** Attachment added: "Full smb.conf"
   https://bugs.launchpad.net/bugs/702265/+attachment/1792367/+files/smb.conf

** Description changed:

  Binary package hint: samba
  
  I have set a samba domain with idmap ldap, this is my idmap config:
  
  idmap config DOMAIN:backend = ldap
  idmap config DOMAIN:readonly = no
  idmap config DOMAIN:default = yes
  idmap config DOMAIN:ldap_base_dn = ou=idmap,ou=baseou,dc=mydomain,dc=com
  idmap config DOMAIN:ldap_user_dn = cn=admin,dc=mydomain,dc=com
  idmap config DOMAIN:ldap_url = ldap://localhost
  idmap config DOMAIN:range = 50000-59999
  
  #idmap backend = ldap:ldap://localhost
  idmap uid = 10000-19999
  idmap gid = 10000-19999
  #idmap gid = 20000-29999
  idmap alloc backend = ldap
  idmap alloc config : ldap_url = ldap://localhost
  idmap alloc config:ldap_user_dn = cn=admin,dc=mydomain,dc=com
  idmap alloc config : ldap_base_dn = ou=idmap,ou=baseou,dc=mydomain,dc=com
  idmap alloc config:range = 50000-59999
  
  Once I have set this up in smb.conf, I stop the smbd service and restart winbind,
then I issue the "net sam provision" command; at this point everything is ok and
the ldap is provisioned properly. As you know, the provision creates these
users and groups:
-         - Administrator -> UID=10000;GID=10001
-         - nobody -> UID=65534;GID=65534
-         - domguests -> GID=65534
-         - domusers -> GID=10000
-         - domadmins -> GID=10001
+         - Administrator -> UID=10000;GID=10001
+         - nobody -> UID=65534;GID=65534
+         - domguests -> GID=65534
+         - domusers -> GID=10000
+         - domadmins -> GID=10001
  
  After that, I create a new user called usuprueba1, which is created with
  uid=10001 and gid=10000.
  
  Also, I have set up a share called usuarios where the home directories of the 
users will be placed:
  [Usuarios]
  comment = Directorios home de los usuarios
  path = /opt/usuarios
  browseable = yes
  directory mask = 0700
  read only = no
  valid users = %U
  hide unreadable = yes
  root preexec = /opt/scripts/crearHomes.sh %U
  
  The "crearHomes.sh" script automatically creates the home folder of the
  user, right into /opt/usuarios (i.e. /opt/usuarios/administrator or
  /opt/usuarios/usuprueba1). This is also working perfectly.
  
  As you can see, the home directories are created with a 0700 mask, so
  they are only readable by the owner user.
  
  The problem comes when I issue an smbclient command as user
  administrator and as usuprueba1 against the Usuarios share: it shows me
  both directories (administrator and usuprueba1)!
  
- root@mambo:/opt/usuarios# smbclient '//SERVER/Usuarios' -c 'dir' -U 
'usuprueba1'  -d 0  -W 'DOMAIN' -O 'TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE 
SO_RCVBUF=8192 SO_SNDBUF=8192' -b 1200 
- Enter usuprueba1's password: 
+ root@server:/opt/usuarios# smbclient '//SERVER/Usuarios' -c 'dir' -U 
'usuprueba1'  -d 0  -W 'DOMAIN' -O 'TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE 
SO_RCVBUF=8192 SO_SNDBUF=8192' -b 1200
+ Enter usuprueba1's password:
  Domain=[SAMBA-SEF] OS=[Unix] Server=[Samba 3.4.7]
-   .                                   D        0  Thu Jan 13 09:45:48 2011
-   ..                                  D        0  Tue Dec 28 11:30:55 2010
-   usuprueba1                          D        0  Thu Jan 13 09:19:14 2011
-   administrator                       D        0  Wed Jan 12 14:14:39 2011
+   .                                   D        0  Thu Jan 13 09:45:48 2011
+   ..                                  D        0  Tue Dec 28 11:30:55 2010
+   usuprueba1                          D        0  Thu Jan 13 09:19:14 2011
+   administrator                       D        0  Wed Jan 12 14:14:39 2011
  
- root@mambo:/opt/usuarios# smbclient '//SERVER/Usuarios' -c 'dir' -U 
'usuprueba1'  -d 0  -W 'DOMAIN' -O 'TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE 
SO_RCVBUF=8192 SO_SNDBUF=8192' -b 1200 
- Enter administrator's password: 
+ root@server:/opt/usuarios# smbclient '//SERVER/Usuarios' -c 'dir' -U 
'usuprueba1'  -d 0  -W 'DOMAIN' -O 'TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE 
SO_RCVBUF=8192 SO_SNDBUF=8192' -b 1200
+ Enter administrator's password:
  Domain=[SAMBA-SEF] OS=[Unix] Server=[Samba 3.4.7]
-   .                                   D        0  Thu Jan 13 09:46:48 2011
-   ..                                  D        0  Tue Dec 28 11:30:55 2010
-   usuprueba1                          D        0  Thu Jan 13 09:19:14 2011
-   administrator                       D        0  Wed Jan 12 14:14:39 2011
+   .                                   D        0  Thu Jan 13 09:46:48 2011
+   ..                                  D        0  Tue Dec 28 11:30:55 2010
+   usuprueba1                          D        0  Thu Jan 13 09:19:14 2011
+   administrator                       D        0  Wed Jan 12 14:14:39 2011
  
  I have checked permissions with ls -l and getfacl, these are the results:
- root@mambo:/opt/usuarios# ls -l
+ root@server:/opt/usuarios# ls -l
  total 44
  drwx------ 2 administrator root  4096 2011-01-12 14:14 administrator
  drwx------ 2         10001 root  4096 2011-01-13 09:19 usuprueba1
  
- root@mambo:/opt/usuarios# getfacl administrator/ usuprueba1/
+ root@server:/opt/usuarios# getfacl administrator/ usuprueba1/
  # file: administrator/
  # owner: administrator
  # group: root
  user::rwx
  group::---
  other::---
  
  # file: usuprueba1/
  # owner: 10001
  # group: root
  user::rwx
  group::---
  other::---
  
  I have also done a test in Windows, logging in as user usuprueba1 and
checking the permissions of both directories:
  For usuprueba1 directory:
-     usuprueba1 -> Total access
-     root -> No permission
-     domain users -> No permission
+     usuprueba1 -> Total access
+     root -> No permission
+     domain users -> No permission
  
  For administrator directory:
-     domain users -> Total access
-     root -> No permission
-     domain admins -> No permission
+     domain users -> Total access
+     root -> No permission
+     domain admins -> No permission
  
  As I can see from these results, the ACLs of the administrator directory are
  not ok: domain users should not appear, it should be administrator
  instead. Coincidentally, administrator has UID=10000 and the Domain Users
  group has GID=10000, which makes me think that somehow samba is confusing
  group and user permissions.
  
  I made another test, changing the idmap gid values so that they do not
  overlap with the idmap uid values; this time it worked perfectly,
  permissions were set properly and the smbclient command gave me the right
  result.
  
  Attached full smb.conf

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/702265

Title:
  Error with overlapping idmap uids and gids

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
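Added example, not part of the bug report or of Samba itself: a small Python checker that parses the idmap parameters out of an smb.conf fragment modelled on the reporter's configuration and flags the condition the report describes, a global `idmap uid` range that overlaps the `idmap gid` range, next to the reporter's fix (a gid range that does not overlap). It goes one step beyond the report by also flagging `idmap config DOMAIN:range` values that overlap between different domains, which Samba's smb.conf documentation requires to be disjoint. The configuration text is constructed, and the function names (`parse_idmap_ranges`, `find_range_conflicts`, `report`) are mine.

```python
"""Flag overlapping idmap ranges in an smb.conf (Samba 3.x style parameters)."""
import re
from itertools import combinations

# Constructed smb.conf fragment modelled on the bug report: the global
# 'idmap uid' and 'idmap gid' ranges both cover 10000-19999.
SMB_CONF_OVERLAPPING = """\
[global]
   workgroup = DOMAIN
   idmap config DOMAIN:backend = ldap
   idmap config DOMAIN:ldap_base_dn = ou=idmap,ou=baseou,dc=mydomain,dc=com
   idmap config DOMAIN:range = 50000-59999
   #idmap backend = ldap:ldap://localhost
   idmap uid = 10000-19999
   idmap gid = 10000-19999
   #idmap gid = 20000-29999
   idmap alloc backend = ldap
   idmap alloc config : range = 50000-59999
"""

# The reporter's fix: a gid range that does not overlap the uid range.
SMB_CONF_FIXED = SMB_CONF_OVERLAPPING.replace(
    "idmap gid = 10000-19999", "idmap gid = 20000-29999"
)

RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_idmap_ranges(conf_text):
    """Return {normalized key: (low, high)} for every idmap parameter whose value is a range."""
    ranges = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        # skip blanks, comments (# or ;), section headers and lines without '='
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # smb.conf keys are case-insensitive and whitespace around ':' is not
        # significant, so 'idmap alloc config : range' == 'idmap alloc config:range'
        key = re.sub(r"\s*:\s*", ":", key.strip().lower())
        key = re.sub(r"\s+", " ", key)
        if not key.startswith("idmap"):
            continue
        m = RANGE_RE.match(value.strip())
        if m is None:
            continue  # backend, url, dn ... not a numeric range
        low, high = int(m.group(1)), int(m.group(2))
        if low > high:
            raise ValueError(f"{key}: inverted range {value.strip()!r}")
        ranges[key] = (low, high)
    return ranges


def _overlap(a, b):
    """Return the shared (low, high) of two inclusive ranges, or None."""
    low, high = max(a[0], b[0]), min(a[1], b[1])
    return (low, high) if low <= high else None


def find_range_conflicts(conf_text):
    """Return [(key_a, key_b, (low, high))] for every pair of ranges that must not overlap."""
    ranges = parse_idmap_ranges(conf_text)
    conflicts = []
    # 1. global uid range vs global gid range (the overlap from the bug report)
    if "idmap uid" in ranges and "idmap gid" in ranges:
        shared = _overlap(ranges["idmap uid"], ranges["idmap gid"])
        if shared:
            conflicts.append(("idmap uid", "idmap gid", shared))
    # 2. per-domain ranges of different domains must be disjoint
    domain_ranges = {
        k: v for k, v in ranges.items()
        if k.startswith("idmap config ") and k.endswith(":range")
    }
    for (ka, va), (kb, vb) in combinations(sorted(domain_ranges.items()), 2):
        shared = _overlap(va, vb)
        if shared:
            conflicts.append((ka, kb, shared))
    return conflicts


def report(conf_text):
    """Human-readable summary of the conflicts found in conf_text."""
    conflicts = find_range_conflicts(conf_text)
    if not conflicts:
        return "no overlapping idmap ranges"
    return "\n".join(f"{a} overlaps {b} on {lo}-{hi}" for a, b, (lo, hi) in conflicts)


if __name__ == "__main__":
    print("reported config:", report(SMB_CONF_OVERLAPPING))
    print("fixed config:   ", report(SMB_CONF_FIXED))
```

Run against a real file with `report(open("/etc/samba/smb.conf").read())`; the checker only reads the idmap parameters, so includes and macros are not expanded, and a range coming from an `include =` file has to be checked separately.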
