Web lists-archives.com

Re: [Samba] NT_STATUS_ACCESS_DENIED on a directory I have permission to access




On Mon, 6 May 2019 10:33:27 -0400
Paul Griffith <paulg@xxxxxxxxxxxxx> wrote:

> On 5/3/19 9:53 AM, Rowland Penny via samba wrote:
> > On Fri, 3 May 2019 15:36:59 +0200
> > "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> >  
> >> Hai Paul,
> >>
> >> Look at this: user=paulg,uid=2381
> >> (from mount -t cifs //xxxx.xxxx.yorku.ca/homes /tmp/1 -o
> >> user=paulg,uid=2381,gid=1000,domain=AD.ONE.EXAMPLE.CA)
> >>
> >> Now, look at this :  
> >>> idmap config * : backend = tdb
> >>> idmap config * : range = 3000-7999
> >>> # - You must set a DOMAIN backend configuration
> >>> # idmap config for the ONEEXAMPLECA domain
> >>> idmap config ONEEXAMPLECA : backend = rid
> >>> idmap config ONEEXAMPLECA : range = 10000-999999  
> >> What do you notice here. ( the hint is 2381:1000 ) and i would
> >> expect to see 10000:10000 or higher. Do you see what i mean? Your
> >> UID/GID is a local users one, not AD-DC users.
> >>
> >> Your ranges are out of sync now, and that your denied is completly
> >> correct.
> >>  
> > Good catch Louis, those numbers are even outside the '*' domain, so
> > must be a local Unix user and group and how many times do I have to
> > say this:
> >
> > You cannot have local Unix users and groups in /etc/passwd
> > & /etc/group and expect them to work on a Samba Unix domain.
> >
> > If the ID numbers are in AD, then the only reason would be if this
> > is a classicupgraded domain (which I personally hate) and if so, the
> > ranges in smb.conf will need altering to match.
> >
> > Rowland
> >   
> >  
> 
> Louis and Rowland,
> 
> Thank you both for your suggestions. Why only the mail directory, why 
> wouldn't I get a permission error on the other directories?
> 
> This is a classic upgraded domain. In this situation, what would be
> ideal..?
> 
> 1 ) Configure the local builtin accounts?
> 
> idmap config *   :  range = 100-999

No, set this above the 'ONEEXAMPLECA' domain

> 
> 2) Configure the Domain accounts?
> 
> idmap config ONEEXAMPLECA : backend = rid
> idmap config ONEEXAMPLECA : range = 1000-999999

if your lowest Unix ID in AD is 1000 and your highest is less than
999999, then yes, but use the 'ad' backend instead.

If you don't care about the ID's (in which case, why did you run the
classicupgrade ?), the range can be anything you like, if you use
the 'rid' backend.

Rowland

> 
> Suggestions and links always welcomed :)
> 
> Paul
> 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba