Web lists-archives.com

Re: [Samba] 4.4.14 on solaris, using ads, can't read/write as user




On Fri, Jun 30, 2017 at 8:52 AM, francis picabia <fpicabia@xxxxxxxxx> wrote:

>
>
> On Thu, Jun 29, 2017 at 4:46 PM, Rowland Penny via samba <
> samba@xxxxxxxxxxxxxxx> wrote:
>
>> On Thu, 29 Jun 2017 16:28:38 -0300
>> francis picabia via samba <samba@xxxxxxxxxxxxxxx> wrote:
>>
>> > On Thu, Jun 29, 2017 at 3:48 PM, Rowland Penny via samba <
>> > samba@xxxxxxxxxxxxxxx> wrote:
>> >
>> > >
>> > >
>> > > Well, no it isn't actually on that page, you need to follow an
>> > > hyperlink to this page:
>> > >
>> > > https://wiki.samba.org/index.php/Idmap_config_rid
>> > >
>> > >
>> > It is really confusing.  rid or tdb.  I don't know what it wants
>> > because the second link has both.
>>
>> No, it isn't confusing, you need both.
>>
>> You need to have something like this in smb.conf:
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>> idmap config MYDOM : backend = rid
>> idmap config MYDOM : range = 10000-999999
>>
>> The '*' range is for the 'BUILTIN' domain i.e. the Well Known SIDs
>> The 'MYDOM' range is for YOUR domain
>>
>>
> I'm using this config above currently and there is no change to the
> ownership
> or permissions issue.
>
> I have in nsswitch.conf:
>
> passwd:     files winbind
> group:      files winbind
>
> (shadow wasn't in nsswitch.conf on Solaris)
>
> winbind and samba services are being restarted on every config change like
> this:
>
> svcadm disable winbind ; sleep 2; svcadm enable winbind ; svcadm disable
> samba ; sleep 2; svcadm enable samba
>
> krb5.conf is the config suggested in the samba doc you linked.
>
> [libdefaults]
>         default_realm = AD.MYDOM.CA
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
> Here is the tmp share currently:
>
> [tmp]
>         path = /tmp
>         browseable = No
>         read only = No
>
> If I upload a new file to the tmp share, the ownership shows
> the expected mapped user.
>
> -rwxr--r--   1 fpicabia    domain users    1112 Jun 30 08:10 2017.csr
>


I forgot to mention...  From smbclient, I can rm the file I have just
uploaded with smbclient.
This is the difference: with the file owned by the same user but created
from the Solaris OS
and shell session, smbclient cannot rm.

Also meant to ask what is the meaning of N and A below, as that could be a
key.


>
> If I touch a file in /tmp using root shell, and chown it to the same user,
> it cannot be overwritten or deleted.
>
> ls in smbclient shows this for a file uploaded over samba:
>
> 2017.csr                            A     1112  Fri Jun 30 08:21:05 2017
>
> A file chowned to the same fpicabia user on the system by root shows like
> this:
>
> doo.txt                             N        0  Fri Jun 30 08:21:29 2017
>
> Here is the error on attempting to delete it:
>
> smb: \> rm doo.txt
> NT_STATUS_ACCESS_DENIED deleting remote file \doo.txt
> NT_STATUS_ACCESS_DENIED listing \doo.txt
>
> Here is what it looks like from root console:
>
> # ls -l doo.txt 2017.csr
> -rwxr--r--   1 fpicabia    domain users    1112 Jun 30 08:21 2017.csr
> -rw-r--r--   1 fpicabia    root           0 Jun 30 08:21 doo.txt
>
> On the outside chance the owner 'x' bit mattered I did a chown u+x on
> doo.txt
> and it made no difference to the rm command within smbclient.
>
> Is there something I'm missing about why this isn't the same user or
> allowable file permissions for writing?
>
> When I do a wbinfo -u | grep fpicabia
>
> Do you expect it should return:
>
> fpicabia
> or
> MYDOM\fpicabia
>
> I wish smbclient had a 'whoami' command, versus 'who am i', so we could
> see the mapping.
> smbstatus shows Username without the domain and for smbclient Protocol has
> NT1.
>
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba