HPE Community
Operating System - Linux
1840156 Members
3732 Online
110162 Solutions
New Discussion

Re: Samba ADS member, group permissions problem

 
SOLVED
Go to solution
Dave Falloon
Trusted Contributor

‎01-20-2005 12:21 PM

‎01-20-2005 12:21 PM

Samba ADS member, group permissions problem

I'm having trouble getting group permissions to work when I have winbind use default domain = yes, which is fairly necessary for a bunch of applications to work, ie. CVS, mail, some home made web apps.

Here's the technical background:

Debian Woody Box
Samba 3.0.10-1 deb package
Win2k AD
security = ADS

Here's the trouble, if I set up a share such as this:

[shared]
comment = Network Drive
path = /home/shared
valid users = @testgroup, @"DOMAIN+testgroup"
read only = no
browseable = yes

and I try to connect as my test user account, test which is in the test group as verified like so:

styx~# getent group |grep test
Domain Users:x:15002:test
testgroup:x:15010:test
styx~#

The primary group for the test user is domain users, the secondary group is testgroup. Thats all working, if I run id on test it shows all the groups:

styx:~# id test
uid=15000(test) gid=15002(Domain Users) groups=15002(Domain Users),15010(testgroup)

Here's were everything breaks down. If you connect to the share from a windows 2000 machine while logged in as test the password box pops telling me I'm denied access. Here is the auth log for the connection:

[2005/01/20 16:05:29, 2] smbd/service.c:make_connection_snum(314)
user 'DOMAIN+test' (from session setup) not permitted to access this share (shared)

So I thought hmm, I wonder if its failing because it thinks that DOMAIN+test is a different user than test. If I run id on the DOMAIN+test user I get this:

styx:~# id DOMAIN+test
uid=15000(test) gid=15002(Domain Users) groups=15002(Domain Users)

Same UID and same primary GID, but when searching the group file for the username DOMAIN+test, it rightfully finds no entries because winbind has stripped the domain from all users.

So the question of the day, is this a bug, and am I screwed?

--Dave
Clothes make the man, Naked people have little to no effect on society
0 Kudos
Reply
2 REPLIES 2
Ivan Ferreira
Honored Contributor

‎06-20-2005 08:32 AM

‎06-20-2005 08:32 AM

Solution

Re: Samba ADS member, group permissions problem

How are the filesystem permissions configured on /home/shared?
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Reply
Dave Falloon
Trusted Contributor

‎06-20-2005 10:35 AM

‎06-20-2005 10:35 AM

Re: Samba ADS member, group permissions problem

It was a winbind problem, I installed a patch that I got from a developer on the samba mailing list. The code was later included in the main source.

The filesystem in question used ext3 with posix ACL's. The ACL's work fine now.

Also don't use '+' for the domain delimiter character its a PITA for scripts later.

--Dave
Clothes make the man, Naked people have little to no effect on society
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.