
CIFS Winbind ACL secondary groups

Frido Roose_1
Occasional Advisor

I'm trying to set up a CIFS share for a CIFS A.02.04 domain member (ADS) using HP-UX 11.31. Winbind is working fine.

However, it seems that secondary groups are ignored in ACLs. I can set the ACL with, e.g.:
# setacl -m group:DOMAIN\\somegroup:rwx

But the access is still denied. In this example somegroup is a secondary group when running:
# id \\DOMAIN\user

Is this a configuration issue or rather a bug?

Thanks for any ideas!
3 REPLIES
eric roseme
Respected Contributor

Re: CIFS Winbind ACL secondary groups

Probably a config issue. Use this whitepaper and go to Appendix C. This particular example is for Unified Login, but most of the config stuff applies to winbind too. What you are probably missing is the group mapping step. I have set this up for pretty much all Samba 3 versions with CIFS Server, so it's gotta be a config issue.

http://docs.hp.com/en/16322/CIFSUnifiedLoginV2.pdf

Eric Roseme
Frido Roose_1
Occasional Advisor

Re: CIFS Winbind ACL secondary groups

Thanks for your reply and the interesting document. I followed the information in appendix C, and added a mapping:

# wbinfo -G 32868
# net groupmap add sid=-2868 ntgroup=gl_informatica type=domain unixgroup=gl_informatica
Successfully added group gl_informatica to the mapping db as a domain group
# net groupmap list
gl_informatica (-2868) -> gl_informatica

Then I set the ACL for gl_informatica to rwx:

# getacl new.txt
# file: new.txt
# owner: root
# group: root
user::rwx
group::rwx
group:gl_informatica:rwx
group:dba:rwx
class:rwx
other:r--

When I try to modify new.txt with a domain user, not belonging to any other group except for gl_informatica, the user is denied write access from a Windows client... It seems the ACL is ignored.

# strings /var/opt/samba/locks/group_mapping.tdb
TDB file
INFO/version
UNIXGROUP/S--2868
gl_informatica
Domain Unix group

I will go on reading the documentation to see if something else is missing...
eric roseme
Respected Contributor

Re: CIFS Winbind ACL secondary groups

Any chance that your user is a member of more than 20 groups? If so then you may need the ngroups_max enhancement to 11.31 that was released in 0908 (to allow 1024 groups per user).
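A quick way to check the two things this thread turns on, whether the mapped group actually appears in the user's group list and whether that list is over the classic 20-group limit, as an added example that is not part of the thread. It works on the text of `id` output, and the sample lines below are constructed, not captured from a real system.

```sh
#!/bin/sh
# Added example: inspect id(1) output for a winbind-mapped domain user.
# Constructed sample (uid/gid values invented; gl_informatica and dba are
# the group names used in the thread).
SAMPLE_ID='uid=32800(DOMAIN\user) gid=32800(domain users) groups=32800(domain users),32868(gl_informatica),32870(dba)'

# Constructed sample with 21 groups, to exercise the over-limit case.
MANY_GROUPS_ID="uid=1(u) gid=1(g1) groups=$(i=1; while [ $i -le 21 ]; do printf '%s(g%s),' $i $i; i=$((i+1)); done | sed 's/,$//')"

# Print the groups= field of one line of id(1) output, one group per line.
list_groups() {
    printf '%s\n' "$1" | sed 's/.*groups=//' | tr ',' '\n'
}

# Print how many groups the line lists (primary group is included by id).
count_groups() {
    list_groups "$1" | grep -c .
}

# Exit 0 if the named group is present in the list, 1 otherwise.
has_group() {
    list_groups "$1" | grep -q "($2)\$"
}

# Report on one user: is the expected group in the token, and is the
# group count within the 20-group limit the thread mentions (the 11.31
# ngroups_max enhancement raises it to 1024). Returns 2 when over the limit.
check_user() {
    n=$(count_groups "$1")
    if has_group "$1" "$2"; then
        printf 'group %s: present\n' "$2"
    else
        printf 'group %s: MISSING from the group list\n' "$2"
    fi
    if [ "$n" -gt 20 ]; then
        printf '%s groups: exceeds the 20-group limit\n' "$n"
        return 2
    fi
    printf '%s groups: within the 20-group limit\n' "$n"
    return 0
}

check_user "$SAMPLE_ID" gl_informatica
```

On a real host, replace `SAMPLE_ID` with the output of `id` for the domain user (the `\\DOMAIN\user` form from the question) and compare the result with `net groupmap list`.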