francis picabia
2017-Jun-30 11:52 UTC
[Samba] 4.4.14 on solaris, using ads, can't read/write as user
On Thu, Jun 29, 2017 at 4:46 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 29 Jun 2017 16:28:38 -0300
> francis picabia via samba <samba at lists.samba.org> wrote:
>
> > On Thu, Jun 29, 2017 at 3:48 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> > > Well, no it isn't actually on that page, you need to follow a
> > > hyperlink to this page:
> > >
> > > https://wiki.samba.org/index.php/Idmap_config_rid
> > >
> >
> > It is really confusing. rid or tdb. I don't know what it wants
> > because the second link has both.
>
> No, it isn't confusing, you need both.
>
> You need to have something like this in smb.conf:
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config MYDOM : backend = rid
> idmap config MYDOM : range = 10000-999999
>
> The '*' range is for the 'BUILTIN' domain, i.e. the Well Known SIDs.
> The 'MYDOM' range is for YOUR domain.
>

I'm using this config above currently and there is no change to the ownership or permissions issue.

I have in nsswitch.conf:

passwd: files winbind
group: files winbind

(shadow wasn't in nsswitch.conf on Solaris)

winbind and samba services are being restarted on every config change like this:

svcadm disable winbind ; sleep 2; svcadm enable winbind ; svcadm disable samba ; sleep 2; svcadm enable samba

krb5.conf is the config suggested in the samba doc you linked.

[libdefaults]
default_realm = AD.MYDOM.CA
dns_lookup_realm = false
dns_lookup_kdc = true

Here is the tmp share currently:

[tmp]
path = /tmp
browseable = No
read only = No

If I upload a new file to the tmp share, the ownership shows the expected mapped user.

-rwxr--r-- 1 fpicabia domain users 1112 Jun 30 08:10 2017.csr

If I touch a file in /tmp using a root shell, and chown it to the same user, it cannot be overwritten or deleted.
ls in smbclient shows this for a file uploaded over samba:

  2017.csr    A    1112  Fri Jun 30 08:21:05 2017

A file chowned to the same fpicabia user on the system by root shows like this:

  doo.txt     N       0  Fri Jun 30 08:21:29 2017

Here is the error on attempting to delete it:

smb: \> rm doo.txt
NT_STATUS_ACCESS_DENIED deleting remote file \doo.txt
NT_STATUS_ACCESS_DENIED listing \doo.txt

Here is what it looks like from the root console:

# ls -l doo.txt 2017.csr
-rwxr--r-- 1 fpicabia domain users 1112 Jun 30 08:21 2017.csr
-rw-r--r-- 1 fpicabia root            0 Jun 30 08:21 doo.txt

On the outside chance the owner 'x' bit mattered I did a chown u+x on doo.txt and it made no difference to the rm command within smbclient.

Is there something I'm missing about why this isn't the same user or allowable file permissions for writing?

When I do a wbinfo -u | grep fpicabia

Do you expect it should return:

fpicabia
or
MYDOM\fpicabia

I wish smbclient had a 'whoami' command, versus 'who am i', so we could see the mapping.

smbstatus shows Username without the domain and for smbclient Protocol has NT1.
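The idmap configuration quoted in this post (a '*' tdb range for BUILTIN and a MYDOM rid range) can be sanity-checked offline before restarting winbind. The following is an added example, not code from the thread or from the Samba project: it parses those smb.conf lines, confirms the two ranges do not overlap, and reproduces the idmap_rid arithmetic (ID = RID - base_rid + low end of the range) so an administrator can predict the Unix ID a domain account should receive. The smb.conf text and the SID used in the test are constructed.

```python
import re

# Constructed smb.conf fragment mirroring the idmap lines quoted in the thread.
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 10000-999999
"""

LINE_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")


def parse_idmap(conf):
    """Return {domain: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    domains = {}
    for m in filter(None, map(LINE_RE.match, conf.splitlines())):
        dom, key, val = m.groups()
        entry = domains.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry[key] = val
    return domains


def overlapping_ranges(domains):
    """Pairs of domains whose ID ranges overlap; a valid config returns []."""
    names = sorted(domains)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if domains[a]["range"][0] <= domains[b]["range"][1]
            and domains[b]["range"][0] <= domains[a]["range"][1]]


def rid_to_id(domains, dom, rid, base_rid=0):
    """idmap_rid arithmetic: ID = RID - base_rid + low; None if it leaves the range."""
    entry = domains[dom]
    if entry.get("backend") != "rid":
        raise ValueError(f"{dom} does not use the rid backend")
    low, high = entry["range"]
    uid = rid - base_rid + low
    return uid if low <= uid <= high else None


def sid_to_id(domains, dom, sid):
    """Map a full SID: its last dash-separated component is the RID."""
    return rid_to_id(domains, dom, int(sid.rsplit("-", 1)[1]))
```

Compare the computed ID against `id fpicabia` on the Solaris host; if they differ, the box is not using the rid mapping the config asks for.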
francis picabia
2017-Jun-30 12:45 UTC
[Samba] 4.4.14 on solaris, using ads, can't read/write as user
On Fri, Jun 30, 2017 at 8:52 AM, francis picabia <fpicabia at gmail.com> wrote:

> On Thu, Jun 29, 2017 at 4:46 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>> On Thu, 29 Jun 2017 16:28:38 -0300
>> francis picabia via samba <samba at lists.samba.org> wrote:
>>
>> > On Thu, Jun 29, 2017 at 3:48 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>> >
>> > > Well, no it isn't actually on that page, you need to follow a
>> > > hyperlink to this page:
>> > >
>> > > https://wiki.samba.org/index.php/Idmap_config_rid
>> > >
>> >
>> > It is really confusing. rid or tdb. I don't know what it wants
>> > because the second link has both.
>>
>> No, it isn't confusing, you need both.
>>
>> You need to have something like this in smb.conf:
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>> idmap config MYDOM : backend = rid
>> idmap config MYDOM : range = 10000-999999
>>
>> The '*' range is for the 'BUILTIN' domain, i.e. the Well Known SIDs.
>> The 'MYDOM' range is for YOUR domain.
>>
>
> I'm using this config above currently and there is no change to the ownership
> or permissions issue.
>
> I have in nsswitch.conf:
>
> passwd: files winbind
> group: files winbind
>
> (shadow wasn't in nsswitch.conf on Solaris)
>
> winbind and samba services are being restarted on every config change like this:
>
> svcadm disable winbind ; sleep 2; svcadm enable winbind ; svcadm disable samba ; sleep 2; svcadm enable samba
>
> krb5.conf is the config suggested in the samba doc you linked.
>
> [libdefaults]
> default_realm = AD.MYDOM.CA
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> Here is the tmp share currently:
>
> [tmp]
> path = /tmp
> browseable = No
> read only = No
>
> If I upload a new file to the tmp share, the ownership shows
> the expected mapped user.
>
> -rwxr--r-- 1 fpicabia domain users 1112 Jun 30 08:10 2017.csr

I forgot to mention...

From smbclient, I can rm the file I have just uploaded with smbclient. This is the difference: with the file owned by the same user but created from the Solaris OS and shell session, smbclient cannot rm.

Also meant to ask what the meaning of N and A below is, as that could be a key.

> If I touch a file in /tmp using a root shell, and chown it to the same user,
> it cannot be overwritten or deleted.
>
> ls in smbclient shows this for a file uploaded over samba:
>
>   2017.csr    A    1112  Fri Jun 30 08:21:05 2017
>
> A file chowned to the same fpicabia user on the system by root shows like
> this:
>
>   doo.txt     N       0  Fri Jun 30 08:21:29 2017
>
> Here is the error on attempting to delete it:
>
> smb: \> rm doo.txt
> NT_STATUS_ACCESS_DENIED deleting remote file \doo.txt
> NT_STATUS_ACCESS_DENIED listing \doo.txt
>
> Here is what it looks like from the root console:
>
> # ls -l doo.txt 2017.csr
> -rwxr--r-- 1 fpicabia domain users 1112 Jun 30 08:21 2017.csr
> -rw-r--r-- 1 fpicabia root            0 Jun 30 08:21 doo.txt
>
> On the outside chance the owner 'x' bit mattered I did a chown u+x on doo.txt
> and it made no difference to the rm command within smbclient.
>
> Is there something I'm missing about why this isn't the same user or
> allowable file permissions for writing?
>
> When I do a wbinfo -u | grep fpicabia
>
> Do you expect it should return:
>
> fpicabia
> or
> MYDOM\fpicabia
>
> I wish smbclient had a 'whoami' command, versus 'who am i', so we could
> see the mapping.
>
> smbstatus shows Username without the domain and for smbclient Protocol has
> NT1.