Bob of Donelson Trophy
2015-Jan-08 15:41 UTC
[Samba] getting permissions denied on home folders
I have a fresh Debian based Samba server and Member server setup.

I have configured profiles and they appear to be saving properly to the member server.

When I attempt to adjust file permissions (as instructed by the Sambawiki page "Samba & Windows Profiles") I am getting "Access Denied" complaints. These I believe (I could be wrong) relate to the file permissions within Debian member server.

When I 'ls -alh /home/samba/DOMAIN/users' I get root:root owning both the single 'dot' and double 'dot' hidden files that are listed there. What should these permissions be? Or am I having some permissions issue between the DC and the member server?

--
-------------------------
Bob Wooden of Donelson Trophy
615.885.2846 (main)
www.donelsontrophy.com [1]
"Everyone deserves an award!!"

Links:
------
[1] http://www.donelsontrophy.com
Hai,

Did you join the PC in the domain? And you're logged in as Administrator? And you did set up exactly as the wiki example... then it should work.

So recheck your steps for the share and security settings. And if you have changed rights from Windows, don't change any rights from within Linux; that can mess up the ACL/rights in Windows again.

If you only have Windows clients, you can add this parameter to your share(s):

acl_xattr:ignore system acls = yes

Louis

>-----Original message-----
>From: bob at donelsontrophy.net
>[mailto:samba-bounces at lists.samba.org] On behalf of Bob of Donelson Trophy
>Sent: Thursday 8 January 2015 16:42
>To: SAMBA MailList
>Subject: [Samba] getting permissions denied on home folders
>
>I have a fresh Debian based Samba server and Member server setup.
>
>I have configured profiles and they appear to be saving properly to the
>member server.
>
>When I attempt to adjust file permissions (as instructed by the
>Sambawiki page "Samba & Windows Profiles") I am getting "Access Denied"
>complaints. These I believe (I could be wrong) relate to the file
>permissions within Debian member server.
>
>When I 'ls -alh /home/samba/DOMAIN/users' I get root:root owning both
>the single 'dot' and double 'dot' hidden files that are listed there.
>What should these permissions be? Or am I having some permissions issue
>between the DC and the member server?
On 08/01/15 15:41, Bob of Donelson Trophy wrote:
> I have a fresh Debian based Samba server and Member server setup.
>
> I have configured profiles and they appear to be saving properly to the
> member server.
>
> When I attempt to adjust file permissions (as instructed by the
> Sambawiki page "Samba & Windows Profiles") I am getting "Access Denied"
> complaints. These I believe (I could be wrong) relate to the file
> permissions within Debian member server.
>
> When I 'ls -alh /home/samba/DOMAIN/users' I get root:root owning both
> the single 'dot' and double 'dot' hidden files that are listed there.
> What should these permissions be? Or am I having some permissions issue
> between the DC and the member server?

Hi Bob, the 'hidden' dot files aren't really hidden, from your path, the '.' is 'users' and '..' is 'DOMAIN' :-)

If, as seems, you created the directories as root, you should be good to go, I think that it may be a problem with who is trying to set the ACL's from windows. this needs to be Administrator, who should be mapped to root (yes the user who owns the directory on the member server) via a line in smb.conf and a file that the line refers to. i.e.

'username map = /etc/samba/user.map'

and 'user.map' containing just one line:

'!root = EXAMPLE\Administrator Administrator administrator'

Rowland
Bob of Donelson Trophy
2015-Jan-08 18:37 UTC
[Samba] getting permissions denied on home folders
First, I keep forgetting that I need to change the email address to reply to the mailing list. Sorry about that, everyone. (Hard to follow a thread that is fragmented like this one now is.) I am focusing too intently on my problem.

Rowland, changed to 0755 for the three directories you suggested and still getting "Access is denied" from my W7 client. I even restarted the server and still get "Access is denied."

And 'profiles' appeared to be working fine . . . I cannot figure out why 'users' would be acting like this?

The only difference I can see is that 'users' has a "sticky bit" and 'profiles' does not. But, 'users' needs a "sticky bit" doesn't it?

---
-------------------------
Bob Wooden of Donelson Trophy
615.885.2846 (main)
www.donelsontrophy.com [1]
"Everyone deserves an award!!"

On 2015-01-08 11:59, Rowland Penny wrote:
> On 08/01/15 17:28, Bob of Donelson Trophy wrote:
>
> Here is:
>
> root@dtmember01:~# getfacl /home/samba/DTDC01/users
> getfacl: Removing leading '/' from absolute path names
> # file: home/samba/DTDC01/users
> # owner: root
> # group: root
> user::rwx
> group::r-x
> other::r-x
> default:user::rwx
> default:group::r-x
> default:group:50010:rwx
> default:mask::rwx
> default:other::r-x
>
> And yes, I have looked at https://wiki.samba.org/index.php/Setting_up_a_home_share [2] but, can't explore that until I fix this permissions "denied" issue.
>
> Now?
>
> On 2015-01-08 11:14, Rowland Penny wrote:
> On 08/01/15 17:02, Bob of Donelson Trophy wrote:
>
> Made the changes you suggested and still getting "Access is denied" on W7 client.
>
> Here is some info that might help:
>
> root@dtmember01:~# cat /etc/samba/samba_usermapping
> !root = DTDC01\Administrator Administrator administrator
> root@dtmember01:~# ls -alh /home/samba/DTDC01/users
> total 8.0K
> drwxr-xr-x+ 2 root root 4.0K Dec 31 15:38 .
> drwxr-xr-t 5 root root 4.0K Dec 31 15:38 ..
> root@dtmember01:~# ls -alh /home/samba/DTDC01
> total 24K
> drwxr-xr-t 5 root root 4.0K Dec 31 15:38 .
> drwxr-xr-x 4 root root 4.0K Dec 31 15:38 ..
> drwxrwsr-x 2 root root 4.0K Dec 31 15:38 companydata
> drwxrwx--T 7 root 50005 4.0K Jan 4 12:10 profiles
> drwxr-xr-x+ 2 root root 4.0K Dec 31 15:38 users
>
> Does it matter . . . those tiny "plus" signs after some of the permissions? And the "50005" group?
>
> Further suggestions or questions?
>
> OK, the tiny "plus" signs mean that you have ACL's set on users, and 50005 comes from here: 'idmap config *:range = 50001-80000' and is a BUILTIN object. You can find out which with 'wbinfo -G 50005'
>
> To find out what ACL's are set on 'users': getfacl /home/samba/DTDC01/users
>
> Also, as we are discussing users home dirs, have you had a look here: https://wiki.samba.org/index.php/Setting_up_a_home_share [2]
>
> Rowland
>
> On 2015-01-08 10:49, Rowland Penny wrote:
> On 08/01/15 16:38, Bob of Donelson Trophy wrote:
>
> Thanks Rowland,
>
> I have created both my DC and my MEMBER servers with Louis' scripts.
>
> On the MEMBER server, within the smb.conf is this
>
> >>>>> snip <<<<<
> # user Administrator workaround, without it you are unable to set privileges
> username map = /etc/samba/samba_usermapping
> >>>>> snip <<<<<
>
> Then the /etc/samba/samba_usermapping file contains
>
> !root = DTDC01\Administrator DTDC01\administrator
>
> This would be the manner that the scripts created as I have not changed anything in the area, myself. What is "throwing me a curve" is the different file names. (Maybe I am over analyzing this but details are details.)
>
> So, you're saying change my '/etc/samba/samba_usermapping' to?
>
> '!root = DTDC01\Administrator Administrator administrator'
>
> (BTW, I only mentioned the hidden files as they were the only thing listed, as a way to reference the owner:group settings.)
>
> On 2015-01-08 10:07, Rowland Penny wrote:
> On 08/01/15 15:41, Bob of Donelson Trophy wrote:
> I have a fresh Debian based Samba server and Member server setup. I have configured profiles and they appear to be saving properly to the member server. When I attempt to adjust file permissions (as instructed by the Sambawiki page "Samba & Windows Profiles") I am getting "Access Denied" complaints. These I believe (I could be wrong) relate to the file permissions within Debian member server. When I 'ls -alh /home/samba/DOMAIN/users' I get root:root owning both the single 'dot' and double 'dot' hidden files that are listed there. What should these permissions be? Or am I having some permissions issue between the DC and the member server?
>
> Hi Bob, the 'hidden' dot files aren't really hidden, from your path, the '.' is 'users' and '..' is 'DOMAIN' :-)
>
> If, as seems, you created the directories as root, you should be good to go, I think that it may be a problem with who is trying to set the ACL's from windows. this needs to be Administrator, who should be mapped to root (yes the user who owns the directory on the member server) via a line in smb.conf and a file that the line refers to. i.e. 'username map = /etc/samba/user.map' and 'user.map' containing just one line:
>
> '!root = EXAMPLE\Administrator Administrator administrator'
>
> Rowland

Hi, what the file does is map anything from the right hand side of the equals sign to whoever is at the left hand side of the equals sign, the '!' sign means 'stop searching if a mapping is found in this line', you can have more than one line/user in the file.

What I would do is add 'Administrator administrator' to your file and restart samba and try again.

If you are using Louis's script, you will have this line in smb.conf: 'winbind use default domain = yes' , this means that you do not have to use the DOMAIN name and this may be your problem.

Rowland

OK, Louis seems to do things differently to me, he appears to be setting the 'sticky bit' on the following dirs:

/home/samba/DOMAIN
/home/samba/DOMAIN/users
/home/samba/DOMAIN/profiles

This is something that I have never done (and have never had problems through not doing it ), so you could try 'chmod 0755' on those three dirs and make sure that they are owned by root:root, then try again from windows.

Rowland

Links:
------
[1] http://www.donelsontrophy.com
[2] https://wiki.samba.org/index.php/Setting_up_a_home_share
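The username map behaviour Rowland describes above (names on the right of the equals sign map to the Unix user on the left, '!' stops the search), as an added example that is not part of the thread or of Samba's code: a simplified Python model that shows which client names a map file sends to root. The sample maps and the EXAMPLE domain are constructed; names are compared exactly and @group entries are not modelled (assumptions).

```python
import re

# Constructed sample maps (not taken from a real server).
MAP_WITH_BARE_NAMES = r"""
# Administrator workaround
!root = EXAMPLE\Administrator Administrator administrator
guest = *
"""
MAP_DOMAIN_ONLY = r"""
!root = EXAMPLE\Administrator EXAMPLE\administrator
"""


def parse_username_map(text):
    """Parse map text into (unix_name, client_names, stop_on_match) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        stop = line.startswith("!")          # '!': stop searching on a match
        unix_name, sep, rhs = line.lstrip("!").partition("=")
        if not sep:
            continue                         # no '=', not a mapping line
        # Client names are whitespace separated; "double quotes" keep spaces.
        names = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', rhs)]
        rules.append((unix_name.strip(), names, stop))
    return rules


def resolve(rules, client_name):
    """Return the Unix name this simplified model maps client_name to."""
    mapped = client_name                     # unmapped names pass through
    for unix_name, names, stop in rules:
        if "*" in names or client_name in names:
            mapped = unix_name
            if stop:
                break                        # later lines are not consulted
    return mapped


def names_mapped_to(rules, unix_name="root"):
    """List every client name granted unix_name, for auditing root mappings."""
    return [n for u, names, _ in rules if u == unix_name for n in names]


if __name__ == "__main__":
    for label, text in (("bare names", MAP_WITH_BARE_NAMES),
                        ("domain only", MAP_DOMAIN_ONLY)):
        rules = parse_username_map(text)
        for name in (r"EXAMPLE\Administrator", "Administrator", "bob"):
            print(f"{label}: {name!r} -> {resolve(rules, name)!r}")
        print(f"{label}: root is granted to {names_mapped_to(rules)}")
```

With the domain-only map, a client presenting plain Administrator is not mapped to root, which is the case Rowland suspects when 'winbind use default domain = yes' is set.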
On 08/01/15 18:37, Bob of Donelson Trophy wrote:
> First, I keep forgetting that I need to change the email address to
> reply to the mailing list. Sorry about that, everyone. (Hard to follow a
> thread that is fragmented like this one now is.) I am focusing too
> intently on my problem.
>
> Rowland, changed to 0755 for the three directories you suggested and
> still getting "Access is denied" from my W7 client. I even restarted the
> server and still get "Access is denied."
>
> And 'profiles' appeared to be working fine . . . I cannot figure out why
> 'users' would be acting like this?
>
> The only difference I can see is that 'users' has a "sticky bit" and
> 'profiles' does not. But, 'users' needs a "sticky bit" doesn't it?

What is in smb.conf for the 'users' share ?

Rowland