RE: [Samba] Samba and unix permissions mismatch

2006-08-01 Thread Gutholm, James
Our DCs are Win2003 but we dealt with the same problem on Linux member servers.

We use filesystem ACLs to control access. The owner/group of a shared directory 
is nobody:nobody.

The default ACL is:
default:user::rwx
default:group::---
default:other::---

plus numerous
default:group::rwx
entries, one for each group.

The reason for the group::--- is because the primary group is "Domain Users" 
and we want to make sure that files don't default to allowing access to this 
group.

-James

> -Original Message-
> On Behalf Of Björn Lindqvist
> Sent: Tuesday, August 01, 2006 6:30 AM
> To: samba@lists.samba.org
> Subject: [Samba] Samba and unix permissions mismatch
> 
> 
> I have just managed to get my first Samba/LDAP PDC up and running. But
> I have one big security problem -- users logging in to the PDC using
> ssh can access all shares.
> 
> User credentials, both for ssh login and for Samba access, are retrieved
> from the LDAP directory. All shares are stored in the /var/lib/samba
> directory. The directories' permissions look like this:
> 
> drwxrwx---  2 root Domain Users 4096 25 jul 15.11 Common
> drwxrwx---  2 root Domain Users 4096 13 jun 16.59 Customers
> drwxrwx---  2 root Domain Users 4096 13 jun 16.32 Sales
> ... and so on.
> 
> Each share is owned by root in the "Domain Users" group. In the Unix
> world, each directory can only be owned by one user in one group. But
> in the Samba world, directories and shares aren't owned by any
> single group, instead a number of groups have access to the directory
> or share. That is why the shares have to be owned by the Unix group
> "Domain Users," which is a meta group in which all users of the PDC
> belong.
> 
> Obviously, this arrangement isn't very nice. Every user that logs in
> via ssh can access all shares. Yet all shares need to be owned by the
> group "Domain Users", otherwise some groups of users can't access some
> shares. The Sales share, for example, should really be owned by both
> the Managers and the Accountants groups.
> 
> So how do I fix this? There doesn't seem to be any easy way.
> 
> Thanks in advance.
> 
> --
> Mvh Björn Lindqvist
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
> 
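An added example (not from either post) of the layout James describes, in POSIX shell: a share directory owned by nobody:nobody whose owning-group and "other" entries are closed, with one named-group entry per authorised group, applied as both the access and the default ACL, plus an audit that reads getfacl output and flags a share whose owning-group or "other" entry grants anything. The group names, the path and the sample getfacl output are constructed; applying the ACL assumes root, the acl tools and a filesystem mounted with ACL support.

```shell
# Added example (not from the list posts). Builds the ACL layout described
# above: owning group and "other" closed, one named-group entry per group.
# Group names and the sample getfacl output below are constructed.

# Print a setfacl entry list for the given groups. Quote names that contain
# spaces (e.g. "Network Services GG"); setfacl splits entries on commas.
acl_spec() {
    spec="u::rwx,g::---,o::---"
    for grp in "$@"; do
        spec="$spec,g:$grp:rwx"
    done
    printf '%s\n' "$spec"
}

# Apply the spec to a share directory as its access ACL and as its default
# ACL (inherited by new files and subdirectories). Needs root, the acl
# tools and a filesystem mounted with acl support. A later chmod rewrites
# the mask entry, so adjust the share with setfacl rather than chmod.
secure_share() {
    dir=$1; shift
    spec=$(acl_spec "$@")
    chown nobody:nobody "$dir"
    setfacl -m "$spec" "$dir"
    setfacl -d -m "$spec" "$dir"
}

# Audit: read getfacl output on stdin; return 1 if the owning-group or
# "other" entry (access or default) grants anything, which would expose
# the share to every member of the primary group (here, Domain Users).
audit_acl() {
    grep -Eq '^(default:)?(group|other)::-*[rwx]' && return 1
    return 0
}
# Constructed getfacl output after: secure_share /var/lib/samba/Sales Managers
SAMPLE_GETFACL='# file: var/lib/samba/Sales
# owner: nobody
# group: nobody
user::rwx
group::---
group:Managers:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:Managers:rwx
default:mask::rwx
default:other::---'

printf '%s\n' "$SAMPLE_GETFACL" | audit_acl && echo "Sales: owning group closed"
```

To audit every share at once, pipe `getfacl` of each directory under /var/lib/samba into `audit_acl` and report the ones that return 1.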


[Samba] pam winbind seems to have trouble with idmap backend = ldap

2006-07-25 Thread Gutholm, James
Environment is
samba-3.0.10-1.4E.6
RedHat ES4, kernel 2.6.9-34.0.2.ELsmp
AD domain Win2003 SP2 Native mode

This system was initially set up in ads security mode, joined to a Win
2003 AD domain and configured to use winbind for both samba file shares
and authz/authn for sshd and local logins. In this configuration the
winbind idmap was the default local database. Everything worked fine.
Users could log in via ssh and access controls on files were properly
working, samba file sharing worked properly, etc.

In an effort to synchronize the uid/gid to sid mapping across multiple
machines we configured a system to use idmap backend = ldap. Initially
it seemed that this new configuration was working. After deleting the
winbind cache and local database and restarting smb/winbind, getent
passwd populated the ldap directory with mapping info and samba file
sharing worked fine. The problem is that now ssh and console logins
don't work for AD accounts, only local accounts.

The short version is, with idmap... commented out, fileshares and ssh
work for AD accounts. With idmap... file shares work but ssh does not.
Errors while using ssh are included below.

-- smb.conf --
[global]
   workgroup = AC_COMPUTING
   server string = JAMESDIRTEST
   log file = /var/log/samba/%m.log
   log level = 3 passdb:5 auth:10 winbind:3
   max log size = 50
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   dns proxy = no
   security = ads
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/bash
   template homedir = /home/%U
   username map = /etc/samba/smbusers
   winbind use default domain = yes
   realm = EVERGREEN.EDU
   password server = EVDC1 EVDC2
   winbind enum users=yes
   winbind enum groups=yes
   client schannel = no
   client use spnego = no
   ldap admin dn = cn=manager,ou=users,dc=sambaidmap,dc=evergreen,dc=edu
   ldap idmap suffix = ou=idmap
   ldap suffix = dc=sambaidmap,dc=evergreen,dc=edu
   #idmap backend = ldap:"ldap://adappmode.evergreen.edu:5";
[setup-staging]
comment = Local Install Setup
path = /setup-staging
valid users = @"Network Services GG" @"Admin Computing GG"
public = no
writable = yes
printable = no
create mask = 0775
force group = Network Services GG
... more shares...
--

-- nsswitch.conf --
passwd:     files winbind
shadow:     files
group:      files winbind
hosts:      files dns
bootparams: files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files
publickey:  files
automount:  files
aliases:    files
--

-- pam.d/sshd --
#%PAM-1.0
auth       required     /lib/security/$ISA/pam_env.so
auth       sufficient   /lib/security/$ISA/pam_unix.so likeauth nullok
auth       sufficient   /lib/security/$ISA/pam_winbind.so use_first_pass
auth       required     /lib/security/$ISA/pam_deny.so
auth       required     pam_nologin.so
#
#
account    required     /lib/security/$ISA/pam_unix.so broken_shadow
account    sufficient   /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account    [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account    required     /lib/security/$ISA/pam_permit.so
#
#
password   requisite    /lib/security/$ISA/pam_cracklib.so retry=3
password   sufficient   /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password   sufficient   /lib/security/$ISA/pam_winbind.so use_authtok
password   required     /lib/security/$ISA/pam_deny.so
#
#
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    required     /lib/security/$ISA/pam_limits.so
session    required     /lib/security/$ISA/pam_unix.so
--

-- tail of var/log/messages --
Jul 25 11:14:25 jamesdirtest winbind: winbindd startup succeeded
Jul 25 11:14:25 jamesdirtest smb: smbd startup succeeded
Jul 25 11:14:25 jamesdirtest smb: nmbd startup succeeded
Jul 25 11:14:41 jamesdirtest smbd[6416]: [2006/07/25 11:14:41, 0] smbd/service.c:set_current_service(51)
Jul 25 11:14:41 jamesdirtest smbd[6416]:   chdir (/setup-staging) failed
Jul 25 11:14:41 jamesdirtest smbd[6416]: [2006/07/25 11:14:41, 0] smbd/service.c:set_current_service(51)
Jul 25 11:14:41 jamesdirtest smbd[6416]:   chdir (/setup-staging) failed
Jul 25 11:15:06 jamesdirtest sshd(pam_unix)[6418]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=jamesdirtest.evergreen.edu  user=james_su
Jul 25 11:15:06 jamesdirtest pam_winbind[6418]: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
Jul 25 11:15:06 jam