Hi list,
I'm wrestling with a rather ugly Samba problem here. When a user tries to
access a Samba share, the group permission is not evaluated. Users can only
access shares that belong to their primary group (sambaPrimaryGroupSID). All
other groups are ignored.
The users are stored in an LDAP database. An example is probably best:
user "weisse" wants to access "lftcommon" but is bluntly rejected by Samba.
Here is the LDAP entry for the user:
$> ldapsearch -x -D "cn=administrator,dc=domain,dc=de" -W -b
"uid=weisse,ou=people,dc=domain,dc=de"
...
dn: uid=weisse,ou=people,dc=domain,dc=de
...
sambaSID: S-1-5-21-3472328929-1490573074-2800308803-3002
....
gidNumber: 20500
...
sambaPrimaryGroupSID: S-1-5-21-3472328929-1490573074-2800308803-20500
Under Linux, "weisse" is in the correct group "lft" to access the
directory:
$> id
uid=21113(weisse) gid=20500(lftuser) Gruppen=... 20000(lft) ...
$> ll -d common
drwxrwx--- 16 root lft 4096 9. Aug 14:28 common
For Windows there is also a group mapping like this. Though I'm not sure
whether the group mapping is needed at all.
$> net groupmap list
...
lft (S-1-5-21-3472328929-1490573074-2800308803-1006) -> lft
...
(The SID "1006" somehow doesn't matter either. Whether the Unix GID or $foo
is in there makes no difference. At least it doesn't work in any case.)
<--------------- ><8 -------- ><8 -------- ><8 -------- ><8 -------->
# /etc/samba/smb.conf
[global]
....
# use LDAP as the user database
encrypt passwords = yes
passdb backend = ldapsam:ldap://mlrfs1.domain.de
ldap admin dn = cn=administrator,dc=domain,dc=de
ldap suffix = dc=domain,dc=de
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap group suffix = ou=group
ldap user suffix = ou=people
ldapsam:trusted = yes
ldapsam:editposix = yes
# ldap ssl = start_tls
# ldap tls = start_tls
ldap ssl = no
ldap passwd sync = Yes
...
log level = 1 passdb:2 auth:2 winbind:2
...
[lftcommon]
comment = Alle LFT Nutzer
path = /home/lft/common
read only = No
inherit permissions = No
veto files = /aquota.user/groups/shares/
browseable = yes
guest ok = no
printable = no
create mask = 740
directory mask = 750
valid users = @lft
force group = +lft
force create mode = 0660
force directory mode = 0660
<--------------- ><8 -------- ><8 -------- ><8 -------- ><8 -------->
Attached is an excerpt from /var/log/log.smb. It is a fresh logon to the
domain as "weisse" followed by access to the share "lftcommon".
Samba finds group 20000 in LDAP. Shortly before the "NT_STATUS_ACCESS_DENIED",
Samba is still playing with a group 1000. This group really exists, but it
has nothing to do with the share.
<--------------- ><8 -------- ><8 -------- ><8 -------- ><8 -------->
....
[2010/09/16 11:11:15.686408, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: weisse
[2010/09/16 11:11:15.763748, 2] auth/auth.c:304(check_ntlm_password)
check_ntlm_password: authentication for user [weisse] -> [weisse] ->
[weisse] succeeded
[2010/09/16 11:11:16.597111, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: weisse
[2010/09/16 11:11:16.599831, 2] auth/auth.c:304(check_ntlm_password)
check_ntlm_password: authentication for user [weisse] -> [weisse] ->
[weisse] succeeded
[2010/09/16 11:11:16.642294, 1] smbd/service.c:1070(make_connection_snum)
mlr134v (141.30.156.134) connect to service profiles initially as user
weisse (uid=21113, gid=20500) (pid 8611)
[2010/09/16 11:11:16.644955, 1] smbd/dosmode.c:255(get_ea_dos_attribute)
get_ea_dos_attributes: Cannot get attribute from EA on file .msprofile:
Error = Die Operation wird nicht unterstützt
[2010/09/16 11:11:16.646398, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: weisse
[2010/09/16 11:11:31.293138, 1] smbd/service.c:1251(close_cnum)
mlr134v (141.30.156.134) closed connection to service profiles
[2010/09/16 11:11:32.330728, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: weisse
[2010/09/16 11:11:32.334515, 2] auth/auth.c:304(check_ntlm_password)
check_ntlm_password: authentication for user [weisse] -> [weisse] ->
[weisse] succeeded
[2010/09/16 11:11:32.340314, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: haehnel
[2010/09/16 11:11:32.385181, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: root
[2010/09/16 11:11:32.386166, 1] smbd/service.c:1070(make_connection_snum)
mlr134v (141.30.156.134) connect to service netlogon initially as user
weisse (uid=21113, gid=20500) (pid 8616)
[2010/09/16 11:11:33.194144, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: weisse
[2010/09/16 11:11:33.197010, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: weisse
[2010/09/16 11:11:33.198957, 1] smbd/service.c:1070(make_connection_snum)
mlr134v (141.30.156.134) connect to service weisse initially as user weisse
(uid=21113, gid=20500) (pid 8616)
[2010/09/16 11:11:41.813782, 1] smbd/service.c:1251(close_cnum)
mlr134v (141.30.156.134) closed connection to service netlogon
[2010/09/16 11:11:41.815067, 1] smbd/service.c:1251(close_cnum)
mlr134v (141.30.156.134) closed connection to service weisse
[2010/09/16 11:11:56.278246, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: weisse
[2010/09/16 11:11:56.281555, 2] auth/auth.c:304(check_ntlm_password)
check_ntlm_password: authentication for user [weisse] -> [weisse] ->
[weisse] succeeded
[2010/09/16 11:11:56.286103, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: weisse
init_sam_from_ldap: Entry found for user: weisse
[2010/09/16 11:11:56.288915, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: weisse
[2010/09/16 11:11:56.290839, 1] smbd/service.c:1070(make_connection_snum)
mlr134v (141.30.156.134) connect to service weisse initially as user weisse
(uid=21113, gid=20500) (pid 8644)
[2010/09/16 11:11:56.672438, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: haehnel
[2010/09/16 11:11:56.675118, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: root
[2010/09/16 11:11:56.677183, 1] smbd/service.c:1070(make_connection_snum)
mlr134v (141.30.156.134) connect to service netlogon initially as user
weisse (uid=21113, gid=20500) (pid 8644)
[2010/09/16 11:12:00.759827, 2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 20500
[2010/09/16 11:12:00.760879, 2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 20500
[2010/09/16 11:12:00.761015, 0] param/loadparm.c:9912(widelinks_warning)
Share 'lft' has wide links and unix extensions enabled. These parameters are
incompatible. Wide links will be disabled for this share.
[2010/09/16 11:12:00.762599, 2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 20500
[2010/09/16 11:12:00.762975, 1] smbd/service.c:1070(make_connection_snum)
mlr134v (141.30.156.134) connect to service lft initially as user weisse
(uid=21113, gid=20500) (pid 8644)
[2010/09/16 11:12:00.823477, 2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 20500
[2010/09/16 11:12:00.824278, 2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 20000
[2010/09/16 11:12:00.824416, 0] param/loadparm.c:9912(widelinks_warning)
Share 'lftcommon' has wide links and unix extensions enabled. These
parameters are incompatible. Wide links will be disabled for this share.
[2010/09/16 11:12:00.825761, 2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 20500
[2010/09/16 11:12:00.826182, 1] smbd/service.c:1070(make_connection_snum)
mlr134v (141.30.156.134) connect to service lftcommon initially as user
weisse (uid=21113, gid=20500) (pid 8644)
[2010/09/16 11:12:01.364989, 2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 21003
[2010/09/16 11:12:01.366606, 2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 20500
[2010/09/16 11:12:01.367811, 2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 21003
[2010/09/16 11:12:01.369595, 2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 21003
[2010/09/16 11:12:01.370874, 2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 20500
[2010/09/16 11:12:01.371561, 1] smbd/service.c:1070(make_connection_snum)
mlr134v (141.30.156.134) connect to service lftstud initially as user weisse
(uid=21113, gid=20500) (pid 8644)
[2010/09/16 11:12:01.460171, 2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 1000
[2010/09/16 11:12:01.460405, 1] smbd/service.c:678(make_connection_snum)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
<--------------- ><8 -------- ><8 -------- ><8 -------- ><8 -------->
About the system:
openSuse 11.3
Samba (version 3.5.4)
OpenLDAP (version 2.4.21)
Does anyone have a PDC (Samba+LDAP) running on Suse 11.3 and can help me
out? Earlier, with a 9.x version, this worked really well.
Since the switch to 11.3 it is falling apart at every corner.
Jens
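As an added illustration (not part of Jens's post or of Samba itself), the script below models how Samba evaluates the share-level `valid users`, `invalid users` and `force group` parameters that appear in the posted `[lftcommon]` stanza. It parses a constructed smb.conf fragment and checks two constructed identities for "weisse": one where Samba sees the full supplementary group list and one where only the primary group survives, which reproduces the symptom described above (access granted by the primary group only). The name-list semantics are taken from the smb.conf documentation: `@name` tries a NIS netgroup and then a Unix group, `+name` is a Unix group only, `&name` a netgroup only, and `force group = +name` applies only to users already in that group. The parser, the user model and the sample data are hypothetical helpers written for this example.

```python
"""Model of Samba's 'valid users' / 'invalid users' / 'force group'
evaluation, run against a constructed user set.  Hypothetical helper
code for illustration, not Samba's own implementation."""
import re
from dataclasses import dataclass, field

# Constructed smb.conf fragment mirroring the [lftcommon] share from the post,
# plus a second share to exercise 'invalid users' and mixed token types.
SMB_CONF = """
[global]
   workgroup = EXAMPLE

[lftcommon]
   comment = Alle LFT Nutzer
   path = /home/lft/common
   valid users = @lft
   force group = +lft

[lftstud]
   path = /home/lft/stud
   valid users = @lftstud, +lft
   invalid users = weisse
"""


@dataclass
class UnixUser:
    """What Samba knows about a connecting user after the passdb lookup."""
    name: str
    primary_group: str
    supplementary_groups: set = field(default_factory=set)
    netgroups: set = field(default_factory=set)

    def unix_groups(self):
        return {self.primary_group} | self.supplementary_groups


def parse_smb_conf(text):
    """Minimal smb.conf parser: [sections], 'key = value', '#'/';' comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            conf[section] = {}
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[section][key.strip().lower()] = value.strip()
    return conf


def split_list(value):
    """Samba list parameters are separated by spaces and/or commas."""
    return [t for t in re.split(r"[\s,]+", value.strip()) if t]


def token_matches(token, user):
    """'@name': netgroup, then Unix group; '+name': Unix group only;
    '&name': netgroup only; anything else is a user name."""
    if token.startswith("@"):
        name = token[1:]
        return name in user.netgroups or name in user.unix_groups()
    if token.startswith("+"):
        return token[1:] in user.unix_groups()
    if token.startswith("&"):
        return token[1:] in user.netgroups
    return token.lower() == user.name.lower()


def share_allows(conf, share, user):
    """'invalid users' takes precedence over 'valid users'; an empty
    'valid users' admits everyone who is not listed as invalid."""
    params = conf[share.lower()]
    invalid = split_list(params.get("invalid users", ""))
    if any(token_matches(t, user) for t in invalid):
        return False
    valid = split_list(params.get("valid users", ""))
    return not valid or any(token_matches(t, user) for t in valid)


def effective_group(conf, share, user):
    """'force group = +name' only switches the group for users who are
    already members of 'name'; without '+' the group is forced for all."""
    fg = conf[share.lower()].get("force group", "")
    if not fg:
        return user.primary_group
    if fg.startswith("+"):
        return fg[1:] if fg[1:] in user.unix_groups() else user.primary_group
    return fg


def explain(conf, share, user):
    """Summarise the decision so a missing group is visible at a glance."""
    valid = split_list(conf[share.lower()].get("valid users", ""))
    return {"allowed": share_allows(conf, share, user),
            "matched_tokens": [t for t in valid if token_matches(t, user)],
            "effective_group": effective_group(conf, share, user)}


if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    # Constructed identities: the group set Samba actually resolves decides.
    full = UnixUser("weisse", "lftuser", {"lft", "users"})
    primary_only = UnixUser("weisse", "lftuser")  # supplementary groups lost
    for label, u in (("full group list", full), ("primary group only", primary_only)):
        print(label, explain(conf, "lftcommon", u))
```

Running it prints an allowed decision with `lft` as the effective group for the full identity and a denied decision with no matched tokens for the primary-group-only identity, which is the pattern to compare against the `id` output and the `init_group_from_ldap` lines in the log: if the resolved group list on the Samba side lacks 20000/`lft`, `valid users = @lft` cannot match.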