Error with overlapping idmap uids and gids
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
samba (Ubuntu) |
Won't Fix
|
Undecided
|
Unassigned |
Bug Description
Binary package hint: samba
I have set a samba domain with idmap ldap, this is my idmap config:
idmap config DOMAIN:backend = ldap
idmap config DOMAIN:readonly = no
idmap config DOMAIN:default = yes
idmap config DOMAIN:ldap_base_dn = ou=idmap,
idmap config DOMAIN:ldap_user_dn = cn=admin,
idmap config DOMAIN:ldap_url = ldap://localhost
idmap config DOMAIN:range = 50000-59999
#idmap backend = ldap:ldap:
idmap uid = 10000-19999
idmap gid = 10000-19999
#idmap gid = 20000-29999
idmap alloc backend = ldap
idmap alloc config : ldap_url = ldap://localhost
idmap alloc config:ldap_user_dn = cn=admin,
idmap alloc config : ldap_base_dn = ou=idmap,
idmap alloc config:range = 50000-59999
Once I have set up this in smb.conf, I stop smbd service and restart winbind, then I issue "net sam provision" command, at this point everything is ok and the ldap is provisioned properly. As you know, the provision creates these users and groups:
- Administrator -> UID=10000;GID=10001
- nobody -> UID=65534;GID=65534
- domguests -> GID=65534
- domusers -> GID=10000
- domadmins -> GID=10001
After that, I create a new user called usuprueba1, wich is created with uid=10001 and gid=10000.
Also, I have set up a share called usuarios where the home directories of the users will be placed:
[Usuarios]
comment = Directorios home de los usuarios
path = /opt/usuarios
browseable = yes
directory mask = 0700
read only = no
valid users = %U
hide unreadable = yes
root preexec = /opt/scripts/
The "crearHomes.sh" script creates automatically the home folder of the user, right into /opt/usuarios (i.e. /opt/usuarios/
as you can see, the home directories are created with 0700 mask, so, they are only readable by the owner user.
The problem comes when I issue a smbclient command with user administrator and usuprueba1 against Usuarios share, it shows me up the both directories (administrator and usuprueba1)!
root@server:
Enter usuprueba1's password:
Domain=[SAMBA-SEF] OS=[Unix] Server=[Samba 3.4.7]
. D 0 Thu Jan 13 09:45:48 2011
.. D 0 Tue Dec 28 11:30:55 2010
usuprueba1 D 0 Thu Jan 13 09:19:14 2011
administrator D 0 Wed Jan 12 14:14:39 2011
root@server:
Enter administrator's password:
Domain=[SAMBA-SEF] OS=[Unix] Server=[Samba 3.4.7]
. D 0 Thu Jan 13 09:46:48 2011
.. D 0 Tue Dec 28 11:30:55 2010
usuprueba1 D 0 Thu Jan 13 09:19:14 2011
administrator D 0 Wed Jan 12 14:14:39 2011
I have checked permissions with ls -l and getfacl, these are the results:
root@server:
total 44
drwx------ 2 administrator root 4096 2011-01-12 14:14 administrator
drwx------ 2 10001 root 4096 2011-01-13 09:19 usuprueba1
root@server:
# file: administrator/
# owner: administrator
# group: root
user::rwx
group::---
other::---
# file: usuprueba1/
# owner: 10001
# group: root
user::rwx
group::---
other::---
I also have done a test in windows, login in with usuprueba1 user and checking permissions of both directories:
For usuprueba1 directory:
usuprueba1 -> Total access
root -> No permission
domain users -> No permission
For administrator directory:
domain users -> Total access
root -> No permission
domain admins -> No permission
As I can see with this results, the ACLs of administrator directory are not ok, domain users should not appear, it would be administrator instead, "casually" administrator has UID=10000 and Domain Users groups has GID=10000, it makes me think that somehow, samba is confusing group and user permissions.
I made another test, it was changing idmap gid values, and make it not overlap with idmap uid values, this time it worked perfectly, permissions were set properly and smbclient comand gave me the right result.
Attached full smb.conf
Thank you for taking the time to report this bug and helping to make Ubuntu better. Please execute the following command, as it will automatically gather debugging information, in a terminal:
apport-collect 702265
When reporting bugs in the future please use apport by using 'ubuntu-bug' and the name of the package affected. You can learn more about this functionality at https:/ /wiki.ubuntu. com/ReportingBu gs.