
Re: [Samba] NT_STATUS_ACCESS_DENIED on a directory I have permission to access




On 5/3/19 9:53 AM, Rowland Penny via samba wrote:
> On Fri, 3 May 2019 15:36:59 +0200
> "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:
>
>> Hai Paul,
>>
>> Look at this: user=paulg,uid=2381
>> (from mount -t cifs //xxxx.xxxx.yorku.ca/homes /tmp/1 -o
>> user=paulg,uid=2381,gid=1000,domain=AD.ONE.EXAMPLE.CA)
>>
>> Now, look at this:
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>> # - You must set a DOMAIN backend configuration
>> # idmap config for the ONEEXAMPLECA domain
>> idmap config ONEEXAMPLECA : backend = rid
>> idmap config ONEEXAMPLECA : range = 10000-999999
>> What do you notice here? (The hint is 2381:1000) and I would expect
>> to see 10000:10000 or higher. Do you see what I mean? Your UID/GID is
>> a local user's one, not an AD-DC user's.
>>
>> Your ranges are out of sync now, and that your denied is completely
>> correct.
>
> Good catch Louis, those numbers are even outside the '*' domain, so
> must be a local Unix user and group and how many times do I have to
> say this:
>
> You cannot have local Unix users and groups in /etc/passwd & /etc/group
> and expect them to work on a Samba Unix domain.
>
> If the ID numbers are in AD, then the only reason would be if this is
> a classicupgraded domain (which I personally hate) and if so, the
> ranges in smb.conf will need altering to match.
>
> Rowland

Louis and Rowland,

Thank you both for your suggestions. Why only the mail directory, why wouldn't I get a permission error on the other directories?

This is a classic upgraded domain. In this situation, what would be ideal..?

1) Configure the local builtin accounts?

idmap config *   :  range = 100-999

2) Configure the Domain accounts?

idmap config ONEEXAMPLECA : backend = rid
idmap config ONEEXAMPLECA : range = 1000-999999

Suggestions and links always welcomed :)

Paul

--
Paul Griffith | Computer Systems Coordinator
Electrical Engineering & Computer Science | Lassonde School of Engineering
York University | 4700 Keele St., Toronto ON M3J 1P3 Canada
T:416-736-2100 x70258 | F:416-736-5872
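
The range comparison Louis points out above, as an added example that is not part of the original thread: it parses `idmap config ... : range` lines from an smb.conf fragment and reports which idmap domain, if any, a numeric UID/GID falls into, plus any overlapping ranges. The function names are hypothetical, and the check only compares numbers against the configured ranges; it does not model how a backend allocates IDs.

```python
import re
from itertools import combinations

# Matches smb.conf lines such as "idmap config DOMAIN : range = 10000-999999"
IDMAP_RANGE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every idmap range line."""
    ranges = {}
    for line in conf_text.splitlines():
        m = IDMAP_RANGE.match(line)  # comment and backend lines never match
        if m:
            low, high = int(m.group(2)), int(m.group(3))
            if low > high:
                raise ValueError(f"inverted range for {m.group(1)}: {low}-{high}")
            ranges[m.group(1)] = (low, high)
    return ranges

def owning_domain(ranges, unix_id):
    """Name of the idmap domain whose range contains unix_id, or None."""
    for domain, (low, high) in ranges.items():
        if low <= unix_id <= high:
            return domain
    return None

def overlapping(ranges):
    """Pairs of domains whose ranges overlap; idmap ranges must be disjoint."""
    return [(a, b) for (a, (alo, ahi)), (b, (blo, bhi))
            in combinations(ranges.items(), 2) if alo <= bhi and blo <= ahi]

# smb.conf fragment quoted in the thread
THREAD_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the ONEEXAMPLECA domain
idmap config ONEEXAMPLECA : backend = rid
idmap config ONEEXAMPLECA : range = 10000-999999
"""

if __name__ == "__main__":
    ranges = parse_idmap_ranges(THREAD_CONF)
    for label, unix_id in (("uid", 2381), ("gid", 1000)):  # values from the mount command
        print(label, unix_id, "->", owning_domain(ranges, unix_id) or "outside every idmap range")
    print("overlaps:", overlapping(ranges) or "none")
```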

