[Samba] sub-directory permissions and active directory group membership
Joey Officer
JOfficer at istreamfs.com
Mon Aug 3 11:42:42 MDT 2009
I'm not sure where the problem is, but security group membership and
access to sub-directories is giving me fits.

Take 2 unique security groups as an example, group1 and group2. If within
my top level share there is a directory labeled marketing and a second
directory labeled legal, where group1 and group2 are assigned to
marketing and legal respectively, then the group1 members should not be
able to get into Legal and group2 should not get into Marketing.

I have 1 working example, the IT folder (as an example). The problem I am
facing, however, is subsequent new folders.

In this specific problem, I created 2 new directories in
/other/sambashares/public/joey labeled group1 and group2. I updated the
ACL on the directory for group1 to 0770 and changed the group owner to
'group1'. On my AD server, I added myself to the group1 security group
and attempted to access the directory (via Windows XP client) using
Explorer T:\joey\group1 and receive the Access Denied error message.

Using wbinfo, I am able to confirm that winbind sees that I am indeed a
member of the appropriate group.

(dc2: 12:33:20 </other/sambashares/public/joey>) 0 # ls -l
total 4
drwxrwx--- 2 root group1 512 Aug 3 10:32 group1
drwxr-xr-x 2 root DomainUsers 512 Aug 3 10:19 group2
(dc2: 12:33:21 </other/sambashares/public/joey>) 0 # ls -ln
total 4
drwxrwx--- 2 0 10093 512 Aug 3 10:32 group1
drwxr-xr-x 2 0 10018 512 Aug 3 10:19 group2
(dc2: 12:33:46 </other/sambashares/public/joey>) 0 # wbinfo -r jofficer
10018
10093
(dc2: 12:41:05 </other/sambashares/public/joey>) 0 # ls -ld /other/sambashares/public/
drwxrwxrwx 55 nobody DomainUsers 4096 Jul 9 10:54 /other/sambashares/public/

Any help would be greatly appreciated. I'm at a loss as to where the
problem is, especially since it's working on a pre-existing directory.
I've tried restarting the samba server and also have removed/added the
directories several times.
Joey Officer
Systems Administrator
iStream Financial Services
262-432-1536
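
Added example, not part of the original post: a Python check of the POSIX owner/group/other rule against the `ls -ln` and `wbinfo -r` output quoted above. The UID 10500 is an assumed placeholder, since the post does not show the user's UID, and the function names are illustrative.

```python
# Listing and GIDs copied from the `ls -ln` and `wbinfo -r jofficer` output in the post.
LS_LN = """\
total 4
drwxrwx--- 2 0 10093 512 Aug 3 10:32 group1
drwxr-xr-x 2 0 10018 512 Aug 3 10:19 group2
"""
USER_GIDS = {10018, 10093}
USER_UID = 10500  # assumption: placeholder, the post does not show the UID


def parse_mode(text):
    """Turn 'drwxrwx---' into the nine permission bits as an int."""
    bits = 0
    for ch in text[1:10]:
        # 's'/'t' imply execute is set; 'S'/'T' mean it is not.
        bits = (bits << 1) | (ch not in "-ST")
    return bits


def parse_ls_ln(listing):
    """Map each entry name to its mode bits, numeric UID and numeric GID."""
    entries = {}
    for line in listing.splitlines():
        f = line.split(None, 8)
        if len(f) < 9 or len(f[0]) < 10:
            continue  # skip "total N" and blank lines
        entries[f[8]] = {"mode": parse_mode(f[0]), "uid": int(f[2]), "gid": int(f[3])}
    return entries


def effective_perms(entry, uid, gids):
    """First matching class (owner, group, other) decides; classes never combine.
    The root bypass (UID 0) is not modelled."""
    if uid == entry["uid"]:
        cls, shift = "owner", 6
    elif entry["gid"] in gids:
        cls, shift = "group", 3
    else:
        cls, shift = "other", 0
    bits = (entry["mode"] >> shift) & 0o7
    return cls, "".join(c if bits & m else "-" for c, m in zip("rwx", (4, 2, 1)))


def report(listing=LS_LN, uid=USER_UID, gids=USER_GIDS):
    return {n: effective_perms(e, uid, gids) for n, e in parse_ls_ln(listing).items()}


if __name__ == "__main__":
    for name, (cls, perms) in report().items():
        print(f"{name}: matched {cls} class, effective {perms}")
```

The check covers only the mode bits shown in the post; the permissions on the parent `joey` directory and the share definition do not appear there and are not evaluated.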