[Samba] Samba ignores groups for ACL !


Neuwald, Björn

Sep 26, 2006, 8:40:09 AM
Hello, I hope you guys can help me.
This is the first time I write to the list. Sorry about my English...

I got a Solaris 10 machine and installed "samba 3.0.2.3c" with "openldap 2.3.2.1", "openssl 0.9.8" and "gcc 3.4.6".

I configured Kerberos and all the other things. All good.

I added the Samba server (Solaris 10) to an Active Directory domain
with "kinit ...." and then "net ads join" and so on.
All worked well.

Then I configured my smb.conf via the SWAT web console.
I created a share that was named "all".
In SWAT I added the AD group "MyDomain\group_alpha" to the "valid users" option.

After this I mounted the share on my Windows XP machine.
The user on the Windows XP machine is in the group "MyDomain\group_alpha".
All good.

I can access and create folders .....

Now I created 2 folders on my Solaris machine in my Samba share folder "all".
Folders: Permissions Owner Acl
1. "folderA" with rwxrwx--- root root group: group_beta:rwx
2. "folderB" with rwxrwx--- root root group: group_gama:rwx

After this I added the group "group_beta" to the first folder via "setfacl -m g:MyDomain\\group_beta:rwx folder_a".
I did the same with the folder "folderB": I added the group "group_gama" (rwx).

Now I am at the Windows machine; my user "winuser" mounted the Samba share.
So, "winuser" is a member of the valid share user group "group_alpha"; all AD users are members of this group.
On the two other folders in the share I added permissions for two other groups.
So I, as "winuser", should have rights to read, write and execute in "folderA", because "winuser" is also a member of "group_beta", but I don't have permissions for "folderB".

My problem now is that I cannot enter "folderA" or "folderB"!
(Windows prompt: I don't have permissions for this..)

The same scenario with adding "users" directly, without "group", works.

So I think that Samba ignores my supplementary groups for ACL!!!

I googled a lot for this problem, but found no solution.

Help me ;)



Ciao, Björn

Felipe Augusto van de Wiel

Sep 29, 2006, 9:30:13 AM

On 09/26/2006 09:25 AM, Neuwald wrote:
> Hello, I hope you guys can help me.

Let's try. :)


> This is the first time I write to the list. Sorry about my
> English...

No problem.


> I got a Solaris 10 machine and installed "samba 3.0.2.3c" with
> "openldap 2.3.2.1", "openssl 0.9.8" and "gcc 3.4.6".

Just for the sake of logs, it is 3.0.23c and 2.3.21.


> I configured Kerberos and all the other things. All good.

Do "all the other things" include the groupmaps?


> I added the Samba server (Solaris 10) to an Active Directory domain
> with "kinit ...." and then "net ads join" and so on.
> All worked well.

OK, so your Samba server is a member server of an AD.


> Then I configured my smb.conf via the SWAT web console.
> I created a share that was named "all".
> In SWAT I added the AD group "MyDomain\group_alpha" to the
> "valid users" option.


> After this I mounted the share on my Windows XP machine.
> The user on the Windows XP machine is in the group "MyDomain\group_alpha".
> All good.
>
> I can access and create folders .....
>
> Now I created 2 folders on my Solaris machine in my Samba share folder
> "all".
> Folders: Permissions Owner Acl
> 1. "folderA" with rwxrwx--- root root group: group_beta:rwx
> 2. "folderB" with rwxrwx--- root root group: group_gama:rwx
>
> After this I added the group "group_beta" to the first folder via
> "setfacl -m g:MyDomain\\group_beta:rwx folder_a".
> I did the same with the folder "folderB": I added the group "group_gama"
> (rwx).

I hope that the above commands are really right, because you
said folder_a but the name of the folder is "folderA".


> Now I am at the Windows machine; my user "winuser" mounted the Samba
> share.
> So, "winuser" is a member of the valid share user group "group_alpha";
> all AD users are members of this group.
> On the two other folders in the share I added permissions for two
> other groups.
> So I, as "winuser", should have rights to read, write and execute in
> "folderA", because "winuser" is also a member of "group_beta",
> but I don't have permissions for "folderB".


> My problem now is that I cannot enter "folderA" or "folderB"!
> (Windows prompt: I don't have permissions for this..)

Ok, we will need the smb.conf and a log when you are trying
to access the share (increase the loglevel/debuglevel, please).


> The same scenario with adding "users" directly, without "group",
> works.

Sounds like an ACL problem with regards to groups from AD.


> So I think that Samba ignores my supplementary groups for ACL!!!

Maybe...


> I googled a lot for this problem, but found no solution.
> Help me ;)
> Ciao, Björn


Kind regards,

--
Felipe Augusto van de Wiel <fel...@paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/ Phone: (+55 41 3350 3300)

Peter Trifonov

Oct 12, 2006, 3:00:17 AM
Hi,

> Then I configured my smb.conf via the SWAT web console.
> I created a share that was named "all".

What are the Unix permissions on this directory?

> After this I mounted the share on my Windows XP machine.
> The user on the Windows XP machine is in the group
> "MyDomain\group_alpha".
> All good.
>
> I can access and create folders .....
>
> Now I created 2 folders on my Solaris machine in my Samba share folder
> "all".
> Folders: Permissions Owner Acl
> 1. "folderA" with rwxrwx--- root root group: group_beta:rwx
> 2. "folderB" with rwxrwx--- root root group: group_gama:rwx

> So I, as "winuser", should have rights to read, write and execute
> in "folderA", because "winuser" is also a member of
> "group_beta", but I don't have permissions for "folderB".
>
> My problem now is that I cannot enter "folderA" or "folderB"!
> (Windows prompt: I don't have permissions for this..)

Could you please run the following commands on your Unix box:

# id winuser
# wbinfo -r winuser

and post here the output?

With best regards,
P. Trifonov

Peter Trifonov

Oct 12, 2006, 4:50:09 AM
Hi,

> Here is the Output:
>
> bash-3.00# id NTBV+neuwald
> uid=5000(NTBV+neuwald) gid=5006(NTBV+dom+nnen-benutzer)
>
> bash-3.00# /usr/local/samba/bin/wbinfo -r NTBV+neuwald
> 5001
> 5002
> 5003
> 5004


This looks like another instance of this bug:
https://bugzilla.samba.org/show_bug.cgi?id=3990
The problem is that the group membership information is lost somewhere on
the way from winbind to the Unix kernel.
It started with version 3.0.23.
Could you please add a comment to that bug report describing your case?
This should bring this problem to the attention of the Samba developers.
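
The comparison made in the last two messages, written as a script. This is an added example, not part of the thread or of Samba: it lists the GIDs that `wbinfo -r` reports for a user but that are absent from the `id` output. The helper names `gids_from_id` and `missing_gids` are hypothetical; the sample values are the ones quoted above.

```shell
#!/bin/sh
# Constructed sample input, copied from the output quoted in this thread.
SAMPLE_ID='uid=5000(NTBV+neuwald) gid=5006(NTBV+dom+nnen-benutzer)'
SAMPLE_WBINFO='5001
5002
5003
5004'

# gids_from_id (hypothetical helper): print every numeric GID found in
# `id`-style output, i.e. the gid= field plus any groups= list.
gids_from_id() {
    printf '%s\n' "$1" | tr ' ,' '\n\n' | sed -n \
        -e 's/^gid=\([0-9][0-9]*\).*/\1/p' \
        -e 's/^groups=\([0-9][0-9]*\).*/\1/p' \
        -e 's/^\([0-9][0-9]*\)(.*/\1/p' | sort -un
}

# missing_gids (hypothetical helper): GIDs that winbind resolves for the
# user ($2, `wbinfo -r` output) but that the OS view ($1, `id` output)
# does not contain. Those groups cannot match a group ACL entry.
missing_gids() {
    known=" $(gids_from_id "$1" | tr '\n' ' ')"
    out=""
    for g in $2; do
        case "$known" in
            *" $g "*) ;;
            *) out="${out:+$out }$g" ;;
        esac
    done
    printf '%s' "$out"
}

# With a user name as argument, query the live system; otherwise use the
# sample. Solaris /usr/bin/id lists supplementary groups only with -a.
if [ $# -gt 0 ]; then
    id_out=$(id -a "$1")
    wb_out=$(wbinfo -r "$1")
else
    id_out=$SAMPLE_ID
    wb_out=$SAMPLE_WBINFO
fi
lost=$(missing_gids "$id_out" "$wb_out")
if [ -n "$lost" ]; then
    echo "winbind GIDs missing from id output: $lost"
else
    echo "all winbind GIDs are present in id output"
fi
```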
