Error with overlapping idmap uids and gids

Bug #702265 reported by Jesús Martínez
Affects: samba (Ubuntu) | Status: Won't Fix | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

Binary package hint: samba

I have set a samba domain with idmap ldap, this is my idmap config:

idmap config DOMAIN:backend = ldap
idmap config DOMAIN:readonly = no
idmap config DOMAIN:default = yes
idmap config DOMAIN:ldap_base_dn = ou=idmap,ou=baseou,dc=mydomain,dc=com
idmap config DOMAIN:ldap_user_dn = cn=admin,dc=mydomain,dc=com
idmap config DOMAIN:ldap_url = ldap://localhost
idmap config DOMAIN:range = 50000-59999

#idmap backend = ldap:ldap://localhost
idmap uid = 10000-19999
idmap gid = 10000-19999
#idmap gid = 20000-29999
idmap alloc backend = ldap
idmap alloc config : ldap_url = ldap://localhost
idmap alloc config:ldap_user_dn = cn=admin,dc=mydomain,dc=com
idmap alloc config : ldap_base_dn = ou=idmap,ou=baseou,dc=mydomain,dc=com
idmap alloc config:range = 50000-59999

Once I have set up this in smb.conf, I stop smbd service and restart winbind, then I issue "net sam provision" command, at this point everything is ok and the ldap is provisioned properly. As you know, the provision creates these users and groups:
        - Administrator -> UID=10000;GID=10001
        - nobody -> UID=65534;GID=65534
        - domguests -> GID=65534
        - domusers -> GID=10000
        - domadmins -> GID=10001

After that, I create a new user called usuprueba1, which is created with uid=10001 and gid=10000.

Also, I have set up a share called usuarios where the home directories of the users will be placed:
[Usuarios]
comment = Directorios home de los usuarios
path = /opt/usuarios
browseable = yes
directory mask = 0700
read only = no
valid users = %U
hide unreadable = yes
root preexec = /opt/scripts/crearHomes.sh %U

The "crearHomes.sh" script automatically creates the user's home folder right inside /opt/usuarios (i.e. /opt/usuarios/administrator or /opt/usuarios/usuprueba1). This is also working perfectly.

As you can see, the home directories are created with a 0700 mask, so they are only readable by the owner user.

The problem comes when I issue an smbclient command with user administrator and usuprueba1 against the Usuarios share: it shows me both directories (administrator and usuprueba1)!

root@server:/opt/usuarios# smbclient '//SERVER/Usuarios' -c 'dir' -U 'usuprueba1' -d 0 -W 'DOMAIN' -O 'TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192' -b 1200
Enter usuprueba1's password:
Domain=[SAMBA-SEF] OS=[Unix] Server=[Samba 3.4.7]
  . D 0 Thu Jan 13 09:45:48 2011
  .. D 0 Tue Dec 28 11:30:55 2010
  usuprueba1 D 0 Thu Jan 13 09:19:14 2011
  administrator D 0 Wed Jan 12 14:14:39 2011

root@server:/opt/usuarios# smbclient '//SERVER/Usuarios' -c 'dir' -U 'usuprueba1' -d 0 -W 'DOMAIN' -O 'TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192' -b 1200
Enter administrator's password:
Domain=[SAMBA-SEF] OS=[Unix] Server=[Samba 3.4.7]
  . D 0 Thu Jan 13 09:46:48 2011
  .. D 0 Tue Dec 28 11:30:55 2010
  usuprueba1 D 0 Thu Jan 13 09:19:14 2011
  administrator D 0 Wed Jan 12 14:14:39 2011

I have checked permissions with ls -l and getfacl, these are the results:
root@server:/opt/usuarios# ls -l
total 44
drwx------ 2 administrator root 4096 2011-01-12 14:14 administrator
drwx------ 2 10001 root 4096 2011-01-13 09:19 usuprueba1

root@server:/opt/usuarios# getfacl administrator/ usuprueba1/
# file: administrator/
# owner: administrator
# group: root
user::rwx
group::---
other::---

# file: usuprueba1/
# owner: 10001
# group: root
user::rwx
group::---
other::---

I also have done a test in Windows, logging in with the usuprueba1 user and checking the permissions of both directories:
For usuprueba1 directory:
    usuprueba1 -> Total access
    root -> No permission
    domain users -> No permission

For administrator directory:
    domain users -> Total access
    root -> No permission
    domain admins -> No permission

As I can see from these results, the ACLs of the administrator directory are not ok: domain users should not appear; it should be administrator instead. "Casually", administrator has UID=10000 and the Domain Users group has GID=10000, which makes me think that somehow samba is confusing group and user permissions.

I made another test: I changed the idmap gid values so that they do not overlap with the idmap uid values. This time it worked perfectly; permissions were set properly and the smbclient command gave me the right result.

Attached full smb.conf
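An added check, not part of the report or of Samba, that reads the `idmap uid` and `idmap gid` lines of an smb.conf and reports the span on which the two ranges overlap, the condition the reporter's workaround removes. The config text is a constructed excerpt mirroring the ranges in the report, and the check assumes, as the report concludes, that a number that can be handed out both as a uid and as a gid is the trigger.

```python
import re

# Constructed smb.conf excerpt that mirrors the reporter's idmap settings
# (same ranges, with the commented-out alternative for idmap gid kept).
SMB_CONF = """
[global]
idmap config DOMAIN:backend = ldap
idmap config DOMAIN:range = 50000-59999
idmap uid = 10000-19999
idmap gid = 10000-19999
#idmap gid = 20000-29999
idmap alloc config:range = 50000-59999
"""

# Matches "idmap uid = LOW-HIGH" / "idmap gid = LOW-HIGH" (case-insensitive).
RANGE_RE = re.compile(r"^\s*(idmap uid|idmap gid)\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)


def parse_uid_gid_ranges(conf):
    """Return {'idmap uid': (low, high), 'idmap gid': (low, high)} from active lines.

    Lines starting with '#' or ';' are smb.conf comments and are skipped, so the
    commented-out 'idmap gid = 20000-29999' above does not count as a setting.
    """
    ranges = {}
    for line in conf.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def overlap(ranges):
    """Return the (low, high) span shared by the uid and gid ranges, or None."""
    uid, gid = ranges.get("idmap uid"), ranges.get("idmap gid")
    if not uid or not gid:
        return None
    lo, hi = max(uid[0], gid[0]), min(uid[1], gid[1])
    return (lo, hi) if lo <= hi else None


def check(conf):
    """Return 'ok' when no id can be both a uid and a gid, else the shared span."""
    span = overlap(parse_uid_gid_ranges(conf))
    if span is None:
        return "ok"
    return "uid/gid ranges overlap on %d-%d" % span
```

With the reporter's ranges the check flags 10000-19999, the span containing both Administrator's UID 10000 and Domain Users' GID 10000; with the commented-out gid range activated instead, it reports ok.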

Jesús Martínez (jesus-martinez) wrote :
description: updated
James Page (james-page) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. Please execute the following command, as it will automatically gather debugging information, in a terminal:

apport-collect 702265

When reporting bugs in the future please use apport by using 'ubuntu-bug' and the name of the package affected. You can learn more about this functionality at https://wiki.ubuntu.com/ReportingBugs.

Changed in samba (Ubuntu):
status: New → Incomplete
James Page (james-page) wrote :

We'd like to figure out what's causing this bug for you, but we haven't heard back from you in a while. Could you please provide the requested information? Thanks!

Chuck Short (zulcss) wrote :

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to "New". Thanks again!

Changed in samba (Ubuntu):
status: Incomplete → Won't Fix