Jeremy Allison wrote:
> On Wed, Jun 28, 2006 at 10:40:38AM +1000, Adam Nielsen wrote:
>>> Here's the problem, a member of 'CATNET\adm staff' cannot access a
>>> file for which 'CATNET\adm' has r/w access
>>> (group:CATNET\134adm:rwx). But if
>> FWIW, this works here (Samba 3.0.21rc2), but I did need 'winbind nested
>> groups = yes' first. I don't seem to have changed much else in
>> smb.conf that might affect this.
>
> Ah, glad we're fixing bugs moving forward :-).
>
>> This however, *doesn't* work. Running 'id' only tells me I'm a member
>> of "DOMAIN\domain users" but it doesn't list *any* other groups I'm a
>> member of.
>>
>> But Samba still gives me access if a group containing a group
>> containing me has permission.
>
> smbd has backdoors into winbindd that other processes don't.
> Still, I thought 'winbind nested groups' expanded for NSS
> groups - maybe not. I'd need to look at the code to be sure.
>
> Jeremy.

The simple scenario that I can't get to work (with nested groups = yes)
is one where a directory's group ownership is one that my user account
is a member of, but not my primary group.

Chgrp'ing the directory to my primary group ("Domain Users") will allow
changes.
Changing it to a secondary ("LTI_Dev Domain_Users") prohibits change.

# smbcacls //ma21cab5/data foo -U gdunn01
Password:
REVISION:1
OWNER:MA21CAB5\root
GROUP:HARRIS\lti_domain users_dev
ACL:MA21CAB5\root:ALLOWED/0/FULL
ACL:HARRIS\lti_domain users_dev:ALLOWED/0/FULL
ACL:\Everyone:ALLOWED/0/READ

# pw groupshow "LTI_domain users_dev"
LTI_domain users_dev:*:190045:[snip],gdunn01,[snip]

ma21cab5# getfacl foo
#file:foo
#owner:0
#group:190045
user::rwx
group::rwx
mask::rwx
other::r-x

ma21cab5# ls -ld foo
drwxrwxr-x+ 3 root lti_domain users 512 Jun 28 12:34 foo

ma21cab5# smbstatus
Samba version 3.0.22
PID Username Group Machine
---
45058 gdunn01 Domain Users dev-gdunn(137.237.160.74)

FreeBSD 5.3