Re: [Samba] 4.4.14 on solaris, using ads, can't read/write as user
Thanks for your help.  Here is a sanitized config from our dev system where
I'm testing the Solaris patch.

[global]
   workgroup = MYDOM
   netbios name = norm
   security = ADS
   log file = /var/log/samba/%m.log
   max log size = 50
   dns proxy = no
   loglevel = 3
   template shell = /usr/bin/bash
   winbind use default domain = true
   winbind enum users = yes
   winbind enum groups = yes
   winbind nested groups = yes
   encrypt passwords = yes
   realm = AD.MYDOM.CA

   idmap config * : range = 16777216-33554431
   idmap config * : backend = rid

   nt acl support = no
   unix extensions = no

   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes

#============================ Share Definitions ==============================

[homes]
   comment = Home Directories
   path = %H
   browseable = no
   valid users = MYDOM\%U
   create mask = 0750
   directory mask = 0750
   wide links = Yes
   guest ok = no
   read only = no

[tmp]
   path = /tmp
   public = no
   browseable = no
   read only = no


As this is now, I was experimenting with not controlling the access to /tmp.
New files can be copied there by the connected user, and they are showing
expected ownership.  Reading 700 files owned by the user isn't working from
either smbclient or Windows.

The version of AD is under Windows 2012R2.


On Thu, Jun 29, 2017 at 1:30 PM, Rowland Penny via samba <
samba@xxxxxxxxxxxxxxx> wrote:

> On Thu, 29 Jun 2017 13:14:58 -0300
> francis picabia via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
> > On production, we have Samba share on Solaris and ADS config
> > working already using 3.6.25
> >
> > On a dev box used to test patches, I've spent a day and
> > some time on an Oracle support ticket trying to get
> > this working again under 4.4.14.
> >
> > The same problem happens whether I'm testing with homes or a share
> > with /tmp.
> >
> > The user isn't matching expectations, so it won't allow copying a 700
> > file in /tmp or [homes] to Windows.  It's like my samba connected user
> > has rights as "other".
> >
> > I thought it could be useful to copy a file from Windows to the /tmp
> > share and see who owns it.
> >
> > ls -l shows it is the user configured as under "valid users".  So
> > everything seems to be working as designed, except the UID isn't
> > really the same, or something like that.
> >
> > Within ls -l /tmp :
> > -rwxr--r--   1 fpicabia    domain users     242 Apr  2  2015 debug.log
> >
> > # getfacl /tmp/debug.log
> >
> > # file: /tmp/debug.log
> > # owner: fpicabia
> > # group: domain users
> > user::rwx
> > group::r--              #effective:r--
> > mask:rwx
> > other:r--
> >
> >
> > I'm wondering if there is any way to see how I'm connected when I
> > test with smbclient.
> >
> > smbstatus shows the user connected as expected.  Nothing I can find
> > shows an error or difference.
> >
> > Here is a snippet showing how /tmp was set up last
> >
> > [tmp]
> >         path = /tmp
> >         browseable = No
> >         force user = %U
> >         read only = No
> >         valid users = fpicabia
> >
> > One significant difference from 3.6.25 was winbind was added to
> > nsswitch.conf for passwd and group before we could get authentication
> > working for 4.4.14.
> >
> > Another bit that might help understand the workings: ssh allows
> > authentication with the AD password under the current 4.4.14 setup.
> >
> > So it is just file ownership matching the UID of the connected user
> > that is the problem.
>
> Can you post your entire smb.conf (you can sanitise it if you like) and
> can you also tell us what your AD DC is running
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
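The thread narrows the problem down to the numeric UID winbind hands out not matching the UID that owns the files. With `idmap config * : backend = rid`, the mapping is plain arithmetic: `uid = low_range + (RID - base_rid)`, where `base_rid` is an idmap_rid option that defaults to 0. The script below is an added diagnostic, not code from the thread or from the Samba project; it parses the `idmap config` lines from an smb.conf fragment, computes the UID that winbind's rid backend would assign to a user SID, and compares it with the numeric owner reported by `ls -ln`. The SID, the `ls -ln` lines and the legacy UID 1001 are constructed sample values; on a real system the SID would come from `wbinfo -n 'MYDOM\user'` and the owner from `ls -ln` on the share.

```python
import re

# Constructed smb.conf fragment mirroring the idmap lines posted in the thread.
SMB_CONF = """
[global]
   workgroup = MYDOM
   idmap config * : range = 16777216-33554431
   idmap config * : backend = rid
"""

# Constructed sample values (not taken from a real domain).
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
# 'ls -ln' line whose owner is the UID the rid backend would compute.
SAMPLE_LS_OK = "-rwxr--r--   1 16778321 16777729     242 Apr  2  2015 debug.log"
# 'ls -ln' line owned by a UID from some earlier mapping (e.g. a local passwd entry).
SAMPLE_LS_BAD = "-rwx------   1 1001 1001     242 Apr  2  2015 secret.log"

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line in conf."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group("dom"), {})[m.group("key").lower()] = m.group("val")
    return cfg

def rid_to_uid(sid, cfg, domain="*"):
    """Apply the idmap_rid arithmetic: uid = low + (rid - base_rid).

    Returns None when the result lies outside the configured range; winbind
    refuses to map such a SID, and the user then has no usable Unix identity.
    """
    dom = cfg.get(domain)
    if not dom or dom.get("backend", "").lower() != "rid":
        raise ValueError("no rid backend configured for domain %r" % domain)
    low, high = (int(x) for x in dom["range"].split("-"))
    base_rid = int(dom.get("base_rid", 0))   # idmap_rid default
    rid = int(sid.rsplit("-", 1)[1])          # last SID component is the RID
    uid = low + (rid - base_rid)
    return uid if low <= uid <= high else None

# perms, links, uid, gid, size, month, day, time-or-year, name
LS_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<uid>\d+)\s+(?P<gid>\d+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)

def check_owner(ls_line, expected_uid):
    """Compare the numeric owner of one 'ls -ln' line with the expected UID."""
    m = LS_RE.match(ls_line)
    if not m:
        raise ValueError("unrecognised ls -ln line: %r" % ls_line)
    owner_uid = int(m.group("uid"))
    return {
        "name": m.group("name"),
        "owner_uid": owner_uid,
        "expected_uid": expected_uid,
        "match": owner_uid == expected_uid,
    }

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    uid = rid_to_uid(SAMPLE_SID, cfg)
    print("rid backend maps %s to uid %s" % (SAMPLE_SID, uid))
    for line in (SAMPLE_LS_OK, SAMPLE_LS_BAD):
        r = check_owner(line, uid)
        print("%-12s owner=%-10d expected=%-10d %s"
              % (r["name"], r["owner_uid"], r["expected_uid"],
                 "OK" if r["match"] else "MISMATCH"))
```

A mismatch on a 0700 file explains exactly the symptom described: the SMB session runs as the winbind-computed UID, so the kernel applies the "other" permission bits even though `ls -l` prints the same user name. Names match because nsswitch resolves the new UID back to the AD account; the numeric IDs are what the filesystem compares, which is why `ls -ln` rather than `ls -l` is the view worth checking.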