After upgrade from samba 3.2.8 to samba 3.2.11 shares with force user:

    [reklama-root]
        comment = Udzial dla Transferu Reklam
        path = /home/specjalne/reklama
        valid users = solarz, majewska, krawczak, kulma, miler, jmlynarc
        force user = reklama
        force group = others
        read only = No

stop working.

    oceanic:/home/specjalne/reklama# smbclient \\\\oceanic\\reklama-root -U solarz
    Enter solarz's password:
    Domain=[WSISIZ.EDU.PL] OS=[Unix] Server=[Samba 3.2.11-0.30.fc10]
    smb: \> dir
    NT_STATUS_NETWORK_ACCESS_DENIED listing \*
            0 blocks of size 0. 511 blocks available
    smb: \> quit

In the logs it seems that:

    [2009/04/24 09:35:40, 1, pid=31518, effective(1761, 103), real(0, 0)] smbd/service.c:make_connection_snum(1194)
      oceanic (::ffff:213.135.44.33) signed connect to service reklama-root initially as user reklama (uid=1761, gid=103) (pid 31518)
    [2009/04/24 09:35:43, 0, pid=31518, effective(1761, 103), real(0, 0)] smbd/service.c:set_current_service(187)
      chdir (/home/specjalne/reklama) failed
    [2009/04/24 09:35:43, 0, pid=31518, effective(1761, 103), real(0, 0)] smbd/service.c:set_current_service(187)
      chdir (/home/specjalne/reklama) failed
    [2009/04/24 09:35:44, 1, pid=31518, effective(0, 0), real(0, 0)] smbd/service.c:close_cnum(1405)
      oceanic (::ffff:213.135.44.33) closed connection to service reklama-root

samba does NOT change effective uid (but it changes gid) after connecting to share with force user (3.2.8 CHANGES effective uid).

User reklama has:

    id -a reklama
    uid=8878(reklama) gid=103(others) groups=103(others),100(users)

Best Regards

Your forced user isn't in your valid user list. Can you add reklama to that list to see if that makes a difference? Jeremy.
(In reply to comment #1)
> Your forced user isn't in your valid user list. Can you add reklama
> to that list to see if that makes a difference?
> Jeremy.

Tested:

    [reklama-root]
        comment = Udzial dla Transferu Reklam
        path = /home/specjalne/reklama
        valid users = reklama, solarz, majewska, krawczak, kulma, miler, jmlynarc
        force user = reklama
        force group = others
        read only = No

    oceanic:/home/specjalne/reklama# smbclient \\\\oceanic\\reklama-root -U solarz
    Enter solarz's password:
    Domain=[WSISIZ.EDU.PL] OS=[Unix] Server=[Samba 3.2.11-0.30.fc10]
    smb: \> dir
    NT_STATUS_NETWORK_ACCESS_DENIED listing \*
            0 blocks of size 0. 511 blocks available
    smb: \> quit

It does not help

Ok, I'll check here and try and reproduce. Just for comparison, can you reproduce this problem with 3.3.3? Jeremy
(In reply to comment #3)
> Ok, I'll check here and try and reproduce. Just for comparison, can you
> reproduce this problem with 3.3.3?
> Jeremy

On 3.3.3 it works as desired - tested on different server

I've tried to reproduce this with current 3.2 git tree and cannot with a simple attempt. Can you post your full smb.conf, and also a tree listing (including user and group permissions) of the share directory you're trying to access. Also a list of what groups the user is in would help. Jeremy.
(In reply to comment #5)
> I've tried to reproduce this with current 3.2 git tree and cannot with a simple
> attempt. Can you post your full smb.conf, and also a tree listing (including
> user and group permissions) of the share directory you're trying to access.
> Also a list of what groups the user is in would help.
> Jeremy.

    [global]
        #dos charset = CP852
        unix charset = UTF8
        display charset = UTF8
        workgroup = WSISIZ.EDU.PL
        allow trusted domains = No
        passdb backend = ldapsam:"ldap://mythodea.wsisiz.edu.pl/ ldap://portraits.wsisiz.edu.pl/"
        pam password change = Yes
        check password script = /usr/local/sbin/crackcheck -s -d /usr/lib64/cracklib_dict
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        log level = 1
        max log size = 10240000000
        debug pid = Yes
        debug uid = Yes
        time server = Yes
        server signing = auto
        deadtime = 60
        hostname lookups = Yes
        printcap cache time = 600
        printcap name = cups
        add user script = /usr/local/sbin/smbldap-useradd -m "%u"
        add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
        add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
        add machine script = /usr/local/sbin/smbldap-useradd -t 5 -w "%u"
        logon script = login.bat
        logon drive = z:
        logon home = \\%N\%U\profile
        domain logons = Yes
        os level = 128
        preferred master = Yes
        domain master = Yes
        wins proxy = Yes
        wins support = Yes
        ldap admin dn = cn=Manager,dc=wsisiz,dc=edu,dc=pl
        ldap delete dn = Yes
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=Computers
        ldap passwd sync = Yes
        ldap suffix = dc=wsisiz,dc=edu,dc=pl
        ldap ssl = no
        ldap user suffix = ou=Users
        remote browse sync = oxygene.ibspan.waw.pl antarctica china spiral direct odyssey
        winbind use default domain = Yes
        create mask = 0644
        inherit acls = Yes
        hosts allow = 127., 213.135.34.0/255.255.255.0, 213.135.44.0/255.255.252.0, 213.135.48.0/255.255.254.0, 2001:1a68:a::/48
        ea support = Yes
        map acl inherit = Yes
        printing = cups
        cups options = raw
        print command =
        lpq command = %p
        lprm command =
        hide dot files = No
        store dos attributes = Yes

    [reklama-root]
        comment = Udzial dla Transferu Reklam
        path = /home/specjalne/reklama
        valid users = reklama, solarz, majewska, krawczak, kulma, miler, jmlynarc
        force user = reklama
        force group = others
        read only = No

    oceanic:~# ls -ld /home
    lrwxrwxrwx 1 root root 5 Nov 24 20:09 /home -> home1
    oceanic:~# ls -ld /home1
    drwxr-xr-x 14 root root 1024 Apr 10 00:45 /home1
    oceanic:~# ls -ld /home1/specjalne/
    drwxr-xr-x 42 root root 1024 Mar 30 13:06 /home1/specjalne/
    oceanic:~# ls -ld /home1/specjalne/reklama/
    drwx------ 11 reklama others 1024 Nov 6 19:12 /home1/specjalne/reklama/
    oceanic:~# id -a reklama
    uid=8878(reklama) gid=103(others) groups=103(others),100(users)
    oceanic:~# id -a solarz
    uid=1761(solarz) gid=101(staff) groups=101(staff),0(root),87(www),100(users),205(cron),69(ping),39(music),215(adminswin),303(biblioteka),512(Domain Admins),1005(terminal-max),1006(terminal),1007(sas),1008(spss),1010(vnc-users),1011(studencien),1013(dziekanatwitz),1014(sourcesafe),1019(pob-rw),1020(windykacja),1021(projektbr)

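Added example, not part of the original thread and not Samba code: a check an administrator could run over smbd logs to spot the symptom reported here, a session announced as the forced user while carrying a different uid. It assumes the log record format shown in the report; the function names and the uid map argument are hypothetical.

```python
import re

# Body of the record smbd/service.c:make_connection_snum writes at log level 1.
CONNECT_RE = re.compile(
    r"connect to service (?P<share>\S+) initially as user (?P<user>\S+) "
    r"\(uid=(?P<uid>\d+), gid=(?P<gid>\d+)\)")

def parse_forced_users(conf_text):
    """Map share name -> 'force user' value from smb.conf text."""
    forced, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            # smb.conf parameter names ignore case and internal whitespace
            if "".join(key.split()).lower() == "forceuser":
                forced[section] = value.strip()
    return forced

def find_uid_mismatches(log_text, forced, uid_of):
    """Return (share, user, logged_uid, expected_uid) for every connect record
    where the session is named after the forced user but carries another uid."""
    hits = []
    for m in CONNECT_RE.finditer(log_text):
        share, user, uid = m["share"], m["user"], int(m["uid"])
        expected = uid_of.get(user)
        if forced.get(share) == user and expected is not None and uid != expected:
            hits.append((share, user, uid, expected))
    return hits

# Sample input taken from the report above (share definition trimmed).
SAMPLE_CONF = """\
[reklama-root]
    path = /home/specjalne/reklama
    force user = reklama
    force group = others
"""
SAMPLE_LOG = """\
[2009/04/24 09:35:40, 1, pid=31518, effective(1761, 103), real(0, 0)] smbd/service.c:make_connection_snum(1194)
  oceanic (::ffff:213.135.44.33) signed connect to service reklama-root initially as user reklama (uid=1761, gid=103) (pid 31518)
"""
# From `id -a reklama` in the report; on a live host, build this map with pwd.getpwnam().
SAMPLE_UIDS = {"reklama": 8878}

if __name__ == "__main__":
    forced = parse_forced_users(SAMPLE_CONF)
    for hit in find_uid_mismatches(SAMPLE_LOG, forced, SAMPLE_UIDS):
        print("share %s: user %s logged with uid %d, expected %d" % hit)
```

On the sample record the share is flagged because the session is labelled reklama but carries uid 1761, which the `id -a solarz` output above shows is the connecting user's uid.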
Same problem here. The following may be interesting: creation of items fails (so force user doesn't work) but deletion just works - which suggests that force user is in effect.
I reported the bug to the fedora folks as well, as both mine and the initially reported bug are related to 3.2.11-0.30.fc1, which is Fedora. https://bugzilla.redhat.com/show_bug.cgi?id=497708
Ok, reproduced this with 3-2-test as well as 3.2.9 and 3.2.11. (It is fine in master, 3-4-test, 3-3-test, 3.3.3 and 3.2.8)
Ok Guenther, how did you reproduce this? I tried locally but couldn't (reproduce it) in the 3.2.x git tree. Jeremy.
    [share]
        path = /tmp/share
        force user = gd
        force group = users
        write list = simo

is my example config, just a standalone box.

git bisect from 3.2.8 and 3.2.9 (where it is broken) reveals f816072e3f8b92886b891a3101f4e50ffb727c6f as the first commit that breaks it. (The function modified in that commit is called from the find_forced_user() call.) In 3.3 we moved away from find_forced_user() with this: ddcea20947fb3ca5ccd9e2a1e024ac8296dc4055

(In reply to comment #11)
> [share]
> path = /tmp/share
> force user = gd
> force group = users
> write list = simo

then I just smbclient as simo into the box and create a folder, the folder is owned by simo then (instead of gd).

Yeah, that's pretty much what I did but couldn't reproduce it. Although my forced user wasn't a user with a Samba passdb entry... Hmm. Anyway, I'll look at this now you've found a commit that breaks things. Jeremy.
Can't find f816072e3f8b92886b891a3101f4e50ffb727c6f doing a git-log on 3-2-test. Any ideas as to what might be wrong? Jeremy.
Created attachment 4085: Patch for all branches. This works here for me. Please review and test. Jeremy.
Created attachment 4086: Updated patch for all branches. Added comment, correct error exits for the previous patch. Jeremy.
Created attachment 4087: Alternate patch for all branches. Alternate way of fixing this. Depends on internal knowledge of what passdb does for guest user. Both of these patches fix the problem, now we need to decide which way to choose. Jeremy.
As already discussed last night with Jeremy, I like the first patch (from Comment #16) better.
(In reply to comment #18)
> As already discussed last night with Jeremy,
> I like the first patch (from Comment #16) better.

Yes, me too. I've built test packages for fedora10 and tested them. force user worked as expected.

(In reply to comment #19)
> (In reply to comment #18)
> > As already discussed last night with Jeremy,
> > I like the first patch (from Comment #16) better.
> Yes, me too. I've built test packages for fedora10 and tested them. force user
> worked as expected.

Confirmed

Closing out bug report. Patch is included in Samba 3.3.4. Thanks for reporting!
Patch will be included in 3.2.12.
*** Bug 6354 has been marked as a duplicate of this bug. ***