Hello,
I am trying to get permissions working properly on a RHEL 4 server for a mounted cifs share from a W2003 Storage Server.
The setup is as follows:
We are using a Windows 2003 R2 server for Active Directory user authentication. The AD server has Identity Management for Unix installed, and certain users and groups have been given Unix properties (UID/GID, etc.) to allow identification of users across both Linux and Windows computers.
The second server involved is a RHEL 4 server. I set up LDAP/Kerberos user authentication per this article. I edited the /etc/pam.d/samba file instead of system-auth, however, because we do not want network users to be able to log in to the server. In initial tests, editing the system-auth file allowed network users to log in, so I know local authentication of A.D. users is working. I can also do a getent group and getent passwd and the A.D. users with Unix properties are in the lists.
The third server is a Windows 2003 R2 Storage Server being used as a NAS. PC clients connect directly to the NAS via standard Windows shares without a problem.
This is where it gets tricky - I am trying to mount the share via cifs from the RHEL server using the A.D. Administrator user account so that it can manage permissions and ownership of files on the share by A.D. users. We tried NFS shares, which work without any problems by using username mapping (for root access) on the storage server coupled with the Active Directory user mapping; however, we ran into poor language support between the RHEL server and the Storage Server when languages other than English are used for filenames.
The Problem:
I can mount the share via cifs and access files without any problem, but when I perform an 'ls -l' command, all files are listed as owned by user "root", group "root" even if an A.D. user with Unix properties owns the file.
If I want a file to be owned by A.D. user 'John' I can do "chown John:MyGroup theFile.txt". Subsequently, doing 'ls -l' will list the file as owned by "John", group "MyGroup". HOWEVER, looking at the file on the storage server reveals that the Windows file permissions on the file have not actually changed at all. As a result, the user who should own the file does not, and a PC client logged in as the appropriate user cannot access the file with the proper permissions.
Other Notes:
NFS works, but as mentioned above, this causes problems for us when languages other than English are used for file and folder names. NFS user mapping appears to work because the W3k storage server is doing the heavy lifting of RID->UID/GID mapping of file permissions, rather than the RHEL server. Hence when the share is mounted via cifs on the RHEL server, it does not recognize the Windows file permissions and cannot set permissions correctly. That is my impression so far, at least. I suspect there is something wrong with my PAM or Samba configuration that is preventing A.D. permissions from working correctly on the cifs share.
So, I need to be able to properly identify and assign file ownership by A.D. users using a cifs share on the RHEL server.
Applicable Info
/etc/hosts
Code:
127.0.0.1 localhost localhost.localdomain
192.168.0.10 DomainCont DomainCont.Domain.local
192.168.0.15 RHELServer RHELServer.RHELComputer
*If I use the FQDN for the RHEL Server in the hosts file, the 'net ads join' command stalls.
/etc/krb5.conf
Code:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
DOMAIN.LOCAL = {
kdc = domaincont.domain.local:88
admin_server = domaincont.domain.local:749
kpasswd_server = domaincont.domain.local:464
kpasswd_protocol = SET_CHANGE
default_domain = true
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
/etc/krb.conf
Code:
DOMAIN.LOCAL
DOMAIN.LOCAL domaincont.domain.local:88
DOMAIN.LOCAL domaincont.domain.local:749 admin server
SICS.SE kerberos.sics.se admin server
[...]
/etc/krb.realms
Code:
domain.local DOMAIN.LOCAL
.domain.local DOMAIN.LOCAL
sics.se SICS.SE
[...]
/etc/ldap.conf
Code:
host 192.168.0.10
base dc=domain,dc=local
uri ldap://domaincont.domain.local/
binddn ldap@domain.local
bindpw MyPassword
scope sub
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap
referrals no
ssl no
nss_base_passwd dc=domain,dc=local?sub
nss_base_shadow dc=domain,dc=local?sub
nss_base_group dc=domain,dc=local?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute gecos cn
nss_map_attribute shadowLastChange pwdLastSet
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
/etc/sysconfig/network
Code:
NETWORKING=yes
HOSTNAME=RHELServer
/etc/nsswitch.conf
Code:
[...]
passwd: files ldap winbind
shadow: files ldap winbind
group: files ldap winbind
[...]
/etc/pam.d/samba
Code:
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 10000 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 10000 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_mkhomedir.so skel=/etc/skel umask=0022
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
*A bit odd that we make the home directory for a user when they connect to the RHEL server via Samba, but there is a reason behind it.
/etc/samba/smb.conf
Code:
[global]
unix charset = LOCALE
workgroup = DOMAIN
netbios name = RHELServer
realm = DOMAIN.LOCAL
server string = RHEL Server
security = ADS
use kerberos keytab = Yes
idmap backend = ad
ldap idmap suffix = dc=domain,dc=local
ldap admin dn = cn=ldap,cn=Users,dc=domain,dc=local
ldap suffix = dc=domain,dc=local
idmap uid = 100000-200000
idmap gid = 100000-200000
log file = /var/log/samba/%m.log
log level = 1
syslog = 0
max log size = 50
printcap name = CUPS
winbind use default domain = yes
winbind nested groups = Yes
obey pam restrictions = Yes
template shell = /bin/bash
printing = cups
show add printer wizard = no
os level = 0
preferred master = no
local master = no
domain master = no
server signing = disabled
server schannel = auto
client schannel = auto
dead time = 15
# Set to RAID stripe size
write cache size = 65535
# -- did that slow it down?
max xmit = 65535
logon path =
logon drive = M:
logon home = \\%L\media\%U
logon script = logon.bat
; name resolve order = wins lmhosts bcast
# This server is operating as the WINS server.
wins support = yes
; dns proxy = no
; preserve case = no
; short preserve case = no
; default case = lower
; case sensitive = no
add machine script = /etc/samba/dvuseradd.sh /usr/sbin/useradd -d /dev/null -g dvsws -s /bin/false -M %u
username map = /etc/samba/smbusers
strict allocate = yes
time server = yes
[homes]
comment = Home Directories
browseable = No
read only = Yes
# valid users = %D\%U
invalid users = root
[netlogon]
comment = Network Logon Service
path = /home/netlogon
read only = yes
invalid users = root
[share]
comment = Public share
path = /mnt/library0/share
writeable = yes
guest ok = yes
browseable = yes
fstype = Samba
create mask = 0775
directory mask = 0775
force create mode = 0664
force directory mode = 0775
invalid users = root
*There are probably some extra items in this file, but I thought I would post everything in it in case there is something amiss that I don't know should be added/removed.
Thanks in advance to anyone that can help with this. Been wrestling with the RHEL server to find the proper config for 2 days now...
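A diagnostic helper for the ownership symptom described in the post, added here as example code (it is not from the original post and is not a fix): it reads a cifs mount's options from /proc/mounts to show whether ownership is static (uid=/gid= mount options) or defaulting to root:root, and checks that an A.D. account resolves to a Unix UID through the passwd database. The mount points, table files and sample entries are assumptions.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. A Windows file server does not
# offer CIFS Unix extensions, so the cifs client has no per-file owner to show:
# it presents either the static uid=/gid= mount options or root:root, and a
# chown on the mount changes only the client-side view, never the Windows ACL.

# Print the mount options of the cifs mount at $1, read from a /proc/mounts-style
# table given as $2 (defaults to the live /proc/mounts).
cifs_mount_opts() {
    mnt=$1; table=${2:-/proc/mounts}
    awk -v m="$mnt" '$2 == m && $3 == "cifs" { print $4 }' "$table"
}

# Classify how ownership is presented on that mount:
#   "static"  - uid=/gid= given; every file shows that owner, chown is cosmetic
#   "default" - no mapping; files show root:root (what the post observes)
#   "none"    - no cifs mount at that path
cifs_owner_mode() {
    opts=$(cifs_mount_opts "$1" "$2")
    [ -n "$opts" ] || { echo none; return; }
    case ",$opts," in
        *,uid=*|*,gid=*) echo static ;;
        *) echo default ;;
    esac
}

# Print the Unix UID that account $1 resolves to, from a passwd-style table $2
# (defaults to getent, i.e. files + ldap + winbind as in nsswitch.conf).
# An empty result means the A.D. account has no Unix properties visible here.
ad_uid() {
    user=$1; table=$2
    if [ -n "$table" ]; then
        awk -F: -v u="$user" '$1 == u { print $3; exit }' "$table"
    else
        getent passwd "$user" | cut -d: -f3
    fi
}

# Example use (hypothetical mount point):
#   cifs_owner_mode /mnt/nas     -> "default" or "static"
#   ad_uid John                  -> the uidNumber from A.D., or nothing
```

If the mode is "default" or "static", ownership shown by ls -l on the RHEL side is a client-side label, so mismatches with what the storage server enforces are expected; the per-user check only confirms that the UID lookup itself works.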