On 08/01/15 18:37, Bob of Donelson Trophy wrote:
>
> First, I keep forgetting that I need to change the email address to
> reply to the mailing list. Sorry about that, everyone. (Hard to follow a
> thread that is fragmented like this one now is.) I am focusing too
> intently on my problem.
>
> Rowland, changed to 0755 for the three directories you suggested and
> still getting "Access is denied" from my W7 client. I even restarted the
> server and still get "Access is denied."
>
> And 'profiles' appeared to be working fine . . . I cannot figure out why
> 'users' would be acting like this?
>
> The only difference I can see is that 'users' has a "sticky bit" and
> 'profiles' does not. But, 'users' needs a "sticky bit" doesn't it?
>
> ---
>
> -------------------------
>
> Bob Wooden of Donelson Trophy
>
> 615.885.2846 (main)
> www.donelsontrophy.com [1]
>
> "Everyone deserves an award!!"
>
> On 2015-01-08 11:59, Rowland Penny wrote:
>
>> On 08/01/15 17:28, Bob of Donelson Trophy wrote:
>>
>> Here is:
>>
>> root@dtmember01:~# getfacl /home/samba/DTDC01/users
>> getfacl: Removing leading '/' from absolute path names
>> # file: home/samba/DTDC01/users
>> # owner: root
>> # group: root
>> user::rwx
>> group::r-x
>> other::r-x
>> default:user::rwx
>> default:group::r-x
>> default:group:50010:rwx
>> default:mask::rwx
>> default:other::r-x
>>
>> And yes, I have looked at https://wiki.samba.org/index.php/Setting_up_a_home_share [2] but, can't explore that until I fix this permissions "denied" issue.
>>
>> Now?
>>
>> On 2015-01-08 11:14, Rowland Penny wrote:
>> On 08/01/15 17:02, Bob of Donelson Trophy wrote:
>>
>> Made the changes you suggested and still getting "Access is denied" on W7 client.
>>
>> Here is some info that might help:
>>
>> root@dtmember01:~# cat /etc/samba/samba_usermapping
>> !root = DTDC01Administrator Administrator administrator
>> root@dtmember01:~# ls -alh /home/samba/DTDC01/users
>> total 8.0K
>> drwxr-xr-x+ 2 root root 4.0K Dec 31 15:38 .
>> drwxr-xr-t 5 root root 4.0K Dec 31 15:38 ..
>> root@dtmember01:~# ls -alh /home/samba/DTDC01
>> total 24K
>> drwxr-xr-t 5 root root 4.0K Dec 31 15:38 .
>> drwxr-xr-x 4 root root 4.0K Dec 31 15:38 ..
>> drwxrwsr-x 2 root root 4.0K Dec 31 15:38 companydata
>> drwxrwx--T 7 root 50005 4.0K Jan 4 12:10 profiles
>> drwxr-xr-x+ 2 root root 4.0K Dec 31 15:38 users
>>
>> Does it matter . . . those tiny "plus" signs after some of the permissions? And the "50005" group?
>>
>> Further suggestions or questions?
>>
>> OK, the tiny "plus" signs mean that you have ACL's set on users, and 50005 comes from here: 'idmap config *:range = 50001-80000' and is a BUILTIN object. You can find out which with 'wbinfo -G 50005'
>>
>> To find out what ACL's are set on 'users': getfacl /home/samba/DTDC01/users
>>
>> Also, as we are discussing users home dirs, have you had a look here: https://wiki.samba.org/index.php/Setting_up_a_home_share [2]
>>
>> Rowland
>>
>> On 2015-01-08 10:49, Rowland Penny wrote:
>> On 08/01/15 16:38, Bob of Donelson Trophy wrote:
>>
>> Thanks Rowland,
>>
>> I have created both my DC and my MEMBER servers with Louis' scripts.
>>
>> On the MEMBER server, within the smb.conf is this
>>
>> >>>>> snip <<<<<
>> # user Administrator workaround, without it you are unable to set privileges
>> username map = /etc/samba/samba_usermapping
>>
>> >>>>> snip <<<<<
>> Then the /etc/samba/samba_usermapping file contains
>>
>> !root = DTDC01Administrator DTDC01administrator
>>
>> This would be the manner that the scripts created as I have not changed anything in the area, myself. What is "throwing me a curve" is the different file names. (Maybe I am over analyzing this but details are details.)
>>
>> So, you're saying change my '/etc/samba/samba_usermapping' to?
>>
>> '!root = DTDC01Administrator Administrator administrator'
>>
>> (BTW, I only mentioned the hidden files as they were the only thing listed, as a way to reference the owner:group settings.)
>>
>> On 2015-01-08 10:07, Rowland Penny wrote:
>>
>> On 08/01/15 15:41, Bob of Donelson Trophy wrote:
>> I have a fresh Debian based Samba server and Member server setup. I have configured profiles and they appear to be saving properly to the member server. When I attempt to adjust file permissions (as instructed by the Sambawiki page "Samba & Windows Profiles") I am getting "Access Denied" complaints. These I believe (I could be wrong) relate to the file permissions within Debian member server. When I 'ls -alh /home/samba/DOMAIN/users' I get root:root owning both the single 'dot' and double 'dot' hidden files that are listed there. What should these permissions be? Or am I having some permissions issue between the DC and the member server?
>>
>> Hi Bob, the 'hidden' dot files aren't really hidden, from your path, the '.' is 'users' and '..' is 'DOMAIN' :-)
>>
>> If, as seems, you created the directories as root, you should be good to go, I think that it may be a problem with who is trying to set the ACL's from windows. This needs to be Administrator, who should be mapped to root (yes the user who owns the directory on the member server) via a line in smb.conf and a file that the line refers to. i.e. 'username map = /etc/samba/user.map' and 'user.map' containing just one line:
>>
>> '!root = EXAMPLEAdministrator Administrator administrator'
>>
>> Rowland
> Hi, what the file does is map anything from the right hand side of the
> equals sign to whoever is at the left hand side of the equals sign, the
> '!' sign means 'stop searching if a mapping is found in this line', you
> can have more than one line/user in the file.
>
> What I would do is add 'Administrator administrator' to your file and
> restart samba and try again.
>
> If you are using Louis's script, you will have this line in smb.conf:
> 'winbind use default domain = yes' , this means that you do not have to
> use the DOMAIN name and this may be your problem.
>
> Rowland
>
> OK, Louis seems to do things differently to me, he appears to be
> setting the 'sticky bit' on the following dirs:
>
> /home/samba/DOMAIN
> /home/samba/DOMAIN/users
> /home/samba/DOMAIN/profiles
>
> This is something that I have never done (and have never had problems
> through not doing it), so you could try 'chmod 0755' on those three
> dirs and make sure that they are owned by root:root, then try again from
> windows.
>
> Rowland
>
> Links:
> ------
> [1] http://www.donelsontrophy.com
> [2] https://wiki.samba.org/index.php/Setting_up_a_home_share

What is in smb.conf for the 'users' share ?

Rowland

Bob of Donelson Trophy
2015-Jan-08 19:10 UTC
[Samba] getting permissions denied on home folders
Part of the smb.conf

[home]
path = /home/samba/DTDC01/users
comment = user folder 4 redirection
read only = no

Hum-m-m?

---

-------------------------

Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com [1]

"Everyone deserves an award!!"

On 2015-01-08 12:56, Rowland Penny wrote:

> What is in smb.conf for the 'users' share ?
>
> Rowland

Links:
------
[1] http://www.donelsontrophy.com

On 08/01/15 19:10, Bob of Donelson Trophy wrote:
>
> Part of the smb.conf
>
> [home]
> path = /home/samba/DTDC01/users
> comment = user folder 4 redirection
> read only = no
>
> Hum-m-m?
>
> On 2015-01-08 12:56, Rowland Penny wrote:
>
>> What is in smb.conf for the 'users' share ?
>>
>> Rowland

Ok, have you tried what it says on this page:

https://wiki.samba.org/index.php/Setting_up_a_home_share

Specifically from 'Setting up the share and filesystem permissions' onwards

When you create the share as root, you should get the correct permissions (0755) and you should then be able to connect to the share and set the ACL's

You could check if the Administrators group has the 'SeDiskOperatorPrivilege':

net rpc rights list accounts -Uadministrator

If not, set the privilege:

net rpc rights grant 'BUILTIN\Administrators' SeDiskOperatorPrivilege -Uadministrator

Rowland
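
The username map rules Rowland describes earlier in the thread (names on the right of '=' map to the account on the left, '!' stops the search) and the share-root checks he suggests (root:root, 0755, no sticky bit) can be tried out with the script below. It is an added example, not code from any post in this thread; the function names, the sample map and the temporary directories are constructed, and it goes beyond the thread by handling the '*' wildcard from smb.conf(5), since a later wildcard line is where '!' makes a difference.

```sh
#!/bin/sh
# Added example, not from the thread. The sample map and directories are constructed.

# resolve_username_map MAPFILE CLIENT_NAME -> prints the Unix account name.
# Names right of '=' map to the name on the left; a leading '!' stops the
# search once that line has matched; '*' on the right matches any name.
# Names are compared exactly as written and every line is matched against the
# original client name (both are simplifications made by this sketch).
resolve_username_map() {
    local mapfile="$1" client="$2" result="$2" line unix rhs stop
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*|';'*) continue ;; esac      # blank or comment
        stop=no
        case $line in '!'*) stop=yes; line=${line#?} ;; esac
        case $line in *=*) ;; *) continue ;; esac          # no '=': ignored
        unix=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        rhs=$(printf ' %s ' "${line#*=}" | tr '\t' ' ')    # pad for word match
        case $rhs in
            *" $client "*|*' * '*)
                result=$unix
                if [ "$stop" = yes ]; then break; fi ;;
        esac
    done < "$mapfile"
    printf '%s\n' "$result"
}

# share_dir_findings DIR -> one line per deviation from the thread's advice
# for the share root (root:root, mode 0755, no sticky bit), plus a note when
# ls shows the '+' that marks POSIX ACLs.
share_dir_findings() {
    local dir="$1" mode owner perms
    mode=$(stat -c '%a' "$dir")            # GNU stat: 755, 1755, ...
    owner=$(stat -c '%U:%G' "$dir")
    perms=$(ls -ld -- "$dir" | awk '{print $1}')
    if [ -k "$dir" ]; then echo "sticky bit set (mode $mode)"; fi
    if [ "$mode" != 755 ]; then echo "mode is $mode, expected 755"; fi
    if [ "$owner" != root:root ]; then echo "owner is $owner, expected root:root"; fi
    case $perms in *+) echo "POSIX ACL present, inspect with getfacl" ;; esac
    return 0
}

demo() {
    local tmp who
    tmp=$(mktemp -d)
    # Constructed map: the '!' line keeps Administrator away from the wildcard.
    printf '%s\n' '!root = Administrator administrator' 'guest = *' > "$tmp/usermap"
    mkdir "$tmp/users" && chmod 1755 "$tmp/users"
    for who in Administrator administrator bob; do
        echo "$who -> $(resolve_username_map "$tmp/usermap" "$who")"
    done
    share_dir_findings "$tmp/users"
    rm -rf "$tmp"
}
demo
```

On the member server, point share_dir_findings at /home/samba/DTDC01/users and resolve_username_map at /etc/samba/samba_usermapping to check the real setup.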