system. The authentication backend is OpenLDAP.
>>>>
>>>> I want to create a group share (WTCCC) which should be accessible to a group of users (belonging to a group called WTCCC). The users possess this group as their secondary group (NOT primary).
>>>>
>>>> And the share folder would have its gid bit set, so all the writes to the folder would be accessible further only by people belonging to WTCCC. Also I want a default umask of 770 for the shared folder too.
>>>>
>>>> Could someone suggest a share configuration that can do these?
>>>>
>>>> Currently, I have
>>>>
>>>>     [JIAGEN1]
>>>>         comment = JIAGEN project share
>>>>         path = /export/newWTCCC
>>>>         valid write list = +WTCCC
>>>>         # acl check permissions = true
>>>>         # acl group control = yes
>>>>         browseable = Yes
>>>>         # read only = No
>>>>         inherit acls = Yes
>>>>         force group = +WTCCC
>>>>         writable = yes
>>>>         create mask = 0660
>>>>         directory mask = 0770
>>>>
>>>> But as soon as I change the ownership of /export/newWTCCC to root:WTCCC, the users are not able to access the share. But if I have the force group enabled, everyone is able to access the share (as it forces everyone to belong to the group, which should not be the case).
>>>>
>>>> Thanks,
>>>> Prakash
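An added example, not from the thread or from Samba: a small checker for the two halves of this setup, the [share] section (it catches the merged "valid write list" parameter Dale spotted, a missing "valid users", a "force group" without the "+" prefix that limits it to existing members, and masks that leave "other" bits set) and the on-disk directory (group-owned, setgid, mode 770). The KNOWN set is a constructed subset of smb.conf parameters and both config strings are constructed from the thread; testparm(1) remains the authoritative parser.

```python
import os
import tempfile

# Constructed subset of smb.conf share parameters, enough to catch the thread's
# merged "valid write list"; testparm(1) is the authoritative check.
KNOWN = {"comment", "path", "browseable", "valid users", "write list", "read only",
         "writable", "inherit acls", "force group", "create mask", "directory mask"}

# Constructed inputs: the thread's first attempt and the share section that worked.
BROKEN = """[JIAGEN1]
    path = /export/newWTCCC
    valid write list = +WTCCC
    force group = +WTCCC
    create mask = 0660
    directory mask = 0770
"""
WORKING = """[JIAGEN]
    path = /export/WTCCC
    valid users = @WTCCC
    force group = +WTCCC
    create mask = 0660
    directory mask = 0770
"""

def parse_share(text):
    """Return {parameter: value} for one [share] section; comments are skipped."""
    params = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and line[0] not in "#;[":
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip()
    return params

def check_share(params):
    """Findings for a share meant to admit only members of one UNIX group."""
    findings = [f"unknown parameter '{k}' is silently ignored" for k in params if k not in KNOWN]
    if "valid users" not in params:
        findings.append("no 'valid users': any authenticated user may connect")
    force = params.get("force group", "")
    if force and not force.startswith("+"):
        findings.append("force group lacks '+': non-members are given the group too")
    for key, default in (("create mask", "0744"), ("directory mask", "0755")):  # Samba defaults
        if int(params.get(key, default), 8) & 0o007:
            findings.append(f"{key} grants access to 'other'")
    return findings

def share_dir_ok(path, gid):
    """True when path is group-owned by gid with mode 2770: setgid set, no 'other' bits."""
    st = os.stat(path)
    return st.st_gid == gid and (st.st_mode & 0o7777) == 0o2770

def demo_dir_check():
    """Run share_dir_ok on a scratch directory with and then without the setgid bit."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o2770)
        with_setgid = share_dir_ok(d, os.stat(d).st_gid)
        os.chmod(d, 0o0770)
        return with_setgid, share_dir_ok(d, os.stat(d).st_gid)
```

On the real server the directory check would be run as `share_dir_ok("/export/WTCCC", grp.getgrnam("WTCCC").gr_gid)`; the scratch-directory demo only shows that the setgid bit is what distinguishes a pass from a fail.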