Re: [Samba] ACLS without winbind (but WITH correct user mapping)

2012-07-04 Thread Colin Fowler

On 26/06/12 11:54, Colin Fowler wrote:

On 26/06/12 06:48, Andrew Bartlett wrote:

On Fri, 2012-06-22 at 16:11 +0100, Colin Fowler wrote:

On 21/06/12 17:50, Jeremy Allison wrote:

On Thu, Jun 21, 2012 at 05:50:45PM +0100, Colin Fowler wrote:

Note the DOMAIN and not Unix User. Clicking apply simply makes the
new entry disappear.

If username mapping is working correctly, why does adding an ACL for
DOMAIN\nigel not set an ACL for Unix User\nigel?

I'm not sure username mapping is being done in that
codepath. This is designed to work (and normally tested
with) winbindd.

Jeremy.

I've done some poking and I've found an answer as to why it won't work
with username to username mapping. Quite simply, the client doesn't ask
samba to apply an ACL to a username. It is instead asked to apply it to
an SID

[2012/06/22 15:22:10.495700,  0]
smbd/posix_acls.c:1735(create_canon_ace_lists)
create_canon_ace_lists: unable to map SID
S-1-5-21-2516220118-3886572273-1107914255-8269 to uid or gid.
[2012/06/22 15:22:10.498944, 10] smbd/posix_acls.c:3412(posix_get_nt_acl)
posix_get_nt_acl: called for file test2/New Text Document.txt

I'm not running winbind so samba can't map the SID to a UID.

All is not lost though!

net -P ads sid S-1-5-21-2516220118-3886572273-1107914255-8269 works
correctly.

I can obviously grep the username/groupname out of there and use id to
turn it into a valid unix uid or gid

A simple script could do this easily if I add some code to
source3/smbd/posix_acls.c and add an option such as username sid map
script = to the smb.conf.

Is this completely nuts or would a patch like this be accepted?

This would essentially be the same as running winbindd and using
idmap_nss as I understand it.

We wrote winbindd for a purpose, and it handles many of the important
tasks of being in an AD domain.  We do support not running it, but it is
a degraded mode.

Andrew Bartlett



Thanks Andrew,
I'll take a good look at idmap_nss now.




For the last week we've trialled idmap_nss and so far everything seems 
to be working great! Thanks for all the suggestions. Our last problem is 
with Dreamweaver CS6 not being able to save files (when notepad can!), 
but we're debugging that now :)


regards,
  Colin


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] ACLS without winbind (but WITH correct user mapping)

2012-06-22 Thread Colin Fowler

On 21/06/12 17:50, Jeremy Allison wrote:

On Thu, Jun 21, 2012 at 05:50:45PM +0100, Colin Fowler wrote:

Note the DOMAIN and not Unix User. Clicking apply simply makes the
new entry disappear.

If username mapping is working correctly, why does adding an ACL for
DOMAIN\nigel not set an ACL for Unix User\nigel?

I'm not sure username mapping is being done in that
codepath. This is designed to work (and normally tested
with) winbindd.

Jeremy.


Am I correct in thinking that this is something that would be desirable 
for others and not just me and my rather oddball configuration? For 
people using standalone servers, NSS/LDAP etc and any other places where 
winbind is not used, this would be a rather useful feature, no?


I might actually do some hacking on this myself. Any pointers as to 
where in the code I should dive in?


regards,
Colin


Re: [Samba] ACLS without winbind (but WITH correct user mapping)

2012-06-22 Thread Colin Fowler

On 22/06/12 11:46, steve wrote:

On 22/06/12 11:41, Colin Fowler wrote:

On 21/06/12 17:50, Jeremy Allison wrote:

On Thu, Jun 21, 2012 at 05:50:45PM +0100, Colin Fowler wrote:




Am I correct in thinking that this is something that would be desirable
for others and not just me and my rather oddball configuration? For
people using standalone servers, NSS/LDAP etc and any other places where
winbind is not used, this would be a rather useful feature, no?



Hi Colin, Hi Jeremy
I don't think it's so oddball. We also use nss for our rfc2307 
mappings from the S4 directory for Linux clients joined to the domain. 
It works perfectly via NFS to Linux but acls on shares on s3fs between 
Linux and windows are not quite right.


Colin: Are you talking about setting an acl on windows and it being 
honoured by Linux and vice versa?


Jeremy: are you saying that acl mappings 'both ways' only work with 
winbind?


If so, a big +1 from me to get the 'both' ways working. Very 
desirable. Maybe this will get easier when we can put stuff like 
create mode= and force group= in smb.conf.


Cheers,
Steve


Hi Steve, yes, I'd like users to be able to set an ACL in Windows for a 
domain user and for it to be honoured in Linux for the mapped Unix user. 
Currently if I set an ACL in Linux for the Unix user, it actually 
appears correctly in the security dialog box on windows. I just can't 
set a new ACL from Windows.


regards,
Colin






Re: [Samba] ACLS without winbind (but WITH correct user mapping)

2012-06-22 Thread Colin Fowler

On 22/06/12 12:22, steve wrote:

On 22/06/12 12:50, Colin Fowler wrote:

On 22/06/12 11:46, steve wrote:

On 22/06/12 11:41, Colin Fowler wrote:

On 21/06/12 17:50, Jeremy Allison wrote:

On Thu, Jun 21, 2012 at 05:50:45PM +0100, Colin Fowler wrote:




Am I correct in thinking that this is something that would be
desirable for others and not just me and my rather oddball configuration? For
people using standalone servers, NSS/LDAP etc and any other places where
winbind is not used, this would be a rather useful feature, no?



Hi Colin, Hi Jeremy
I don't think it's so oddball. We also use nss for our rfc2307
mappings from the S4 directory for Linux clients joined to the domain.
It works perfectly via NFS to Linux but acls on shares on s3fs between
Linux and windows are not quite right.

Colin: Are you talking about setting an acl on windows and it being
honoured by Linux and vice versa?

Jeremy: are you saying that acl mappings 'both ways' only work with
winbind?

If so, a big +1 from me to get the 'both' ways working. Very
desirable. Maybe this will get easier when we can put stuff like
create mode= and force group= in smb.conf.

Cheers,
Steve


Hi Steve, yes, I'd like users to be able to set an ACL in Windows for a
domain user and for it to be honoured in Linux for the mapped Unix user.
Currently if I set an ACL in Linux for the Unix user, it actually
appears correctly in the security dialog box on windows. I just can't
set a new ACL from Windows.

regards,
Colin





Hi Colin
That's interesting. I have a bugzilla open on something similar:

https://bugzilla.samba.org/show_bug.cgi?id=8938

So, when a user creates a file, e.g. in his home folder in windows, do 
the acl and permissions appear correct back on the fileserver or when 
the same file is viewed on a Linux client?


Cheers,
Steve



Hi Steve, I'm running Samba 3.6.5 currently, not 4.0 and I'm running 
without winbind. When a user in windows (DOMAIN\bob) creates a file, it 
appears on linux as owned by the unix user bob. There's no acls on the 
file, just a file with the ownerships of bob and bob's primary group 
(staff). If on Linux I add an ACL for the user tom via setfacl, I can 
see the user tom in the security list in Windows as (Unix User\tom). 
What I can't do is add ACLs from windows.



Colin


Re: [Samba] ACLS without winbind (but WITH correct user mapping)

2012-06-22 Thread Colin Fowler

On 21/06/12 17:50, Jeremy Allison wrote:

On Thu, Jun 21, 2012 at 05:50:45PM +0100, Colin Fowler wrote:

Note the DOMAIN and not Unix User. Clicking apply simply makes the
new entry disappear.

If username mapping is working correctly, why does adding an ACL for
DOMAIN\nigel not set an ACL for Unix User\nigel?

I'm not sure username mapping is being done in that
codepath. This is designed to work (and normally tested
with) winbindd.

Jeremy.
I've done some poking and I've found an answer as to why it won't work 
with username to username mapping. Quite simply, the client doesn't ask 
samba to apply an ACL to a username. It is instead asked to apply it to 
an SID


[2012/06/22 15:22:10.495700,  0] 
smbd/posix_acls.c:1735(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID 
S-1-5-21-2516220118-3886572273-1107914255-8269 to uid or gid.

[2012/06/22 15:22:10.498944, 10] smbd/posix_acls.c:3412(posix_get_nt_acl)
  posix_get_nt_acl: called for file test2/New Text Document.txt

I'm not running winbind so samba can't map the SID to a UID.

All is not lost though!

net -P ads sid S-1-5-21-2516220118-3886572273-1107914255-8269 works 
correctly.


I can obviously grep the username/groupname out of there and use id to 
turn it into a valid unix uid or gid


A simple script could do this easily if I add some code to 
source3/smbd/posix_acls.c and add an option such as username sid map 
script = to the smb.conf.


Is this completely nuts or would a patch like this be accepted?


regards,
Colin



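The SID-to-uid/gid lookup script proposed in the message above, written out as an added example (it is not code from the thread or from Samba): it rejects anything that is not a well-formed SID before handing it to net, parses the attribute dump that net ads sid is assumed to print, and resolves the account name through the local passwd/group tables. The dump format, the lookup/uid_of/gid_of hooks and the sample dumps and fake NSS table are assumptions constructed for the offline demo.

```python
import re
import subprocess
import pwd
import grp
# Only a well-formed SID is ever passed on to 'net'; anything else is rejected.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,15}$")

def run_net_ads_sid(sid):
    # Argument list, no shell: the SID is never interpreted by a shell.
    proc = subprocess.run(["net", "-P", "ads", "sid", sid],
                          capture_output=True, text=True, check=True)
    return proc.stdout

def parse_attr_dump(output):
    # Assumption: 'net ads sid' prints the matched object as 'attr: value' lines.
    name, classes = None, set()
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "samaccountname":
            name = value.strip()
        elif sep and key.strip().lower() == "objectclass":
            classes.add(value.strip().lower())
    return name, classes

def sid_to_unix_id(sid, lookup=run_net_ads_sid,
                   uid_of=lambda n: pwd.getpwnam(n).pw_uid,
                   gid_of=lambda n: grp.getgrnam(n).gr_gid):
    """('uid', n) or ('gid', n) for an AD SID via local NSS, else None."""
    if not SID_RE.match(sid):
        return None
    name, classes = parse_attr_dump(lookup(sid))
    if not name:
        return None
    try:  # object exists in AD, but there may be no matching Unix account
        if "group" in classes:
            return ("gid", gid_of(name))
        return ("uid", uid_of(name))
    except KeyError:
        return None

# Constructed dumps and a fake NSS table so the mapping can run offline.
USER_DUMP = "Got 1 replies\n\nobjectClass: user\nsAMAccountName: nigel\n"
GROUP_DUMP = "Got 1 replies\n\nobjectClass: group\nsAMAccountName: staff\n"
FAKE_NSS = {"nigel": 1005, "staff": 2001}

def demo(dump, sid="S-1-5-21-2516220118-3886572273-1107914255-8269"):
    """Map the SID from the thread using a constructed dump and fake table."""
    return sid_to_unix_id(sid, lookup=lambda s: dump,
                          uid_of=FAKE_NSS.__getitem__, gid_of=FAKE_NSS.__getitem__)
```

On a real server the defaults are used: sid_to_unix_id(sid) runs net and consults pwd/grp, returning None for a SID with no local counterpart, which is exactly the case smbd currently logs as "unable to map SID".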


[Samba] ACLS without winbind (but WITH correct user mapping)

2012-06-21 Thread Colin Fowler
Thanks to some of the guys on #samba-technical (obnox in particular!), I 
now have a working samba configuration.


The environment:

In our setup each user has an entry in both openldap (no samba schemes) 
and AD. Each account has the same name and even has a Unix UID entry in 
AD. Our users ssh into Linux boxes, authenticating off of openldap. 
Files are shared via samba.
Due to the account duplication the config I use has NO winbind. Instead 
the username map script option is used with echo

username map script = echo
A rather simple but beautiful solution thanks to the IRC lads. User bob 
auths via AD, the AD username is mapped to unix username and file 
permissions work perfectly.


ACLS:
The filesystem supports ACLS. When I view the security tab on a Windows 
7 client, I see the user permissions as following


Everyone
bob (Unix User\bob)
staff (Unix Group\staff)


If I add an acl for tom on the unix server via setfacl I then see

Everyone
bob (Unix User\bob)
tom (Unix User\tom)
staff (Unix Group\staff)

Great!

Attempting to add a user to the ACLs from the windows side fails however.
I click edit, then add and type in a username
In the box I now have

bob (Unix User\bob)
tom (Unix User\tom)
nigel (DOMAIN\nigel)
staff (Unix Group\staff)

Note the DOMAIN and not Unix User. Clicking apply simply makes the new 
entry disappear.


If username mapping is working correctly, why does adding an ACL for 
DOMAIN\nigel not set an ACL for Unix User\nigel?



Any help appreciated!

Colin



[Samba] User cannot get into own directory with 700 permissions

2012-06-15 Thread Colin Fowler
If I create a directory with 700 permissions owned by me with the group 
set to my primary group I *cannot* get into the directory from my 
windows machine. I can of course get into it from unix


If however I set the mode to 740, I can get into it from windows

Samba version is 3.6.5 running on Debian squeeze and is installed from 
the backports repository. Below is a snippet of the log file at log 
level 5 from when I try to access the directory 700_dir_cfowler_staff


any help much appreciated!


[2012/06/15 10:24:25.700630,  3] smbd/process.c:1467(switch_message)
  switch message SMBntcreateX (pid 5978) conn 0x7fab011282a0
[2012/06/15 10:24:25.700932,  4] smbd/uid.c:351(change_to_user)
  Skipping user change - already user
[2012/06/15 10:24:25.701045,  5] smbd/filename.c:257(unix_convert)
  unix_convert called on file test2/700_dir_cfowler_staff
[2012/06/15 10:24:25.701178,  5] smbd/files.c:126(file_new)
  allocated file structure 10381, fnum = 14477 (3 used)
[2012/06/15 10:24:25.701296,  3] smbd/dosmode.c:159(unix_mode)
  unix_mode(test2/700_dir_cfowler_staff) returning 0740
[2012/06/15 10:24:25.701445,  4] smbd/open.c:2069(open_file_ntcreate)
  calling open_file with flags=0x0 flags2=0x0 mode=0740, access_mask = 
0x81, open_access_mask = 0x81

[2012/06/15 10:24:25.701655,  5] smbd/files.c:464(file_free)
  freed files structure 14477 (2 used)
[2012/06/15 10:24:25.701770,  5] smbd/open.c:2597(open_directory)
  open_directory: opening directory test2/700_dir_cfowler_staff, 
access_mask = 0x81, share_access = 0x7 create_options = 0x0, 
create_disposition = 0x1, file_attributes = 0x10

[2012/06/15 10:24:25.701960,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/error.c(161) cmd=162 (SMBntcreateX) 
NT_STATUS_ACCESS_DENIED


[global]
workgroup = FOO
realm = FOO.BAR.COM
interfaces = eth0, lo
bind interfaces only = Yes
security = DOMAIN
log file = /var/log/samba/samba.log.%m
unix extensions = No
idmap config * : backend = tdb
wide links = Yes
log level = 5
[homes]
comment = Home directories (%h)
read only = No
create mask = 0750
browseable = No


[Samba] Non primary group permissions not working

2011-11-04 Thread Colin Fowler
Hi, I'm having a major problem here. We are running Samba 3.5.11 on 
Debian Squeeze. Authentication is via ADS


When I create a directory with group rwx access I cannot access that 
directory through Windows or smbclient unless that group is my primary 
group. If I'm a member of the group (but it's not my primary), I can't 
access it.


If I ssh to the server it works AOK


Here's me and my groups on the samba server

cfowler@staffpgstore:~$ id -Gn
staff sss scssadmin scssunixadmin BUILTIN\users

Here's my testcase.

$ ls -ld testcase/
drwxrwx--- 2 wwwowner scssadmin 4096 Nov  4 09:28 testcase/

I can easily access this directory as a user on the server. This makes 
sense as I'm in the scssadmin group.



Here's what happens when I try to get in via smbclient from a Linux 
workstation



$ smbclient //staffpgstore/cfowler -U itserv/cfowler
Enter itserv/cfowler's password:
Domain=[ITSERV] OS=[Unix] Server=[Samba 3.5.11]
smb: \ cd testcase
smb: \testcase\ dir
NT_STATUS_ACCESS_DENIED listing \testcase\*

64507 blocks of size 33553920. 50979 blocks available



Attempting to access the directory in Windows gives me Windows cannot 
access. You do not have permission



Here's my smb.conf


[global]
workgroup = ITSERV
realm = ITSERV.SCSS.TCD.IE
security = ADS
password server = zeus.itserv.scss.tcd.ie
log level = 3 passdb:10 auth:10 winbind:10 vfs:10 idmap:10 acls:10
log file = /var/log/samba/samba.log.%m
unix extensions = No
idmap uid = 900 - 999
idmap gid = 900 - 999
winbind cache time = 5
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = Yes
idmap alloc config: range = 1000-40
idmap config ITSERV: range = 1000-40
idmap config ITSERV: schema_mode = rfc2307
idmap config ITSERV: backend = ad
admin users = administrator
wide links = Yes

[homes]
comment = Home directories (%h)
read only = No
create mask = 0700
inherit acls = Yes
browseable = No




ANY help at all would be much appreciated. I'm pulling my hair out here!
