From: Heinz Hölzl on 11 Feb 2010 07:00

hi

i have a file, owned by heinz_sgv and the permissions are set to 700.

# ls -l x.txt
-rwx------ 1 heinz_sgv domusers 15 2010-02-11 07:38 x.txt

with smbclient i can access the file, i have full rights and i can see the ACLs

# smbclient //localhost/samba -U heinz_sgv%x -c "showacls ;ls tmp/x.txt"
Domain=[GVCC.NET] OS=[Unix] Server=[Samba 3.5.0rc2]
FILENAME:x.txt
MODE:A
SIZE:15
MTIME:Thu Feb 11 07:38:19 2010
revision: 1
type: 0x9004: SEC_DESC_DACL_PRESENT SEC_DESC_DACL_PROTECTED SEC_DESC_SELF_RELATIVE
DACL
    ACL Num ACEs: 3 revision: 2
    ---
    ACE
        type: ACCESS ALLOWED (0) flags: 0x00
        Specific bits: 0x1ff
        Permissions: 0x1e01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS
        SID: S-1-5-21-3234543381-3221305018-1482225196-1002
    ACE
        type: ACCESS ALLOWED (0) flags: 0x00
        Specific bits: 0x0
        Permissions: 0x0:
        SID: S-1-5-21-3234543381-3221305018-1482225196-513
    ACE
        type: ACCESS ALLOWED (0) flags: 0x00
        Specific bits: 0x0
        Permissions: 0x0:
        SID: S-1-1-0
    Owner SID: S-1-5-21-3234543381-3221305018-1482225196-1002
    Group SID: S-1-5-21-3234543381-3221305018-1482225196-513

If i connect to samba using kerberos, i cannot get the permissions of the file.
(principal: heinz_sgv@GVCC.NET)

smbclient //probe24.bahnhof.gvcc.net/samba -k -c "showacls ;dir tmp/x.txt" -d 0
Domain=[GVCC.NET] OS=[Unix] Server=[Samba 3.5.0rc2]
FILENAME:x.txt
MODE:A
SIZE:15
MTIME:Thu Feb 11 07:38:19 2010
display_finfo() Failed to open \tmp\x.txt: NT_STATUS_ACCESS_DENIED

if i change the permissions to 770 then i can see the permissions of the file also with kerberos:

# chmod 770 x.txt
# ls -l x.txt
-rwxrwx--- 1 heinz_sgv domusers 15 2010-02-11 07:38 x.txt
# smbclient //probe24.bahnhof.gvcc.net/samba -k -c "showacls ;dir tmp/x.txt"
Domain=[GVCC.NET] OS=[Unix] Server=[Samba 3.5.0rc2]
FILENAME:x.txt
MODE:AS
SIZE:15
MTIME:Thu Feb 11 07:38:19 2010
revision: 1
type: 0x9004: SEC_DESC_DACL_PRESENT SEC_DESC_DACL_PROTECTED SEC_DESC_SELF_RELATIVE
DACL
    ACL Num ACEs: 3 revision: 2
    ---
    ACE
        type: ACCESS ALLOWED (0) flags: 0x00
        Specific bits: 0x1ff
        Permissions: 0x1e01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS
        SID: S-1-5-21-3234543381-3221305018-1482225196-1002
    ACE
        type: ACCESS ALLOWED (0) flags: 0x00
        Specific bits: 0x1ff
        Permissions: 0x1e01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS
        SID: S-1-5-21-3234543381-3221305018-1482225196-513
    ACE
        type: ACCESS ALLOWED (0) flags: 0x00
        Specific bits: 0x0
        Permissions: 0x0:
        SID: S-1-1-0
    Owner SID: S-1-5-21-3234543381-3221305018-1482225196-1002
    Group SID: S-1-5-21-3234543381-3221305018-1482225196-513

Thank you,
heinz

my smb.conf:

[global]
    workgroup = GVCC.NET

    # Kerberos
    realm = GVCC.NET
    password server = probe24.bahnhof.gvcc.net
    kerberos method = system keytab
    client use spnego = yes
    use spnego = yes

    # pdc settings
    domain logons = yes
    domain master = yes
    local master = yes
    preferred master = yes
    os level = 65
    log level = 3

    ### ldapsam:editposix
    passdb backend = ldapsam:ldap://localhost/
    ldapsam:trusted = yes
    ldapsam:editposix = yes
    ldap admin dn = cn=admin,dc=gvcc,dc=net
    ldap user suffix = ou=users
    ldap group suffix = ou=groups
    ldap idmap suffix = ou=idmap
    ldap machine suffix = ou=computers
    ldap passwd sync = Yes
    ldap suffix = dc=gvcc,dc=net
    ldap ssl = no
    idmap backend = ldap:ldap://localhost/
    idmap uid = 1000000-1999999
    idmap gid = 1000000-1999999
    idmap alloc backend = ldap
    idmap alloc config : ldap_url = ldap://localhost/
    idmap alloc config : ldap_base_dn = ou=idmap,dc=gvcc,dc=net
    idmap alloc config : ldap_user_dn = cn=admin,dc=gvcc,dc=net

    logon path =
    logon home = \\%N\%U
    logon drive = k:
    guest ok = No
    read only = No
    case sensitive = no
    default case = lower
    preserve case = yes
    short preserve case = yes
    create mode = 0660
    force create mode = 0000
    directory mask = 0770
    force directory mode = 2000
    unix charset = utf8
    display charset = utf8

[samba]
    path=/samba
    readonly=no
    guest ok = yes
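Added example, not part of the original post: a small Python parser for the `showacls` output above that compares the DACL from the mode 700 run with the one from the mode 770 run and reports which trustee's access mask changed. The function names and the trimmed sample text are constructed for this illustration; the SIDs and masks are the ones shown in the post.

```python
import re

DOM = "S-1-5-21-3234543381-3221305018-1482225196"  # domain SID shown in the post
# RID 513 is the well-known Domain Users group; S-1-1-0 is Everyone.
NAMES = {f"{DOM}-513": "Domain Users", "S-1-1-0": "Everyone"}

# Works on line-broken or flattened output. Assumes one ACCESS ALLOWED ACE
# per SID, as in the post; deny ACEs are not modelled.
ACE_RE = re.compile(r"Permissions:\s*(0x[0-9a-fA-F]+):.*?SID:\s*(S-[0-9-]+)", re.S)
OWNER_RE = re.compile(r"Owner SID:\s*(S-[0-9-]+)")

def parse_dacl(dump):
    """Return (owner_sid, {sid: access_mask}) from smbclient showacls text."""
    owner = OWNER_RE.search(dump).group(1)
    return owner, {sid: int(mask, 16) for mask, sid in ACE_RE.findall(dump)}

def split_mask(mask):
    """Split an access mask into (standard rights, object-specific bits)."""
    return mask & 0x001F0000, mask & 0x0000FFFF

def changed_trustees(before, after):
    """Map each SID whose mask differs to its (before, after) masks."""
    return {sid: (before.get(sid, 0), after.get(sid, 0))
            for sid in sorted(before.keys() | after.keys())
            if before.get(sid, 0) != after.get(sid, 0)}

def post_dump(group_mask):
    """Constructed sample: the post's output trimmed to the parsed fields."""
    return ("Permissions: 0x1e01ff: WRITE_DAC_ACCESS READ_CONTROL_ACCESS\n"
            f"SID: {DOM}-1002\n"
            f"Permissions: {group_mask}:\nSID: {DOM}-513\n"
            f"Permissions: 0x0:\nSID: S-1-1-0\n"
            f"Owner SID: {DOM}-1002\nGroup SID: {DOM}-513\n")

if __name__ == "__main__":
    owner, acl_700 = parse_dacl(post_dump("0x0"))    # mode 700, -k open denied
    _, acl_770 = parse_dacl(post_dump("0x1e01ff"))   # mode 770, -k open allowed
    std, specific = split_mask(acl_700[owner])
    print(f"owner ACE: standard={std:#x} specific={specific:#x}")
    for sid, (old, new) in changed_trustees(acl_700, acl_770).items():
        print(f"{NAMES.get(sid, sid)}: {old:#x} -> {new:#x}")
```

On the post's data the owner ACE is identical in both dumps and the only entry that differs is Domain Users (0x0 to 0x1e01ff), so the successful Kerberos open coincides with the group entry gaining access rather than with any change to the owner entry. Reading that as a hint to check which Unix account the Kerberos session is mapped to is an inference added here, not something the post states.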