francis picabia
2017-Jun-29 17:06 UTC
[Samba] 4.4.14 on solaris, using ads, can't read/write as user
Thanks for your help. Here is a sanitized config from our dev system where I'm testing the Solaris patch.

[global]
workgroup = MYDOM
netbios name = norm
security = ADS
log file = /var/log/samba/%m.log
max log size = 50
dns proxy = no
loglevel = 3
template shell = /usr/bin/bash
winbind use default domain = true
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
encrypt passwords = yes
realm = AD.MYDOM.CA

idmap config * : range = 16777216-33554431
idmap config * : backend = rid

nt acl support = no
unix extensions = no

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

#============================ Share Definitions =============================

[homes]
comment = Home Directories
path = %H
browseable = no
valid users = MYDOM\%U
create mask = 0750
directory mask = 0750
wide links = Yes

guest ok = no
read only = no

[tmp]
path = /tmp
public = no
browseable = no
read only = no

As this is now, I was experimenting with not controlling the access to /tmp. New files can be copied there by the connected user, and they are showing expected ownership. Reading 700 files owned by the user isn't working from smbclient or Windows.

The version of AD is under Windows 2012R2.

On Thu, Jun 29, 2017 at 1:30 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 29 Jun 2017 13:14:58 -0300
> francis picabia via samba <samba at lists.samba.org> wrote:
>
> > On production, we have Samba share on Solaris and ADS config
> > working already using 3.6.25
> >
> > On a dev box used to test patches, I've spent a day and
> > some time on an Oracle support ticket trying to get
> > this working again under 4.4.14
> >
> > The same problem happens whether I'm testing with homes or a share
> > with /tmp.
> >
> > The user isn't matching expectations, so it won't allow copying a 700
> > file in /tmp or [homes] to Windows. It's like my samba connected user
> > has rights as "other".
> >
> > I thought it could be useful to copy a file from Windows to the /tmp
> > share and see who owns it.
> >
> > ls -l shows it is the user configured as under "valid users". So
> > everything seems to be working as designed, except the UID isn't
> > really the same, or something like that.
> >
> > Within ls -l /tmp :
> > -rwxr--r-- 1 fpicabia domain users 242 Apr 2 2015 debug.log
> >
> > # getfacl /tmp/debug.log
> >
> > # file: /tmp/debug.log
> > # owner: fpicabia
> > # group: domain users
> > user::rwx
> > group::r-- #effective:r--
> > mask:rwx
> > other:r--
> >
> > I'm wondering if there is any way to see how I'm connected when I
> > test with smbclient.
> >
> > smbstatus shows the user connected as expected. Nothing I can find
> > shows an error or difference.
> >
> > Here is a snippet showing how /tmp was set up last:
> >
> > [tmp]
> > path = /tmp
> > browseable = No
> > force user = %U
> > read only = No
> > valid users = fpicabia
> >
> > One significant difference from 3.6.25 was winbind was added to
> > nsswitch.conf for passwd and group before we could get authentication
> > working for 4.4.14.
> >
> > Another bit that might help understand the workings: ssh allows
> > authentication with the AD password under the current 4.4.14 setup.
> >
> > So it is just file ownership matching the UID of the connected user
> > that is the problem.
>
> Can you post your entire smb.conf (you can sanitise it if you like) and
> can you also tell us what your AD DC is running
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2017-Jun-29 17:36 UTC
[Samba] 4.4.14 on solaris, using ads, can't read/write as user
On Thu, 29 Jun 2017 14:06:37 -0300
francis picabia via samba <samba at lists.samba.org> wrote:

> Thanks for your help. Here is a sanitized config from our dev system
> where I'm testing the Solaris patch.
>
> [global]
> workgroup = MYDOM
> netbios name = norm
> security = ADS
> log file = /var/log/samba/%m.log
> max log size = 50
> dns proxy = no
> loglevel = 3
> template shell = /usr/bin/bash
> winbind use default domain = true
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = yes
> encrypt passwords = yes
> realm = AD.MYDOM.CA
>
> idmap config * : range = 16777216-33554431
> idmap config * : backend = rid
>
> nt acl support = no
> unix extensions = no
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> #============================ Share Definitions =============================
>
> [homes]
> comment = Home Directories
> path = %H
> browseable = no
> valid users = MYDOM\%U
> create mask = 0750
> directory mask = 0750
> wide links = Yes
>
> guest ok = no
> read only = no
>
> [tmp]
> path = /tmp
> public = no
> browseable = no
> read only = no
>
> As this is now, I was experimenting with not controlling the access
> to /tmp. New files can be copied there by the connected user, and they
> are showing expected ownership. Reading 700 files owned by the user
> isn't working from smbclient or Windows.
>
> The version of AD is under Windows 2012R2.
>

Your problems lie here:

idmap config * : range = 16777216-33554431
idmap config * : backend = rid

Why use the range '16777216-33554431'?

You cannot use 'rid' with the BUILTIN (*) domain, you should use 'tdb'.

And the main reason why it isn't working: you need a block for the
'MYDOM' domain, see here for more info:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
francis picabia
2017-Jun-29 18:36 UTC
[Samba] 4.4.14 on solaris, using ads, can't read/write as user
On Thu, Jun 29, 2017 at 2:36 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> Your problems lie here:
>
> idmap config * : range = 16777216-33554431
> idmap config * : backend = rid
>
> Why use the range '16777216-33554431'?
>

On a working Debian system with Samba 4.1, we have things working OK with:

idmap config MYDOM : range = 70000-9999999999

I started with something like that yesterday, so what you saw today was leftover guesses on something that might help.

> You cannot use 'rid' with the BUILTIN (*) domain, you should use 'tdb'.
>

OK, I've switched it like the tdb example in your link. Auth and connection still working.

> And the main reason why it isn't working: you need a block for the
> 'MYDOM' domain, see here for more info:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>

"Block" meaning something like [mydom] in smb.conf? I am not seeing it at the link. I have not spotted anything on that page we are missing other than mapping the root user, which I'm assuming is optional. I'm not getting the meaning of "need a block for the MYDOM domain".

Mind blown on the minimal krb5.conf example. I've never seen one like it before, but apparently it is enough. I removed all of the lockdir, statedir and cachedir content and restarted winbind and samba.

The "main reason" is really what I need to address, if I understood.
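For readers following the thread, here is the idmap section written the way Rowland's reply describes, as an added example; it is not the posters' smb.conf and not copied from the Samba wiki page. The "block" for MYDOM is not a new [mydom] section but a pair of idmap config lines keyed on the domain name, alongside the default '*' block. The range values below are assumptions for illustration; the only requirements are that the two ranges do not overlap and that the MYDOM range is large enough for the domain's RIDs.

```ini
# Added example, not the thread's own configuration. Only the idmap lines
# change; the rest of [global] and the shares as posted can stay.

[global]
workgroup = MYDOM
realm = AD.MYDOM.CA
security = ADS
winbind use default domain = true
template shell = /usr/bin/bash

# --- as posted (broken): rid on the default '*' domain, and no MYDOM block ---
#   idmap config * : range = 16777216-33554431
#   idmap config * : backend = rid

# --- corrected: '*' keeps a small tdb range for BUILTIN and any SID that
#     matches no configured domain (range is an assumed value) ---
idmap config * : backend = tdb
idmap config * : range = 3000-7999

# --- and MYDOM gets its own rid block with a range that does not overlap
#     the '*' range (range is an assumed value). With the rid backend each
#     UID/GID is computed as RID plus the low end of this range, so the
#     range must reach at least as high as the domain's largest RID. ---
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 10000-999999
```

After `testparm` accepts the file and winbind has been restarted, `getent passwd fpicabia` (no domain prefix is needed because of `winbind use default domain = true`) and `wbinfo -i fpicabia` should both return a UID inside the MYDOM range, and `id fpicabia` should list "domain users". Two caveats a practitioner would want: because rid derives every ID from the range's low end, changing the range later changes every mapped UID, so files created under the earlier mapping will show a stale numeric owner in `ls -n` and need a chown; and uid_t is a 32-bit value on both Solaris and Linux, so a range top such as the 9999999999 quoted above exceeds what the OS can represent.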