04-09-2008, 01:42 AM   #1
brecht (LQ Newbie, Distribution: Opensuse 10.3)
Samba pdc permission problem


Hello,

I am configuring a Samba pdc (primary domain controller) with ldap for authentication of the users.
I am working with opensuse 10.3 (64 bit) and samba 3.0.26a-3.5; this version comes with opensuse.

My partitions are formatted with ext3 and I use LVM.

The system is working ... fairly well; now we have three users who already use the server (finally there will be 50+ users).
My biggest problem for now is that when users make a new directory it is always configured read-only for the group. In my smb.conf I set the permissions to 0770 (my smb.conf is further down in this post).

I already searched for some days and found many similar problems but none which solved my problems (disabling acl).
Most solutions did more damage than they helped.
I already changed a lot in my smb.conf so it isn't too structured. Sorry for that.
I have some new computers I have to install and I want to make them use the new server.

Here is a part of my fstab and my smb.conf.

fstab:
/dev/data/foo /foo ext3 acl,user_xattr 1 2
/dev/archive/foo_archive /foo_archive ext3 acl,user_xattr 1 2
/dev/samba/foo_samba /foo_samba ext3 acl,user_xattr 1 2

smb.conf
# Defining domain name, hostname
####################################################
[global]
workgroup = foo.net
netbios name = foo

# Specifying ldapsam backend database
####################################################
passdb backend = ldapsam:ldap://127.0.0.1
username map = /etc/samba/smbusers

# Specifying printing subsystem
####################################################
printcap name = cups
printing = cups

# Path to ldapsmb scripts
#
# With OpenSUSE 10.3 when you install
####################################################
add user script = /usr/sbin/smbldap-useradd -m %u
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %g %u
delete user from group script = /usr/sbin/smbldap-groupmod -x %g %u
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %u


#
# Various other directives ( man smb.conf )
####################################################
obey pam restrictions = Yes
logon script = scripts\logon.bat
logon path = \\foo\profiles\%U
logon drive = M:
logon home = \\foo\%U
profile acls = Yes
domain logons = Yes
os level = 44
preferred master = Yes
domain master = Yes
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes

# ACLs are broken so make sure they stay off for now. -> ???
#acl compatibility = winnt
#force unknown acl user = 00
#inherit acls = No
#nt acl support = No
# This fixes a small bug in roaming profiles by "faking" the right ACL
#profile acls = Yes

# Locking settings
kernel oplocks = Yes
lock spin count = 3
lock spin time = 10
oplock break wait time = 0
lock dir = /var/lock
blocking locks = Yes
fake oplocks = No
locking = Yes
oplocks = Yes
level2 oplocks = Yes
oplock contention limit = 2
posix locking = Yes
strict locking = No

# added to get rid of the error "ERROR writing 4 bytes to client";
# Windows clients try 2 ports, and the first one they get in on is the winner ... that is supposedly where it comes from.
smb ports = 139

# OpenLDAP stuff is defined here
###################################################
ldap suffix = dc=foo,dc=net
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Users
ldap admin dn = cn=Manager,dc=foo,dc=net
ldap ssl = no
ldap passwd sync = Yes
idmap uid = 15000-20000
idmap gid = 15000-20000

# this could have something to do with it; probably only applies when not a domain controller
#winbind uid = 15000-20000
#winbind gid = 15000-20000
#winbind enum users = yes
#winbind enum groups = yes

# Defining logging facility
####################################################
log level = 2
log file = /var/log/samba/%m.log

# Virus Scanning Definition
####################################################
#vfs object = vscan-clamav
#vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

# Defining user home directories
####################################################
[homes]
comment = map van %U
path = /foo/users/%U
read only = No
browseable = No
create mask = 0640
directory mask = 0750

# Defining printers
####################################################
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /foosystem/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775

# Defining network logon service
####################################################
[netlogon]
comment = NLService
path = /foo_samba/netlogon
guest ok = Yes
browseable = No

# Defining profile share ( for roaming profiles )
####################################################
[profiles]
comment = Roaming Profiles
path = /foo_samba/profiles
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
force user = %U
valid users = %U "Domain Admins"
read only = No
profile acls = Yes

# Defining arbitrary shared resource
####################################################
#[share]
#comment = data share
#path = /opt/stuff
#valid users = %U

# Defining arbitrary shared resource tree
####################################################
[Algemeen]
comment = Algemene map
path = /foo/groups/Algemeen
valid users = @"Domain Users"
read only = no
browseable = yes
force group = "Domain Users"
create mode = 0664
force create mode = 0664
directory mode = 0775
force directory mode = 0775

# temp is wiped weekly
[Temp]
comment = Tijdelijke bestanden
path = /foo/groups/Temp
valid users = @"Domain Users"
read only = no
browseable = yes
force group = "Domain Users"
create mode = 0664
force create mode = 0664
directory mode = 0775
force directory mode = 0775

[IT]
profile acls = no
comment = Afdeling IT
path = /foo/groups/IT
valid users = @IT
readonly = no
browseable = yes
force group = IT
writable = yes
write list = @IT
locking = yes
force create mode = 0770
force directory mode = 0770
create mask = 0770
directory mask = 0770
inherit acls = yes
map acl inherit = yes

[Boekhouding]
comment = Afdeling Boekhouding
path = /foo/groups/Boekhouding
valid users = @boekhouding
readonly = no
browseable = yes
force group = boekhouding
create mode = 0660
force create mode = 0660
directory mode = 0770
force directory mode = 0770

[Offertes]
comment = Afdeling Offertes
path = /foo/groups/Offertes
valid users = @offertes
readonly = no
browseable = yes
force group = offertes
create mode = 0660
force create mode = 0660
directory mode = 0770
force directory mode = 0770

[Bestellingen]
comment = Afdeling Bestellingen
path = /foo/groups/Bestellingen
valid users = @bestellingen
readonly = no
browseable = yes
force group = bestellingen
create mode = 0660
force create mode = 0660
directory mode = 0770
force directory mode = 0770

[Planning]
comment = Afdeling Planning
path = /foo/groups/Planning
valid users = @planning
readonly = no
browseable = yes
force group = planning
create mode = 0660
force create mode = 0660
directory mode = 0770
force directory mode = 0770

[Personeelsdienst]
comment = Afdeling Personeelsdienst
path = /foo/groups/Personeelsdienst
valid users = @personeelsdienst
readonly = no
browseable = yes
force group = personeelsdienst
create mode = 0660
force create mode = 0660
directory mode = 0770
force directory mode = 0770

[Receptie]
comment = Afdeling Receptie
path = /foo/groups/Receptie
valid users = @receptie
readonly = no
browseable = yes
force group = receptie
create mode = 0660
force create mode = 0660
directory mode = 0770
force directory mode = 0770

[Mobiliteit]
comment = Mobiliteit
path = /foo/groups/Mobiliteit
valid users = tracey marijke liselottep
readonly = no
browseable = yes
force group = Domain Users
create mode = 0660
force create mode = 0660
directory mode = 0770
force directory mode = 0770


Clients are Windows XP computers.
 
04-09-2008, 06:29 AM   #2
brecht (Original Poster)
solution (I think)

Yes, I haven't found the solution but I have found a workaround, ... forcing acl rights; this solved my problem. Here is my smb.conf file:

# Defining domain name, hostname
####################################################
[global]
workgroup = foo.net
netbios name = foo

# Specifying ldapsam backend database
####################################################
passdb backend = ldapsam:ldap://127.0.0.1
username map = /etc/samba/smbusers

# Specifying printing subsystem
####################################################
printcap name = cups
printing = cups

# smbldap scripts
####################################################
add user script = /usr/sbin/smbldap-useradd -m %u
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %g %u
delete user from group script = /usr/sbin/smbldap-groupmod -x %g %u
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %u

# Various other directives ( man smb.conf )
####################################################
obey pam restrictions = Yes
logon script = scripts\logon.bat
logon path = \\foo\profiles\%U
logon drive = M:
logon home = \\foo\%U
domain logons = Yes
os level = 44
preferred master = Yes
domain master = Yes
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes

kernel oplocks = Yes
lock spin time = 10
oplock break wait time = 0
lock dir = /var/lock
blocking locks = Yes
fake oplocks = No
locking = Yes
oplocks = Yes
level2 oplocks = Yes
oplock contention limit = 2
posix locking = Yes
strict locking = No

# added to get rid of the error "ERROR writing 4 bytes to client" (actually don't think that is where it comes from);
# Windows clients try 2 ports, and the first one they get in on is the winner ... that is supposedly where it comes from.
smb ports = 139

# OpenLDAP stuff is defined here
###################################################
ldap suffix = dc=foo,dc=net
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Users
ldap admin dn = cn=Manager,dc=foo,dc=net
ldap ssl = no
ldap passwd sync = Yes
idmap uid = 15000-20000
idmap gid = 15000-20000

# Defining logging facility
####################################################
log level = 2
log file = /var/log/samba/%m.log

# Virus Scanning Definition / still have to configure this
####################################################
#vfs object = vscan-clamav
#vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

# Defining user home directories
####################################################
[homes]
comment = map van %U
path = /foo/users/%U
read only = No
browseable = No
create mask = 0640
directory mask = 0750
csc policy = disable
profile acls = yes
nt acl support = no

# Defining printers / not working yet
####################################################
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /foosystem/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775

# Defining network logon service
####################################################
[netlogon]
comment = NLService
path = /foo_samba/netlogon
guest ok = Yes
browseable = No

# Defining profile share ( for roaming profiles )
####################################################
[profiles]
comment = Roaming Profiles
path = /foo_samba/profiles
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
force user = %U
valid users = %U "Domain Admins"
read only = No
profile acls = Yes

# Defining arbitrary shared resource tree
####################################################
[Algemeen]
comment = Algemene map
path = /foo/groups/Algemeen
valid users = @"Domain Users"
force group = "Domain Users"
writable = yes
browseable = yes
create mask = 0664
directory mask = 02775
force create mode = 0664
force directory mode = 02775
csc policy = disable
profile acls = yes
nt acl support = no
inherit acls = yes

[Temp]
comment = Tijdelijke bestanden
path = /foo/groups/Temp
valid users = @"Domain Users"
force group = "Domain Users"
writable = yes
browseable = yes
create mask = 0664
directory mask = 02775
force create mode = 0664
force directory mode = 02775
csc policy = disable
profile acls = yes
nt acl support = no
inherit acls = yes

[IT]
comment = Afdeling IT
path = /foo/groups/IT
valid users = @IT
force group = IT
writable = yes
browseable = yes
create mask = 0660
directory mask = 02770
force create mode = 0660
force directory mode = 02770
csc policy = disable
profile acls = yes
nt acl support = no
inherit acls = yes

[Boekhouding]
comment = Afdeling Boekhouding
path = /foo/groups/Boekhouding
valid users = @boekhouding
force group = boekhouding
writable = yes
browseable = yes
create mask = 0660
directory mask = 02770
force create mode = 0660
force directory mode = 02770
csc policy = disable
profile acls = yes
nt acl support = no
inherit acls = yes

[Offertes]
comment = Afdeling Offertes
path = /foo/groups/Offertes
valid users = @offertes
force group = offertes
writable = yes
browseable = yes
create mask = 0660
directory mask = 02770
force create mode = 0660
force directory mode = 02770
csc policy = disable
profile acls = yes
nt acl support = no
inherit acls = yes

[Bestellingen]
comment = Afdeling Bestellingen
path = /foo/groups/Bestellingen
valid users = @bestellingen
force group = bestellingen
writable = yes
browseable = yes
create mask = 0660
directory mask = 02770
force create mode = 0660
force directory mode = 02770
csc policy = disable
profile acls = yes
nt acl support = no
inherit acls = yes

[Planning]
comment = Afdeling Planning
path = /foo/groups/Planning
valid users = @planning
force group = planning
writable = yes
browseable = yes
create mask = 0660
directory mask = 02770
force create mode = 0660
force directory mode = 02770
csc policy = disable
profile acls = yes
nt acl support = no
inherit acls = yes

[Personeelsdienst]
comment = Afdeling Personeelsdienst
path = /foo/groups/Personeelsdienst
valid users = @personeelsdienst
force group = personeelsdienst
writable = yes
browseable = yes
create mask = 0660
directory mask = 02770
force create mode = 0660
force directory mode = 02770
csc policy = disable
profile acls = yes
nt acl support = no
inherit acls = yes

[Receptie]
comment = Afdeling Receptie
path = /foo/groups/Receptie
valid users = @receptie
force group = receptie
writable = yes
browseable = yes
create mask = 0660
directory mask = 02770
force create mode = 0660
force directory mode = 02770
csc policy = disable
profile acls = yes
nt acl support = no
inherit acls = yes

[Mobiliteit]
comment = Mobiliteit
path = /foo/groups/Mobiliteit
valid users = tracey marijke liselottep
force group = Domain Users
writable = yes
browseable = yes
create mask = 0660
directory mask = 02770
force create mode = 0660
force directory mode = 02770
csc policy = disable
profile acls = yes
nt acl support = no
inherit acls = yes

Hopefully this can help someone else.
Suggestions on my smb.conf file are always welcome.
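As an added illustration of both posts (not code from the thread), the script below applies the mode derivation that smb.conf(5) documents for "create mask" / "force create mode" and "directory mask" / "force directory mode" to the [IT] share as posted in #1 and in #2. The client-side starting modes 0644 and 0755 are assumed; the share dictionaries are constructed from the two configs above.

```python
# Added example, not part of the original thread. Per smb.conf(5), Samba sets the
# Unix mode of a new object to (mode_from_client & mask) | force_mode, with the
# "directory" pair of parameters used for directories. The requested modes below
# are assumptions; the masks are copied from the two smb.conf versions posted.
import stat


def samba_mode(requested: int, mask: int, force: int) -> int:
    """Unix mode Samba assigns at creation time (AND with mask, OR with force)."""
    return (requested & mask) | force


def group_can_write(mode: int) -> bool:
    return bool(mode & stat.S_IWGRP)


def derive(share: dict, req_file: int = 0o644, req_dir: int = 0o755) -> dict:
    """Modes a new file and a new directory receive on this share."""
    f = samba_mode(req_file, share["create mask"], share["force create mode"])
    d = samba_mode(req_dir, share["directory mask"], share["force directory mode"])
    return {"file": f, "dir": d, "dir_setgid": bool(d & stat.S_ISGID)}


# [IT] from post #1: the masks alone already produce 0770, so the read-only group
# directories the poster saw were not caused by the mask arithmetic. A later step
# (the Windows XP client applying an NT security descriptor to the new folder,
# which Samba maps back onto the Unix mode while "nt acl support" is on) is what
# post #2 switches off with "nt acl support = no".
IT_POST1 = {"create mask": 0o770, "force create mode": 0o770,
            "directory mask": 0o770, "force directory mode": 0o770}

# [IT] from post #2: 02770 adds the setgid bit, so new files keep the department
# group even without "force group".
IT_POST2 = {"create mask": 0o660, "force create mode": 0o660,
            "directory mask": 0o2770, "force directory mode": 0o2770}

# Constructed contrast: a mask without a force mode leaves group write up to the
# client request, which is how a "read-only for the group" directory can appear.
MASK_ONLY = {"create mask": 0o770, "force create mode": 0,
             "directory mask": 0o770, "force directory mode": 0}

if __name__ == "__main__":
    for name, share in (("IT #1", IT_POST1), ("IT #2", IT_POST2), ("mask only", MASK_ONLY)):
        r = derive(share)
        print(f"{name:10} file={r['file']:05o} dir={r['dir']:05o} "
              f"group-write={group_can_write(r['dir'])} setgid={r['dir_setgid']}")
```

Comparing the "mask only" row with the two [IT] rows shows why every department share in post #2 pairs its mask with a matching force mode.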