Hi list,
I am struggling with a very unpleasant Samba problem here. When a user tries to access a Samba share, the group permissions are not evaluated. Users can only access shares that belong to their primary group (sambaPrimaryGroupSID). All other groups are ignored.
The users are stored in an LDAP database. An example is probably best:
User "weisse" wants to access "lftcommon" but is flatly rejected by Samba.
Here is the LDAP entry for the user:
$> ldapsearch -x -D "cn=administrator,dc=domain,dc=de" -W -b "uid=weisse,ou=people,dc=domain,dc=de"
...
dn: uid=weisse,ou=people,dc=domain,dc=de
...
sambaSID: S-1-5-21-3472328929-1490573074-2800308803-3002
....
gidNumber: 20500
...
sambaPrimaryGroupSID: S-1-5-21-3472328929-1490573074-2800308803-20500
Under Linux, "weisse" is in the correct group "lft" to access the directory:
$> id
uid=21113(weisse) gid=20500(lftuser) Gruppen=... 20000(lft) ...
$> ll -d common
drwxrwx--- 16 root lft 4096 9. Aug 14:28 common
For Windows there is also a group mapping like this. Although I am not sure whether the group mapping is needed at all.
$> net groupmap list
...
lft (S-1-5-21-3472328929-1490573074-2800308803-1006) -> lft
...
(The SID "1006" somehow plays no role either. Whether the Unix GID or $foo is in there makes no difference. At least it does not work in any case.)
<--------------- ><8 -------- ><8 -------- ><8 -------- ><8 -------->
# /etc/samba/smb.conf
[global]
....
# use LDAP as the user database
encrypt passwords = yes
passdb backend = ldapsam:ldap://mlrfs1.domain.de
ldap admin dn = cn=administrator,dc=domain,dc=de
ldap suffix = dc=domain,dc=de
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap group suffix = ou=group
ldap user suffix = ou=people
ldapsam:trusted = yes
ldapsam:editposix = yes
# ldap ssl = start_tls
# ldap tls = start_tls
ldap ssl = no
ldap passwd sync = Yes
...
log level = 1 passdb:2 auth:2 winbind:2
...
[lftcommon]
comment = Alle LFT Nutzer
path = /home/lft/common
read only = No
inherit permissions = No
veto files = /aquota.user/groups/shares/
browseable = yes
guest ok = no
printable = no
create mask = 740
directory mask = 750
valid users = @lft
force group = +lft
force create mode = 0660
force directory mode = 0660
<--------------- ><8 -------- ><8 -------- ><8 -------- ><8 -------->
Attached is an excerpt from /var/log/log.smb. It is a fresh logon to the domain as "weisse" followed by an access to the share "lftcommon".
Samba finds group 20000 in LDAP. Shortly before the "NT_STATUS_ACCESS_DENIED", Samba is still fiddling with a group 1000. That group really exists, but has nothing to do with the share.
<--------------- ><8 -------- ><8 -------- ><8 -------- ><8 -------->
....
[2010/09/16 11:11:15.686408, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: weisse
[2010/09/16 11:11:15.763748, 2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password: authentication for user [weisse] -> [weisse] -> [weisse] succeeded
[2010/09/16 11:11:16.597111, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: weisse
[2010/09/16 11:11:16.599831, 2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password: authentication for user [weisse] -> [weisse] -> [weisse] succeeded
[2010/09/16 11:11:16.642294, 1] smbd/service.c:1070(make_connection_snum)
  mlr134v (141.30.156.134) connect to service profiles initially as user weisse (uid=21113, gid=20500) (pid 8611)
[2010/09/16 11:11:16.644955, 1] smbd/dosmode.c:255(get_ea_dos_attribute)
  get_ea_dos_attributes: Cannot get attribute from EA on file .msprofile: Error = Die Operation wird nicht unterstützt
[2010/09/16 11:11:16.646398, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: weisse
[2010/09/16 11:11:31.293138, 1] smbd/service.c:1251(close_cnum)
  mlr134v (141.30.156.134) closed connection to service profiles
[2010/09/16 11:11:32.330728, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: weisse
[2010/09/16 11:11:32.334515, 2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password: authentication for user [weisse] -> [weisse] -> [weisse] succeeded
[2010/09/16 11:11:32.340314, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: haehnel
[2010/09/16 11:11:32.385181, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: root
[2010/09/16 11:11:32.386166, 1] smbd/service.c:1070(make_connection_snum)
  mlr134v (141.30.156.134) connect to service netlogon initially as user weisse (uid=21113, gid=20500) (pid 8616)
[2010/09/16 11:11:33.194144, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: weisse
[2010/09/16 11:11:33.197010, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: weisse
[2010/09/16 11:11:33.198957, 1] smbd/service.c:1070(make_connection_snum)
  mlr134v (141.30.156.134) connect to service weisse initially as user weisse (uid=21113, gid=20500) (pid 8616)
[2010/09/16 11:11:41.813782, 1] smbd/service.c:1251(close_cnum)
  mlr134v (141.30.156.134) closed connection to service netlogon
[2010/09/16 11:11:41.815067, 1] smbd/service.c:1251(close_cnum)
  mlr134v (141.30.156.134) closed connection to service weisse
[2010/09/16 11:11:56.278246, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: weisse
[2010/09/16 11:11:56.281555, 2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password: authentication for user [weisse] -> [weisse] -> [weisse] succeeded
[2010/09/16 11:11:56.286103, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: weisse
  init_sam_from_ldap: Entry found for user: weisse
[2010/09/16 11:11:56.288915, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: weisse
[2010/09/16 11:11:56.290839, 1] smbd/service.c:1070(make_connection_snum)
  mlr134v (141.30.156.134) connect to service weisse initially as user weisse (uid=21113, gid=20500) (pid 8644)
[2010/09/16 11:11:56.672438, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: haehnel
[2010/09/16 11:11:56.675118, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: root
[2010/09/16 11:11:56.677183, 1] smbd/service.c:1070(make_connection_snum)
  mlr134v (141.30.156.134) connect to service netlogon initially as user weisse (uid=21113, gid=20500) (pid 8644)
[2010/09/16 11:12:00.759827, 2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 20500
[2010/09/16 11:12:00.760879, 2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 20500
[2010/09/16 11:12:00.761015, 0] param/loadparm.c:9912(widelinks_warning)
  Share 'lft' has wide links and unix extensions enabled. These parameters are incompatible. Wide links will be disabled for this share.
[2010/09/16 11:12:00.762599, 2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 20500
[2010/09/16 11:12:00.762975, 1] smbd/service.c:1070(make_connection_snum)
  mlr134v (141.30.156.134) connect to service lft initially as user weisse (uid=21113, gid=20500) (pid 8644)
[2010/09/16 11:12:00.823477, 2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 20500
[2010/09/16 11:12:00.824278, 2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 20000
[2010/09/16 11:12:00.824416, 0] param/loadparm.c:9912(widelinks_warning)
  Share 'lftcommon' has wide links and unix extensions enabled. These parameters are incompatible. Wide links will be disabled for this share.
[2010/09/16 11:12:00.825761, 2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 20500
[2010/09/16 11:12:00.826182, 1] smbd/service.c:1070(make_connection_snum)
  mlr134v (141.30.156.134) connect to service lftcommon initially as user weisse (uid=21113, gid=20500) (pid 8644)
[2010/09/16 11:12:01.364989, 2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 21003
[2010/09/16 11:12:01.366606, 2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 20500
[2010/09/16 11:12:01.367811, 2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 21003
[2010/09/16 11:12:01.369595, 2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 21003
[2010/09/16 11:12:01.370874, 2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 20500
[2010/09/16 11:12:01.371561, 1] smbd/service.c:1070(make_connection_snum)
  mlr134v (141.30.156.134) connect to service lftstud initially as user weisse (uid=21113, gid=20500) (pid 8644)
[2010/09/16 11:12:01.460171, 2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 1000
[2010/09/16 11:12:01.460405, 1] smbd/service.c:678(make_connection_snum)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
<--------------- ><8 -------- ><8 -------- ><8 -------- ><8 -------->
About the system: openSUSE 11.3, Samba (version 3.5.4), OpenLDAP (version 2.4.21)
Does anyone have a PDC (Samba+LDAP) running on SUSE 11.3 and can help me out? Back on a 9.x version this used to run really well. Since the switch to 11.3 it is stuck at every turn.
Jens
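As an added illustration (not part of the post above, and not Samba's own code), the following Python models the share-level "valid users" / "invalid users" check from smb.conf and applies it to the group memberships shown by `id`. Running it with all of the user's groups gives the expected result for `valid users = @lft`; running it with only the primary group reproduces the symptom described, where nothing but the sambaPrimaryGroupSID group is honoured. The `id` line is constructed from the values in the post; the netgroup list is an assumption (empty).

```python
import re

# Constructed `id` output modelled on the post; a German locale prints "Gruppen=".
ID_OUTPUT = ("uid=21113(weisse) gid=20500(lftuser) "
             "Gruppen=20500(lftuser),20000(lft),21003(lftstud)")

def parse_id(output):
    """Return (user, primary group, set of all group names) from one `id` line."""
    user = re.search(r"uid=\d+\(([^)]+)\)", output).group(1)
    primary = re.search(r"gid=\d+\(([^)]+)\)", output).group(1)
    tail = re.search(r"(?:groups|Gruppen)=(.*)$", output).group(1)
    return user, primary, set(re.findall(r"\d+\(([^)]+)\)", tail))

def token_matches(token, user, groups, netgroups):
    """smb.conf name prefixes: '@' = NIS netgroup, then Unix group; '+' = Unix
    group only; '&' = netgroup only; no prefix = a plain user name."""
    prefixes, name = "", token
    while name and name[0] in "@+&":
        prefixes, name = prefixes + name[0], name[1:]
    if not prefixes:
        return name.lower() == user.lower()
    if ("@" in prefixes or "+" in prefixes) and name in groups:
        return True
    if "@" in prefixes or "&" in prefixes:
        return name in netgroups
    return False

def share_allows(valid_users, user, groups, invalid_users="", netgroups=()):
    """Follow the smb.conf rules: an 'invalid users' hit always denies, an empty
    'valid users' list admits everyone, otherwise one matching token suffices."""
    split = lambda s: [t for t in re.split(r"[,\s]+", s.strip()) if t]
    if any(token_matches(t, user, groups, netgroups) for t in split(invalid_users)):
        return False
    valid = split(valid_users)
    return not valid or any(token_matches(t, user, groups, netgroups) for t in valid)

def check_share(valid_users, id_output, primary_only=False):
    """True if the share admits the user; primary_only reproduces the symptom
    from the post, where only the primary group is taken into account."""
    user, primary, groups = parse_id(id_output)
    effective = {primary} if primary_only else groups
    return share_allows(valid_users, user, effective)

if __name__ == "__main__":
    print("expected for valid users = @lft:", check_share("@lft", ID_OUTPUT))
    print("observed (primary group only): ", check_share("@lft", ID_OUTPUT, True))
```

Comparing the two results against the log is a quick way to tell whether Samba saw the supplementary groups at all before it evaluated the share, rather than whether the share definition itself is wrong.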