User confusion when mounting a share

I have a problem editing files in a Samba share. This share is accessed from a Windows XP and a Linux client. When I open a Word document from Windows there is no problem, but when I try to edit the same file from the Linux PC with Writer, it opens the file in read mode. I have checked the file permissions from the Linux client and all the fields are blank, but if I copy the file to the local drive I can edit it. This is an openSUSE 11.2 box.

This is how I created the folder containing the files on the Linux server (openSUSE 11.2). This server is set up as a PDC using LDAP as backend:

mkdir /datos

chmod 2775 /datos

This is the share in the smb.conf

[archivos1]
path = /home/easgs/datos
comment = datos varios
guest ok = No
inherit acls = Yes
valid users = @ntusers
write list = @ntusers
force create mode = 0660
force directory mode = 0770
force group = ntusers

This is the command I have used:

mount -t cifs -o username=amartinez //192.168.0.2/archivos1 /home/SIENIC/amartinez/recurso2

These are the permissions of the folder before the mount command:

drwxrws--- 3 SIENIC\amartinez SIENIC\domain users 4096 nov 17 09:58 prueba2

These are the permissions of the folder after the mount command:

drwsrwsr-x 3 adolfo BUILTIN\administrators 0 nov 17 15:05 recurso2

This is why the share is read-only: the current user is the domain user “amartinez”, and adolfo is a local user. This machine is part of a DOMAIN; the PDC is an openSUSE 11.2 domain controller.

How can I mount this share as a read/write share for the domain users logged in on the current workstation?

Note: If I run chmod 777 recurso2 I am able to edit the files, but this is not a secure solution. The optimal solution would be to mount the share as:

drwxrws--- 3 SIENIC\amartinez SIENIC\domain users 4096 nov 17 09:58 prueba2

On Wed November 18 2009 02:36 pm, Easgs wrote:

>
> I have a problem editing files in a samba share, this share is accessed
> from a Windows xp and a Linux client, when I open a Word Document from
> windows there is no problem, but when I try to edit the same file from
> the linux pc with writer, it opens a new file, not the file I want to
> edit, I have checked the file permissions from the linux client and all
> the fields are blank, but if I copy the file to the local drive I can
> edit it, this is a openSUSE 11.2 box.
>
> This is how I created the folder containing the files in the Linux
> server (openSUSE 11.2), this server is setup as a PDC using LDAP as
> backend
>
> mkdir /datos
>
> chmod 2775 /datos
>
> This is the share in the smb.conf
>
> [archivos1]
> path = /home/easgs/datos
> comment = datos varios
> guest ok = No
> inherit acls = Yes
> valid users = @ntusers
> write list = @ntusers
> force create mode = 0660
> force directory mode = 0770
> force group = ntusers
>
>
> This is the command I have used:
>
> mount -t cifs -o username=amartinez //192.168.0.2/archivos1
> /home/SIENIC/amartinez/recurso2
>
> these are the permissions of the folder before mount command
>
> drwxrws--- 3 SIENIC\amartinez SIENIC\domain users 4096 nov 17 09:58
> prueba2
>
> these are the permissions of the folder after mount command
>
> drwsrwsr-x 3 adolfo BUILTIN\administrators 0 nov 17
> 15:05 recurso2
>
>
> this is why the share is read only, the current user is the domain user
> “amartinez”, adolfo is a local user, this machine is part of a DOMAIN,
> the PDC is a openSUSE 11.2 domain controller
>
> how can I mount this share as a read/write share for the domain users
> logged in the current workstation?
>
> Note: If I run chmod 777 recurso2 I am able to edit the files, but this
> is not a secure solution, the optimal solution would be to mount the
> share as:
>
> drwxrws--- 3 SIENIC\amartinez SIENIC\domain users 4096 nov 17 09:58
> prueba2
>
>
Easgs;

Have you looked at:
http://opensuse.swerdna.org/susesambacifs.html

Note that the UID,GID options allow you to specify the owner/group of the
mounted directory.

P. V.
“We’re all in this together, I’m pulling for you.” Red Green

I have tried all that. I have found something interesting: if I run the command wbinfo -u I get this:

SIENIC\root
SIENIC\administrator
SIENIC\amartinez
SIENIC\esotomayor
SIENIC\contador

If I run the command wbinfo -g:

SIENIC\domain admins
SIENIC\domain guests
SIENIC\domain users

But if I run the command getent passwd I get this:

at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
avahi:x:101:104:User for Avahi:/var/run/avahi-daemon:/bin/false
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
dnsmasq:x:102:65534:dnsmasq:/var/lib/empty:/bin/false
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
haldaemon:x:106:109:User for haldaemon:/var/run/hald:/bin/false
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
messagebus:x:100:102:User for D-Bus:/var/run/dbus:/bin/false
news:x:9:13:News system:/etc/news:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
ntp:x:74:101:NTP daemon:/var/lib/ntp:/bin/false
polkituser:x:105:108:PolicyKit:/var/run/PolicyKit:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
pulse:x:104:106:PulseAudio daemon:/var/lib/pulseaudio:/sbin/nologin
root:x:0:0:root:/root:/bin/bash
rtkit:x:103:105:RealtimeKit:/proc:/sbin/nologin
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
suse-ncc:x:107:110:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
adolfo:x:1000:100:adolfo:/home/adolfo:/bin/bash

As you can see, the domain users are not present, only the local users. Maybe that is why I cannot use the UID or GID options. And if I run

chown amartinez recurso2

I get

chown: Invalid User: amartinez

where amartinez is a domain user.

This is the content of the nsswitch.conf file:

passwd: compat winbind
group: compat winbind

hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files dns

services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files

bootparams: files
automount: files nis
aliases: files

I have shut down the nscd service as recommended in the Samba how-to book.

On Thu November 19 2009 09:46 am, Easgs wrote:

>
> I have tried all that, I have found something interesting, if I run the
> command wbinfo -u I get this
>
> SIENIC\root
> SIENIC\administrator
> SIENIC\amartinez
> SIENIC\esotomayor
> SIENIC\contador
>
> if I run the command wbinfo -g
>
> SIENIC\domain admins
> SIENIC\domain guests
> SIENIC\domain users
>
> but if I run the command getent passwd I get this
>
> at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
> avahi:x:101:104:User for Avahi:/var/run/avahi-daemon:/bin/false
> bin:x:1:1:bin:/bin:/bin/bash
> daemon:x:2:2:Daemon:/sbin:/bin/bash
> dnsmasq:x:102:65534:dnsmasq:/var/lib/empty:/bin/false
> ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
> games:x:12:100:Games account:/var/games:/bin/bash
> haldaemon:x:106:109:User for haldaemon:/var/run/hald:/bin/false
> lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
> mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
> man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
> messagebus:x:100:102:User for D-Bus:/var/run/dbus:/bin/false
> news:x:9:13:News system:/etc/news:/bin/bash
> nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
> ntp:x:74:101:NTP daemon:/var/lib/ntp:/bin/false
> polkituser:x:105:108:PolicyKit:/var/run/PolicyKit:/bin/false
> postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
> pulse:x:104:106:PulseAudio daemon:/var/lib/pulseaudio:/sbin/nologin
> root:x:0:0:root:/root:/bin/bash
> rtkit:x:103:105:RealtimeKit:/proc:/sbin/nologin
> sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
> suse-ncc:x:107:110:Novell Customer Center
> User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
> uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
> wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
> adolfo:x:1000:100:adolfo:/home/adolfo:/bin/bash
>
>
> as you can see, the domain users are not present, only the local users,
> may be that is why I can not use the options UID or GID, and if I run
>
> chown amartinez recurso2
>
> I get
>
> chown: Invalid User: amartinez
>
>
> where amartinez is a domain user
>
> this is the content of the nsswitch.conf file
>
>
>
> passwd: compat winbind
> group: compat winbind
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns
> networks: files dns
>
> services: files
> protocols: files
> rpc: files
> ethers: files
> netmasks: files
> netgroup: files nis
> publickey: files
>
> bootparams: files
> automount: files nis
> aliases: files
>
>
>
> I have shutdown the nscd service as recommended in the samba how to
> book
>
>
Easgs;

Try adding ldap to the passwd:, shadow: and group: fields of nsswitch.

See: The section “PAM and NSS Client Configuration” of:
http://www.samba.org/samba/docs/man/Samba-Guide/happy.html#sbehap-PAM-NSS
and also section “NT4/Samba Domain with Samba Domain Member Server: Using NSS
and Winbind” of:
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#wdcsdm

P. V.
“We’re all in this together, I’m pulling for you.” Red Green

Hi, I solved it by adding the following lines to the smb.conf file in the [global] section.

winbind enum users = yes

winbind enum groups = yes

Now when I enter getent passwd I get:

at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
avahi:x:101:104:User for Avahi:/var/run/avahi-daemon:/bin/false
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
dnsmasq:x:102:65534:dnsmasq:/var/lib/empty:/bin/false
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
haldaemon:x:106:109:User for haldaemon:/var/run/hald:/bin/false
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
messagebus:x:100:102:User for D-Bus:/var/run/dbus:/bin/false
news:x:9:13:News system:/etc/news:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
ntp:x:74:101:NTP daemon:/var/lib/ntp:/bin/false
polkituser:x:105:108:PolicyKit:/var/run/PolicyKit:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
pulse:x:104:106:PulseAudio daemon:/var/lib/pulseaudio:/sbin/nologin
root:x:0:0:root:/root:/bin/bash
rtkit:x:103:105:RealtimeKit:/proc:/sbin/nologin
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
suse-ncc:x:107:110:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
adolfo:x:1000:100:adolfo:/home/adolfo:/bin/bash
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
avahi:x:101:104:User for Avahi:/var/run/avahi-daemon:/bin/false
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
dnsmasq:x:102:65534:dnsmasq:/var/lib/empty:/bin/false
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
haldaemon:x:106:109:User for haldaemon:/var/run/hald:/bin/false
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
messagebus:x:100:102:User for D-Bus:/var/run/dbus:/bin/false
news:x:9:13:News system:/etc/news:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
ntp:x:74:101:NTP daemon:/var/lib/ntp:/bin/false
polkituser:x:105:108:PolicyKit:/var/run/PolicyKit:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
pulse:x:104:106:PulseAudio daemon:/var/lib/pulseaudio:/sbin/nologin
root:x:0:0:root:/root:/bin/bash
rtkit:x:103:105:RealtimeKit:/proc:/sbin/nologin
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
suse-ncc:x:107:110:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
adolfo:x:1000:100:adolfo:/home/adolfo:/bin/bash
SIENIC\root::10004:10000:root:/home/SIENIC/root:/bin/bash
SIENIC\administrator::10002:10000::/home/SIENIC/administrator:/bin/bash
SIENIC\amartinez::10000:10000::/home/SIENIC/amartinez:/bin/bash
SIENIC\esotomayor::10001:10000::/home/SIENIC/esotomayor:/bin/bash
SIENIC\contador:*:10003:10000::/home/SIENIC/contador:/bin/bash

And when I type getent group I get:

at:!:25:
audio:x:17:pulse
avahi:!:104:
bin:x:1:daemon
cdrom:x:20:
console:x:21:
daemon:x:2:
dialout:x:16:
disk:x:6:
floppy:x:19:
ftp:x:49:
games:x:40:
haldaemon:!:109:
kmem:x:9:
lp:x:7:
mail:x:12:
maildrop:!:59:
man:x:62:
messagebus:!:102:
modem:x:43:
news:x:13:
nobody:x:65533:
nogroup:x:65534:nobody
ntadmin:!:71:
ntp:!:101:
polkituser:!:108:
postfix:!:51:
public:x:32:
pulse:!:106:
pulse-access:!:107:
root:x:0:
rtkit:!:105:
shadow:x:15:
sshd:!:65:
suse-ncc:!:110:
sys:x:3:
tape:!:103:
trusted:x:42:
tty:x:5:
utmp:x:22:
uucp:x:14:
video:x:33:adolfo
wheel:x:10:
winbind:!:111:
www:x:8:
xok:x:41:
users:x:100:adolfo
at:!:25:
audio:x:17:pulse
avahi:!:104:
bin:x:1:daemon
cdrom:x:20:
console:x:21:
daemon:x:2:
dialout:x:16:
disk:x:6:
floppy:x:19:
ftp:x:49:
games:x:40:
haldaemon:!:109:
kmem:x:9:
lp:x:7:
mail:x:12:
maildrop:!:59:
man:x:62:
messagebus:!:102:
modem:x:43:
news:x:13:
nobody:x:65533:
nogroup:x:65534:nobody
ntadmin:!:71:
ntp:!:101:
polkituser:!:108:
postfix:!:51:
public:x:32:
pulse:!:106:
pulse-access:!:107:
root:x:0:
rtkit:!:105:
shadow:x:15:
sshd:!:65:
suse-ncc:!:110:
sys:x:3:
tape:!:103:
trusted:x:42:
tty:x:5:
utmp:x:22:
uucp:x:14:
video:x:33:adolfo
wheel:x:10:
winbind:!:111:
www:x:8:
xok:x:41:
users:x:100:adolfo
SIENIC\domain admins:x:10010:SIENIC\administrator
SIENIC\domain guests:x:10011:
SIENIC\domain users:x:10000:SIENIC\amartinez,SIENIC\contador,SIENIC\esotomayor

The question here is, why does openSUSE 11.2 have those two options set to No?

I have read the following in the Samba3-HOWTO page:

*In a large domain with many users it is imperative to disable enumeration
of users and groups. For example, at a site that has 22,000 users in Active
Directory the winbind-based user and group resolution is unavailable
for nearly 12 minutes following first startup of winbind. Disabling enumeration
resulted in instantaneous response. The disabling of user and group
enumeration means that it will not be possible to list users or groups using
the getent passwd and getent group commands.*

What do you think about it?
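
An added example, not code from any poster in this thread or from the Samba project: it combines the uid/gid mount options suggested earlier with a by-name NSS lookup, which only needs a single-name query and so does not rely on the bulk listing that the enumeration options control. The function names `passwd_ids` and `cifs_opts` are hypothetical, and the passwd sample is constructed from the output shown above.

```shell
#!/bin/sh
# Build mount.cifs options for a domain account from its NSS passwd entry.

# Constructed sample in `getent passwd` format, modelled on the output in this thread.
SAMPLE_PASSWD='adolfo:x:1000:100:adolfo:/home/adolfo:/bin/bash
SIENIC\amartinez:*:10000:10000::/home/SIENIC/amartinez:/bin/bash'

# passwd_ids NAME [PASSWD_TEXT]
# Prints "UID:GID" for an exact match on the name field; returns 1 if no entry.
# Without PASSWD_TEXT it asks NSS for that single name, which winbind answers
# even when "winbind enum users" is left at No (only bulk listing is disabled).
passwd_ids() {
    if [ $# -ge 2 ]; then
        text=$2
    else
        text=$(getent passwd "$1") || return 1
    fi
    # read -r keeps the backslash in DOMAIN\user intact.
    ids=$(printf '%s\n' "$text" | while IFS=: read -r n _pw uid gid _rest; do
        if [ "$n" = "$1" ]; then printf '%s:%s\n' "$uid" "$gid"; break; fi
    done)
    [ -n "$ids" ] || return 1
    printf '%s\n' "$ids"
}

# cifs_opts SMB_USER NSS_NAME [PASSWD_TEXT]
# Prints an -o string that makes NSS_NAME the owner of the mounted tree, using
# the modes the share already forces (0660 files, 0770 directories), not 777.
cifs_opts() {
    ids=$(passwd_ids "$2" ${3+"$3"}) || {
        printf "cannot resolve '%s' through NSS; not mounting\n" "$2" >&2
        return 1
    }
    printf 'username=%s,uid=%s,gid=%s,file_mode=0660,dir_mode=0770\n' \
        "$1" "${ids%%:*}" "${ids##*:}"
}

# Usage against live NSS (as root; server and paths are the ones from the thread):
#   opts=$(cifs_opts amartinez 'SIENIC\amartinez') &&
#   mount -t cifs -o "$opts" //192.168.0.2/archivos1 /home/SIENIC/amartinez/recurso2
```

In the sample the bare name `amartinez` has no entry, while `SIENIC\amartinez` does, so the lookup has to use the name exactly as NSS presents it.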