# Samba permissions broken (was samba roaming profiles)

## moofbong

Hey,

I'm having trouble getting roaming profiles to work correctly with Samba as a server and Win2k and XP clients.  On the first login, the profile is created successfully, but on subsequent logins, windows claims it doesn't have permission to access the profile.  If I ssh to the server, I can read/write/edit the files just fine.  getfacl returns the following for my profile directory:

```
brandon.dimcheff@unity /var/lib/samba/profiles/brandon.dimcheff $ getfacl .
# file: .
# owner: brandon.dimcheff
# group: westpole
user::rwx
group::---
other::---
default:user::rwx
default:group::---
default:other::---
```

If I create a file:

```
brandon.dimcheff@unity /var/lib/samba/profiles/brandon.dimcheff $ echo 'foo' > bar
brandon.dimcheff@unity /var/lib/samba/profiles/brandon.dimcheff $ cat bar
foo
```

So that works fine.  If I try to open the file from Windows, I get "access denied".  In the security tab of the properties window, it shows my domain account having read and write access to the file.  In Windows, even though it says I have rw privs, I can only create and delete files.  Once saved in the profile share, I can no longer read them.

Here's my smb.conf:

```
# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2005/10/11 11:59:26

# Global parameters
[global]
        workgroup = WESTPOLE_BETA
        server string = Unity
        map to guest = Bad User
        smb passwd file = /etc/samba/private/smbpasswd
        passdb backend = ldapsam:ldap://unity.westpole.com/
        log file = /var/log/samba3/log.%m
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        printcap name = cups
        dns proxy = No
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        ldap delete dn = Yes
        #delete user script = /usr/sbin/smbldap-userdel "%u"
        add machine script = /usr/sbin/smbldap-useradd -w "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        #delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
        ldap admin dn = cn=Manager,dc=westpole,dc=com
        ldap delete dn = Yes
        ldap group suffix = ou=Group
        ldap idmap suffix = ou=People
        ldap machine suffix = ou=Computers
        ldap passwd sync = Yes
        ldap suffix = dc=westpole,dc=com
        ldap ssl = start tls
        ldap user suffix = ou=People
        printer admin = @adm
        create mask = 0774
        directory mask = 0775
        domain logons = yes
        preferred master = yes
        domain master = yes
        os level = 65
        hide dot files = yes
        load printers = yes
        printing = cups
        printcap name = cups
        security = user
        guest ok = no
        use client driver = no
        # For Samba 3.x. This enables ClamAV on access scanning.
        vfs object = vscan-clamav
        vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
        wins support = yes
        name resolve order = wins lmhosts host bcast
        dns proxy = no

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        guest ok = Yes
        printable = Yes
        browseable = No
        writeable = No

[brother_hl_2700cn]
        comment = Brother HL2700cn Network Printer
        printable = yes
        path = /var/spool/samba
        public = yes
        guest ok = yes
        printer admin = root

[hp_laserjet_4000]
        comment = HP LaserJet 4000 Network Printer
        printable = yes
        path = /var/spool/samba
        public = yes
        guest ok = yes
        printer admin = root

# Now we setup our print drivers information!
[print$]
        comment = Printer Drivers
        path = /etc/samba/printer
        guest ok = yes
        browseable = yes
        read only = yes
        # Modify this to "username,root" if you don't want root to
        # be the only printer admin)
        write list = @adm,root

[fileserver]
        comment = West Pole File Server
        path = /mnt/fileserver
        read only = No
        hide dot files = yes

[backups]
        comment = West Pole File Server Daily Backups
        path = /mnt/dailies
        read only = Yes
        hide dot files = yes

[netlogon]
        path = /var/lib/samba/netlogon
        guest ok = no
        read only = yes
        browseable = no

[profiles]
        path = /var/lib/samba/profiles
        browseable = no
        writeable = yes
        default case = lower
        preserve case = no
        short preserve case = no
        case sensitive = no
        hide files = /desktop.ini/ntuser.ini/NTUSER.*/
        write list = @smbusers @root @westpole
        create mask = 0600
        directory mask = 0700
        profile acls = no
```

Frankly I'm at a loss.  I've tried playing with the sticky bit in the profiles directory to no avail.  It also seems that permissions work incorrectly in other shares as well.  For instance, if I change the group of a file to something other than my default group, I will not be able to do anything to the file as my user.  Is there something I'm missing about permissions in general maybe?

Thanks,

Brandon

*Last edited by moofbong on Thu Dec 15, 2005 4:33 pm; edited 1 time in total*

----------

## Scoody

```
[profiles]
profile acls = yes
```

Could fix it.

----------

## Zeos

Try this ...

On your windows box click start => run => gpedit.msc

Navigate to "Computer Configuration" => "Administrative Templates" => "System" => "User Profiles", change the setting "Do not check for user ownership of Roaming Profile Folders" to enabled. 

I try to stay as far away from the windows boxen @ work as possible, but iirc there was some issue with this for us in the past.

----------

## Po0ky

*Scoody wrote:*

> [profiles]
> profile acls = yes
>
> Could fix it.

This doesn't really help with the ACLs. By setting this directive, samba will always set specific ACLs that are known to work with winxp clients.

*man smb.conf wrote:*

> When not in domain mode with winbindd then the security info copied onto the local workstation has no meaning to the logged in user (SID) on that workstation so the profile storing fails. Adding this parameter onto a share used for profile storage changes
> ...

----------

## moofbong

Aha!  I have made some progress on this.  The real reason why the files can't be accessed seems to be that samba doesn't handle user and group read permissions correctly.  

I cannot open the file when logged in as brandon.dimcheff via Samba when the perms are like this:

```
brandon.dimcheff@unity ~ $ ls -als test
4 -rw-------  1 brandon.dimcheff westpole 668 Dec 14 15:00 test
```

OR when they're 640.  But I can when I change them to 644.  NOTE:  I can still WRITE to the files even when they're 600, I just can't READ them.  Bizarre.

So anyhow, is there some setting that tweaks how Samba handles read bits?

Thanks again,

Brandon

----------

## moofbong

I'm still having these problems.  We're starting to do stuff that really needs permissions to be working right, so I'm bringing it up again.

Is there any way of asking samba what it thinks the permissions of a file are?  Something like getfacl except with samba?  Or is there detailed debugging output that I can enable that will show every file access attempt?

NOTE: This is NOT just profiles, either.  All files in the samba share will not be accessible from Samba if they are not world readable.

Thanks again,

Brandon

----------

## moofbong

Here's some info from the log when I attempted to 'cat test2' from a remote computer.  It seems to think that permission is denied, even though the permissions should allow access:

```
[2006/07/03 15:51:45, 3] smbd/process.c:process_smb(1194)
  Transaction 321 of length 134
[2006/07/03 15:51:45, 3] smbd/process.c:switch_message(993)
  switch message SMBntcreateX (pid 22541) conn 0x803b73f8
[2006/07/03 15:51:45, 3] smbd/dosmode.c:unix_mode(121)
  unix_mode(untitled folder/test2) returning 0764
[2006/07/03 15:51:45, 3] smbd/open.c:open_file(276)
  Error opening file untitled folder/test2 (Permission denied) (local_flags=0) (flags=0)
[2006/07/03 15:51:45, 3] smbd/error.c:unix_error_packet(90)
  unix_error_packet: error string = Permission denied
[2006/07/03 15:51:45, 3] smbd/error.c:error_packet(146)
  error packet at smbd/trans2.c(2632) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED
```

The actual file permissions (not 0764 like the log claims, that's for sure):

```
brandon.dimcheff@unity ~/untitled folder $ ls -als
total 17
0 drwx--S---   3 brandon.dimcheff westpole  160 Jul  3 15:51 .
1 drwx------  12 brandon.dimcheff westpole  816 Jul  3 15:51 ..
4 -rw--w----   1 brandon.dimcheff westpole    4 Apr 12 17:41 test2
```
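
As an added example (not code from the thread), here is a small Python parser for level 3 smbd log output in the format quoted above. It pairs each `open_file` failure with the mode `unix_mode` computed for that path and the NT status sent back to the client, which is the kind of correlation you want when auditing access denials on a share. The embedded log lines are constructed from the excerpt; `SAMPLE_LOG` and the function names are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Level 3 smbd log: a bracketed header line followed by an indented message line.
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+):(\w+)\((\d+)\)$")
UNIX_MODE_RE = re.compile(r"^unix_mode\((.+)\) returning (0[0-7]+)$")
OPEN_ERR_RE = re.compile(r"^Error opening file (.+?) \((.+?)\) \(local_flags=(\d+)\) \(flags=(\d+)\)$")
NT_STATUS_RE = re.compile(r"(NT_STATUS_[A-Z_]+)$")

# Constructed sample, modelled on the log excerpt in this post.
SAMPLE_LOG = """\
[2006/07/03 15:51:45, 3] smbd/process.c:process_smb(1194)
  Transaction 321 of length 134
[2006/07/03 15:51:45, 3] smbd/process.c:switch_message(993)
  switch message SMBntcreateX (pid 22541) conn 0x803b73f8
[2006/07/03 15:51:45, 3] smbd/dosmode.c:unix_mode(121)
  unix_mode(untitled folder/test2) returning 0764
[2006/07/03 15:51:45, 3] smbd/open.c:open_file(276)
  Error opening file untitled folder/test2 (Permission denied) (local_flags=0) (flags=0)
[2006/07/03 15:51:45, 3] smbd/error.c:unix_error_packet(90)
  unix_error_packet: error string = Permission denied
[2006/07/03 15:51:45, 3] smbd/error.c:error_packet(146)
  error packet at smbd/trans2.c(2632) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED
"""

@dataclass
class Denial:
    timestamp: str
    path: str
    reason: str                      # errno text from open_file, e.g. "Permission denied"
    unix_mode: Optional[str] = None  # mode smbd computed for the path, if it logged one
    nt_status: Optional[str] = None  # status returned to the client, if it logged one

def parse_records(text: str) -> List[Tuple[str, str, str]]:
    """Pair each header line with the message line that follows it: (timestamp, function, message)."""
    lines = [l for l in text.splitlines() if l.strip()]
    records, i = [], 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if m and i + 1 < len(lines) and not HEADER_RE.match(lines[i + 1]):
            records.append((m.group(1), m.group(4), lines[i + 1].strip()))
            i += 2
        else:
            i += 1  # header without a message line, or stray text: skip it
    return records

def find_denials(text: str) -> List[Denial]:
    """Collect open failures, attaching the last unix_mode seen for the same path
    and the next NT_STATUS line (assumed to belong to the most recent failure)."""
    denials, last_mode = [], {}
    for ts, _func, msg in parse_records(text):
        um = UNIX_MODE_RE.match(msg)
        if um:
            last_mode[um.group(1)] = um.group(2)
            continue
        oe = OPEN_ERR_RE.match(msg)
        if oe:
            denials.append(Denial(ts, oe.group(1), oe.group(2), last_mode.get(oe.group(1))))
            continue
        ns = NT_STATUS_RE.search(msg)
        if ns and denials and denials[-1].nt_status is None:
            denials[-1].nt_status = ns.group(1)
    return denials
```

Run it over a real `log.%m` file at `log level = 3` or higher to list every denied open together with the path, the mode smbd believed the file had, and the status the client saw.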

----------

## moofbong

Here's a dialog I made in smbclient illustrating the problem:

```
smb: \User\Brandon\test\> ls
  .                                   D        0  Wed Jul  5 16:51:41 2006
  ..                                  D        0  Mon Jul  3 16:06:45 2006
  bar                                 A       10  Mon Jul  3 16:09:54 2006
  foo                                          5  Mon Jul  3 16:07:16 2006

                61438 blocks of size 524288. 33649 blocks available
smb: \User\Brandon\test\> get foo
NT_STATUS_ACCESS_DENIED opening remote file \User\Brandon\test\foo
smb: \User\Brandon\test\> stat foo
File: \User\Brandon\test\foo
Size: 5                 Blocks: 8       regular file
Inode: 17100    Links: 1
Access: (0600/-rw-------)       Uid: 5000       Gid: 5000
Access: 2006-07-03 16:11:02 -0400
Modify: 2006-07-03 16:07:16 -0400
Change: 2006-07-05 09:58:33 -0400
smb: \User\Brandon\test\> get bar
getting file \User\Brandon\test\bar of size 10 as bar (9.8 kb/s) (average 1.8 kb/s)
smb: \User\Brandon\test\> stat bar
File: \User\Brandon\test\bar
Size: 10                Blocks: 8       regular file
Inode: 17101    Links: 1
Access: (0764/-rwxrw-r--)       Uid: 5000       Gid: 5000
Access: 2006-07-05 16:52:02 -0400
Modify: 2006-07-03 16:09:54 -0400
Change: 2006-07-05 09:58:33 -0400
smb: \User\Brandon\test\> put baz
putting file baz as \User\Brandon\test\baz (3.9 kb/s) (average 0.6 kb/s)
smb: \User\Brandon\test\> get baz
getting file \User\Brandon\test\baz of size 4 as baz (3.9 kb/s) (average 1.9 kb/s)
smb: \User\Brandon\test\> stat baz
File: \User\Brandon\test\baz
Size: 4                 Blocks: 8       regular file
Inode: 17099    Links: 1
Access: (0764/-rwxrw-r--)       Uid: 5000       Gid: 5000
Access: 2006-07-05 16:52:15 -0400
Modify: 2006-07-05 16:52:07 -0400
Change: 2006-07-05 16:52:07 -0400
smb: \User\Brandon\test\> chmod 0600 baz
Pushing string of 'unlimited' length into non-SMB buffer!
smb: \User\Brandon\test\> stat baz
File: \User\Brandon\test\baz
Size: 4                 Blocks: 8       regular file
Inode: 17099    Links: 1
Access: (0600/-rw-------)       Uid: 5000       Gid: 5000
Access: 2006-07-05 16:52:15 -0400
Modify: 2006-07-05 16:52:07 -0400
Change: 2006-07-05 16:52:31 -0400
smb: \User\Brandon\test\> get baz
NT_STATUS_ACCESS_DENIED opening remote file \User\Brandon\test\baz
smb: \User\Brandon\test\>
```
