HPE Community
Operating System - HP-UX
1822146 Members
4242 Online
109640 Solutions
New Discussion

Samba and WINDOWS NTFS permissions

 
SOLVED
Go to solution
Stéphane Gauthier
Advisor

‎11-12-2008 10:36 AM

‎11-12-2008 10:36 AM

Samba and WINDOWS NTFS permissions

Hello all,

I am trying to manage samba shared directories using Windows NTFS permissions. What I mean is that I want to be able to manage user’s permissions on Samba shared directories using Windows NTFS security. I have been looking all around the web and found some stuff but I am stuck. I have created a new filesystem for testing and try to do the following in /etc/fstab:

/dev/vg00/lvol15 /samba_drives vxfs rw,suid,largefiles,delaylog,datainlog,acl 02

I read that I need to enable acl on the filesystem and then mount it but I get an error saying that acl parameter is not recognized.

I know I will have to make sure in Samba that the shared directory has NT ACL SUPPORT set to YES.

Any help would be appreciated.

Stephane
0 Kudos
Reply
13 REPLIES 13
eric roseme
Respected Contributor

‎11-12-2008 02:13 PM

‎11-12-2008 02:13 PM

Re: Samba and WINDOWS NTFS permissions

you do not need an "acl" option on the mount (i don't know what that is). You must have JFS 3.3 and layout version 4 or above - that's all you need from the file system. Post your hp-ux version, "fstyp -v" version, CIFS/Samba version (smbd -V). As long as all of that stuff is okay, it will work. The Admin Guide has detailed instructions on managing the ACLs.

Eric Roseme
0 Kudos
Reply
Stéphane Gauthier
Advisor

‎11-13-2008 08:00 AM

‎11-13-2008 08:00 AM

Re: Samba and WINDOWS NTFS permissions

I am running HP-UX 11.23 and Samba is Version 3.0.14a based HP CIFS Server A.02.02.

I can't find JFS installed...see :

/opt/samba/bin # swlist | grep JFS

Return nothing.
0 Kudos
Reply
eric roseme
Respected Contributor

‎11-13-2008 01:08 PM

‎11-13-2008 01:08 PM

Re: Samba and WINDOWS NTFS permissions

On 11.23 you are okay for the filesystem version by default. The HP CIFS Server version is okay (but should be upgraded).

Take that "acl" off the mount command, mount the FS, then share it with CIFS.

One thing that is overlooked is that CIFS uses the /var/opt/samba/private/smbpasswd file as the source for user-data for ACL support. I know it's weird, but that's the way it is. So look at your smbpasswd file and see if your user records are in it. If not, then run syncsmbpasswd.

That's assuming that you can right click on your share files and directories and you know how to navigate for ACL management, but you do not see users/groups to add or assign rights to.

Eric
0 Kudos
Reply
Stéphane Gauthier
Advisor

‎11-13-2008 01:19 PM

‎11-13-2008 01:19 PM

Re: Samba and WINDOWS NTFS permissions

I am getting close. Tks Eric. I have resync the smbpasswd file and now it does contain all users. I have restarted Samba and I am still not able to manage user security from Windows security tab. When adding a new user, I am able to find that user but as soon as I click OK, the user disappears...it seems it can not retain it.
0 Kudos
Reply
eric roseme
Respected Contributor

‎11-14-2008 02:08 PM

‎11-14-2008 02:08 PM

Re: Samba and WINDOWS NTFS permissions

okay. in the old days that meant that you did not have your filesystem layout upgraded to do ACLs. But 11.23 should have JFS/VxFS 4.1 with layout 5 by default - all good for ACL support. so let's start by going into your shared directory on the HP-UX console (or telnet or something) and find a file then do "setacl -m u:username:rwx filename". Now do a "getacl filename" and make sure that the ACL was set. If it is, then go to your windows client and see if you can change it from the Windows explorer. If the ACL was not set with the setacl, then you have a filesystem problem. Do a "fstyp -v /dev/vgxx/lvolxx/" and post the result.

I will not be back here until at least Monday, tho.

Later,

Eric
Reply
Stéphane Gauthier
Advisor

‎11-18-2008 07:48 AM

‎11-18-2008 07:48 AM

Re: Samba and WINDOWS NTFS permissions

The ACL's seems to be working fine but I think I found what is my problem. Users on UNIX are not the same as Windows...I mean that users on the HP are not the one from Windows domain controller... So when truying to set permission for a user it is trying to do it to a Windows users but that user is not the same on the HP even if they have the same login name.
0 Kudos
Reply
eric roseme
Respected Contributor

‎11-18-2008 09:08 AM

‎11-18-2008 09:08 AM

Solution

Re: Samba and WINDOWS NTFS permissions

you can solve this in a number of ways. The quickest is to create an /etc/opt/samba/username.map file and in smb.conf set "username map = /etc/opt/samba/username.map". In the file just map the users like "unixuser = windowsuser". The next option is to run winbind - then you will see the usernames in the explorer. The best option is to run "idmap backend = ad", and then your UNIX IDs are stored on the Active Directory. I am writing a whitepaper on how to do this right now. It's not difficult, but there are a lot of steps and it's easy to miss some.

I suggest that you use username.map to troubleshoot, then look into the other options for a long-term solution.

Eric
Reply
Stéphane Gauthier
Advisor

‎11-18-2008 11:51 AM

‎11-18-2008 11:51 AM

Re: Samba and WINDOWS NTFS permissions

The thing is that both unix and windows users has the same login name, let say user1 is also called user1 on Windows. But is seems that the system think it's a diffrent user.
0 Kudos
Reply
eric roseme
Respected Contributor

‎11-19-2008 09:16 AM

‎11-19-2008 09:16 AM

Re: Samba and WINDOWS NTFS permissions

It does not matter if they are the same name. You have to map the users - choose one of the methods above. The implicit mapping feature was in Samba 2.2 - but it is gone from Samba 3.0.

Eric
0 Kudos
Reply
Stéphane Gauthier
Advisor

‎11-19-2008 10:38 AM

‎11-19-2008 10:38 AM

Re: Samba and WINDOWS NTFS permissions

I have added this to the /etc/opt/samba/username.map

user1=user1

That's my user name for UNIX and Windows.

Here is what I found under /var/opt/samba in log.q202642 (name of my computer)

/var/opt/samba # more log.q202642
[2008/11/19 13:30:08, 1] smbd/service.c:make_connection_snum(642)
q202642 (10.1.3.137) connect to service Informatique initially as user insg (u
id=0, gid=1000) (pid 172)
[2008/11/19 13:30:10, 1] smbd/service.c:close_cnum(829)
q202642 (10.1.3.137) closed connection to service Informatique
[2008/11/19 13:30:13, 1] smbd/service.c:make_connection_snum(642)
q202642 (10.1.3.137) connect to service Informatique initially as user insg (u
id=0, gid=1000) (pid 172)
[2008/11/19 13:30:18, 0] smbd/posix_acls.c:create_canon_ace_lists(1388)
create_canon_ace_lists: unable to map SID S-1-5-21-384314138-255804918-1540833
222-4216 to uid or gid.

And here is what's in /var/opt/samba/log.winbindd

[2008/11/19 13:25:39, 1] nsswitch/winbindd.c:main(864)
winbindd version 3.0.14a based HP CIFS Server A.02.02 started.
Copyright The Samba Team 2000-2004
[2008/11/19 13:25:39, 0] nsswitch/winbindd_util.c:winbindd_param_init(555)
winbindd: idmap uid range missing or invalid
[2008/11/19 13:25:39, 0] nsswitch/winbindd_util.c:winbindd_param_init(556)
winbindd: cannot continue, exiting.
[2008/11/19 13:25:39, 1] nsswitch/winbindd.c:main(897)
Could not init idmap -- netlogon proxy only
[2008/11/19 13:26:00, 1] nsswitch/winbindd_sid.c:winbindd_uid_to_sid(404)
Could not convert uid 0 to rid
[2008/11/19 13:30:14, 1] nsswitch/winbindd_sid.c:winbindd_uid_to_sid(404)
Could not convert uid 0 to rid

When I tried to modify permission from Windows screen, I do add user1 and change permissions but when pressing Apply, user1 disappears.
0 Kudos
Reply
eric roseme
Respected Contributor

‎11-20-2008 01:43 PM

‎11-20-2008 01:43 PM

Re: Samba and WINDOWS NTFS permissions

Up above I was saying that there are several ways to map the users, one of which is winbind. From your log entries, it appears that you have the winbind daemon running, but that winbind is not configured correctly. If winbind is running, Samba looks for the user mapping in the winbind tdb under /var/opt/samba/locks. So I do not know what happens if it is mis-configured and the daemon is running but no tdb exists. If you want to run winbind, do this:

idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /home/%U
template shell = /usr/bin/sh
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes

You'll need to add winbind to nsswitch.conf. Start the daemon, and do a "wbinfo -u" and a "wbinfo -g" to make sure that the IDs get resolved. Also, you will still need to run syncsmbpasswd, because CIFS looks for the ACL names there.

or, make sure winding is not running, make sure that your user names are in smbpasswd, and use the username.map file.

Obviously, this gets a little complex. You may need to call the RC.

Eric
Reply
eric roseme
Respected Contributor

‎11-21-2008 10:21 AM

‎11-21-2008 10:21 AM

Re: Samba and WINDOWS NTFS permissions

I just configured 2 new VMs (on a blade server) on 11.23 and JFS 4.1 with current CIFS/Samba, Kerberos client, and LDAP-UX client code. Joined them to a W2003R2 domain and used username.map users to /home/. Mounted shares and was able to add new ACL entries from the Windows XP client file exlorer interface.

CIFS A.03.02.04
krb5client D.1.6.2
ldapuxclient B.04.17
HP-UX 11.23
JFS 4.1 layout 5

Eric
0 Kudos
Reply
Stéphane Gauthier
Advisor

‎11-21-2008 10:30 AM

‎11-21-2008 10:30 AM

Re: Samba and WINDOWS NTFS permissions

Tks Eric. I am now using winbind and it is working fine. Really appreciate.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.