[Bug 702265] [NEW] Error with overlapping idmap uids and gids

Jesús Martínez 702265 at bugs.launchpad.net
Thu Jan 13 09:08:06 UTC 2011 

Public bug reported:

Binary package hint: samba

I have set a samba domain with idmap ldap, this is my idmap config:

idmap config DOMAIN:backend = ldap
idmap config DOMAIN:readonly = no
idmap config DOMAIN:default = yes
idmap config DOMAIN:ldap_base_dn = ou=idmap,ou=baseou,dc=mydomain,dc=com
idmap config DOMAIN:ldap_user_dn = cn=admin,dc=mydomain,dc=com
idmap config DOMAIN:ldap_url = ldap://localhost
idmap config DOMAIN:range = 50000-59999

#idmap backend = ldap:ldap://localhost
idmap uid = 10000-19999
idmap gid = 10000-19999
#idmap gid = 20000-29999
idmap alloc backend = ldap
idmap alloc config : ldap_url = ldap://localhost
idmap alloc config:ldap_user_dn = cn=admin,dc=mydomain,dc=com
idmap alloc config : ldap_base_dn = ou=idmap,ou=baseou,dc=mydomain,dc=com
idmap alloc config:range = 50000-59999

Once I have set up this in smb.conf, I stop smbd service and restart winbind, then I issue "net sam provision" command, at this point everything is ok and the ldap is provisioned properly. As you know, the provision creates these users and groups:
        - Administrator -> UID=10000;GID=10001
        - nobody -> UID=65534;GID=65534
        - domguests -> GID=65534
        - domusers -> GID=10000
        - domadmins -> GID=10001

After that, I create a new user called usuprueba1, wich is created with
uid=10001 and gid=10000.

Also, I have set up a share called usuarios where the home directories of the users will be placed:
[Usuarios]
comment = Directorios home de los usuarios
path = /opt/usuarios
browseable = yes
directory mask = 0700
read only = no
valid users = %U
hide unreadable = yes
root preexec = /opt/scripts/crearHomes.sh %U

The "crearHomes.sh" script creates automatically the home folder of the
user, right into /opt/usuarios (i.e. /opt/usuarios/administrator or
/opt/usuarios/usuprueba1). This is also working perfectly.

as you can see, the home directories are created with 0700 mask, so,
they are only readable by the owner user.

The problem comes when I issue a smbclient command with user
administrator and usuprueba1 against Usuarios share, it shows me up the
both directories (administrator and usuprueba1)!

root at server:/opt/usuarios# smbclient '//SERVER/Usuarios' -c 'dir' -U 'usuprueba1'  -d 0  -W 'DOMAIN' -O 'TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192' -b 1200
Enter usuprueba1's password:
Domain=[SAMBA-SEF] OS=[Unix] Server=[Samba 3.4.7]
  .                                   D        0  Thu Jan 13 09:45:48 2011
  ..                                  D        0  Tue Dec 28 11:30:55 2010
  usuprueba1                          D        0  Thu Jan 13 09:19:14 2011
  administrator                       D        0  Wed Jan 12 14:14:39 2011

root at server:/opt/usuarios# smbclient '//SERVER/Usuarios' -c 'dir' -U 'usuprueba1'  -d 0  -W 'DOMAIN' -O 'TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192' -b 1200
Enter administrator's password:
Domain=[SAMBA-SEF] OS=[Unix] Server=[Samba 3.4.7]
  .                                   D        0  Thu Jan 13 09:46:48 2011
  ..                                  D        0  Tue Dec 28 11:30:55 2010
  usuprueba1                          D        0  Thu Jan 13 09:19:14 2011
  administrator                       D        0  Wed Jan 12 14:14:39 2011

I have checked permissions with ls -l and getfacl, these are the results:
root at server:/opt/usuarios# ls -l
total 44
drwx------ 2 administrator root  4096 2011-01-12 14:14 administrator
drwx------ 2         10001 root  4096 2011-01-13 09:19 usuprueba1

root at server:/opt/usuarios# getfacl administrator/ usuprueba1/
# file: administrator/
# owner: administrator
# group: root
user::rwx
group::---
other::---

# file: usuprueba1/
# owner: 10001
# group: root
user::rwx
group::---
other::---

I also have done a test in windows, login in with usuprueba1 user and checking permissions of both directories:
For usuprueba1 directory:
    usuprueba1 -> Total access
    root -> No permission
    domain users -> No permission

For administrator directory:
    domain users -> Total access
    root -> No permission
    domain admins -> No permission

As I can see with this results, the ACLs of administrator directory are
not ok, domain users should not appear, it would be administrator
instead, "casually" administrator has UID=10000 and Domain Users groups
has GID=10000, it makes me think that somehow, samba is confusing group
and user permissions.

I made another test, it was changing idmap gid values, and make it not
overlap with idmap uid values, this time it worked perfectly,
permissions were set properly and smbclient comand gave me the right
result.

Attached full smb.conf

** Affects: samba (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: idmap permission samba winbind

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in ubuntu.
https://bugs.launchpad.net/bugs/702265

Title:
  Error with overlapping idmap uids and gids

More information about the Ubuntu-server-bugs mailing list