Really stumped on this issue. I have samba 4.4.7 running on a new
server. Users cannot write to files to which they have write permissions
via group.
Example:
Here's the local filesystem on the samba server. I'm logged in as jmalone
: jmalone@canis; cd /home/www.nrao.edu/content/logs/
: jmalone@canis; ls -l
total 4
-rw-rw-r-- 1 jmalone nraoweb 0 Nov 10 10:02 baz
-rw-rw-r-- 1 pmurphy cvweb 0 Nov 10 11:09 foobar
: jmalone@canis; touch foobar
No problems. Now, let me mount that on my Mac:
: jmalone@agrajag; cd /Volumes/www.nrao.edu/content/logs
: jmalone@agrajag; ls -l
total 2
-rwx------ 1 jmalone nraocv 0 Nov 10 10:02 baz
-rwx------ 1 jmalone nraocv 0 Nov 10 11:09 foobar
-rwx------ 1 jmalone nraocv 44 Nov 13 2006 index.html
: jma...@agrajag.cv; touch foobar
touch: foobar: Permission denied
I can write to 'baz' though.
Here's the log entries from the failed write attempt:
[2016/11/10 10:01:58.250031, 2] ../source3/smbd/open.c:1025(open_file)
jmalone opened file content/logs/foobar read=No write=No (numopen=4)
[2016/11/10 10:01:58.251220, 2] ../source3/smbd/close.c:793(close_normal_file)
jmalone closed file content/logs/foobar (numopen=3) NT_STATUS_NOT_FOUND
[2016/11/10 10:01:58.252517, 2] ../source3/smbd/open.c:1025(open_file)
jmalone opened file content/logs/foobar read=No write=No (numopen=4)
[2016/11/10 10:01:58.253723, 2] ../source3/smbd/close.c:793(close_normal_file)
jmalone closed file content/logs/foobar (numopen=3) NT_STATUS_NOT_FOUND
The listing is weird over cifs too - not sure if that's the source of
problems or a symptom, or a red herring. I also get the same error on a
Windows smb client. I've tried 4.5.1, 4.4.5, and now 4.3.12 and they all
do the same thing. My old server running 4.0 didn't have this issue.
In case it matters, the filesystem being shared via samba is NFS mounted
to the samba server.
Thanks so much,
-Josh
--
--------------------------------------------------------
Joshua Malone Systems Administrator
(jma...@nrao.edu) NRAO Charlottesville
434-296-0263 www.nrao.edu
434-249-5699 (mobile)
--------------------------------------------------------
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Apologies for basically bumping my own thread, but I'm absolutely at my
wits' end trying to figure out this access problem. I've replicated the
issue with and without NFS being involved. On our old 4.0.25 server,
users can write to files that they have group-based write permissions.
On 4.5.x, 4.4.x, and 4.3.x that permission is not being honored.
I would be incredibly grateful for help debugging this issue. I've gone
over level 10 logs and nothing is looking like a smoking gun. Lots of
stuff like:
open_file_ntcreate: fname=logs/foobar, after mapping access_mask=0x20087
[2016/11/14 11:32:30.009669, 4, pid=9336, effective(2310, 2049), real(2310, 0)] ../source3/smbd/open.c:2758(open_file_ntcreate)
calling open_file with flags=0x2 flags2=0x0 mode=0744, access_mask = 0x20087, open_access_mask = 0x20087
[2016/11/14 11:32:30.009702, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:3558(posix_get_nt_acl)
posix_get_nt_acl: called for file logs/foobar
[2016/11/14 11:32:30.009753, 10, pid=9336, effective(2310, 2049), real(2310, 0)] ../source3/passdb/lookup_sid.c:1251(uid_to_sid)
uid 12477 -> sid S-1-22-1-12477
[2016/11/14 11:32:30.009784, 10, pid=9336, effective(2310, 2049), real(2310, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid)
gid 9006 -> sid S-1-22-2-9006
[2016/11/14 11:32:30.009811, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:2724(canonicalise_acl)
canonicalise_acl: Access ace entries before arrange :
[2016/11/14 11:32:30.009831, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:2737(canonicalise_acl)
canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r--
[2016/11/14 11:32:30.009858, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:2737(canonicalise_acl)
canon_ace index 1. Type = allow SID = S-1-22-2-9006 gid 9006 (cvweb) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rw-
[2016/11/14 11:32:30.009981, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:2737(canonicalise_acl)
canon_ace index 2. Type = allow SID = S-1-22-1-12477 uid 12477 (pmurphy) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rw-
[2016/11/14 11:32:30.010484, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:848(print_canon_ace_list)
print_canon_ace_list: canonicalise_acl: ace entries after arrange
canon_ace index 0. Type = allow SID = S-1-22-1-12477 uid 12477 (pmurphy) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rw-
canon_ace index 1. Type = allow SID = S-1-22-2-9006 gid 9006 (cvweb) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rw-
canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r--
but I'll admit I'm not sure what I'm looking for.
On 11/10/16 1:13 PM, Josh Malone via samba wrote:
> Hello,
>
> Really stumped on this issue. I have samba 4.4.7 running on a new
> server. Users cannot write to files to which they have write permissions
> via group.
>
> Example:
>
> Here's the local filesystem on the samba server. I'm logged in as jmalone
>
>
> : jmalone@canis; cd /home/www.nrao.edu/content/logs/
> : jmalone@canis; ls -l
> total 4
> -rw-rw-r-- 1 jmalone nraoweb 0 Nov 10 10:02 baz
> -rw-rw-r-- 1 pmurphy cvweb 0 Nov 10 11:09 foobar
> : jmalone@canis; touch foobar
>
>
> No problems. Now, let me mount that on my Mac:
>
>
> : jmalone@agrajag; cd /Volumes/www.nrao.edu/content/logs
> : jmalone@agrajag; ls -l
> total 2
> -rwx------ 1 jmalone nraocv 0 Nov 10 10:02 baz
> -rwx------ 1 jmalone nraocv 0 Nov 10 11:09 foobar
> -rwx------ 1 jmalone nraocv 44 Nov 13 2006 index.html
> : jma...@agrajag.cv; touch foobar
> touch: foobar: Permission denied
>
> I can write to 'baz' though.
>
Look for an ACCESS_DENIED. Check the token of the smbd
issuing that error. We check the Windows ACL against
the token before allowing the write.
Thank you for that pointer. So, if I take this line for example:
smbd_check_access_rights: file . requesting 0x40 returning 0x40 (NT_STATUS_ACCESS_DENIED)
[2016/11/14 12:49:21.540401, 10, pid=28398, effective(2310, 2049), real(2310, 0)] ../source3/smbd/open.c:179(smbd_check_access_rights)
I see that smbd #28398 is the offending process. I'm not sure what the
"token" is that I'm looking for. Again - sorry for my lack of
familiarity with the internals here. I've *never* had issues like these
with Samba before.
However, I see this bit:
canon_ace index 0. Type = allow SID = S-1-22-1-0 uid 0 (root) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
canon_ace index 1. Type = allow SID = S-1-22-2-0 gid 0 (root) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r-x
My interpretation of this is that Samba thinks that the file GID is 0
and that group write is not allowed. This is not at all what the file
permissions are though. Am I mis-reading this, or is Samba getting
permissions some other way? This is a purely Unix filesystem - there
should be no NTFS ACLs.
Also, the line:
[2016/11/14 12:49:21.964411, 5, pid=28398, effective(2310, 2049), real(2310, 0)] ../libcli/smb/smb2_signing.c:92(smb2_signing_sign_pdu)
How is the real different from the effective on a simple unix file?
Thanks again,
-Josh
I cannot fix this under RHEL6. I've tried every version of samba back to
4.0.
However - I just noticed that this bug DOESN'T occur on samba-gb. What's
the difference? I've tried 2 different systems in CV and the bug occurs.
GB's smb.conf doesn't look very different from what I'm testing with
(colin.cv).
What gives, man?
The token is the list of uids/gids (or SIDs in Windows terms)
that this smbd is using to represent the user right now.
> However, I see this bit:
>
>
> canon_ace index 0. Type = allow SID = S-1-22-1-0 uid 0 (root) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
> canon_ace index 1. Type = allow SID = S-1-22-2-0 gid 0 (root) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
> canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r-x
Looks like a perm set of rwxr-xr-x on the file to me, with
owner and group of root.
> My interpretation of this is that samba things that the file GID is
> 0 and that group write is not allowed. This is not at all what the
> file permissions are though. Am I mis-reading this or is Samba
> getting permissions some other way. This is a purely Unix filesystem
> - there should be no NTFS ACLs.
smbd synthesises NT ACLs from the POSIX perms in order to do
the access checks. Then it checks the open request using the
current process token against the NT ACL to decide whether to
allow access.
> Also, the line:
>
> [2016/11/14 12:49:21.964411, 5, pid=28398, effective(2310, 2049), real(2310, 0)] ../libcli/smb/smb2_signing.c:92(smb2_signing_sign_pdu)
>
> How is the real different from the effective on a simple unix file?
These come from the current uid/gid of the process - constructed
here:
", effective(%u, %u), real(%u, %u)",
(unsigned int)geteuid(), (unsigned int)getegid(),
(unsigned int)getuid(), (unsigned int)getgid());
That line tells you that pid 28398 is currently running with
an effective uid of 2310, and an effective gid of 2049.
They are the values that will be used to check file access.
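Jeremy's advice in this thread (look for the ACCESS_DENIED, then check the token of the smbd that issued it) can be scripted against a level-10 log. The following is an added example written for this thread, not Samba code. It assumes the log layout shown in the messages above: a bracketed header line (timestamp, level, pid, effective/real uid and gid, source location) immediately before each message line. The sample log embedded in it is reassembled from the lines Josh posted, with constructed timestamps.

```python
"""Triage an smbd level-10 log: find NT_STATUS_ACCESS_DENIED checks, read the
pid and the token (effective uid/gid) from the header line before each
message, and attach the canon_ace entries smbd synthesized for the object.
Added illustration for this thread, not Samba code."""

import re
from dataclasses import dataclass, field
from typing import Optional

# Header smbd writes before each message, e.g.
# [2016/11/14 12:49:21.540401, 10, pid=28398, effective(2310, 2049), real(2310, 0)] ../source3/smbd/open.c:179(smbd_check_access_rights)
HEADER = re.compile(
    r"^\[(?P<ts>\S+ \S+), (?P<level>\d+)"
    r"(?:, pid=(?P<pid>\d+), effective\((?P<euid>\d+), (?P<egid>\d+)\),"
    r" real\((?P<ruid>\d+), (?P<rgid>\d+)\))?"
    r"(?:, class=\w+)?\] (?P<where>\S+)$"
)
DENIED = re.compile(
    r"^smbd_check_access_rights: file (?P<file>\S+) requesting 0x(?P<req>[0-9a-fA-F]+)"
    r" returning 0x(?P<rej>[0-9a-fA-F]+) \(NT_STATUS_ACCESS_DENIED\)$"
)
ACL_FOR = re.compile(r"^posix_get_nt_acl: called for file (?P<file>\S+)$")
ACL_FINAL = re.compile(r"^print_canon_ace_list: .*ace entries after arrange$")
CANON = re.compile(
    r"^canon_ace index \d+\. Type = (?P<type>\w+) SID = (?P<sid>S-[\d-]+) "
    r"(?P<who>.*?) (?P<kind>SMB_ACL_\w+) ace_flags = 0x[0-9a-f]+ perms (?P<perms>[rwx-]{3})$"
)


@dataclass
class Denial:
    file: str
    requested: int
    rejected: int          # the 'returning 0x..' value: bits the token lacked
    pid: Optional[int]
    euid: Optional[int]    # the token smbd was impersonating
    egid: Optional[int]
    acl: list = field(default_factory=list)   # (type, sid, who, kind, perms)


def _int(header: dict, key: str) -> Optional[int]:
    return int(header[key]) if header.get(key) else None


def triage(log_text: str) -> list:
    """Single pass over the log. The most recent header line supplies the pid
    and token for the message that follows it."""
    denials, acls = [], {}
    header, acl_file = {}, None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            header = m.groupdict()
            continue
        m = ACL_FOR.match(line)
        if m:
            acl_file = m["file"]
            acls[acl_file] = []
            continue
        if ACL_FINAL.match(line) and acl_file is not None:
            acls[acl_file] = []      # drop the 'before arrange' entries, keep the arranged list
            continue
        m = CANON.match(line)
        if m and acl_file is not None:
            acls[acl_file].append((m["type"], m["sid"], m["who"], m["kind"], m["perms"]))
            continue
        m = DENIED.match(line)
        if m:
            denials.append(Denial(m["file"], int(m["req"], 16), int(m["rej"], 16),
                                  _int(header, "pid"), _int(header, "euid"), _int(header, "egid"),
                                  list(acls.get(m["file"], []))))
    return denials


def report(denials: list) -> list:
    """One line per denial: which token was denied which bits on which object,
    and the owner/group/other ACL smbd had synthesized for it."""
    out = []
    for d in denials:
        acl = ", ".join("%s:%s" % (sid, perms) for _, sid, _, _, perms in d.acl)
        out.append("pid %s token uid=%s gid=%s denied 0x%x (rejected 0x%x) on '%s'; acl: %s"
                   % (d.pid, d.euid, d.egid, d.requested, d.rejected, d.file, acl))
    return out


# Constructed sample: the lines from this thread, put back in header-then-message
# order with made-up timestamps.
SAMPLE_LOG = """\
[2016/11/14 12:49:21.540100, 10, pid=28398, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:3558(posix_get_nt_acl)
posix_get_nt_acl: called for file .
[2016/11/14 12:49:21.540200, 10, pid=28398, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:2737(canonicalise_acl)
canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r-x
[2016/11/14 12:49:21.540300, 10, pid=28398, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:848(print_canon_ace_list)
print_canon_ace_list: canonicalise_acl: ace entries after arrange
canon_ace index 0. Type = allow SID = S-1-22-1-0 uid 0 (root) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
canon_ace index 1. Type = allow SID = S-1-22-2-0 gid 0 (root) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r-x
[2016/11/14 12:49:21.540401, 10, pid=28398, effective(2310, 2049), real(2310, 0)] ../source3/smbd/open.c:179(smbd_check_access_rights)
smbd_check_access_rights: file . requesting 0x40 returning 0x40 (NT_STATUS_ACCESS_DENIED)
"""

if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

Run it against a real log with `triage(open("log.smbd").read())`; each reported line gives the pid to look at and the uid/gid token that pid held when the denial happened, which is exactly what Jeremy asked for.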
Okay - that makes sense. Thank you.
>>
>> canon_ace index 0. Type = allow SID = S-1-22-1-0 uid 0 (root) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
>> canon_ace index 1. Type = allow SID = S-1-22-2-0 gid 0 (root) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
>> canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r-x
>
> Looks like a perm set of rwxr-xr-x on the file to me, with
> owner and group of root.
But the file is not root:root - it's owned by uid 12477 and group 9006.
Why is Samba getting the wrong owner/group for this file?
>
> smbd synthesises NT ACLs from the POSIX perms in order to do
> the access checks. Then it checks the open request using the
> current process token against the NT ACL to decide whether to
> allow access.
>
>> Also, the line:
>>
>> [2016/11/14 12:49:21.964411, 5, pid=28398, effective(2310, 2049), real(2310, 0)] ../libcli/smb/smb2_signing.c:92(smb2_signing_sign_pdu)
>>
>> How is the real different from the effective on a simple unix file?
>
> These come from the current uid/gid of the process - constructed
> here:
>
> ", effective(%u, %u), real(%u, %u)",
> (unsigned int)geteuid(), (unsigned int)getegid(),
> (unsigned int)getuid(), (unsigned int)getgid());
>
> That line tells you that pid 28398 is currently running with
> an effective uid of 2310, and an effective gid of 2049.
>
> They are the values that will be used to check file access.
Okay - so it's getting the right values for my user, but coming up with
the wrong permissions on the file I'm trying to access. Any idea why?
I've been trying to debug this for days now - every build I make on Red
Hat Enterprise 6 does this. However, running Samba under Ubuntu server
behaves correctly in the same AD/NFS environment.
I've found another RHEL6 server here that's not showing the problem, so
I'm going to try to diff the 2 boxes and see what's up.
-Josh
#include <embarrassment.h>
I've tracked the problem down to some squirrely magic in username
mapping. I don't understand it, but the other server had a username map
script that just returns the same thing it was called with 99% of the
time. If I use that script instead of my empty usermap.cfg file, things
work properly. If I leave out the map entirely (no script, no file)
things fail as before.
What does a normal "everything matches on windows and unix" username map
file need to look like?
Thanks again,
> On 11/16/16 8:44 AM, Josh Malone via samba wrote:
>
> I've tracked the problem down to some squirrely magic in username
> mapping. I don't understand it, but the other server had a username
> map script that just returns the same thing it was called with 99% of
> the time. If I use that script instead of my empty usermap.cfg file,
> things work properly. If i leave out the map entirely (no script, no
> file ) things fail as before.
>
> What does a normal "everything matches on windows and unix" username
> map file need to look like?
>
> Thanks again,
>
> -Josh
>
If you are connecting to a Unix domain member, you don't use a
username map, you give your windows users a uidNumber attribute and
they become Unix users as well, provided the Unix domain member is
set up correctly.
Don't remember seeing the smb.conf files you are using, this may help
with your problem.
Rowland
That is the core of your problem. What does the full debug
level 10 log say around this message ?
That is not a helpful response to a request for debug info.
Just sayin' :-) :-).
Nothing that I can see.
In any case, I've resolved my issue. By setting a user map script that
just returns $1, the problem goes away. It's as if samba wasn't
processing the trivial case of unix = windows without this help. I
couldn't even use an empty usermap or find any other usermap setup that
worked. Not sure why.
And I only had to resort to this on my RHEL6 servers. Ubuntu server
handles it just fine without maps or scripts.
On 11/16/16 11:21 AM, Rowland Penny via samba wrote:
>
> If you are connecting to a Unix domain member, you don't use a
> username map, you give your windows users a uidNumber attribute and
> they become Unix users as well, provided the Unix domain member is
> set up correctly.
>
> Don't remember seeing the smb.conf files you are using, this may
> help with your problem.
>
> Rowland
My AD account objects all have uidNumber and gidNumber set (we use that
for the Mac systems bound to AD). And the AD usernames match the NIS
usernames. (the uid/gids match too).
Is there documentation that focuses on the simple "Member server" case
for just serving files to users who exist on both unix and AD? Seems
like most of the docs assume you're using Samba as a DC or something
more magical than a simple file server.
In any case, thanks to all who chimed in on my problem. Very much
appreciated.
-Josh
This is probably why it works on Ubuntu, but not on CentOS: sssd is
probably running on the CentOS machine, but isn't set up correctly.
>
> Is there documentation that focuses on the simple "Member server"
> case for just serving files to users who exist on both unix and AD?
> Seems like most of the docs assume you're using Samba as a DC or
> something more magical than a simple file server.
There isn't really a 'simple member server', the word 'member' means it
is a Domain member and you can read here about them:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
You can leverage that to create a fileserver that authenticates to AD.
Rowland
No, it's not. Apologies.
http://www.cv.nrao.edu/~jmalone/sambalog.txt
I don't think sssd runs by default on CentOS 6 or 7 (in my case it doesn't).
OP: have you tried using winbind in nsswitch.conf on the member servers
with rfc2307 enabled in the smb.conf?
It works for us in both Centos 6 and 7, no issues with UID/GID mapping.
Cheers
Alex
--
This message is intended only for the addressee and may contain
confidential information. Unless you are that person, you may not
disclose its contents or use it in any way and are requested to delete
the message along with any attachments and notify us immediately.
This email is not intended to, nor should it be taken to, constitute advice.
The information provided is correct to our knowledge & belief and must not
be used as a substitute for obtaining tax, regulatory, investment, legal or
any other appropriate advice.
"Transact" is operated by Integrated Financial Arrangements Ltd.
29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300.
(Registered office: as above; Registered in England and Wales under
number: 3727592). Authorised and regulated by the Financial Conduct
Authority (entered on the Financial Services Register; no. 190856).
No - sssd is not on in my system.
>
> OP: have you tried using winbind in nsswitch.conf on the member servers
> with rfc2307 enabled in the smb.conf?
>
> It works for us in both Centos 6 and 7, no issues with UID/GID mapping.
No, I haven't. I'll have to try that. As I stated earlier, I resolved
the issue by implementing a trivial username map script (return $1) but
have never understood why I had the problem in the first place or how
this fixes it.
I'll give winbind a bit more of a look.
>
> Cheers
>
> Alex
Looking at that log I see:
posix_get_nt_acl: called for file .
canon_ace index 0. Type = allow SID = S-1-22-1-0 uid 0 (root) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
canon_ace index 1. Type = allow SID = S-1-22-2-0 gid 0 (root) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r-x
So it's the top-level directory of the share
/data/test
that is root.root rwxr-xr-x
Can you check that ?
The open request fails with:
smbd_check_access_rights: file . requesting 0x40 returning 0x40 (NT_STATUS_ACCESS_DENIED)
0x40 is SEC_DIR_DELETE_CHILD, which is seeing if a file in that
directory can be deleted. As you're not root, that open fails
(you don't have 'w' access).
Hope this helps.
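To make Jeremy's two explanations in this thread concrete (smbd synthesizes an NT ACL from the POSIX permissions and checks the process token against it; 0x40 is SEC_DIR_DELETE_CHILD, which the share root only grants to a token with 'w' on the directory), here is an added Python model written for this thread. It is not Samba's code: the rights each r/w/x bit maps to are a simplified version of what source3/smbd/posix_acls.c does (everyone is assumed to get READ_CONTROL and SYNCHRONIZE), class selection follows the POSIX owner/group/other rule the synthesized ACL is meant to reproduce, the NT access-mask bit values are the standard ones, and the token's group list is an assumption pieced together from what Josh says (uid 2310, primary gid 2049, member of 9004 and 9006).

```python
"""Model of smbd's open-time access check: synthesize the three canon_ace
entries from POSIX mode bits, pick the one that applies to the token, and
compare it with the requested access mask. Added illustration for this
thread; simplified, not Samba's code (the real map is in
source3/smbd/posix_acls.c)."""

from dataclasses import dataclass

# Standard NT access-mask bits.
FILE_READ_DATA        = 0x00000001   # FILE_LIST_DIRECTORY on a directory
FILE_WRITE_DATA       = 0x00000002   # FILE_ADD_FILE on a directory
FILE_APPEND_DATA      = 0x00000004   # FILE_ADD_SUBDIRECTORY on a directory
FILE_READ_EA          = 0x00000008
FILE_WRITE_EA         = 0x00000010
FILE_EXECUTE          = 0x00000020   # FILE_TRAVERSE on a directory
FILE_DELETE_CHILD     = 0x00000040   # SEC_DIR_DELETE_CHILD in smbd's terms
FILE_READ_ATTRIBUTES  = 0x00000080
FILE_WRITE_ATTRIBUTES = 0x00000100
DELETE                = 0x00010000
READ_CONTROL          = 0x00020000
WRITE_DAC             = 0x00040000
WRITE_OWNER           = 0x00080000
SYNCHRONIZE           = 0x00100000

_NAMES = {
    FILE_READ_DATA: "FILE_READ_DATA", FILE_WRITE_DATA: "FILE_WRITE_DATA",
    FILE_APPEND_DATA: "FILE_APPEND_DATA", FILE_READ_EA: "FILE_READ_EA",
    FILE_WRITE_EA: "FILE_WRITE_EA", FILE_EXECUTE: "FILE_EXECUTE",
    FILE_DELETE_CHILD: "FILE_DELETE_CHILD", FILE_READ_ATTRIBUTES: "FILE_READ_ATTRIBUTES",
    FILE_WRITE_ATTRIBUTES: "FILE_WRITE_ATTRIBUTES", DELETE: "DELETE",
    READ_CONTROL: "READ_CONTROL", WRITE_DAC: "WRITE_DAC",
    WRITE_OWNER: "WRITE_OWNER", SYNCHRONIZE: "SYNCHRONIZE",
}


def decode_mask(mask: int) -> list:
    """Name the bits of an access mask, e.g. the 0x20087 open_file_ntcreate logged."""
    names = [name for bit, name in sorted(_NAMES.items()) if mask & bit]
    leftover = mask & ~sum(_NAMES)
    if leftover:
        names.append("UNKNOWN(0x%x)" % leftover)
    return names


def _rights_for(bits: int, is_dir: bool) -> int:
    """Map one rwx triple (0-7) to NT rights. Modelling assumptions: everyone
    gets READ_CONTROL|SYNCHRONIZE, and 'w' on a directory carries
    FILE_DELETE_CHILD, the bit the 0x40 request in the log asked for."""
    rights = READ_CONTROL | SYNCHRONIZE
    if bits & 4:
        rights |= FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES
    if bits & 2:
        rights |= FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES
        if is_dir:
            rights |= FILE_DELETE_CHILD
    if bits & 1:
        rights |= FILE_EXECUTE
    return rights


@dataclass
class Ace:
    sid: str     # S-1-22-1-<uid> Unix user, S-1-22-2-<gid> Unix group, S-1-1-0 world
    kind: str    # SMB_ACL_USER_OBJ / SMB_ACL_GROUP_OBJ / SMB_ACL_OTHER, as canonicalise_acl prints
    perms: str   # rwx string as printed in the log
    mask: int


@dataclass(frozen=True)
class Token:
    """The uid/gids smbd impersonates: effective(2310, 2049) in the log."""
    uid: int
    gid: int
    groups: frozenset = frozenset()   # supplementary gids


def synthesize_acl(mode: int, uid: int, gid: int, is_dir: bool) -> list:
    """The three entries the log prints 'after arrange': owner, group, other."""
    entries = [
        ("S-1-22-1-%d" % uid, "SMB_ACL_USER_OBJ", (mode >> 6) & 7),
        ("S-1-22-2-%d" % gid, "SMB_ACL_GROUP_OBJ", (mode >> 3) & 7),
        ("S-1-1-0", "SMB_ACL_OTHER", mode & 7),
    ]
    rwx = lambda b: "".join(c if b & v else "-" for c, v in (("r", 4), ("w", 2), ("x", 1)))
    return [Ace(sid, kind, rwx(b), _rights_for(b, is_dir)) for sid, kind, b in entries]


def granted_mask(acl: list, token: Token, file_uid: int, file_gid: int) -> int:
    """POSIX class selection: owner entry if the token's uid matches, else the
    group entry if the file's gid is in the token, else other. root bypasses."""
    if token.uid == 0:
        return 0xFFFFFFFF
    if token.uid == file_uid:
        return acl[0].mask
    if file_gid == token.gid or file_gid in token.groups:
        return acl[1].mask
    return acl[2].mask


def check_access(mode, uid, gid, is_dir, token, requested):
    """(allowed, names of requested bits the token lacks). The missing bits are
    what smbd_check_access_rights logs as 'returning 0x..' on a denial."""
    acl = synthesize_acl(mode, uid, gid, is_dir)
    rejected = requested & ~granted_mask(acl, token, uid, gid)
    return rejected == 0, decode_mask(rejected)


def thread_scenarios() -> dict:
    """Replay the situations in this thread with the assumed token."""
    token = Token(uid=2310, gid=2049, groups=frozenset({2049, 9004, 9006}))
    return {
        # open_file_ntcreate asked for 0x20087 on logs/foobar (0664, pmurphy:cvweb)
        "foobar": check_access(0o664, 12477, 9006, False, token, 0x20087),
        # the share root as smbd saw it: root:root rwxr-xr-x, DELETE_CHILD requested
        "dot_as_logged": check_access(0o755, 0, 0, True, token, FILE_DELETE_CHILD),
        # the share root as it is on disk: uid 2310, gid 9004, mode 2775
        "dot_on_disk": check_access(0o2775, 2310, 9004, True, token, FILE_DELETE_CHILD),
    }


if __name__ == "__main__":
    print("0x20087 =", decode_mask(0x20087))
    for name, (ok, missing) in thread_scenarios().items():
        print(name, "allowed" if ok else "denied, missing %s" % missing)
```

The model reproduces the thread's two observations: the write request on foobar passes once the token carries gid 9006, and the 0x40 request on "." fails as soon as smbd believes the directory is root:root 755, because the only entry that then applies to uid 2310 is the "other" one, which has no 'w' and therefore no FILE_DELETE_CHILD.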
>
> >> My AD account objects all have uidNumber and gidNumber set (we use
> >> that for the Mac systems bound to AD). And the AD usernames match
> >> the NIS usernames. (the uid/gids match too).
> > This is probably why it works on Ubuntu, but not on Centos, sssd is
> > probably running on the Centos machine, but isn't setup correctly.
> >
>
> sssd I don't think runs by default on Centos 6 or 7 (in my case it
> doesn't).
OK, but this could still be where the problem lies, well sort of ;-)
If winbind is running on Ubuntu, but not on the DC, then this could
well be the problem.
Rowland
>>
>> http://www.cv.nrao.edu/~jmalone/sambalog.txt
>
> Looking at that log I see:
>
> posix_get_nt_acl: called for file .
>
> canon_ace index 0. Type = allow SID = S-1-22-1-0 uid 0 (root) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
> canon_ace index 1. Type = allow SID = S-1-22-2-0 gid 0 (root) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
> canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r-x
>
> So it's the top-level directory of the share
> /data/test
>
> that is root.root rwxr-xr-x
>
> Can you check that ?
Nope - that directory is uid 2310, group 9004. I'm in group 9004. How
can samba be getting that wrong?
> The open request fails with:
>
> smbd_check_access_rights: file . requesting 0x40 returning 0x40 (NT_STATUS_ACCESS_DENIED)
>
> 0x40 is SEC_DIR_DELETE_CHILD, which is seeing if a file in that
> directory can be deleted. As you're not root, that open fails
> (you don't have 'w' access).
>
> Hope this helps.
Okay - I understand how to read the logs a bit better now. Still baffled
at samba not getting file acls correct though.
-Josh
> On 11/17/16 2:06 PM, Alex Crow via samba wrote:
> >
> >>> My AD account objects all have uidNumber and gidNumber set (we use
> >>> that for the Mac systems bound to AD). And the AD usernames match
> >>> the NIS usernames. (the uid/gids match too).
> >> This is probably why it works on Ubuntu, but not on Centos, sssd is
> >> probably running on the Centos machine, but isn't setup correctly.
> >>
> >
> > sssd I don't think runs by default on Centos 6 or 7 (in my case it
> > doesn't).
>
> No - sssd is not on in my system.
>
> >
> > OP: have you tried using winbind in nsswitch.conf on the member
> > servers with rfc2307 enabled in the smb.conf?
> >
> > It works for us in both Centos 6 and 7, no issues with UID/GID
> > mapping.
>
> No, I haven't. I'll have to try that. As I stated earlier, I resolved
> the issue my implementing a trivial username map script (return $1)
> but have never understood why I had the problem in the first place or
> how this fixes it.
>
> I'll give winbind a bit more of a look.
>
From my understanding you seem to have Mac and Windows clients and are
using the Samba machine as a fileserver. If the windows machines are
joined to a domain, then you will probably be better off joining the
Samba machine to the domain, this way you will not need the user map.
It might help if you could explain your setup, if it is different
from the above and a copy of your smb.conf would help as well.
Rowland
Don't know - there wasn't enough of the log to tell. However,
that's what the POSIX ACL code was returning for the file
owner/group.
Didn't even consider that as a possibility (I saw the words "member
server", which implied to me that the server was already joined). TBH I now
have no idea what the OP's setup is...
Alex
Sorry - I should have posted this from the beginning.
http://www.cv.nrao.edu/~jmalone/smb.conf
The samba server is joined to our AD domain. testjoin reports that the
join is okay and authentication is working properly. The samba server is
*also* joined to our NIS domain from which it gets the unix users.
Usernames match between unix and AD. All accounts have uidNumber and
gidNumber set correctly in AD (although it wasn't always like this; only
recently did I implement this with a nightly script that copies the id
numbers into AD).
The smb.conf I posted is the one which exhibits the problem with
group-writable files. By commenting the username map and uncommenting
the username map script, the problem goes away. The mapusers.sh script
just echoes $1. The usermap.cfg map file is empty. I've also tried
removing that config line entirely - problem remains.
The share I used for testing is:
[www.nrao.edu]
comment = www.nrao.edu Web Content
path = /home/www.nrao.edu
public = no
writable = yes
browsable = yes
create mask = 664
directory mask = 2775
Level 10 debug log is here, in its entirety this time:
http://www.cv.nrao.edu/~jmalone/log.agrajag
It's a Mac client running 10.11.something.
-Josh
OK, can I suggest you stop using either a usermap or a userscript. Try
setting up your domain member correctly see here:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
and here:
https://wiki.samba.org/index.php/Idmap_config_ad
As you have Mac clients, it might be a good idea to use vfs_fruit, try
reading 'man vfs_fruit'
Set up correctly, you won't have Windows, Mac and Unix users, you will
just have AD users.
Rowland
With no usermap file or script, the behavior is the same: can't write to
files you should be able to based on group membership.
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> and here:
>
> https://wiki.samba.org/index.php/Idmap_config_ad
I thought my setup was almost that, with the exception of getting unix
users from NIS instead of winbindd. Would that not work?
> As you have Mac clients, it might be a good idea to use vfs_fruit, try
> reading 'man vfs_fruit'
I'm not sure this will get us anything, particularly since Mac users
have to share files with Linux users in almost all of our workflows.
> Set up correctly, you won't have Windows, Mac and Unix users, you will
> just have AD users.
Well - that might just be my complication then: We have separate
directories for Windows and Unix. They both contain the same users and
have the same uid/gid numbers, but there are two directories.
>
> Rowland
>
Thanks again,
-Josh
> On 11/18/16 9:53 AM, Rowland Penny via samba wrote:
> >
> > OK, can I suggest you stop using either a usermap or a userscript.
> > Try setting up your domain member correctly see here:
>
> With no usermap file or script, the behavior is the same: can't write
> to files you should be able to based on group membership.
>
> >
> > https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
> >
> > and here:
> >
> > https://wiki.samba.org/index.php/Idmap_config_ad
>
> I thought my setup was almost that, with the exception of getting
> unix users from NIS instead of winbindd. Would that not work?
>
>
> > As you have Mac clients, it might be a good idea to use vfs_fruit,
> > try reading 'man vfs_fruit'
>
> I'm not sure this will get us anything, particularly since Mac users
> have to share files with Linux users in almost all of our workflows.
>
>
> > Set up correctly, you won't have Windows, Mac and Unix users, you will
> > just have AD users.
>
> Well - that might just be my complication then: We have separate
> directories for Windows and Unix. They both contain the same users
> and have the same uid/gid numbers, but there are two directories.
>
> >
> > Rowland
> >
>
> Thanks again,
>
> -Josh
>
OK, you have Windows users stored in AD, these use SID-RIDs, but by
adding uidNumber attributes to the windows users, they become Unix
users as well, there is no need to have two directories. You would end
up with one user with one password being available on windows and Unix.
At the moment, you seem to have users stored in multiple places, with,
I take it, the same (or possibly even worse, different) password(s)
stored in multiple places.
What goes for users also goes for groups: groups and group members
stored in AD and used everywhere.
Rowland