On 18/11/15 09:37, mourik jan c heupink wrote:
>
>
> On 18-11-2015 10:13, L.P.H. van Belle wrote:
>> Hai Mourik Jan/Victor.
>>
>>> MJ definitely understands the problem I'm facing....
>> Yes, and I do too, but you won't listen...
>
> Could it perhaps be that the vital detail is that Viktor (and me too)
> are not using windows (security tab) to manage the permissions / acls,
> but instead use basic fs permissions? (do you, Viktor?)
>
> It is very reproducible here: machines without gid/uid cannot access
> domain member servers using the machine account, the moment I add
> gid/uid, they start to work.

OK, I am trying to understand this as well. I take it that the uidNumber you add is a unique number that is inside the range you have set in smb.conf, but what about the gidNumber? Do you set it to '515' and is this also inside the range?

Who owns the share on the disk and what are the permissions? Also, what is the share in smb.conf?

Rowland

> (I'm not trying to say that your solution is not the real answer, just
> trying to find a reason for the behaviour we're seeing)
>
> MJ
>
On 18-11-2015 10:59, Rowland Penny wrote:
> OK, I am trying to understand this as well, I take it that the uidNumber
> you add is a unique number that is inside the range you have set in
> smb.conf, but what about the gidNumber? do you set it to '515' and is
> this also inside the range?

Yep. gidNumber 515, both inside the range yes. (range starts at 500)

> Who owns the share on the disk and what are the permissions, also what
> is the share in smb.conf.

> [ninite]
> guest ok = no
> comment = Ninite Software Updater
> path = /srv/ninite
> read only = No
> writable = yes
> valid users = @"Domain Admins", @"Domain Computers"
> create mask = 0775
> directory mask = 0775

Permissions on disk:
> drwxrwxr-x 5 root Domain Admins 4096 Jul  8 14:10 ninite

MJ
On 18/11/15 10:24, mourik jan c heupink wrote:
>
>
> On 18-11-2015 10:59, Rowland Penny wrote:
>> OK, I am trying to understand this as well, I take it that the uidNumber
>> you add is a unique number that is inside the range you have set in
>> smb.conf, but what about the gidNumber? do you set it to '515' and is
>> this also inside the range?
> Yep. gidNumber 515, both inside the range yes. (range starts at 500)
>
>> Who owns the share on the disk and what are the permissions, also what
>> is the share in smb.conf.
>
>> [ninite]
>> guest ok = no
>> comment = Ninite Software Updater
>> path = /srv/ninite
>> read only = No
>> writable = yes
>> valid users = @"Domain Admins", @"Domain Computers"
>> create mask = 0775
>> directory mask = 0775
>
> Permissions on disk:
>> drwxrwxr-x 5 root Domain Admins 4096 Jul  8 14:10 ninite
>
> MJ
>

OK, I think I understand this. Mourik is setting this on the share:

valid users = @"Domain Admins", @"Domain Computers"

This means that only members of the 'Domain Admins' or 'Domain Computers' groups can connect to the share, whilst Louis has this showing in his ACLs from getfacl:

Creator owner    special.  Only folders and files on underlying folders.
Creator group    special.  Only folders and files on underlying folders.
Verified users   read+exec This folder, underlying folders and files
Domain Admins    Full      This folder, underlying folders and files
Domain users     read+exec This folder, underlying folders and files
Domain computers read+exec This folder, underlying folders and files

Which gives (amongst others) 'Domain Admins' full control and 'Domain Computers' read+exec permissions.

With Mourik's way of doing things, 'Domain Computers' must be known to Unix, hence the required gidNumber.

Louis's way will probably rely on winbind mapping 'Domain Computers'.

Rowland
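The practical consequence of Rowland's last point is that every `@group` named in a share's `valid users` line has to resolve to a Unix group through NSS (a gidNumber in AD with the rfc2311 backend, or a winbind idmap), otherwise smbd cannot match a connecting machine account against it. The script below is an added example, not code from the thread or from Samba: it pulls the group names out of a share definition (the constructed copy of MJ's `[ninite]` block) and asks `getent group` whether each one is known to the OS. The `GETENT` variable is an assumption of this script only, a hook so the lookup can be swapped for a stub when testing offline.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): check that each
# @group in a share's "valid users" resolves to a Unix group via NSS.

# Constructed share definition, a copy of the [ninite] block posted above.
SMB_SHARE='[ninite]
guest ok = no
comment = Ninite Software Updater
path = /srv/ninite
read only = No
writable = yes
valid users = @"Domain Admins", @"Domain Computers"
create mask = 0775
directory mask = 0775'

# Lookup command; GETENT is a hypothetical override used only so the
# resolver can be stubbed out when the script runs where no AD exists.
GETENT="${GETENT:-getent}"

# Print the group names from the share's "valid users" line, one per
# line, stripped of the @ or + prefix and of surrounding quotes.
# Plain user names (no prefix) are not groups and are skipped.
valid_user_groups() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*valid users[[:space:]]*=[[:space:]]*//p' \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*[@+]"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p'
}

# Print the Unix gid of a group; return non-zero if NSS does not know it.
group_gid() {
    command -v "$GETENT" >/dev/null 2>&1 || return 1
    "$GETENT" group "$1" 2>/dev/null | cut -d: -f3 | grep .
}

# Report each valid-users group and whether it resolves. The return
# value is the number of groups that did not resolve (0 means all good).
check_share_groups() {
    missing=0
    while IFS= read -r grp; do
        [ -n "$grp" ] || continue
        if gid=$(group_gid "$grp"); then
            printf '%-20s -> gid %s\n' "$grp" "$gid"
        else
            printf '%-20s -> NOT known to the OS (needs gidNumber or winbind idmap)\n' "$grp"
            missing=$((missing + 1))
        fi
    done <<EOF
$(valid_user_groups "$1")
EOF
    return "$missing"
}

# Stand-alone run against the constructed share definition.
check_share_groups "$SMB_SHARE" \
  || echo "$? group(s) in 'valid users' cannot be resolved; connections by their members will be refused"
```

On a member server this is run as is; a group that prints as not known is exactly the case MJ describes, where the machine account's group exists in AD but has no Unix identity on the host serving the share.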