4.4.14 on solaris, using ads, can't read/write as user

4.4.14 on solaris, using ads, can't read/write as user

Samba - General mailing list
On production, we have Samba share on Solaris and ADS config
working already using 3.6.25

On a dev box used to test patches, I've spent a day and
some time on an Oracle support ticket trying to get
this working again under 4.4.14

The same problem happens whether I'm testing with homes or a share with
/tmp.

The user isn't matching expectations, so it won't allow copying a 700 file
in /tmp or [homes] to Windows.  It's like my Samba-connected user has rights
as "other".

I thought it could be useful to copy a file from Windows to the /tmp share
and see who owns it.

ls -l shows it is the user configured under "valid users".  So everything
seems to be working as designed, except the UID isn't really the same, or
something like that.

Within ls -l /tmp :
-rwxr--r--   1 fpicabia    domain users     242 Apr  2  2015 debug.log

# getfacl /tmp/debug.log

# file: /tmp/debug.log
# owner: fpicabia
# group: domain users
user::rwx
group::r--              #effective:r--
mask:rwx
other:r--


I'm wondering if there is any way to see how I'm connected when I test with
smbclient.

smbstatus shows the user connected as expected.  Nothing I can find shows
an error or difference.

Here is a snippet showing how /tmp was set up last

[tmp]
        path = /tmp
        browseable = No
        force user = %U
        read only = No
        valid users = fpicabia

One significant difference from 3.6.25 was that winbind was added to
nsswitch.conf for passwd and group before we could get authentication
working for 4.4.14.

Another bit that might help understand the workings: ssh allows
authentication with the AD password under the current 4.4.14 set up.

So it is just file ownership matching the UID of the connected user that is
the problem.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: 4.4.14 on solaris, using ads, can't read/write as user

Samba - General mailing list
On Thu, 29 Jun 2017 13:14:58 -0300
francis picabia via samba <[hidden email]> wrote:

> On production, we have Samba share on Solaris and ADS config
> working already using 3.6.25
>
> On a dev box used to test patches, I've spent a day and
> some time on an Oracle support ticket trying to get
> this working again under 4.4.14
>
> The same problem happens whether I'm testing with homes or a share
> with /tmp.
>
> The user isn't matching expectations, so it won't allow copying a 700
> file in /tmp
> or [homes] to Windows.  It's like my samba connected user has rights
> as "other".
>
> I thought it could be useful to copy a file from Windows to the /tmp
> share and see who owns it.
>
> ls -l shows it is the user configured as under "valid users".  So
> everything seems to be working as designed, except the UID isn't
> really the same, or something like that.
>
> Within ls -l /tmp :
> -rwxr--r--   1 fpicabia    domain users     242 Apr  2  2015 debug.log
>
> # getfacl /tmp/debug.log
>
> # file: /tmp/debug.log
> # owner: fpicabia
> # group: domain users
> user::rwx
> group::r--              #effective:r--
> mask:rwx
> other:r--
>
>
> I'm wondering if there is any way to see how I'm connected when I
> test with smbclient.
>
> smbstatus shows the user connected as expected.  Nothing I can find
> shows an error or difference.
>
> Here is a snippet showing how /tmp was set up last
>
> [tmp]
>         path = /tmp
>         browseable = No
>         force user = %U
>         read only = No
>         valid users = fpicabia
>
> One significant difference from 3.6.25 was winbind was added to
> nsswitch.conf for passwd and group before we could get authentication
> working for 4.4.14.
>
> Another bit that might help understand the workings: ssh allows
> authentication with the AD password under the current 4.4.14 set up.
>
> So it is just file ownership matching the UID of the connected user
> that is the problem.

Can you post your entire smb.conf (you can sanitise it if you like) and
can you also tell us what your AD DC is running?

Rowland



Re: 4.4.14 on solaris, using ads, can't read/write as user

Samba - General mailing list
Thanks for your help.  Here is a sanitized config from our dev system where
I'm testing the Solaris patch.

[global]
   workgroup = MYDOM
   netbios name = norm
   security = ADS
   log file = /var/log/samba/%m.log
   max log size = 50
   dns proxy = no
   loglevel = 3
   template shell = /usr/bin/bash
   winbind use default domain = true
   winbind enum users = yes
   winbind enum groups = yes
   winbind nested groups = yes
   encrypt passwords = yes
   realm = AD.MYDOM.CA


   idmap config * : range = 16777216-33554431
   idmap config * : backend = rid


   nt acl support = no
   unix extensions = no

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes


#============================ Share Definitions ==============================

[homes]
   comment = Home Directories
   path = %H
   browseable = no
   valid users = MYDOM\%U
   create mask = 0750
   directory mask = 0750
   wide links = Yes

   guest ok = no
   read only = no

[tmp]
  path = /tmp
  public = no
  browseable = no
  read only = no


As this is now, I was experimenting with not controlling the access to /tmp.
New files can be copied there by the connected user, and they are showing
expected ownership.  Reading 700 files owned by the user isn't working from
smbclient nor Windows.

The AD version is Windows 2012R2.


On Thu, Jun 29, 2017 at 1:30 PM, Rowland Penny via samba <
[hidden email]> wrote:

> On Thu, 29 Jun 2017 13:14:58 -0300
> francis picabia via samba <[hidden email]> wrote:
>
> > On production, we have Samba share on Solaris and ADS config
> > working already using 3.6.25
> >
> > On a dev box used to test patches, I've spent a day and
> > some time on an Oracle support ticket trying to get
> > this working again under 4.4.14
> >
> > The same problem happens whether I'm testing with homes or a share
> > with /tmp.
> >
> > The user isn't matching expectations, so it won't allow copying a 700
> > file in /tmp
> > or [homes] to Windows.  It's like my samba connected user has rights
> > as "other".
> >
> > I thought it could be useful to copy a file from Windows to the /tmp
> > share and see who owns it.
> >
> > ls -l shows it is the user configured as under "valid users".  So
> > everything seems to be working as designed, except the UID isn't
> > really the same, or something like that.
> >
> > Within ls -l /tmp :
> > -rwxr--r--   1 fpicabia    domain users     242 Apr  2  2015 debug.log
> >
> > # getfacl /tmp/debug.log
> >
> > # file: /tmp/debug.log
> > # owner: fpicabia
> > # group: domain users
> > user::rwx
> > group::r--              #effective:r--
> > mask:rwx
> > other:r--
> >
> >
> > I'm wondering if there is any way to see how I'm connected when I
> > test with smbclient.
> >
> > smbstatus shows the user connected as expected.  Nothing I can find
> > shows an error or difference.
> >
> > Here is a snippet showing how /tmp was set up last
> >
> > [tmp]
> >         path = /tmp
> >         browseable = No
> >         force user = %U
> >         read only = No
> >         valid users = fpicabia
> >
> > One significant difference from 3.6.25 was winbind was added to
> > nsswitch.conf for passwd and group before we could get authentication
> > working for 4.4.14.
> >
> > Another bit that might help understand the workings: ssh allows
> > authentication with the AD password under the current 4.4.14 set up.
> >
> > So it is just file ownership matching the UID of the connected user
> > that is the problem.
>
> Can you post your entire smb.conf (you can sanitise it if you like) and
> can you also tell us what your AD DC is running
>
> Rowland
>
>

Re: 4.4.14 on solaris, using ads, can't read/write as user

Samba - General mailing list
On Thu, 29 Jun 2017 14:06:37 -0300
francis picabia via samba <[hidden email]> wrote:

> Thanks for your help.  Here is a sanitized config from our dev system
> where I'm testing the Solaris patch.
>
> [global]
>    workgroup = MYDOM
>    netbios name = norm
>    security = ADS
>    log file = /var/log/samba/%m.log
>    max log size = 50
>    dns proxy = no
>    loglevel = 3
>    template shell = /usr/bin/bash
>    winbind use default domain = true
>    winbind enum users = yes
>    winbind enum groups = yes
>    winbind nested groups = yes
>    encrypt passwords = yes
>    realm = AD.MYDOM.CA
>
>
>    idmap config * : range = 16777216-33554431
>    idmap config * : backend = rid
>
>
>    nt acl support = no
>    unix extensions = no
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
>
> #============================ Share Definitions
> ==============================
>
> [homes]
>    comment = Home Directories
>    path = %H
>    browseable = no
>    valid users = MYDOM\%U
>    create mask = 0750
>    directory mask = 0750
>    wide links = Yes
>
>    guest ok = no
>    read only = no
>
> [tmp]
>   path = /tmp
>   public = no
>   browseable = no
>   read only = no
>
>
> As this is now, I was experimenting with not controlling the access
> to /tmp New files can be copied there by the connected user, and they
> are showing expected ownership.  Reading 700 files owned by the user
> isn't working from smbclient nor Windows.
>
> The version of AD is under Windows 2012R2
>

Your problems lie here:

   idmap config * : range = 16777216-33554431
   idmap config * : backend = rid

Why use the range '16777216-33554431'?
You cannot use 'rid' with the BUILTIN (*) domain; you should use 'tdb'.
And the main reason why it isn't working: you need a block for the
'MYDOM' domain; see here for more info:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland


Re: 4.4.14 on solaris, using ads, can't read/write as user

Samba - General mailing list
On Thu, Jun 29, 2017 at 2:36 PM, Rowland Penny via samba <
[hidden email]> wrote:

>
>
> Your problems lie here:
>
>    idmap config * : range = 16777216-33554431
>    idmap config * : backend = rid
>
> Why use the range '16777216-33554431' ?
>

On a working Debian system with Samba 4.1, we have things
working OK with:

idmap config MYDOM : range = 70000-9999999999

I started with something like that yesterday, so what you saw today
was leftover guesses on something that might help.



> You cannot use 'rid' with the BUILTIN (*) domain, you should use 'tdb'
>

OK, I've switched it like the tdb example in your link.  Auth and
connection still working.

>
> And the main reason why it isn't working, you need a block for the
> 'MYDOM' domain, see here for more info:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
>
"Block" meaning something like:
[mydom]
in smb.conf?

I am not seeing it at the link.  I have not spotted anything on that page
we are missing other than mapping the root user, which I'm assuming is
optional.

I'm not getting the meaning of "need a block for the MYDOM domain".

Mind blown on the minimal krb5.conf example.  I've never seen one like it
before, but apparently it is enough.

I removed all of the lockdir, statedir and cachedir content and restarted
winbind and samba.

The "main reason" is really what I need to address, if I understood.

Re: 4.4.14 on solaris, using ads, can't read/write as user

Samba - General mailing list
On Thu, 29 Jun 2017 15:36:15 -0300
francis picabia via samba <[hidden email]> wrote:

> On Thu, Jun 29, 2017 at 2:36 PM, Rowland Penny via samba <
> [hidden email]> wrote:
>
> >
> >
> > Your problems lie here:
> >
> >    idmap config * : range = 16777216-33554431
> >    idmap config * : backend = rid
> >
> > Why use the range '16777216-33554431' ?
> >
>
> On a working Debian system with Samba 4.1, we have things
> working OK with:
>
> idmap config MYDOM : range = 70000-9999999999
>
> I started with something like that yesterday, so what you saw today
> was leftover guesses on something that might help.
>
>
>
> > You cannot use 'rid' with the BUILTIN (*) domain, you should use
> > 'tdb'
> >
>
> OK, I've switched it like the tdb example in your link.  Auth and
> connection still working.
>
> >
> > And the main reason why it isn't working, you need a block for the
> > 'MYDOM' domain, see here for more info:
> >
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >
> >
> "Block" meaning something like:
> [mydom]
> in smb.conf?
>
> I am not seeing it at the link.  I have not spotted anything on that
> page we are missing other
> than mapping the root user, which I'm assuming is optional.

Well, no, it isn't actually on that page; you need to follow a
hyperlink to this page:

https://wiki.samba.org/index.php/Idmap_config_rid

Rowland


Re: 4.4.14 on solaris, using ads, can't read/write as user

Samba - General mailing list
On Thu, Jun 29, 2017 at 3:48 PM, Rowland Penny via samba <
[hidden email]> wrote:

>
>
> Well, no it isn't actually on that page, you need to follow an
> hyperlink to this page:
>
> https://wiki.samba.org/index.php/Idmap_config_rid
>
>
It is really confusing.  rid or tdb.  I don't know what it wants because
the second link has both.

Here is the current config.  It will allow a connection to homes or tmp,
but as usual I can't operate on 700 files or upload new files to the share
on Solaris.  It can upload new files to /tmp, as I've seen work before
as well.

[global]
        realm = AD.MYDOM.CA
        workgroup = MYDOM
        log file = /var/log/samba/%m.log
        max log size = 50
        disable spoolss = Yes
        load printers = No
        printcap name = /dev/null
        unix extensions = No
        security = ADS
        template homedir = /export/home/%U
        template shell = /usr/bin/bash
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind use default domain = Yes
        dns proxy = No
        idmap config mydom: backend = rid
        idmap config mydom: range = 100001-200000
        nt acl support = No


[homes]
        comment = Home Directories
        path = %H
        browseable = No
        wide links = Yes
        create mask = 0750
        directory mask = 0750
        read only = No
        valid users = %U


[tmp]
        path = /tmp
        browseable = No
        read only = No


Also tried this:

        idmap config * : range = 80001-100000
        idmap config mydom: backend = rid
        idmap config mydom: range = 100001-200000
        idmap config * : backend = tdb

No difference seen.

What is the Abracadabra?

Isn't it easier to compose the solution than send me more
links with "If no back end for local BUILTIN accounts and
groups on the domain member is configured", which means very little to me?

Re: 4.4.14 on solaris, using ads, can't read/write as user

Samba - General mailing list
On Thu, 29 Jun 2017 16:28:38 -0300
francis picabia via samba <[hidden email]> wrote:

> On Thu, Jun 29, 2017 at 3:48 PM, Rowland Penny via samba <
> [hidden email]> wrote:
>
> >
> >
> > Well, no it isn't actually on that page, you need to follow an
> > hyperlink to this page:
> >
> > https://wiki.samba.org/index.php/Idmap_config_rid
> >
> >
> It is really confusing.  rid or tdb.  I don't know what it wants
> because the second link has both.

No, it isn't confusing, you need both.

You need to have something like this in smb.conf:

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 10000-999999

The '*' range is for the 'BUILTIN' domain, i.e. the Well Known SIDs.
The 'MYDOM' range is for YOUR domain.



Re: 4.4.14 on solaris, using ads, can't read/write as user

Samba - General mailing list
On Thu, Jun 29, 2017 at 4:46 PM, Rowland Penny via samba <
[hidden email]> wrote:

> On Thu, 29 Jun 2017 16:28:38 -0300
> francis picabia via samba <[hidden email]> wrote:
>
> > On Thu, Jun 29, 2017 at 3:48 PM, Rowland Penny via samba <
> > [hidden email]> wrote:
> >
> > >
> > >
> > > Well, no it isn't actually on that page, you need to follow an
> > > hyperlink to this page:
> > >
> > > https://wiki.samba.org/index.php/Idmap_config_rid
> > >
> > >
> > It is really confusing.  rid or tdb.  I don't know what it wants
> > because the second link has both.
>
> No, it isn't confusing, you need both.
>
> You need to have something like this in smb.conf:
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config MYDOM : backend = rid
> idmap config MYDOM : range = 10000-999999
>
> The '*' range is for the 'BUILTIN' domain i.e. the Well Known SIDs
> The 'MYDOM' range is for YOUR domain
>
>
I'm using this config above currently and there is no change to the
ownership or permissions issue.

I have in nsswitch.conf:

passwd:     files winbind
group:      files winbind

(shadow wasn't in nsswitch.conf on Solaris)

winbind and samba services are being restarted on every config change like
this:

svcadm disable winbind ; sleep 2; svcadm enable winbind ; svcadm disable samba ; sleep 2; svcadm enable samba

krb5.conf is the config suggested in the samba doc you linked.

[libdefaults]
        default_realm = AD.MYDOM.CA
        dns_lookup_realm = false
        dns_lookup_kdc = true

Here is the tmp share currently:

[tmp]
        path = /tmp
        browseable = No
        read only = No

If I upload a new file to the tmp share, the ownership shows
the expected mapped user.

-rwxr--r--   1 fpicabia    domain users    1112 Jun 30 08:10 2017.csr

If I touch a file in /tmp using root shell, and chown it to the same user,
it cannot be overwritten or deleted.

ls in smbclient shows this for a file uploaded over samba:

2017.csr                            A     1112  Fri Jun 30 08:21:05 2017

A file chowned to the same fpicabia user on the system by root shows like
this:

doo.txt                             N        0  Fri Jun 30 08:21:29 2017

Here is the error on attempting to delete it:

smb: \> rm doo.txt
NT_STATUS_ACCESS_DENIED deleting remote file \doo.txt
NT_STATUS_ACCESS_DENIED listing \doo.txt

Here is what it looks like from root console:

# ls -l doo.txt 2017.csr
-rwxr--r--   1 fpicabia    domain users    1112 Jun 30 08:21 2017.csr
-rw-r--r--   1 fpicabia    root           0 Jun 30 08:21 doo.txt

On the outside chance the owner 'x' bit mattered, I did a chown u+x on
doo.txt and it made no difference to the rm command within smbclient.

Is there something I'm missing about why this isn't the same user or
allowable file permissions for writing?

When I do a wbinfo -u | grep fpicabia

Do you expect it should return:

fpicabia
or
MYDOM\fpicabia

I wish smbclient had a 'whoami' command, versus 'who am i', so we could see
the mapping.  smbstatus shows Username without the domain, and for smbclient
Protocol has NT1.

Re: 4.4.14 on solaris, using ads, can't read/write as user

Samba - General mailing list
On Fri, Jun 30, 2017 at 8:52 AM, francis picabia <[hidden email]> wrote:

>
>
> On Thu, Jun 29, 2017 at 4:46 PM, Rowland Penny via samba <
> [hidden email]> wrote:
>
>> On Thu, 29 Jun 2017 16:28:38 -0300
>> francis picabia via samba <[hidden email]> wrote:
>>
>> > On Thu, Jun 29, 2017 at 3:48 PM, Rowland Penny via samba <
>> > [hidden email]> wrote:
>> >
>> > >
>> > >
>> > > Well, no it isn't actually on that page, you need to follow an
>> > > hyperlink to this page:
>> > >
>> > > https://wiki.samba.org/index.php/Idmap_config_rid
>> > >
>> > >
>> > It is really confusing.  rid or tdb.  I don't know what it wants
>> > because the second link has both.
>>
>> No, it isn't confusing, you need both.
>>
>> You need to have something like this in smb.conf:
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>> idmap config MYDOM : backend = rid
>> idmap config MYDOM : range = 10000-999999
>>
>> The '*' range is for the 'BUILTIN' domain i.e. the Well Known SIDs
>> The 'MYDOM' range is for YOUR domain
>>
>>
> I'm using this config above currently and there is no change to the
> ownership
> or permissions issue.
>
> I have in nsswitch.conf:
>
> passwd:     files winbind
> group:      files winbind
>
> (shadow wasn't in nsswitch.conf on Solaris)
>
> winbind and samba services are being restarted on every config change like
> this:
>
> svcadm disable winbind ; sleep 2; svcadm enable winbind ; svcadm disable
> samba ; sleep 2; svcadm enable samba
>
> krb5.conf is the config suggested in the samba doc you linked.
>
> [libdefaults]
>         default_realm = AD.MYDOM.CA
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
> Here is the tmp share currently:
>
> [tmp]
>         path = /tmp
>         browseable = No
>         read only = No
>
> If I upload a new file to the tmp share, the ownership shows
> the expected mapped user.
>
> -rwxr--r--   1 fpicabia    domain users    1112 Jun 30 08:10 2017.csr
>


I forgot to mention...  From smbclient, I can rm the file I have just
uploaded with smbclient.  This is the difference: with the file owned by the
same user but created from the Solaris OS and shell session, smbclient
cannot rm.

Also meant to ask what is the meaning of N and A below, as that could be a
key.


>
> If I touch a file in /tmp using root shell, and chown it to the same user,
> it cannot be overwritten or deleted.
>
> ls in smbclient shows this for a file uploaded over samba:
>
> 2017.csr                            A     1112  Fri Jun 30 08:21:05 2017
>
> A file chowned to the same fpicabia user on the system by root shows like
> this:
>
> doo.txt                             N        0  Fri Jun 30 08:21:29 2017
>
> Here is the error on attempting to delete it:
>
> smb: \> rm doo.txt
> NT_STATUS_ACCESS_DENIED deleting remote file \doo.txt
> NT_STATUS_ACCESS_DENIED listing \doo.txt
>
> Here is what it looks like from root console:
>
> # ls -l doo.txt 2017.csr
> -rwxr--r--   1 fpicabia    domain users    1112 Jun 30 08:21 2017.csr
> -rw-r--r--   1 fpicabia    root           0 Jun 30 08:21 doo.txt
>
> On the outside chance the owner 'x' bit mattered I did a chown u+x on
> doo.txt
> and it made no difference to the rm command within smbclient.
>
> Is there something I'm missing about why this isn't the same user or
> allowable file permissions for writing?
>
> When I do a wbinfo -u | grep fpicabia
>
> Do you expect it should return:
>
> fpicabia
> or
> MYDOM\fpicabia
>
> I wish smbclient had a 'whoami' command, versus 'who am i', so we could
> see the mapping.
> smbstatus shows Username without the domain and for smbclient Protocol has
> NT1.
>
>

Re: 4.4.14 on solaris, using ads, can't read/write as user

Samba - General mailing list
On Fri, 30 Jun 2017 09:45:41 -0300
francis picabia via samba <[hidden email]> wrote:

OK, what filesystem are you using?

Rowland





Re: 4.4.14 on solaris, using ads, can't read/write as user

Samba - General mailing list
On Fri, Jun 30, 2017 at 10:26 AM, Rowland Penny via samba <
[hidden email]> wrote:

>
>
> OK, What filesystem are you using ?
>
>
On Solaris /tmp is technically swap.
The partitions are generally set up as UFS, such as /
which is on /dev/dsk/c1t1d0s0

# fstyp /dev/dsk/c1t1d0s0
ufs

Re: 4.4.14 on solaris, using ads, can't read/write as user

Samba - General mailing list
On Fri, 30 Jun 2017 11:13:25 -0300
francis picabia via samba <[hidden email]> wrote:

> On Fri, Jun 30, 2017 at 10:26 AM, Rowland Penny via samba <
> [hidden email]> wrote:
>
> >
> >
> > OK, What filesystem are you using ?
> >
> >
> On Solaris /tmp is technically swap.
> The partitions are generally set up as UFS, such as /
> which is on /dev/dsk/c1t1d0s0
>
> # fstyp /dev/dsk/c1t1d0s0
> ufs

Try altering fstab to include 'acls' as an option, then add this to
smb.conf:

    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

You will also need the Solaris equivalents of the 'acl' and 'attr'
packages found on Debian.

This will get you closer to ACLs that AD expects.

Rowland


Re: 4.4.14 on solaris, using ads, can't read/write as user

Samba - General mailing list
On Fri, Jun 30, 2017 at 11:32 AM, Rowland Penny via samba <
[hidden email]> wrote:

> On Fri, 30 Jun 2017 11:13:25 -0300
> francis picabia via samba <[hidden email]> wrote:
>
> > On Fri, Jun 30, 2017 at 10:26 AM, Rowland Penny via samba <
> > [hidden email]> wrote:
> >
> > >
> > >
> > > OK, What filesystem are you using ?
> > >
> > >
> > On Solaris /tmp is technically swap.
> > The partitions are generally set up as UFS, such as /
> > which is on /dev/dsk/c1t1d0s0
> >
> > # fstyp /dev/dsk/c1t1d0s0
> > ufs
>
> Try altering fstab to include 'acls' as an option, then add this to
> smb.conf:
>
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     store dos attributes = Yes
>
> you will also need the solaris equivalents of the 'acl' & 'attr'
> packages found on Debian.
>
> This will get you closer to ACLs that AD expects.
>
>
ACLs are already available to UFS, but not configured on the file to be
different than what ls -l shows.

getfacl on a sample file on Solaris confirms the permission is the same as
for ls -l view

We have a Debian system running Samba 4.1 which has nothing added
for acls - just regular ext4 - and it works OK for mapped user.

I've tried the settings you've suggested and it didn't change the
permissions for overwriting or removing a file over Samba.  If I make the
file 777, then the Samba user can remove it.

Can you point to a changelog discussing how ACLs are now required to make
user mapping work?  We've never needed ACLs in over a decade of using Samba
from Solaris.

Re: 4.4.14 on solaris, using ads, can't read/write as user

Samba - General mailing list
I've read there can be issues with /tmp so I switched the test to /var/tmp

One file (foo.txt) is made by the shell user, while the other
file (doo.txt) is made by the same user connected over Samba.

bash-3.2$ ls -n doo.txt
-rwxr--r--   1 3000     3004          29 Jul  4 09:51 doo.txt
bash-3.2$ ls -n foo.txt
-rw-rw----   1 61001    10            39 Jul  4 09:50 foo.txt

With -l they both seem to have the same user name.

This doesn't happen in 3.6, which is where Solaris was only 3 patches back.

The ID mapping seems to be the problem.

The share is currently set like this:

[tmp]
  path = /var/tmp
  public = no
  browseable = no
  read only = no
  force user = %U


%U is going with UID 3000 rather than the 61001 we see on Samba 3.6.25 on
Solaris.
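Two points in this thread are worth pinning down in code: Rowland's explanation that a domain member needs both an 'idmap config *' block (tdb, for BUILTIN and the well-known SIDs) and a separate 'idmap config MYDOM' block (rid, for the domain's own users), and the ls -n output above, where a file written over Samba is owned by UID 3000 while the shell user is 61001. The script below is an added example, not code from this thread or from the Samba project. It parses the idmap config lines of an smb.conf, flags the mistakes that came up in the thread (rid on the '*' domain, no block for the workgroup, overlapping ranges, an upper bound above what a 32-bit uid_t can hold), and reports which configured range a given UID falls in. Assumptions: the smb.conf fragments are constructed from the ones posted in the thread; the checker treats domain names case-insensitively (its own convention); the RID-to-ID formula is the one documented for idmap_rid, ID = RID - BASE_RID + LOW_RANGE_ID.

```python
"""Sanity-check the 'idmap config' lines of a Samba domain member's smb.conf.

Added example; not code from the mailing-list thread or the Samba project.
The smb.conf fragments are constructed from the ones posted in the thread.
"""
import re
from typing import Dict, List, Optional, Tuple

# Matches lines such as "   idmap config MYDOM : backend = rid".
# The domain token backtracks, so "mydom:" (no space before the colon) parses too.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>\S+)\s*:\s*(?P<option>\w+)\s*=\s*(?P<value>\S.*?)\s*$",
    re.IGNORECASE,
)
UID_MAX = 2**32 - 1  # largest value a 32-bit uid_t/gid_t can hold

# Constructed: the first configuration posted (rid on '*', no block for MYDOM).
BROKEN_CONF = """
   idmap config * : range = 16777216-33554431
   idmap config * : backend = rid
"""
# Constructed: the range quoted from the Debian box (upper bound above UID_MAX).
OVERSIZED_CONF = """
   idmap config MYDOM : backend = rid
   idmap config MYDOM : range = 70000-9999999999
"""
# Constructed: the two-block layout recommended in the thread.
FIXED_CONF = """
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config MYDOM : backend = rid
   idmap config MYDOM : range = 10000-999999
"""


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {option: value}}. Domain names are upper-cased so that
    'mydom' and 'MYDOM' land in one block (this checker's own convention)."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m["domain"].upper(), {})[m["option"].lower()] = m["value"]
    return domains


def parse_range(value: str) -> Tuple[int, int]:
    """Turn 'LOW-HIGH' into (low, high), rejecting anything that is not two integers."""
    low, sep, high = value.partition("-")
    if not sep or not low.strip().isdigit() or not high.strip().isdigit():
        raise ValueError(f"malformed idmap range {value!r}")
    return int(low), int(high)


def check_idmap(conf: str, workgroup: str) -> List[str]:
    """List the idmap problems raised in the thread; an empty list means none found."""
    findings: List[str] = []
    domains = parse_idmap(conf)
    default = domains.get("*")
    if default is None:
        findings.append("no 'idmap config *' block: BUILTIN / well-known SIDs have no mapping")
    elif default.get("backend", "").lower() == "rid":
        findings.append("'idmap config * : backend = rid' is not valid; the '*' domain needs tdb")
    if workgroup.upper() not in domains:
        findings.append(f"no 'idmap config {workgroup}' block for the domain's own users and groups")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in domains.items():
        if "backend" not in opts:
            findings.append(f"'idmap config {dom}' has no backend")
        if "range" not in opts:
            findings.append(f"'idmap config {dom}' has no range")
            continue
        try:
            low, high = parse_range(opts["range"])
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if low >= high:
            findings.append(f"'idmap config {dom}' range {opts['range']} is empty or reversed")
        if high > UID_MAX:
            findings.append(f"'idmap config {dom}' upper bound {high} exceeds a 32-bit uid_t")
        ranges[dom] = (low, high)
    names = sorted(ranges)  # every pair of configured ranges must be disjoint
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"ranges for '{a}' and '{b}' overlap")
    return findings


def classify_uid(conf: str, uid: int) -> Optional[str]:
    """Name the configured domain whose range contains uid, or None if no range does."""
    for dom, opts in parse_idmap(conf).items():
        if "range" in opts:
            low, high = parse_range(opts["range"])
            if low <= uid <= high:
                return dom
    return None


def rid_to_uid(rid: int, low: int, high: int, base_rid: int = 0) -> int:
    """Apply the idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_ID) and
    refuse a result that lands outside the configured range."""
    uid = rid - base_rid + low
    if not low <= uid <= high:
        raise ValueError(f"RID {rid} maps to {uid}, outside {low}-{high}")
    return uid


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("oversized", OVERSIZED_CONF), ("fixed", FIXED_CONF)):
        print(f"{label}: {check_idmap(conf, 'MYDOM') or ['ok']}")
    # The two owner UIDs seen with ls -n in the thread, checked against the fixed layout.
    for uid in (3000, 61001):
        print(f"uid {uid} falls in the range configured for: {classify_uid(FIXED_CONF, uid)}")
```

Run against the recommended layout, the checker reports nothing, and classify_uid shows that 3000 sits inside the 3000-7999 range configured for '*' while 61001 sits inside the MYDOM rid range; which of those two ranges winbind actually hands out for a domain user is the first thing to confirm (for example with wbinfo and id on the member) before turning to ACL settings.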

Re: 4.4.14 on solaris, using ads, can't read/write as user

Samba - General mailing list
On Tue, 4 Jul 2017 15:26:17 -0300
francis picabia via samba <[hidden email]> wrote:

> I've read there can be issues with /tmp so I switched the test
> to /var/tmp
>
> One file (foo.txt) is made by the shell user, while the other
> file (doo.txt) is made by the same user connected over Samba.
>
> bash-3.2$ ls -n doo.txt
> -rwxr--r--   1 3000     3004          29 Jul  4 09:51 doo.txt
> bash-3.2$ ls -n foo.txt
> -rw-rw----   1 61001    10            39 Jul  4 09:50 foo.txt
>
> With -l they both seem to have the same user name.
>
> This doesn't happen in 3.6, which is where Solaris was only 3 patches
> back.
>
> The ID mapping seems to be the problem.
>
> The share is currently set like this:
>
> [tmp]
>   path = /var/tmp
>   public = no
>   browseable = no
>   read only = no
>   force user = %U
>
>
> %U is going with UID 3000  rather than 61001 we see on Samba 3.6.25 on
> Solaris.

Try running this:

net cache flush

then restart samba

If that doesn't work, please post the output from this command:

cat /path/to/smb.conf

Replace '/path/to' with the path to your smb.conf

Not sure if I asked this, but what are you using as an AD DC, and do
your users and groups have uidNumber or gidNumber attributes?

Rowland
 
