
rockfx01 07-08-2008 09:32 AM

RHEL 4 does not recognize file permissions from w3k storage server cifs share

I am trying to get permissions working properly on a RHEL 4 server for a mounted cifs share from a W2003 Storage Server.

The setup is as follows:

We are using a Windows 2003 R2 server for Active Directory user authentication. The AD server has Identity Management for Unix installed, and certain users and groups have been given Unix properties (UID/GID, etc) to allow identification of users across both Linux and Windows computers.

The second server involved is a RHEL 4 server. I set up LDAP/Kerberos user authentication per this article. I edited the /etc/pam.d/samba file instead of system-auth, however, because we do not want network users to be able to log in to the server. In initial tests, editing the system-auth file allowed network users to log in, so I know local authentication of A.D. users is working. I can also do a getent group and getent passwd and the A.D. users with Unix properties are in the lists.

The third server is a Windows 2003 R2 Storage Server being used as a NAS. PC clients connect directly to the NAS via standard Windows shares without a problem.

This is where it gets tricky - I am trying to mount the share via cifs from the RHEL server using the A.D. Administrator user account so that it can manage permissions and ownership of files on the share by A.D. users. We tried NFS shares, which work without any problems by using username mapping (for root access) on the storage server coupled with the Active Directory user mapping; however, we ran into poor language support between the RHEL server and the Storage Server when languages other than English are used for filenames.

The Problem:

I can mount the share via cifs and access files without any problem, but when I perform an 'ls -l' command, all files are listed as owned by user "root", group "root" even if an A.D. user with Unix properties owns the file.

If I want a file to be owned by A.D. user 'John' I can do "chown John:MyGroup theFile.txt". Subsequently, doing 'ls -l' will list the file as owned by "John", group "MyGroup". HOWEVER, looking at the file on the storage server reveals that the Windows file permissions on the file have not actually changed at all. As a result, the user who should own the file does not, and a PC client logged in as the appropriate user cannot access the file with the proper permissions.

Other Notes:

NFS works, but as mentioned above, this causes problems for us when languages other than English are used for file and folder names. NFS user mapping appears to work because the W3k storage server is doing the heavy lifting of RID->UID/GID mapping of file permissions, rather than the RHEL server. Hence when the share is mounted via cifs on the RHEL server, it does not recognize the Windows file permissions and cannot set permissions correctly. That is my impression so far, at least. I suspect there is something wrong with my PAM or Samba configuration that is preventing A.D. permissions from working correctly on the cifs share.

So, I need to be able to properly identify and assign file ownership by A.D. users using a cifs share on the RHEL server.

Applicable Info

Code:
    localhost    localhost.localdomain
    DomainCont    DomainCont.Domain.local
    RHELServer    RHELServer.RHELComputer

*If I use the FQDN for the RHEL Server in the hosts file, the 'net ads join' command stalls.


[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 DOMAIN.LOCAL = {
  kdc = domaincont.domain.local:88
  admin_server = domaincont.domain.local:749
  kpasswd_server = domaincont.domain.local:464
  kpasswd_protocol = SET_CHANGE
  default_domain = true
 }

[domain_realm]
 .domain.local = DOMAIN.LOCAL
 domain.local = DOMAIN.LOCAL

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }


DOMAIN.LOCAL        domaincont.domain.local:88
DOMAIN.LOCAL        domaincont.domain.local:749 admin server
SICS.SE       admin server


domain.local    DOMAIN.LOCAL
.domain.local        DOMAIN.LOCAL                SICS.SE


base dc=domain,dc=local
uri ldap://domaincont.domain.local/
binddn ldap@domain.local
bindpw MyPassword
scope sub
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap
referrals no
ssl no
nss_base_passwd dc=domain,dc=local?sub
nss_base_shadow dc=domain,dc=local?sub
nss_base_group dc=domain,dc=local?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute gecos cn
nss_map_attribute shadowLastChange pwdLastSet
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad




passwd:    files ldap winbind
shadow:    files ldap winbind
group:      files ldap winbind


auth        required
auth        sufficient nullok try_first_pass
auth        requisite uid >= 10000 quiet
auth        sufficient use_first_pass
auth        required

account    required broken_shadow
account    sufficient
account    sufficient uid < 10000 quiet
account    [default=bad success=ok user_unknown=ignore]
account    required

password    requisite try_first_pass retry=3
password    sufficient md5 shadow nis nullok try_first_pass use_authtok
password    sufficient use_authtok
password    required

session    optional revoke
session    required skel=/etc/skel umask=0022
session    required
session    [success=1 default=ignore] service in crond quiet use_uid
session    required
session    optional

*A bit odd that we make the home directory for a user when they connect to the RHEL server via Samba, but there is a reason behind it.


[global]
unix charset = LOCALE
workgroup = DOMAIN
netbios name = RHELServer
server string = RHEL Server
security = ADS
use kerberos keytab = Yes
idmap backend = ad
ldap idmap suffix = dc=domain,dc=local
ldap admin dn = cn=ldap,cn=Users,dc=domain,dc=local
ldap suffix = dc=domain,dc=local
idmap uid = 100000-200000
idmap gid = 100000-200000
log file = /var/log/samba/%m.log
log level = 1
syslog = 0
max log size = 50
printcap name = CUPS
winbind use default domain = yes
winbind nested groups = Yes
obey pam restrictions = Yes

template shell = /bin/bash
printing = cups
show add printer wizard = no
os level = 0
preferred master = no
local master = no
domain master = no

server signing = disabled

server schannel = auto               
client schannel = auto

dead time = 15

# Set to RAID stripe size
write cache size = 65535
# -- did that slow it down?
max xmit = 65535

logon path =
logon drive = M:
logon home = \\%L\media\%U
logon script = logon.bat

; name resolve order = wins lmhosts bcast

# This server is operating as the WINS server.
wins support = yes

;  dns proxy = no
;  preserve case = no
;  short preserve case = no
;  default case = lower
;  case sensitive = no

add machine script = /etc/samba/ /usr/sbin/useradd -d /dev/null -g dvsws -s /bin/false -M %u
username map = /etc/samba/smbusers
strict allocate = yes
time server = yes

[homes]
    comment = Home Directories
    browseable = No
    read only = Yes
    # valid users = %D\%U
    invalid users = root

[netlogon]
    comment = Network Logon Service
    path = /home/netlogon
    read only = yes
    invalid users = root

# share name not preserved in the post
[SHARE_NAME]
    comment = Public share
    path = /mnt/library0/share
    writeable = yes
    guest ok = yes
    browseable = yes
    fstype = Samba
    create mask = 0775
    directory mask = 0775
    force create mode = 0664
    force directory mode = 0775
    invalid users = root

*There are probably some extra items in this file, but I thought I would post everything in it in case there is something amiss that I don't know should be added/removed.

Thanks in advance to anyone that can help with this. Been wrestling with the RHEL server to find the proper config for 2 days now...

rockfx01 07-10-2008 08:58 AM

Well, I have determined that the root of the problem is the RHEL system is not reading the POSIX ACLs from the Windows 2003 Storage Server for some reason.

I am able to create a local smb share on the RHEL server and apply Windows/POSIX ACLs to it from Windows Clients by enabling acl support on the root file system and the "nt acl support = yes" option in smb.conf. Using 'getfacl' on files on the local share displays the correct posix acl permissions of the files for network users.

As before, however, if I mount a cifs share from either the Windows 2003 R2 Storage Server or the Windows 2003 R2 domain controller/Active Directory Server, the RHEL server does not see the Windows/POSIX ACLs at all. It caches default unix permissions locally, allows you to change them via chmod/chown, but these changes are not reflected on the Windows server(s) and if I unmount and remount the share, the RHEL server starts over with the default permissions for all of the shared files.

Could it be something to do with SMB signing? From what I have read, it seems that I would not even be able to mount the shares if SMB signing were not working correctly. How do I get the Windows ACLs working for cifs shares mounted to the RHEL system? Is there something I need to do on the W3k servers to enable POSIX/XATTR for Samba/cifs shares?

Right now I am using the following mount settings in fstab:


LABEL=/1    /    ext3    defaults,acl    1 1
    /mnt/test1    cifs    acl,user=administrator,pass=password,dom=DOMAIN 0 0
    /mnt/test2    cifs    acl,user=administrator,pass=password,dom=DOMAIN 0 0

"mount" displays the following:

/dev/sdi3 on / type ext3 (rw,acl)
// on /mnt/test1 type cifs (rw,mand)

"ldd /usr/sbin/smbd" returns:

So attr and acl appear to be enabled, although I'm not sure if they also need to be listed for the following:



Does this mean I need to recompile mount.cifs with acl/attr support? Or does it inherit support from smbd and/or mount.smbfs?
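As an added example (not part of the thread), a small Python check for the discrepancy visible above: fstab requests acl on the cifs mounts, but mount reports only (rw,mand). It compares the flag options requested in fstab with the effective options the kernel reports; the share paths in the sample input are constructed placeholders, since the post's own were lost.

```python
"""Flag cifs mounts whose requested fstab options are not in effect.

Added example, not from the thread. On a cifs mount without ACL support the
ownership ls -l shows is synthesized locally, so a chown that appears to
succeed is not authoritative; catching 'acl requested but not effective'
early avoids that false assurance.
"""

# Constructed sample input modelled on the thread's fstab and mount output.
FSTAB = """
LABEL=/1    /    ext3    defaults,acl    1 1
//nas/share1    /mnt/test1    cifs    acl,user=administrator,pass=password,dom=DOMAIN 0 0
//nas/share2    /mnt/test2    cifs    acl,user=administrator,pass=password,dom=DOMAIN 0 0
"""
MOUNT_OUTPUT = """
/dev/sdi3 on / type ext3 (rw,acl)
//nas/share1 on /mnt/test1 type cifs (rw,mand)
"""

# Access-mode and default markers carry no feature request; key=value options
# (user=, pass=, dom=) are identity/credentials and are not compared either.
IGNORED = {"defaults", "rw", "ro", "mand", "nomand"}

def _flags(opts):
    return {o for o in opts.split(",") if o and "=" not in o} - IGNORED

def parse_fstab(text):
    """Return {mountpoint: (fstype, requested_flag_options)}."""
    entries = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and not f[0].startswith("#"):
            entries[f[1]] = (f[2], _flags(f[3]))
    return entries

def parse_mount_output(text):
    """Parse `mount` lines of the form '<spec> on <mnt> type <fs> (opts)'."""
    mounts = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[1] == "on" and f[3] == "type":
            mounts[f[2]] = (f[4], _flags(f[5].strip("()")))
    return mounts

def find_ineffective_options(fstab_text, mount_text, fstype="cifs"):
    """Map each fstab mount of `fstype` to the requested flags it lacks in
    practice, or to ['not mounted'] if it is absent from the mount table."""
    wanted, have = parse_fstab(fstab_text), parse_mount_output(mount_text)
    problems = {}
    for mnt, (fs, requested) in wanted.items():
        if fs != fstype:
            continue
        missing = ["not mounted"] if mnt not in have else sorted(requested - have[mnt][1])
        if missing:
            problems[mnt] = missing
    return problems

if __name__ == "__main__":
    for mnt, missing in find_ineffective_options(FSTAB, MOUNT_OUTPUT).items():
        print(f"{mnt}: requested but not in effect: {', '.join(missing)}")
```

On a live system, feed it the contents of /etc/fstab and the output of `mount` instead of the embedded samples.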

rockfx01 07-14-2008 09:22 AM

For anyone with the same problem, RHEL support responded and said that they do not support Windows ACLs in their cifs.ko module (in both RHEL 4 and 5). You can build a new module for the kernel, but will have to do any QA for it yourself, risking possible data loss or server downtime if there are problems.
