topic Re: Samba Share and rights very strange in Operating System - HP-UX

Samba Share and rights very strange

Coolmar — Thu, 02 Feb 2006 08:54:42 GMT

Hi,

I have a Samba share that is setup to allow a certain group access to the files. Another group are allowed to write to them. This all used to work and just stopped working. What is happening is the users with write access can create a folder, copy files into the share, modify existing files. They cannot delete or rename. I figure if you have write access...you have full access.

Here is the config file:

[global]
workgroup = AAFC-AAC
netbios name = SKREGISD
server string = SKREGISD share
security = DOMAIN
map to guest = Bad User
password server = ONNCRX1
syslog = 0
log file = /var/opt/samba/log.%m
max log size = 1000
max smbd processes = 0
wins server = 10.117.10.40
idmap uid = 10000-200000
idmap gid = 10000-200000
winbind separator = +
winbind enum users = No
winbind enum groups = No
winbind cache time = 3000
short preserve case = No
dos filetime resolution = Yes
client schannel = No

[LYRS]
comment = Layers for GIS
path = /lyrs
public = No
valid users = domain+readers
read only = Yes
force group = readers
write list = domain+admin
directory mask = 0775
create mask = 0775
force create mode = 0775
security mask = 0775
max connections = 0

The directory that the share maps to is owned by the "readers" group and all dirs and files are rwxrwxr-x

Re: Samba Share and rights very strange

eric roseme — Thu, 02 Feb 2006 19:25:37 GMT

Hi Sally,

I have read your previous thread. To supply a definitive answer I think would require a duplication scenario, which would take a lot of work. SO I would approach this in one of two ways:

1. Open a call at the RC and let them figure it out. If you have a support contract, that's what it is for (and one of the big values of HP CIFS Server over Opensource)

2. You have a complex share definition. I understand why you have "read only" and "write list", but do not understand why domain+admin is not in "valid users", or why "valid users" and "write list" have domain+group but "force group" does not. I understand that it was working, but now it is not. Anyway, I would remove "valid users", "read only", "force group", and "write list", and then test for the functions that you want (read, write, copy, rename, etc...). Then add back each parm and see what happens. There was a guy in the original thread who suggested an initial share config, but it was not clear if you tried it.

Here are a couple of disclaimers: 1 - I have never tested "security = domain" with winbind and share definitions (always with ads); 2 - Samba is very flexible, and combining various parms can yield unpredictable results, so it's best to try and define the share as simply as possible; 3 - "valid users" can be confusing - you can not give access with "valid users", only deny access. So if a user/group is not in "valid users", it will be denied, even if it has permissions. But if a user is in "valid users" and does not have permissions, it will not have access.

Magic Bullet: If you want to try a magic bullet, I would eliminate "valid users", or add domain+admin to "valid users".

Good Luck,

Eric Roseme

Re: Samba Share and rights very strange

Coolmar — Fri, 03 Feb 2006 07:46:44 GMT

Thanks for the reply Eric. I have since discovered that the "windows people" installed critical patches around the same time this started happening. I am leaning towards that being the problem as my smb.conf was all working until a week ago...when they installed the patches. I will update this thread when I know for sure.

S.

Re: Samba Share and rights very strange

Steven E. Protter — Fri, 03 Feb 2006 08:03:41 GMT

Shalom,

You may need to rejoin your domain and stop/start samba when the windows patching is done.

We've recently seen patching windows PDC systems has caused untold problems with Linux systems with older versions of Samba. Not seen the same behavior with HP-UX.

SEP

Re: Samba Share and rights very strange

Coolmar — Fri, 03 Feb 2006 08:29:35 GMT

Shalom Steven,

I did try that - a few times actually - and didn't seem to help.

Re: Samba Share and rights very strange

Alzhy — Fri, 03 Feb 2006 11:14:50 GMT

Sally ... what version of Samba? Are you on Samba 2 or Samba 3. If on Samba 3 -- are you using HP's build -- a.k.a CIFS Server? Also are you using the very latest one based on Samba 3.014d?

Re: Samba Share and rights very strange

Coolmar — Fri, 03 Feb 2006 11:48:28 GMT

Hi Nelson,

Here is what I have:

B8725AA A.02.02 HP CIFS Server

What s New in A.02.02 (3.0d):

This is a feature release that incorporates Samba Server version 3.0.14a with additional HP fixes.

Re: Samba Share and rights very strange

Coolmar — Fri, 03 Feb 2006 11:51:07 GMT

I also recently installed the Sept 2005 Goldpacks....could that be the problem?

GOLDAPPS11i B.11.11.0509.429 Applications Patches for HP-UX 11i v1, September 2005
GOLDBASE11i B.11.11.0509.429 Base Patches for HP-UX 11i v1, September 2005

Re: Samba Share and rights very strange

Alzhy — Fri, 03 Feb 2006 12:07:54 GMT

You've the latest and greatest alright...

I guess your best course of action is check out the issues and forums at www.samba.org if there are issues vis a vis certain Windows 2K/2003 patches.

OR, if you have full HP-UX support -- approach HP since HP CIFS is fully supported.

Re: Samba Share and rights very strange

Coolmar — Fri, 03 Feb 2006 12:09:17 GMT

Thanks Nelson. Hey, do you think I should roll back those Goldbase and GoldApps patches?

Re: Samba Share and rights very strange

Alzhy — Fri, 03 Feb 2006 12:17:23 GMT

No. Keep 'em.

I will however double check everything on your HP-UX side.

I will even go to the extreme of having the machine account revoked on the domain. Remove your /var/opt/samba/private/secrets.tdb and go to the process of having the machine accoutn created (Wizard) and membership redone (net rpc join). If you've a cooperative and interested Windows Admin and you're runing Windows 2000/2003 ADS ..then you might just go straight and use SECURITY=ADS. This is fully documented in the CIFS Server manuals.

Re: Samba Share and rights very strange

eric roseme — Fri, 03 Feb 2006 15:46:51 GMT

Hi Sally,

Without doing a controlled duplication, I think we're all just guessing, but here'goes another try.

Usually domain membership issues have more to do with authentication than permissions. Since your users apparently get authenticated okay (they can mount the share) then I think your domain membership is okay.

I agree with Nelson that you can leave your HP-UX patches alone. However, the Windows patches may be an area of concern. Since you are using winbind, you are dependant upon winbind to get user/group data from the DC - for permissions. If your Windows patches messed up your winbind anonynmous connection, then you may not be getting your correct group permissions for your users. To set your winbind access manually, use "wbinfo -a administrator%password". This will manually set a user/password which winbind will use to access the DC for account info. Then do a "groups username" from the HP-UX box to ensure that your users are getting the correct group enumeration. Just a guess.

The only other way that I can see a Windows patch affecting permissions is if a new client policy was introduced and propogated out with Group Policy Manager, and that somehow affects client share access. Since your clients can mount the share, do a right click on one of the files and look at the advanced security menu. Click Edit and see what your effective permissions are. If the "writers" do not have full control - with delete/rename or whatever - then maybe there was some sort of client policy introduced without your knowledge.

Another guess. See you later,

Eric Roseme