Nathan VanHoudnos
2007-Dec-12 20:21 UTC
[Samba] vfs_ChDir fails, even though the share is read-write for that user
Hi,

I'm running Samba Version 3.0.25c on Solaris 10 8/07 on X86 hardware.
It's successfully joined to AD.

But, and there always is a but, if:
* A user is a member of SomeGroup
* and the share allows SomeGroup to access it
* and SomeGroup is NOT what the user has set as their Primary Group in
  Active Directory
then
* Samba will recognize that the user can access the share
* but, vfs_ChDir will fail

Consider a user, "vanhoudn", whose primary group is "WSG Staff".
If the share config is set to:

[arrakis]
path = "/export/arrakis"
comment = "Arraken Test share"
writeable = yes
valid users = @"UIUC+domain users"
vfs objects = zfsacl
nfs4: mode = special

The logs will spit out:

[2007/12/12 10:09:17, 10] smbd/share_access.c:(232)
  user_ok_token: share arrakis is ok for unix user UIUC+vanhoudn
[2007/12/12 10:09:17, 10] smbd/share_access.c:(274)
  is_share_read_only_for_user: share arrakis is read-write for unix user UIUC+vanhoudn

Which is good. And, we can see that samba is correctly finding all of
the groups that this user is a member of...

[2007/12/12 10:09:17, 5] auth/auth_util.c:(474)
  UNIX token of user 10000
  Primary group is 10031 and contains 58 supplementary groups
  Group[ 0]: 10007
  Group[ 1]: 10008
  <etc>

But, the access to the share will fail. The logs throw out this:

[2007/12/12 10:09:17, 5] smbd/uid.c:(273)
  change_to_user uid=(0,10000) gid=(0,10031)
[2007/12/12 10:09:17, 4] smbd/vfs.c:(665)
  vfs_ChDir to /export/arrakis
[2007/12/12 10:09:17, 4] smbd/vfs.c:(665)
  vfs_ChDir to /export/arrakis
[2007/12/12 10:09:17, 0] smbd/service.c:(184)
  chdir (/export/arrakis) failed
[2007/12/12 10:09:17, 3] smbd/error.c:(106)
  error packet at smbd/process.c(991) cmd=50 (SMBtrans2) NT_STATUS_NETWORK_ACCESS_DENIED

And I don't think it's because of filesystem permissions. ls gives:

drwxrwx--- 2 root UIUC+domain users 8 Dec 4 14:12 arrakis

The last log entry remains the same if the "vfs objects = zfsacl" and
"nfs4: mode = special" lines are there or not.

Any help would be greatly appreciated.

Cheers,
Nathan VanHoudnos
Jeremy Allison
2007-Dec-12 21:39 UTC
[Samba] vfs_ChDir fails, even though the share is read-write for that user
On Wed, Dec 12, 2007 at 02:21:43PM -0600, Nathan VanHoudnos wrote:
> Hi,
>
> I'm running Samba Version 3.0.25c on Solaris 10 8/07 on X86 hardware.
> It's successfully joined to AD.
>
> But, and there always is a but, if:
> * A user is a member of SomeGroup
> * and the share allows SomeGroup to access it
> * and SomeGroup is NOT what the user has set as their Primary Group in
> Active Directory
> then
> * Samba will recognize that the user can access the share
> * but, vfs_ChDir will fail
>
> Consider a user, "vanhoudn", whose primary group is "WSG Staff".
> If the share config is set to:
> [arrakis]
> path = "/export/arrakis"
> comment = "Arraken Test share"
> writeable = yes
> valid users = @"UIUC+domain users"
> vfs objects = zfsacl
> nfs4: mode = special
>
> The logs will spit out:
> [2007/12/12 10:09:17, 10] smbd/share_access.c:(232)
> user_ok_token: share arrakis is ok for unix user UIUC+vanhoudn
> [2007/12/12 10:09:17, 10] smbd/share_access.c:(274)
> is_share_read_only_for_user: share arrakis is read-write for unix user
> UIUC+vanhoudn
>
> Which is good. And, we can see that samba is correctly finding all of
> the groups that this user is a member of...
>
> [2007/12/12 10:09:17, 5] auth/auth_util.c:(474)
> UNIX token of user 10000
> Primary group is 10031 and contains 58 supplementary groups
> Group[ 0]: 10007
> Group[ 1]: 10008
> <etc>

Doesn't Solaris still have a limit of 16 UNIX groups per process token?
Or did that get fixed? That would explain this.

Jeremy.
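
One way to check the hypothesis in the reply above, as an added example that is not part of the original thread or of Samba: parse the UNIX token dump that smbd logs and compare it with the per-process supplementary group limit. The sample log, the gid 10025 standing in for the share directory's group, and the limit of 16 (the figure asked about in the reply) are assumptions.

```python
import os
import re

# Constructed sample in the format of the auth_util.c token dump quoted above;
# the count of 20 and the gids after Group[1] are made up for illustration.
SAMPLE_LOG = "\n".join(
    ["[2007/12/12 10:09:17, 5] auth/auth_util.c:(474)",
     "  UNIX token of user 10000",
     "  Primary group is 10031 and contains 20 supplementary groups"]
    + [f"  Group[{i:3d}]: {10007 + i}" for i in range(20)]
)

HEADER = re.compile(r"UNIX token of user (\d+)\s+Primary group is (\d+) "
                    r"and contains (\d+) supplementary groups")
GROUP = re.compile(r"Group\[\s*\d+\]:\s*(\d+)")


def parse_token(log_text):
    """Extract uid, primary gid, declared count and listed gids from a dump."""
    m = HEADER.search(log_text)
    if m is None:
        raise ValueError("no UNIX token dump found")
    uid, gid, declared = map(int, m.groups())
    groups = [int(g) for g in GROUP.findall(log_text[m.end():])]
    return {"uid": uid, "gid": gid, "declared": declared, "groups": groups}


def check_group_limit(token, needed_gid, ngroups_max=None):
    """Compare the token with the per-process supplementary group limit."""
    if ngroups_max is None:
        ngroups_max = os.sysconf("SC_NGROUPS_MAX")  # limit on the local host
    beyond = token["groups"][ngroups_max:]  # entries past the limit
    return {
        "limit": ngroups_max,
        "over_limit": token["declared"] > ngroups_max,
        "incomplete_dump": len(token["groups"]) != token["declared"],
        "needed_is_primary": needed_gid == token["gid"],
        "needed_beyond_limit": needed_gid in beyond,
    }


if __name__ == "__main__":
    # 10025 is a hypothetical gid for the group that owns the share directory.
    print(check_group_limit(parse_token(SAMPLE_LOG), needed_gid=10025,
                            ngroups_max=16))
```

Whether an oversized group list is rejected or cut short is platform-specific, so the script only flags the mismatch; on the server itself, `getconf NGROUPS_MAX` gives the value to pass as `ngroups_max`.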