I ran into a problem today which surprised me, and after two hours of reading and testing I am more confused than ever, so I feel the need for a sanity check. It would be good to have a clear and authoritative article about this somewhere; I thought it would be in either "Using Samba" or in the HOWTO, but I don't see it there.
I am using Samba in several installations in homes and small businesses that are all Windows desktops (typically XP Home edition) and Linux servers (typically Fedora Core 8), and I use the Linux user database (/etc/passwd + /etc/shadow) as the primary authentication. To make this work, I edit the Windows registry to set EnablePlainTextPasswd=1. (Why? When I started setting these systems up, it was Windows 95, so there was no authentication on the Windows side. To make use of Windows administration tools, you need Windows XP Pro on the desktops, and need to learn lots of Windows stuff. My background is Unix, so that seems like unnecessary money to give to Microsoft, plus a large learning curve.)

In my standard setup, I create a Unix user group for each SMB share (the shares reflect functional data groupings) and set up Unix groups of the users allowed write access to each share, and in each share I make the tree of directories owned by and writeable by that group, with a set-group bit to propagate that group ownership. Unfortunately, the group-write permission will not propagate that way, so a cron job runs twice a day to set group-write on all directories within the tree of each share. This has worked really well for a long time.

Today, suddenly I see that a Windows user cannot write to directories that are not owned by him. It appears that the SAMBA proxy does not get to use the group privilege. It may in fact only have the user's PRIMARY group affiliation, not the secondary ones derived from the definitions in /etc/group. This is quite painful.

Once I lost confidence, I started looking for places that documented how the various definitions of access rights interact with each other, in particular the interaction of Unix group rights versus Samba userids (write list, admin users etc). Since the primary documents are not clear, I find that various user-written notes on the web found by Google have conflicting and often downright wrong information on the topic.
My testing of this is hampered by me not knowing how much information is cached in the SMB daemon and in the Windows redirector; i.e. when I make changes to smb.conf, do I need to "sudo service smb restart"? Do I need to reboot the Windows client? To log out and back in on Windows? To disconnect the network drive from the share?

The server where this problem surfaced runs samba-3.0.28a-0.fc8 and I think yum updated this quite recently. Is it likely that the behavior changed in a recent Samba update? Is there a good source of documentation that I just plain overlooked? Should I be using a different mechanism to set up the access rights?

/ Lars Poulsen
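
The setgid and group-write sweep described in the message above, together with a check of a user's primary and secondary groups as the server's account database reports them, as an added example that is not part of the original post. The function names are hypothetical, and the share path, group and user names are whatever the caller passes in.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are
# hypothetical; share roots, groups and users are supplied by the caller.

# List directories under a share root that lack the setgid bit or the
# group-write bit (octal 2020 = setgid + group write).
audit_share() {
    find "$1" -type d ! -perm -2020 -print
}

# The sweep the cron job performs, limited to directories that need it.
fix_share() {
    find "$1" -type d ! -perm -2020 -exec chmod g+ws {} +
}

# Succeeds if the account database (/etc/passwd, /etc/group via NSS) lists
# GROUP among USER's primary or secondary groups.
# Assumption: group names contain no spaces.
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$2"
}

# Report for one share: how many directories are out of policy, and
# whether each named user is in the share's group.
# usage: check_share ROOT GROUP USER...
check_share() {
    root=$1 group=$2
    shift 2
    bad=$(audit_share "$root" | wc -l | tr -d ' ')
    echo "$root: $bad directories missing setgid or group-write"
    for u in "$@"; do
        if user_in_group "$u" "$group"; then
            echo "  $u: member of $group"
        else
            echo "  $u: NOT a member of $group"
        fi
    done
}
```

Running `check_share` on the server before and after a change separates a filesystem or /etc/group problem from one in how the Samba session was set up, since it looks only at the Unix side.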