KB-2375: Unable to access samba share with Unix group permissions

Centrify DirectControl, Centrify DirectControl Plugins

12 April,16 at 11:08 AM

Applies to: CentrifyDC-Samba-3.6.5 on all platforms
 

Problem:
User with Unix group permissions is unable to access samba share.

For example, in a Samba share, a file called "testing" is created. 

Running "ls -al" shows

-rw-r-----.  1 root        entsa             3028 Nov 22 09:38 testing

A user, who is a member of the group "entsa", logs into the Samba client machine and tries to open the file "testing" on the Samba share. 

This user should be able to open the file, as he is a member of the group "entsa", which has READ permission on this file.

However, the user’s access is denied.
 

Cause:

ID mapping changed in stock Samba-3.6.5.

When it wants to convert sids to uids/gids, it does not send the WINBINDD_SID_TO_UID/WINBINDD_SID_TO_GID request to winbindd, but instead it sends a WINBINDD_SIDS_TO_XIDS request.

Since adbindd is waiting to intercept WINBINDD_SID_TO_UID/WINBINDD_SID_TO_GID requests only, and does not intercept WINBINDD_SIDS_TO_XIDS requests, the ID mapping task is passed back to winbindd.

If a user accesses shared files via Samba, the user's gid comes from winbind, not from adclient.

The gid coming from winbindd does not match the gid that has permission to access the file, and thus the user is unable to access the file.
 

Workaround:

Stop adbindd and winbindd so that all user and group lookups go through NSS.

A temporary fix is to modify the startup script of Centrifydc-Samba so that it will not start up winbindd and adbindd, and then restart Centrifydc-Samba:

1. Open up the Centrifydc-Samba startup script for editing:

vi /etc/init.d/centrifydc-samba

2. In the script, comment out the 6 lines shown below to prevent winbindd and adbindd from starting up together with Centrifydc-Samba:

case "$cmd" in
    start)
        start nmbd
#      start winbindd
#      start adbindd
        start smbd
        ;;
    stop)
        stop smbd
        stop adbindd
        stop winbindd
        stop nmbd
        ;;
    status)
        status nmbd
        status winbindd
        status adbindd
        status smbd
        RETVAL=$?
        ;;
    restart|reload)
        stop smbd
        stop adbindd
        stop winbindd
        stop nmbd
        start nmbd
#      start winbindd
#      start adbindd
        start smbd
        ;;
    condrestart)
        cond_restart nmbd
#      cond_restart winbindd
#      cond_restart adbindd
        cond_restart smbd
        ;;
    *)

3.  Restart Centrifydc-Samba to stop winbindd and adbindd (keeping only nmbd and smbd running):

/etc/init.d/centrifydc-samba restart

4.  Try to access the Samba share. It should now be successful.
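
One way to confirm the edit from step 2 before restarting, added here as an example and not part of Centrify's article or tooling: the shell functions below list every uncommented start or cond_restart line for winbindd or adbindd in an init script. The function names and the sample script are constructed for illustration.

```shell
#!/bin/sh
# Added example: find lines in a centrifydc-samba style init script that would
# still launch winbindd or adbindd. stop/status lines are ignored, matching the
# edited script in the article, which leaves them untouched.

# Print "lineno:text" for each uncommented start/cond_restart of either daemon.
active_idmap_starts() {
    # $1 = path to the init script
    awk '
        /^[ \t]*#/ { next }    # commented-out lines cannot start anything
        /^[ \t]*(start|cond_restart)[ \t]+(winbindd|adbindd)([ \t]|;|$)/ {
            sub(/^[ \t]+/, "")
            print NR ":" $0
        }
    ' "$1"
}

# Return 0 only when no active launch lines remain (workaround fully applied).
workaround_applied() {
    [ -z "$(active_idmap_starts "$1")" ]
}

# Constructed sample: the restart branch was edited but the start branch was missed.
write_sample_script() {
    cat > "$1" <<'EOF'
case "$cmd" in
    start)
        start nmbd
        start winbindd
        start adbindd
        start smbd
        ;;
    restart|reload)
        stop smbd
        stop adbindd
        start nmbd
#      start winbindd
#      start adbindd
        start smbd
        ;;
esac
EOF
}

# Stand-alone use: pass the script path, e.g. /etc/init.d/centrifydc-samba
if [ -n "${1:-}" ]; then active_idmap_starts "$1"; fi
```

Any line it prints is one of the six that still needs commenting out; empty output means the restart in step 3 will bring up only nmbd and smbd.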

 

Resolution:
This issue is fixed in CentrifyDC-Samba-3.6.9 or higher. To verify the Centrify Samba version on Linux, run 'rpm -qa | grep -i centrify'.
