Re: Samba Share and rights very strange
02-02-2006 12:54 AM
I have a Samba share that is set up to allow a certain group access to the files. Another group are allowed to write to them. This all used to work and just stopped working. What is happening is the users with write access can create a folder, copy files into the share, modify existing files. They cannot delete or rename. I figure if you have write access...you have full access.
Here is the config file:
[global]
workgroup = AAFC-AAC
netbios name = SKREGISD
server string = SKREGISD share
security = DOMAIN
map to guest = Bad User
password server = ONNCRX1
syslog = 0
log file = /var/opt/samba/log.%m
max log size = 1000
max smbd processes = 0
wins server = 10.117.10.40
idmap uid = 10000-200000
idmap gid = 10000-200000
winbind separator = +
winbind enum users = No
winbind enum groups = No
winbind cache time = 3000
short preserve case = No
dos filetime resolution = Yes
client schannel = No
[LYRS]
comment = Layers for GIS
path = /lyrs
public = No
valid users = domain+readers
read only = Yes
force group = readers
write list = domain+admin
directory mask = 0775
create mask = 0775
force create mode = 0775
security mask = 0775
max connections = 0
The directory that the share maps to is owned by the "readers" group and all dirs and files are rwxrwxr-x
02-02-2006 11:25 AM
I have read your previous thread. To supply a definitive answer I think would require a duplication scenario, which would take a lot of work. So I would approach this in one of two ways:
1. Open a call at the RC and let them figure it out. If you have a support contract, that's what it is for (and one of the big values of HP CIFS Server over Opensource).
2. You have a complex share definition. I understand why you have "read only" and "write list", but do not understand why domain+admin is not in "valid users", or why "valid users" and "write list" have domain+group but "force group" does not. I understand that it was working, but now it is not. Anyway, I would remove "valid users", "read only", "force group", and "write list", and then test for the functions that you want (read, write, copy, rename, etc...). Then add back each parm and see what happens. There was a guy in the original thread who suggested an initial share config, but it was not clear if you tried it.
Here are a couple of disclaimers: 1 - I have never tested "security = domain" with winbind and share definitions (always with ads); 2 - Samba is very flexible, and combining various parms can yield unpredictable results, so it's best to try and define the share as simply as possible; 3 - "valid users" can be confusing - you can not give access with "valid users", only deny access. So if a user/group is not in "valid users", it will be denied, even if it has permissions. But if a user is in "valid users" and does not have permissions, it will not have access.
Magic Bullet: If you want to try a magic bullet, I would eliminate "valid users", or add domain+admin to "valid users".
Good Luck,
Eric Roseme
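Added example (not part of the reply above, and not HP CIFS or Samba code): a small Python model of the share-level rules the reply describes, run over the [LYRS] parameters from the question. It assumes names in "valid users" and "write list" are matched against the user's own name and group names and leaves file system permissions out; `share_access` and `lint` are hypothetical helper names.

```python
# Constructed sample: the access-related [LYRS] parameters quoted in the thread.
SHARE = """\
[LYRS]
path = /lyrs
valid users = domain+readers
read only = Yes
force group = readers
write list = domain+admin
"""

def parse_share(text):
    """Parse the 'key = value' lines of one share section into a dict."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":
            continue  # skip blanks, comments and the section header
        key, _, value = line.partition("=")
        params[" ".join(key.split()).lower()] = value.strip()
    return params

def names(params, key):
    """List-valued parameter as a set (comma or whitespace separated)."""
    return {n.lower() for n in params.get(key, "").replace(",", " ").split()}

def share_access(params, principals):
    """Share-level result for a user whose name and groups are `principals`.

    Assumption: simplified model of the rules in the reply. "valid users"
    can only deny; "write list" lifts "read only" for listed names.
    File system permissions are a separate check made by the OS.
    """
    who = {p.lower() for p in principals}
    valid = names(params, "valid users")
    if valid and not (who & valid):
        return "denied"
    read_only = params.get("read only", "yes").lower() in ("yes", "true", "1")
    if not read_only or who & names(params, "write list"):
        return "write"
    return "read"

def lint(params):
    """Names in "write list" that "valid users" would lock out."""
    valid = names(params, "valid users")
    return sorted(names(params, "write list") - valid) if valid else []

if __name__ == "__main__":
    p = parse_share(SHARE)
    print("write list names missing from valid users:", lint(p))
```

Under this model a user who is only in domain+admin is rejected at the share level, while a user in both groups gets write access, which is the inconsistency the reply points at.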
02-02-2006 11:46 PM
Re: Samba Share and rights very strange
S.
02-03-2006 12:03 AM
Re: Samba Share and rights very strange
You may need to rejoin your domain and stop/start Samba when the Windows patching is done.
We've recently seen that patching Windows PDC systems has caused untold problems with Linux systems with older versions of Samba. Not seen the same behavior with HP-UX.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
02-03-2006 12:29 AM
Re: Samba Share and rights very strange
I did try that - a few times actually - and didn't seem to help.
02-03-2006 03:14 AM
Re: Samba Share and rights very strange
02-03-2006 03:48 AM
Re: Samba Share and rights very strange
Here is what I have:
B8725AA A.02.02 HP CIFS Server
What's New in A.02.02 (3.0d):
This is a feature release that incorporates Samba Server version 3.0.14a with additional HP fixes.
02-03-2006 03:51 AM
Re: Samba Share and rights very strange
GOLDAPPS11i B.11.11.0509.429 Applications Patches for HP-UX 11i v1, September 2005
GOLDBASE11i B.11.11.0509.429 Base Patches for HP-UX 11i v1, September 2005
02-03-2006 04:07 AM
Re: Samba Share and rights very strange
I guess your best course of action is check out the issues and forums at www.samba.org if there are issues vis a vis certain Windows 2K/2003 patches.
OR, if you have full HP-UX support -- approach HP since HP CIFS is fully supported.
02-03-2006 04:09 AM
Re: Samba Share and rights very strange
02-03-2006 04:17 AM
Re: Samba Share and rights very strange
I will however double check everything on your HP-UX side.
I will even go to the extreme of having the machine account revoked on the domain. Remove your /var/opt/samba/private/secrets.tdb and go through the process of having the machine account created (Wizard) and membership redone (net rpc join). If you've a cooperative and interested Windows Admin and you're running Windows 2000/2003 ADS ... then you might just go straight and use SECURITY=ADS. This is fully documented in the CIFS Server manuals.
02-03-2006 07:46 AM
Re: Samba Share and rights very strange
Without doing a controlled duplication, I think we're all just guessing, but here goes another try.
Usually domain membership issues have more to do with authentication than permissions. Since your users apparently get authenticated okay (they can mount the share) then I think your domain membership is okay.
I agree with Nelson that you can leave your HP-UX patches alone. However, the Windows patches may be an area of concern. Since you are using winbind, you are dependent upon winbind to get user/group data from the DC - for permissions. If your Windows patches messed up your winbind anonymous connection, then you may not be getting your correct group permissions for your users. To set your winbind access manually, use "wbinfo -a administrator%password". This will manually set a user/password which winbind will use to access the DC for account info. Then do a "groups username" from the HP-UX box to ensure that your users are getting the correct group enumeration. Just a guess.
The only other way that I can see a Windows patch affecting permissions is if a new client policy was introduced and propagated out with Group Policy Manager, and that somehow affects client share access. Since your clients can mount the share, do a right click on one of the files and look at the advanced security menu. Click Edit and see what your effective permissions are. If the "writers" do not have full control - with delete/rename or whatever - then maybe there was some sort of client policy introduced without your knowledge.
Another guess. See you later,
Eric Roseme