Bug #2815
Can't access group shared folder (samba WS mode)
Status: | CLOSED | Start date: | ||
---|---|---|---|---|
Priority: | Normal | Due date: | ||
Assignee: | - | % Done: | 100% | |
Category: | nethserver-samba | |||
Target version: | v6.5 | |||
Security class: | Resolution: | |||
Affected version: | v6.5-final | NEEDINFO: | No |
Description
When Samba is operating in workstation mode, a shared folder is not accessible to the members of the owning group.
smbclient
reports NT_STATUS_ACCESS_DENIED
error. Log files don't report any useful information.
The culprit could be the idmap configuration:
# wbinfo -G 5000 S-1-5-21-1395243596-1391465310-1452543066-1005 # wbinfo - Y S-1-5-21-1395243596-1391465310-1452543066-1005 50005
The last command was expected to remap the given SID to GID 5000, but reports a newly allocated GID: 50005. In LDAP there is a new (unexpected) entry:
# ldapsearch -LLL -Y EXTERNAL gidNumber=50005 2>/dev/null dn: sambaSID=S-1-5-21-1395243596-1391465310-1452543066-1005,ou=Idmap,dc=direct ory,dc=nh objectClass: sambaIdmapEntry objectClass: sambaSidEntry gidNumber: 50005 sambaSID: S-1-5-21-1395243596-1391465310-1452543066-1005BTW, the bug does not arise in PDC mode:
- delete the LDAP entry
- clean the cache (net cache flush)
- change to PDC mode
Packages:
# rpm -qa | grep -F .ns | sort nethserver-base-2.2.1-1.ns6.noarch nethserver-directory-2.0.3-1.ns6.noarch nethserver-ibays-2.0.3-1.ns6.noarch nethserver-release-6.5-5.ns6.noarch nethserver-samba-1.4.5-1.ns6.noarch ...
Related issues
Associated revisions
smb.conf: always use nss idmap backend for local user database. Refs #2815
When acting as PDC use the workgroup name instead of machine name.
History
#1 Updated by Davide Principi about 7 years ago
In WS mode:
# wbinfo -g DAVIDEP3\locals DAVIDEP3\unix group admin DAVIDEP3\domain admins DAVIDEP3\domain users DAVIDEP3\domain computers DAVIDEP3\domain guests DAVIDEP3\bilanci DAVIDEP3\amministrazione DAVIDEP3\unix group primo.utente # wbinfo -D DAVIDEP3 Name : DAVIDEP3 Alt_Name : SID : S-1-5-21-1395243596-1391465310-1452543066 Active Directory : No Native : No Primary : Yes # wbinfo -D WORKGROUP failed to call wbcDomainInfo: WBC_ERR_DOMAIN_NOT_FOUND Could not get domain info
I think this is an idmap configuration problem: the idmap_nss backend is configured for WORKGROUP
. I bet it could be DAVIDEP3
...:
# grep idmap /etc/samba/smb.conf ldap idmap suffix = ou=Idmap idmap config * : backend = ldap idmap config * : ldap_url = ldap://127.0.0.1 idmap config * : ldap_base_dn = ou=Idmap,dc=directory,dc=nh idmap config * : ldap_user_dn = cn=samba,dc=directory,dc=nh idmap config * : range = 50000-99999 idmap config WORKGROUP : range = 0 - 9999 idmap config WORKGROUP : backend = nss
BTW, in PDC mode the "foreign group prefix" has gone:
# wbinfo -g locals unix group admin domain admins domain users domain computers domain guests bilanci amministrazione unix group primo.utente
#2 Updated by Davide Principi about 7 years ago
- Related to Enhancement #2803: Edit workgroup name when role is Workstation added
#3 Updated by Davide Principi almost 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- % Done changed from 20 to 30
On branch b2803 Refs #2803
#4 Updated by Davide Principi almost 7 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (
Davide Principi) - % Done changed from 30 to 60
Test case
Check the bug is not reproducible on the modified version
#5 Updated by Davide Principi almost 7 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
In nethserver-testing:
nethserver-samba-1.4.5-1.14git5c2b63f.ns6.noarch.rpm
#6 Updated by Nicola Rauso almost 7 years ago
- Assignee set to Nicola Rauso
#7 Updated by Nicola Rauso almost 7 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (
Nicola Rauso) - % Done changed from 70 to 90
Tested: ok
#8 Updated by Davide Principi almost 7 years ago
Released in nethserver-updates
as hotfix:
nethserver-samba-1.4.5-2.ns6.noarch.rpm
The QA tests were done on the master branch: close this issue when the master branch has been released.
#9 Updated by Davide Principi almost 7 years ago
- File 0003-Hotfix-Release-1.4.5-2.ns6.patch added
- File 0002-nethserver-samba.spec-converted-to-plain-.spec-file..patch added
- File 0001-smb.conf-always-use-nss-idmap-backend-for-local-user.patch added
Attached patches were applied to nethserver-samba 1.4.5 from branch b2803.
#10 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
- nethserver-samba-1.4.6-1.ns6.noarch.rpm