Hi Rowland,
My authentication seems to work (Thanks) but I can see the files inside the
FTPFiles shares.
I checked:
# ntlm_auth --username="sebastien boulianne" --domain=domain.qc.ca
Password:
NT_STATUS_OK: Success (0x0)
drwsrwxrwx 11 root domain users 4.0K Aug 11 16:46 site
[FTPFiles]
comment = Files
path = /glftpd/site
create mask = 0777
directory mask = 0777
valid users = %S
When I try to access the share, the error says I do not have the permissions to
access it.
Can you give me some tips on how to debug it?
Thank you very much again!
Sébastien
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: 23 August 2017 12:02
To: samba at lists.samba.org
Subject: Re: [Samba] Share access problem
On Wed, 23 Aug 2017 11:23:09 -0400 <Sebastien.Boulianne at cpu.ca> wrote:
> Hi Rowland,
> I tried that but it didn't work.
>
> I can list all users using wbinfo -u but it didn't work if I do getent
> passwd <samaccountname>.
>
> Do you have any clues ?
>
wbinfo talks directly to winbind which gets its info directly from AD, so
'wbinfo -u' just shows that winbind is connected to AD.
To get Unix to know who your AD users are, you need to get winbind to map your
users to an ID number and then pass this to nsswitch.
When a user is created in AD, the user's cn is set to the user's
'givenName' and 'sn' e.g. mine is 'CN: Rowland Penny'
My 'sAMAccountName' is 'rowland' i.e. 'givenName' in
lowercase.
This means, as long as smb.conf is created correctly, the libnss_winbind links
are created correctly and PAM is set to use winbind, it should work for all
users. If it only works for some users but not others, then either you are not
using the correct username, they don't have a uidNumber attribute (if using
the 'ad' backend) or the 'DOMAIN' range isn't correct.
A quick way to test the latter, add a '0' to the 'DOMAIN' high
range in smb.conf.
After that, you need to investigate the user's object in AD, you can use
ldapsearch to do this from Unix (provided you have the required permissions,
rights and passwords), failing that get the Windows sysadmins to dump it for
you.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
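
The two server-side causes listed in the reply above (no uidNumber with the 'ad' backend, or a uidNumber outside the 'DOMAIN' range) can be checked offline against a copy of smb.conf. This is an added example, not part of the original thread and not Samba project code; the sample smb.conf, the domain name DOM, the 'tdb' default and the function names are assumptions made for illustration.

```python
import configparser
import re

# Constructed sample [global] section (not taken from the thread).
SAMPLE_SMB_CONF = """
[global]
security = ads
workgroup = DOM
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOM : backend = ad
idmap config DOM : range = 10000-99999
"""

def idmap_settings(conf_text, domain):
    """Return (backend, low, high) from the 'idmap config <domain> : ...' lines."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    cp.read_string(conf_text)
    found = {}
    for key, value in cp["global"].items():   # keys are lower-cased by configparser
        m = re.fullmatch(r"idmap config\s+(\S+)\s*:\s*(\w+)", key)
        if m and m.group(1).lower() == domain.lower():
            found[m.group(2)] = value.strip()
    low, high = (int(n) for n in found["range"].split("-"))
    # Assumption: a domain with no explicit backend line is treated as 'tdb'.
    return found.get("backend", "tdb"), low, high

def diagnose(conf_text, domain, ad_user):
    """Say why winbind would (not) map this AD user to a Unix ID.

    ad_user is a dict of attributes as dumped from AD, e.g. with ldapsearch.
    """
    backend, low, high = idmap_settings(conf_text, domain)
    if backend != "ad":
        return f"ok: '{backend}' backend does not read uidNumber from AD"
    uid = ad_user.get("uidNumber")
    if uid is None:
        return "no uidNumber attribute: the 'ad' backend cannot map this user"
    if not low <= int(uid) <= high:
        return f"uidNumber {uid} is outside the {domain} range {low}-{high}"
    return f"ok: uidNumber {uid} is inside the {domain} range {low}-{high}"

if __name__ == "__main__":
    print(diagnose(SAMPLE_SMB_CONF, "DOM", {"sAMAccountName": "rowland"}))
    print(diagnose(SAMPLE_SMB_CONF, "DOM", {"uidNumber": "150000"}))
```

Widening the high range by one digit, as suggested in the reply, turns the second result into an "ok" line when that was the cause.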
On Fri, 25 Aug 2017 15:11:26 -0400 <Sebastien.Boulianne at cpu.ca> wrote:
> Hi Rowland,
>
> My authentication seems to work (Thanks) but I can see the files
> inside the FTPFiles shares.
>
> I checked:
>
> # ntlm_auth --username="sebastien boulianne" --domain=domain.qc.ca
>
> Password:
>
> NT_STATUS_OK: Success (0x0)
>
> drwsrwxrwx 11 root domain users 4.0K Aug 11 16:46 site
The above shows that you are not using ACLs and that any users should be able
to access, read and write files in 'site'. That is, any users known to Unix
>
> [FTPFiles]
> comment = Files
> path = /glftpd/site
> create mask = 0777
> directory mask = 0777
> valid users = %S
As you aren't using Windows ACLs (and if you are connecting from Windows, you
should) see here:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs
If you decide to use Windows ACLs, see here:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
Rowland
Hi Rowland,
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs
What do you think about that config for the share FTPFiles? Does it have some
directives you would remove?
[FTPFiles]
comment = Files
path = /glftpd/site
guest ok = no
public = no
writable = yes
printable = no
browseable = yes
read only = no
inherit acls = yes
inherit permissions = yes
create mask = 0777
directory mask = 0777
# ?? force create mode = 0660
# ?? force directory mode = 0660
hide unreadable = Yes
hide unwriteable files = Yes
access based share enum = Yes
valid users = DOM\"domain users"
admin users = DOM\"domain admins"
Thanks again.
Sébastien
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: 25 August 2017 15:35
To: samba at lists.samba.org
Subject: Re: [Samba] Share access problem
On Fri, 25 Aug 2017 15:11:26 -0400 <Sebastien.Boulianne at cpu.ca> wrote:
> Hi Rowland,
>
> My authentication seems to work (Thanks) but I can see the files
> inside the FTPFiles shares.
>
> I checked:
>
> # ntlm_auth --username="sebastien boulianne" --domain=domain.qc.ca
>
> Password:
>
> NT_STATUS_OK: Success (0x0)
>
> drwsrwxrwx 11 root domain users 4.0K Aug 11 16:46 site
The above shows that you are not using ACLs and that any users should be able
to access, read and write files in 'site'. That is, any users known to Unix
>
> [FTPFiles]
> comment = Files
> path = /glftpd/site
> create mask = 0777
> directory mask = 0777
> valid users = %S
As you aren't using Windows ACLs (and if you are connecting from Windows, you
should) see here:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs
If you decide to use Windows ACLs, see here:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
Rowland