[Samba] Non primary group permissions not working
Hi, I'm having a major problem here. We are running Samba 3.5.11 on Debian Squeeze. Authentication is via ADS When I create a directory with group rwx access I cannot access that directory through Windows or smbclient unless that group is my primary group. If I'm a member of the group (but it's not my primary), I can't access it. If I ssh to the server it works AOK Here's me and my groups on the samba server cfowler@staffpgstore:~$ id -Gn staff sss scssadmin scssunixadmin BUILTIN\users Here's my testcase. $ ls -ld testcase/ drwxrwx--- 2 wwwowner scssadmin 4096 Nov 4 09:28 testcase/ I can easily access this directory as a user on the sever. This makes sense as I'm in the scssadmin group. Here's what happens when I try to get in via smbclient from a Linux workstation $ smbclient //staffpgstore/cfowler -U itserv/cfowler Enter itserv/cfowler's password: Domain=[ITSERV] OS=[Unix] Server=[Samba 3.5.11] smb: \> cd testcase smb: \testcase\> dir NT_STATUS_ACCESS_DENIED listing \testcase\* 64507 blocks of size 33553920. 50979 blocks available Atemmpting to access the directory in Windows gives me "Windows cannot access." "You do not have permission" Here's my smb.conf [global] workgroup = ITSERV realm = ITSERV.SCSS.TCD.IE security = ADS password server = zeus.itserv.scss.tcd.ie log level = 3 passdb:10 auth:10 winbind:10 vfs:10 idmap:10 acls:10 log file = /var/log/samba/samba.log.%m unix extensions = No idmap uid = 900 - 999 idmap gid = 900 - 999 winbind cache time = 5 winbind enum users = Yes winbind enum groups = Yes winbind use default domain = Yes winbind nss info = rfc2307 winbind refresh tickets = Yes winbind offline logon = Yes idmap alloc config: range = 1000-40 idmap config ITSERV: range = 1000-40 idmap config ITSERV: schema_mode = rfc2307 idmap config ITSERV: backend = ad admin users = administrator wide links = Yes [homes] comment = Home directories (%h) read only = No create mask = 0700 inherit acls = Yes browseable = No ANY help at all would be much appreciated. I'm pulling my hair out here! -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Non-primary group permissions
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 gibbs, simon wrote: | Hi, | | I have a problem that if I set a file or directory group owner, users | that are members of this group cannot access it unless this is | their primary group. | | This is using samba 3.0.2a - all user and group info is coming from | winbind. Just out of curiousity, could you try the patch included at https://bugzilla.samba.org/show_bug.cgi?id=1165. Mail me directly and let me know if that works. Thanks. cheers, jerry - -- Hewlett-Packard- http://www.hp.com SAMBA Team -- http://www.samba.org GnuPG Key http://www.plainjoe.org/gpg_public.asc "If we're adding to the noise, turn off this song" --Switchfoot (2003) -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFAUJAWIR7qMdg1EfYRAsCYAJ9P0jF60mtsvk//lHJ/XFW4YiqQgQCdHzqD JHjMOVOnXBCSSgH4C/4l2Co= =sFyN -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Non-primary group permissions
Hi, I have a problem that if I set a file or directory group owner, users that are members of this group cannot access it unless this is their primary group. This is using samba 3.0.2a - all user and group info is coming from winbind. I've tried using the setgid bit so users run with the permission of the group that owns the directory but this only works if the permissions are set to 2777 which is effectively allowing any user access with the setgid group permission. I could use the 'force group' option on the share, but this still means that only one group can be of any use for that share which isn't practical. Is this expected behaviour or is something going wrong? Thanks, Simon Here's my smb.conf: # Global parameters [global] workgroup = DOMAINNAME realm = KERBEROS.REALM server string = data-cl2a samba server security = DOMAIN password server = kerberosserver.domain idmap uid = 1-2 idmap gid = 1-2 template shell = /bin/bash winbind separator = / [Data] comment = Test Data Dir path = /Data read only = No The information contained in this email message may be confidential. If you are not the intended recipient, any use, interference with, disclosure or copying of this material is unauthorised and prohibited. Although this message and any attachments are believed to be free of viruses, no responsibility is accepted by Informa for any loss or damage arising in any way from receipt or use thereof. Messages to and from the company are monitored for operational reasons and in accordance with lawful business practices. If you have received this message in error, please notify us by return and delete the message and any attachments. Further enquiries/returns can be sent to [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
winbind users/group in smb.conf [was Re: [Samba] non-primary group permissions]
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mike Dawson wrote: | I can get rid of the problem it seems by setting: | winbind use default domain = no | | There's a bugzilla entry here: | https://bugzilla.samba.org/show_bug.cgi?id=336 Just to clarify, in Samba 3.0 we taking the position that winbind users/groups in smb.conf must always be full qualified. So things like write list = +'Domain Admins' will not work if what you really meant was write list = +'FOO\Domain Admins' And the issue with secondary groups and 'winbind use default domain = yes' is actually https://bugzilla.samba.org/show_bug.cgi?id=406 which has been fixed. cheers, jerry |> -Original Message- |> I have a problem that if I set a file or directory group owner, users |> that are members of this group can still not access it unless this is |> their primary group. |> |> This is using samba 3.0rc3, all user and group info is coming from |> winbind and permissions work as expected when using a linux shell but |> not from a windows client. |> |> The problem goes away if I use the 'force group' option on the share, |> but this still means that ony one group can be of any use for that |> share. Is this expected behaviour or is something going wrong? ~ -- ~ Hewlett-Packard- http://www.hp.com ~ SAMBA Team -- http://www.samba.org ~ GnuPG Key http://www.plainjoe.org/gpg_public.asc ~ "If we're adding to the noise, turn off this song" --Switchfoot (2003) -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/0J7DIR7qMdg1EfYRAkD8AJ9a4Sdj/Lk8hJHRlAo4k3uo9hyZTgCgoZ+N Lqi65qPQ9f+9mGnZNAWxi1s= =K/8M -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] non-primary group permissions
I can get rid of the problem it seems by setting: winbind use default domain = no There's a bugzilla entry here: https://bugzilla.samba.org/show_bug.cgi?id=336 Mike Allen Bolderoff wrote: Did you get any answer on this? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Dawson Sent: Thursday, 11 September 2003 8:40 PM To: [EMAIL PROTECTED] Subject: [Samba] non-primary group permissions Hi, I have a problem that if I set a file or directory group owner, users that are members of this group can still not access it unless this is their primary group. This is using samba 3.0rc3, all user and group info is coming from winbind and permissions work as expected when using a linux shell but not from a windows client. The problem goes away if I use the 'force group' option on the share, but this still means that ony one group can be of any use for that share. Is this expected behaviour or is something going wrong? Thanks Mike pgp0.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] non-primary group permissions
Please provide your smb.conf file and details on how to reproduce the problem. - John T. On Wed, 26 Nov 2003, Allen Bolderoff wrote: > Did you get any answer on this? > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Mike > Dawson > Sent: Thursday, 11 September 2003 8:40 PM > To: [EMAIL PROTECTED] > Subject: [Samba] non-primary group permissions > > Hi, > > I have a problem that if I set a file or directory group owner, users > that are members of this group can still not access it unless this is > their primary group. > > This is using samba 3.0rc3, all user and group info is coming from > winbind and permissions work as expected when using a linux shell but > not from a windows client. > > The problem goes away if I use the 'force group' option on the share, > but this still means that ony one group can be of any use for that > share. Is this expected behaviour or is something going wrong? > > Thanks > Mike > > > -- John H Terpstra Email: [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] non-primary group permissions
Did you get any answer on this? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Dawson Sent: Thursday, 11 September 2003 8:40 PM To: [EMAIL PROTECTED] Subject: [Samba] non-primary group permissions Hi, I have a problem that if I set a file or directory group owner, users that are members of this group can still not access it unless this is their primary group. This is using samba 3.0rc3, all user and group info is coming from winbind and permissions work as expected when using a linux shell but not from a windows client. The problem goes away if I use the 'force group' option on the share, but this still means that ony one group can be of any use for that share. Is this expected behaviour or is something going wrong? Thanks Mike -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] non-primary group permissions
Mike, CAn you document a test case and then file a bug with https://bugzilla.samba.org please. - John T. -- John H Terpstra Email: [EMAIL PROTECTED]Hi, I have a problem that if I set a file or directory group owner, users that are members of this group can still not access it unless this is their primary group. This is using samba 3.0rc3, all user and group info is coming from winbind and permissions work as expected when using a linux shell but not from a windows client. The problem goes away if I use the 'force group' option on the share, but this still means that ony one group can be of any use for that share. Is this expected behaviour or is something going wrong? Thanks Mike pgp0.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] non-primary group permissions
Hi, I have a problem that if I set a file or directory group owner, users that are members of this group can still not access it unless this is their primary group. This is using samba 3.0rc3, all user and group info is coming from winbind and permissions work as expected when using a linux shell but not from a windows client. The problem goes away if I use the 'force group' option on the share, but this still means that ony one group can be of any use for that share. Is this expected behaviour or is something going wrong? Thanks Mike pgp0.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba