
#1 2009-03-17 00:06:01

goosed
Member
Registered: 2009-03-16
Posts: 24

Samba Configuration [SOLVED!]

Hi all, for the life of me I cannot figure out this problem. I'm trying to get Samba working with my AD environment. No matter what I try I cannot seem to get it working. Mind you, I can authenticate to the server if I type wbinfo -a username. I was also successful in joining it to AD. My problem is when I try to access a share, say Home, I get a message asking for a user/pass which it rejects. Here is my smb.conf:

[global]

    workgroup = ADSSERVER
    netbios name = ArchDesktop
    server string = Samba Server
    hosts allow = 192.168.2. 127.
    log file = /var/log/samba/%m.log
    max log size = 1000
    security = ADS
    encrypt passwords = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind nested groups = yes
    winbind separator = +
    idmap uid = 600-20000
    idmap gid = 600-20000
    template shell = /bin/bash
    realm = ADSSERVER
    preferred master = no
    dns proxy = no

[Home]
    comment = My Home Directory
    path = /home/admin
    read only = no
    inherit acls = yes
    inherit permissions = yes
    create mask = 700
    directory mask = 700
    valid users = @"ADSSERVER+Domain Users"
    admin users = @"ADSSERVER+Domain Admins"

[tmp]
    comment = Temporary File Space
    path = /tmp
    read only = no
    inherit acls = yes
    inherit permissions = yes
    create mask = 700
    directory mask = 700
    valid users = @"ADSSERVER+Domain Users"
    admin users = @"ADSSERVER+Domain Admins"

If anyone can point me in the right direction it would be much appreciated. Thanks.

Last edited by goosed (2009-03-19 01:34:46)

Offline

#2 2009-03-17 01:58:32

dschrute
Member
From: NJ, USA
Registered: 2007-04-09
Posts: 183

Re: Samba Configuration [SOLVED!]

Have you checked the file level permissions on the shared directory?  Samba acts like Windows in that access is dependent on both the filesystem and share level permissions.
Also is there anything interesting in the logs?

Offline

#3 2009-03-17 05:00:36

goosed
Member
Registered: 2009-03-16
Posts: 24

Re: Samba Configuration [SOLVED!]

Well not sure which logs to check in the samba directory. I tailed winbindd.log and here is the output when attempting to connect to a share:

[2009/03/17] 00:55:28 3] winbindd/winbindd_misc.c:winbindd_domain_info(654)
     [5888]: domain_info [ADSERVER]
[2009/03/17] 00:55:28 3] winbindd/winbindd_misc.c:winbindd_ping(733)
     [5888]: ping
[2009/03/17] 00:55:28 3] winbindd/winbindd_misc.c:winbindd_lookkupname(102)
     [5888]: lookupname ADSERVER+admin

As far as perms go, root has ownership at the /home level, while my admin user has ownership at the /home/admin level.

I'm not sure what else to check.

PS - Great name :)

Offline

#4 2009-03-17 13:33:21

dschrute
Member
From: NJ, USA
Registered: 2007-04-09
Posts: 183

Re: Samba Configuration [SOLVED!]

goosed wrote:

Well not sure which logs to check in the samba directory.

I'd grep all samba log files for things like the user name you're connecting with, the share name, and the host/ip of the machine you're connecting from. 

goosed wrote:

As far as perms go, root has ownership at the /home level, while my admin user has ownership at the /home/admin level.

So there is an "admin" user in AD, and that's what you're using to authenticate with when connecting to the /home/admin share?

In my /home/username folders only that user has access - I.E. they are drwx--x--x.  So since only that user has rw to the directory, even if I share the directory with full read/write to everyone, only the username matching the owner can access it.  Filesystem perms take precedence over share perms, just like in Windows.

I'd start by testing the /tmp share, since /tmp has wide open permissions.  One less thing to worry about, so it's easier to concentrate on the AD part of things.

Offline

#5 2009-03-17 15:21:15

goosed
Member
Registered: 2009-03-16
Posts: 24

Re: Samba Configuration [SOLVED!]

dschrute wrote:

So there is an "admin" user in AD, and that's what you're using to authenticate with when connecting to the /home/admin share?

Yes that's right.

dschrute wrote:

In my /home/username folders only that user has access - I.E. they are drwx--x--x.  So since only that user has rw to the directory, even if I share the directory with full read/write to everyone, only the username matching the owner can access it.  Filesystem perms take precedence over share perms, just like in Windows.

Well making progress.. slowly but surely. I changed the admin directory from drwx------ to drw--xr-x, and I can now access the admin share from my Windows machine. However I still cannot write to the directory. Here is what I see in the logs.. this is when I try to create a New Text Document in my admin share:

[2009/03/17 11:17:34,  3] smbd/process.c:process_smb(1554)
  Transaction 1768 of length 74 (0 toread)
[2009/03/17 11:17:34,  3] smbd/process.c:switch_message(1378)
  switch message SMBtrans2 (pid 6252) conn 0xb90fd7f0
[2009/03/17 11:17:34,  3] smbd/trans2.c:call_trans2qfsinfo(2592)
  call_trans2qfsinfo: level = 261
[2009/03/17 11:17:34,  3] smbd/process.c:process_smb(1554)
  Transaction 1769 of length 134 (0 toread)
[2009/03/17 11:17:34,  3] smbd/process.c:switch_message(1378)
  switch message SMBntcreateX (pid 6252) conn 0xb90fd7f0
[2009/03/17 11:17:34,  3] smbd/dosmode.c:unix_mode(124)
  unix_mode(New Text Document.txt) returning 0766
[2009/03/17 11:17:34,  3] smbd/open.c:open_file(312)
  Permission denied opening New Text Document.txt
[2009/03/17 11:17:34,  3] smbd/error.c:error_packet_set(61)
  error packet at smbd/nttrans.c(498) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED
[2009/03/17 11:17:34,  3] smbd/process.c:process_smb(1554)
  Transaction 1770 of length 124 (0 toread)
[2009/03/17 11:17:34,  3] smbd/process.c:switch_message(1378)
  switch message SMBtrans2 (pid 6252) conn 0xb90fd7f0
[2009/03/17 11:17:34,  3] smbd/trans2.c:call_trans2qfilepathinfo(3943)
  call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004
[2009/03/17 11:17:34,  3] smbd/trans2.c:call_trans2qfilepathinfo(4037)
  call_trans2qfilepathinfo: SMB_VFS_STAT of New Text Document.txt failed (No such file or directory)
[2009/03/17 11:17:34,  3] smbd/error.c:reply_unix_error(154)
  unix_error_packet: error string = No such file or directory
[2009/03/17 11:17:34,  3] smbd/error.c:error_packet_set(61)
  error packet at smbd/trans2.c(4038) cmd=50 (SMBtrans2) NT_STATUS_OBJECT_NAME_NOT_FOUND
[2009/03/17 11:17:34,  3] smbd/process.c:process_smb(1554)
  Transaction 1771 of length 142 (0 toread)
[2009/03/17 11:17:34,  3] smbd/process.c:switch_message(1378)
  switch message SMBntcreateX (pid 6252) conn 0xb90fd7f0
[2009/03/17 11:17:34,  3] smbd/dosmode.c:unix_mode(124)
  unix_mode(New Text Document (2).txt) returning 0766
[2009/03/17 11:17:34,  3] smbd/open.c:open_file(312)
  Permission denied opening New Text Document (2).txt
[2009/03/17 11:17:34,  3] smbd/error.c:error_packet_set(61)
  error packet at smbd/nttrans.c(498) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED
[2009/03/17 11:17:34,  3] smbd/process.c:process_smb(1554)
  Transaction 1772 of length 132 (0 toread)
[2009/03/17 11:17:34,  3] smbd/process.c:switch_message(1378)
  switch message SMBtrans2 (pid 6252) conn 0xb90fd7f0
[2009/03/17 11:17:34,  3] smbd/trans2.c:call_trans2qfilepathinfo(3943)
  call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004
[2009/03/17 11:17:34,  3] smbd/trans2.c:call_trans2qfilepathinfo(4037)
  call_trans2qfilepathinfo: SMB_VFS_STAT of New Text Document (2).txt failed (No such file or directory)
[2009/03/17 11:17:34,  3] smbd/error.c:reply_unix_error(154)
  unix_error_packet: error string = No such file or directory
[2009/03/17 11:17:34,  3] smbd/error.c:error_packet_set(61)
  error packet at smbd/trans2.c(4038) cmd=50 (SMBtrans2) NT_STATUS_OBJECT_NAME_NOT_FOUND

And thanks for the help, I really appreciate it.

Offline
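A way to pull the denied opens out of a level-3 smbd log in the two-line record format shown in the post above. This is an added example, not part of the original thread; the sample lines are constructed to match that format and the function names are hypothetical.

```python
import re

# Record header, e.g. "[2009/03/17 11:17:34,  3] smbd/open.c:open_file(312)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\] "
    r"(?P<src>\S+?):(?P<func>\w+)\((?P<line>\d+)\)\s*$")
SWITCH = re.compile(r"switch message (\w+) \(pid (\d+)\)")
DENIED = re.compile(r"Permission denied opening (.+)$")

def parse_records(text):
    """Join each header line with the indented message line(s) that follow it."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = dict(m.groupdict(), msg="")
            records.append(current)
        elif current is not None and line.strip():
            current["msg"] = (current["msg"] + " " + line.strip()).strip()
    return records

def denied_opens(text):
    """Return each denied open with the SMB command and smbd pid that led to it."""
    hits, cmd, pid = [], None, None
    for rec in parse_records(text):
        sw = SWITCH.search(rec["msg"])
        if sw:
            cmd, pid = sw.group(1), int(sw.group(2))
            continue
        d = DENIED.search(rec["msg"])
        if d:
            hits.append({"time": rec["ts"], "pid": pid,
                         "command": cmd, "file": d.group(1)})
    return hits

# Constructed sample in the same layout as the log excerpt in the post.
SAMPLE = """\
[2009/03/17 11:17:34,  3] smbd/process.c:switch_message(1378)
  switch message SMBntcreateX (pid 6252) conn 0xb90fd7f0
[2009/03/17 11:17:34,  3] smbd/dosmode.c:unix_mode(124)
  unix_mode(New Report.txt) returning 0766
[2009/03/17 11:17:34,  3] smbd/open.c:open_file(312)
  Permission denied opening New Report.txt
[2009/03/17 11:17:35,  3] smbd/process.c:switch_message(1378)
  switch message SMBtrans2 (pid 6252) conn 0xb90fd7f0
"""

if __name__ == "__main__":
    for hit in denied_opens(SAMPLE):
        print(hit)
```

A "Permission denied opening" line comes from the open() call on the server, so a hit here points at filesystem permissions on the share path rather than at AD authentication.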

#6 2009-03-18 01:36:46

goosed
Member
Registered: 2009-03-16
Posts: 24

Re: Samba Configuration [SOLVED!]

So I'm still not sure why it's not working. I know that AD authentication is working.. I've tested passwords and can successfully login via console using AD credentials. Still just cannot figure out why Samba isn't working correctly.

I've created a home directory called /home/ADSERVER/admin with admin:domain admins with the ownership. I've logged into the console using AD authentication, and can write to the new admin folder with no problem. I've shared the directory with Samba, and I can see it fine on my XP machine. However I still cannot write to it. What is wrong? *frustrated*

Last edited by goosed (2009-03-18 01:48:48)

Offline

#7 2009-03-18 04:38:30

ckristi
Member
From: Bucharest, Romania
Registered: 2006-11-21
Posts: 225

Re: Samba Configuration [SOLVED!]

You need the executable bit set on a directory (drwxr-xr-x) in order to be able to write to or modify that directory, or even enter it.


In love I believe and in Linux I trust

Offline

#8 2009-03-18 16:34:10

goosed
Member
Registered: 2009-03-16
Posts: 24

Re: Samba Configuration [SOLVED!]

Now if I set the executable bit, won't any user be able to access that folder?

Offline

#9 2009-03-18 16:49:46

brisbin33
Member
From: boston, ma
Registered: 2008-07-24
Posts: 1,796
Website

Re: Samba Configuration [SOLVED!]

goosed wrote:

Now if I set the executable bit, won't any user be able to access that folder?

if i understand it correctly, the executable bit will allow [owner,group,all] to only enter the directory (and i think not even list the contents, that's the read bit right?)

that's why 755 (drwx-rx-rx) and 644 (rw-r-r) are good permissions on directories/files that don't contain sensitive information.  viewable to all, changeable only by owner.

Last edited by brisbin33 (2009-03-18 16:50:16)

Offline

#10 2009-03-18 19:03:50

goosed
Member
Registered: 2009-03-16
Posts: 24

Re: Samba Configuration [SOLVED!]

If I set 755 to my /home/admin directory, I can then enter it as another user but cannot write.

What I'd like to do is be able to set it so that my admin user can read/write to the /home/admin directory. And on the Windows side, also write to the same directory.

Right now I've only been able to get one or the other working.

Offline

#11 2009-03-18 21:57:17

ckristi
Member
From: Bucharest, Romania
Registered: 2006-11-21
Posts: 225

Re: Samba Configuration [SOLVED!]

I think your problem can be easily solved. Create an "admins" group, give read/write/execute permissions for user admin (or root) and group admins on /home/admin. If you need other users to be able to write in that directory, simply add them to the group admins and create a samba user for them.

# groupadd admins
# gpasswd -a admin admins
# smbpasswd admin
Password:*******
Password again:*******
# chown admin:admins /home/admin
# chmod 775 /home/admin (if you want other users, others than admin and members of group admins, to see the content of this dir)

or

# chmod 770 /home/admin (if you do not want other users to be able to enter this directory)

Now, all you have to do is to connect from your Windows workstations to your share using user "admin" and the password set at the smbpasswd step.

P.S.: If you set the executable bit on a directory, the user (group or others) is (are) allowed to enter that directory. If the read bit is not set, they won't be able to list the contents of that directory, but depending on the rights on the directories or files inside, he (or they) will be able to enter/see other folders/files inside that directory. I hope this explanation was not too complicated... but for further reference you may search Google for "linux file permissions" or follow a quick link here: http://www.freeos.com/articles/3127/

Last edited by ckristi (2009-03-18 22:04:52)


In love I believe and in Linux I trust

Offline

#12 2009-03-18 23:12:19

goosed
Member
Registered: 2009-03-16
Posts: 24

Re: Samba Configuration [SOLVED!]

Thanks ckristi, your post looks very promising.

I created the group like you said and chowned /home/admin to root:admins. I also set the chmod bit to 775.

With the owner set to root, I cannot write to the directory as admin. I can however from my Windows box.
With the owner set to admin, I can write to the directory as admin.

Here are some things I've tested:

/home/admin, chown admin:admins, chmod 775
Results:
Can write as admin from Linux, cannot write as admin from XP.
Other users cannot write to the directory.

/home/admin, chown admin:admins, chmod 770
Results:
Can write as admin from Linux, cannot write (or browse) as admin from XP.
Other users cannot write to the directory.

So again I'm a little lost. Anything you can see? Thank you again.

Last edited by goosed (2009-03-18 23:43:03)

Offline

#13 2009-03-18 23:29:01

ckristi
Member
From: Bucharest, Romania
Registered: 2006-11-21
Posts: 225

Re: Samba Configuration [SOLVED!]

Have you logged out and back in with user admin after adding him to the admins group?
If not, change back the rights to root:admins, log out admin, log back in and try again. The user becomes aware of the new groups he's been added to only after the login process.

Last edited by ckristi (2009-03-18 23:29:41)


In love I believe and in Linux I trust

Offline

#14 2009-03-18 23:52:33

goosed
Member
Registered: 2009-03-16
Posts: 24

Re: Samba Configuration [SOLVED!]

I did not logout/in again and I'm wondering if that was the problem!

/home/admin, chown admin:admins, chmod 770
Results:
Can write as admin from Linux, can write as admin from XP.
Other users cannot see the directory

So this IS working now huh?

Offline

#15 2009-03-18 23:58:01

ckristi
Member
From: Bucharest, Romania
Registered: 2006-11-21
Posts: 225

Re: Samba Configuration [SOLVED!]

Yep... I guess so. :) It would work even if you want to change the ownership of the directory to "root:admins". But I think this shouldn't be needed now. Remember that members of group admins are also able to write to this directory now. If you want only user admin to be able to write, keep admin:admins as owner:group and chmod 750 (full rights for user admin, Read and eXecute rights for members of group admins, no rights for other users).

Last edited by ckristi (2009-03-18 23:58:22)


In love I believe and in Linux I trust

Offline
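The permission combinations tried in this thread, run through a small model of how POSIX picks one permission class (owner, else group, else other) for a directory. This is an added example, not part of the original posts; the users "guest" and "carol" and the function name are hypothetical, root is not modelled, and `user_groups` stands for the groups the process received at login.

```python
import stat

def dir_access(mode, owner, group, user, user_groups):
    """What `user` may do in a directory with this mode and ownership.

    Exactly one permission class applies: owner if the user owns the
    directory, else group if the user is a member, else other.
    """
    if user == owner:
        r, w, x = stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR
    elif group in user_groups:
        r, w, x = stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP
    else:
        r, w, x = stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH
    enter = bool(mode & x)                   # x: traverse into the directory
    return {
        "enter": enter,
        "list": bool(mode & r),              # r: read the entry names
        "create": enter and bool(mode & w),  # creating a file needs w and x
    }

# Constructed cases using the modes and owners discussed in the thread.
CASES = [
    ("770 admin:admins, admin",            0o770, "admin", "admins", "admin", {"admins"}),
    ("770 admin:admins, outsider",         0o770, "admin", "admins", "guest", {"users"}),
    ("775 admin:admins, outsider",         0o775, "admin", "admins", "guest", {"users"}),
    ("750 admin:admins, group member",     0o750, "admin", "admins", "carol", {"admins"}),
    ("775 root:admins, admin (old login)", 0o775, "root", "admins", "admin", {"users"}),
    ("775 root:admins, admin (new login)", 0o775, "root", "admins", "admin", {"users", "admins"}),
    ("drw--xr-x as owner",                 0o615, "admin", "admins", "admin", {"admins"}),
]

if __name__ == "__main__":
    for label, mode, owner, group, user, groups in CASES:
        print(f"{label:38} {dir_access(mode, owner, group, user, groups)}")
```

The two root:admins rows differ only in the group set, which is why a session started before the gpasswd step cannot write while a fresh login can.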

#16 2009-03-19 00:03:17

goosed
Member
Registered: 2009-03-16
Posts: 24

Re: Samba Configuration [SOLVED!]

hehe as you can see I had a hard time believing that it was working. Been working on this for the past few days!

Thank you so much for the help ckristi. I really appreciate it.

Offline

#17 2009-03-19 00:15:49

ckristi
Member
From: Bucharest, Romania
Registered: 2006-11-21
Posts: 225

Re: Samba Configuration [SOLVED!]

You're welcome. Remember to prefix the subject of this thread with [Solved] now. :-)


In love I believe and in Linux I trust

Offline
