FW: [Samba] force group parameter problem

Chris Wright cwright at itos.uga.edu
Thu May 8 14:12:40 GMT 2003


I accidentally replied to the individual instead of the message board when
I sent this the first time.

Chris Wright
Network Specialist
Information Technology Outreach Services (ITOS)
University of Georgia
(706) 542-1976
cwright at itos.uga.edu 


-----Original Message-----
From: Chris Wright 
Sent: Thursday, May 08, 2003 10:05 AM
To: 'John H Terpstra'
Subject: RE: [Samba] force group parameter problem

I tried setting the chmod g+s and the valid users = parameter, but it
still says access denied if I try to connect.


>When you do a "force group" or "force user" you are telling samba to make
>the current Windows user to have the rights of the group you are forcing it
>to

Isn't that what I want to do?  If I do not force the windows user to a
specific group, their connection from a windows client will use only
their primary group which does not give them permissions to the share.
They need to be forced into using the permissions of a secondary group.

From the earlier example, user bob is a member of both marketing and
sales.  His primary group is marketing.  If he tries to connect to a
samba share where only the sales group has permissions, he is denied
access even though he is a member of the group.  To me it looks as if
when he connects to the share, he is connecting as marketing and not
sales.  Am I confused about that?


Chris Wright
Network Specialist
Information Technology Outreach Services (ITOS)
University of Georgia
(706) 542-1976
cwright at itos.uga.edu 


-----Original Message-----
From: John H Terpstra [mailto:jht at samba.org] 
Sent: Wednesday, May 07, 2003 2:57 PM
To: Chris Wright
Cc: samba at lists.samba.org
Subject: Re: [Samba] force group parameter problem

Chris,

You need to become more familiar with Unix file and directory permissions
handling.

The simple solution is:

On /sales set owner and group as you want. Let's say chrisw is the owner
and sales is the group.

	chown -R chrisw.sales /sales

Next set the SGID bit on the directory:

	chmod g+s /sales

This means that all files in the directory will be created with group
sales.

Now make sure that your create mask is set correctly, or the force create
mode is set correctly in your smb.conf.

ie: force create mode = 0550

Note: You probably do NOT want to set the Unix execute bits on a file that
can not be executed in Unix! But you should familiarise yourself with the
"map system", "map archive", "map hidden" parameters which do use the
three unix execute bits.

Lastly, in your share definition you could put "valid users = +sales"


When you do a "force group" or "force user" you are telling samba to make
the current Windows user to have the rights of the group you are forcing it
to, or in the case of "force user" you are causing Samba to behave as if
the user is actually the name being forced. This is NOT what you want if
you want to not allow Mary (who is not a member of sales) access to the
files.

Note: You can also set up an Access Control List on the Share itself using
the Server Manager from MS Windows (this is part of the Nexus toolkit that
is available from Microsoft's Web site), or from MS Windows 200x or XP you
can do this from the Microsoft Management Console.

- John T.


On Wed, 7 May 2003, Chris Wright wrote:

> Hello.  I'm having some trouble with the force group parameter in the
> smb.conf file.  I'm running samba 2.2.8a on RedHat 9.
>
> The smb.conf file has the following entries:
>
> [sales]
>             comment = Sales Share
>             path = /sales
>             public = no
>             writable = yes
>             create mask = 0770
>             directory mask = 0770
>             force group = +sales
>
> The UNIX permissions on /sales are 770.
>
> User bob has a primary UNIX group of marketing and a secondary group of
> sales.  The command "groups bob" shows that he IS a member of both
> groups.  When he tries to connect, however, access is denied.  The log
> file reads:
>
> [2003/05/07 13:38:17, 0] smbd/service.c:set_current_service(60)
>   chdir (/sales) failed
>
> If I change the force group entry to "force group = sales", then bob can
> connect and create files and folders.  Further, an ls -l on the file
> shows:
>
> -rwxrw----  1 bob  sales  0 May  7 08:40 filename
>
> With this configuration, the user sue, who is not a member of sales and
> therefore should not have access to the files, can also create and edit
> files on the share.
>
> -rwxrw----  1 sue  sales  0 May  7 08:45 suesfile
>
> If I understood the smb.conf man page correctly, the "force group =
> sales" line is functioning correctly because it changes the user's
> primary group to sales, giving them the rwx permissions on the share
> regardless of whether or not the user is in the sales group.  The line
> "force group = +sales" should allow bob to connect with rwx because he
> actually IS a member of sales, but deny sue because she is not a member
> of sales.
>
> Does anybody have any ideas on how to get this to work?  Any help would
> be greatly appreciated.  Thank you.
>
> Chris Wright
> Network Specialist
> Information Technology Outreach Services (ITOS)
> University of Georgia
> (706) 542-1976
> cwright at itos.uga.edu

-- 
John H Terpstra
Email: jht at samba.org

