PF4Public
2017-Mar-20 17:11 UTC
[Samba] Samba shared folders and windows 7 permissions dialog.
Hi there

Trying to solve an issue with samba and windows 7 permissions dialog. Problem is that sometimes windows 7 permissions dialog is lacking ldap users and groups.
Looks like my problem is related to this one: https://forums.freenas.org/index.php?threads/users-and-groups-not-showing-up-in-windows-7.46023/
Sadly there is no solution in that thread.

Consider the following setup: linux debian with samba and ldap and several windows 7 hosts. Ldap has user named "test" for my tests.

Test 1
Open test user's home via samba: "\\samba\test" in windows 7 explorer. Create any files/folders there and open permissions dialog, switch to advanced user search. It does show ldap users and groups on one windows 7 host, but surprisingly does not on another windows 7 host even though both connect as user "test".

Test 2
Make sure that locally-logged in user belongs to local administrators group. Same result as with Test 1. One windows host shows all the users and groups from ldap, the other one does not. Even though both hosts are logged in with local administrator account and connecting as same "test" user to samba.

Test 3
Let's take successful windows host and relogin to limited account. Now permissions dialog also lacks ldap users and groups. Elevating explorer.exe does not help by the way.

Test 4
Make samba more verbose: "log level = 10". Repeat the Test 1. I was overwhelmed while reading and comparing logfiles, but I notice a subtle difference there:

successful windows host generates:

[2017/03/20 19:22:05.622880, 5, pid=20151, effective(10000, 10002), real(10000, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token)
  UNIX token of user 10000
  Primary group is 10002 and contains 1 supplementary groups
  Group[ 0]: 10002
[2017/03/20 19:22:05.622904, 5, pid=20151, effective(10000, 10002), real(10000, 0)] ../source3/smbd/uid.c:452(smbd_become_authenticated_pipe_user)
  Impersonated user: uid=(10000,10000), gid=(0,10002)
[2017/03/20 19:22:05.622917, 5, pid=20151, effective(10000, 10002), real(10000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1404(api_pipe_request)
  Requested samr rpc service
[2017/03/20 19:22:05.622929, 4, pid=20151, effective(10000, 10002), real(10000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1429(api_rpcTNP)
  api_rpcTNP: samr op 0x7 - api_rpcTNP: rpc command: SAMR_OPENDOMAIN
[2017/03/20 19:22:05.622942, 6, pid=20151, effective(10000, 10002), real(10000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1469(api_rpcTNP)
  api_rpc_cmds[7].fn == 0x7fa14a7c6ed0
[2017/03/20 19:22:05.622956, 1, pid=20151, effective(10000, 10002), real(10000, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
  samr_OpenDomain: struct samr_OpenDomain
    in: struct samr_OpenDomain
      connect_handle : *
        connect_handle: struct policy_handle
          handle_type : 0x00000000 (0)
          uuid : 00000021-0000-0000-d058-ad01b74e0000
      access_mask : 0x00000304 (772)
        0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
        0: SAMR_DOMAIN_ACCESS_SET_INFO_1
        1: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2
        0: SAMR_DOMAIN_ACCESS_SET_INFO_2
        0: SAMR_DOMAIN_ACCESS_CREATE_USER
        0: SAMR_DOMAIN_ACCESS_CREATE_GROUP
        0: SAMR_DOMAIN_ACCESS_CREATE_ALIAS
        0: SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
        1: SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
        1: SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
        0: SAMR_DOMAIN_ACCESS_SET_INFO_3

While the other gives:

[2017/03/20 18:51:48.939208, 5, pid=4553, effective(10000, 10002), real(10000, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token)
  UNIX token of user 10000
  Primary group is 10002 and contains 1 supplementary groups
  Group[ 0]: 10002
[2017/03/20 18:51:48.939236, 5, pid=4553, effective(10000, 10002), real(10000, 0)] ../source3/smbd/uid.c:452(smbd_become_authenticated_pipe_user)
  Impersonated user: uid=(10000,10000), gid=(0,10002)
[2017/03/20 18:51:48.939252, 5, pid=4553, effective(10000, 10002), real(10000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1404(api_pipe_request)
  Requested samr rpc service
[2017/03/20 18:51:48.939265, 4, pid=4553, effective(10000, 10002), real(10000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1429(api_rpcTNP)
  api_rpcTNP: samr op 0x7 - api_rpcTNP: rpc command: SAMR_OPENDOMAIN
[2017/03/20 18:51:48.939281, 6, pid=4553, effective(10000, 10002), real(10000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1469(api_rpcTNP)
  api_rpc_cmds[7].fn == 0x7fa14a7c6ed0
[2017/03/20 18:51:48.939298, 1, pid=4553, effective(10000, 10002), real(10000, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
  samr_OpenDomain: struct samr_OpenDomain
    in: struct samr_OpenDomain
      connect_handle : *
        connect_handle: struct policy_handle
          handle_type : 0x00000000 (0)
          uuid : 00000017-0000-0000-cf58-94fac9110000
      access_mask : 0x00000200 (512)
        0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
        0: SAMR_DOMAIN_ACCESS_SET_INFO_1
        0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2
        0: SAMR_DOMAIN_ACCESS_SET_INFO_2
        0: SAMR_DOMAIN_ACCESS_CREATE_USER
        0: SAMR_DOMAIN_ACCESS_CREATE_GROUP
        0: SAMR_DOMAIN_ACCESS_CREATE_ALIAS
        0: SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
        0: SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
        1: SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
        0: SAMR_DOMAIN_ACCESS_SET_INFO_3

Is it "0: SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS" that blocks that windows host from enumerating ldap users and groups? If that's true, then why is that happening to the same user on different hosts? What is the origin of struct samr_OpenDomain and how does samba derive it?

Or am I on a wrong track?

Anyway any advice on this issue is welcome.
Please help me resolve this nasty issue.

Thanks in advance.
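Added example (not part of the original post, and not Samba code): a Python helper that pulls each samr_OpenDomain request out of a level-10 smbd log and decodes its access_mask into the SAMR_DOMAIN_ACCESS_* rights, so the requests logged for the two hosts can be compared directly. The "in:" block that smbd prints holds the arguments sent by the client; the function names and the abridged sample log, built from the two excerpts above, are this example's own.

```python
import re

# SAMR domain access rights by bit value, lowest bit first (smbd's print order).
SAMR_DOMAIN_ACCESS = {
    0x001: "SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1",
    0x002: "SAMR_DOMAIN_ACCESS_SET_INFO_1",
    0x004: "SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2",
    0x008: "SAMR_DOMAIN_ACCESS_SET_INFO_2",
    0x010: "SAMR_DOMAIN_ACCESS_CREATE_USER",
    0x020: "SAMR_DOMAIN_ACCESS_CREATE_GROUP",
    0x040: "SAMR_DOMAIN_ACCESS_CREATE_ALIAS",
    0x080: "SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS",
    0x100: "SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS",
    0x200: "SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT",
    0x400: "SAMR_DOMAIN_ACCESS_SET_INFO_3",
}

# One smbd debug record starts with "[date time, level, pid=N, ...]".
RECORD_RE = re.compile(r"\[\d{4}/\d\d/\d\d [\d:.]+,\s*\d+, pid=(\d+)[^\]]*\]")
# \b keeps "in:" from matching the tail of "samr_OpenDomain:".
IN_RE = re.compile(r"\bin: struct samr_OpenDomain\b")
MASK_RE = re.compile(r"access_mask\s*:\s*0x([0-9a-fA-F]+)")


def decode_mask(mask):
    """Return the names of the rights set in mask, lowest bit first."""
    names = [name for bit, name in SAMR_DOMAIN_ACCESS.items() if mask & bit]
    unknown = mask & ~sum(SAMR_DOMAIN_ACCESS)
    if unknown:  # bits outside the SAMR-specific set, reported rather than dropped
        names.append(f"UNKNOWN_0x{unknown:08x}")
    return names


def open_domain_requests(log_text):
    """Return [(pid, access_mask)] for each samr_OpenDomain request logged."""
    headers = list(RECORD_RE.finditer(log_text))
    found = []
    for i, head in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(log_text)
        body = log_text[head.end():end]
        if not IN_RE.search(body):
            continue  # a different record, or the reply printed as "out:"
        m = MASK_RE.search(body)
        if m:
            found.append((int(head.group(1)), int(m.group(1), 16)))
    return found


def compare(mask_a, mask_b):
    """Rights requested only in mask_a, and only in mask_b."""
    return decode_mask(mask_a & ~mask_b), decode_mask(mask_b & ~mask_a)


# Abridged from the two excerpts in the post (decoded flag lines omitted).
SAMPLE_LOG = """\
[2017/03/20 19:22:05.622929,  4, pid=20151, effective(10000, 10002), real(10000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1429(api_rpcTNP)
  api_rpcTNP: samr op 0x7 - api_rpcTNP: rpc command: SAMR_OPENDOMAIN
[2017/03/20 19:22:05.622956,  1, pid=20151, effective(10000, 10002), real(10000, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
       samr_OpenDomain: struct samr_OpenDomain
          in: struct samr_OpenDomain
              access_mask              : 0x00000304 (772)
[2017/03/20 18:51:48.939298,  1, pid=4553, effective(10000, 10002), real(10000, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
       samr_OpenDomain: struct samr_OpenDomain
          in: struct samr_OpenDomain
              access_mask              : 0x00000200 (512)
"""

if __name__ == "__main__":
    for pid, mask in open_domain_requests(SAMPLE_LOG):
        print(f"pid {pid}: 0x{mask:08x} -> {', '.join(decode_mask(mask))}")
```

Because records are split on the bracketed header rather than on line breaks, the same functions also work on log text whose line breaks were lost in a mail archive.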
PF4Public
2017-Mar-22 15:12 UTC
[Samba] Samba shared folders and windows 7 permissions dialog.
Was my wording bad or something?
L.P.H. van Belle
2017-Mar-22 15:51 UTC
[Samba] Samba shared folders and windows 7 permissions dialog.
I think bad breath... ;-) noo... just joking .. sorry , ... ;-)

It may be helpful if you provide a bit more info.

Like for example
OS =
Samba version =
The smb.conf content.

And what did you set up?
AD DC server
NT4 PDC server
Standalone server?
Member server?

And based on what you already posted below.
I'm guessing an AD DC setup, but with the wrong backend setup.
But you tell us..

Greetz,

Louis
PF4Public
2017-Mar-22 16:20 UTC
[Samba] Samba shared folders and windows 7 permissions dialog.
"uname -a" gives Linux 4.9.0-1-amd64 #1 SMP Debian 4.9.2-2 (2017-01-12) x86_64 GNU/Linux
"samba -V": Version 4.5.6-Debian

It is a standalone server with "security = user" and "passdb backend = ldapsam:ldap://localhost"

The weirdness I described happens to any share, so I assume detailed share configuration is irrelevant.

Apart from this weirdness all is fine. That is, files are accessible in accordance with set permissions, and permissions set from well-behaved windows 7 hosts are saved and taken into account. The only weird thing is that it is impossible to list all ldap users and groups on some windows hosts. Yet I could not determine how they differ from those hosts which do properly display ldap users and groups, apart from the mentioned logfile differences.

PS: sorry for double-reply. Didn't "reply-all" in the first place.