"force group" with no effect on BSD

MCCALL,DON (HP-USA,ex1) don_mccall at hp.com
Fri Apr 13 15:21:45 GMT 2001


Hi Jiri,
Not a bug - Samba doesn't have to call a chown or chgrp or anything like that
when you have force group parameter set; basically what happens is that when
the tconX to the share is made, samba recognizes the force group parameter,
checks the group ownership of the unix uid being used to attach to the share,
and if he is a member of the group specified in "force group", then samba
attaches (does a become_user) to the share with gid= the gid of the force
group parameter.  That way, any time a file is created, it is created with the
current uid and gid of the user creating the file.
Since the current gid of the user is the force group gid, it SHOULD be being
created with this gid.
You can get a feel for what may be going wrong in your scenario by turning
log level = 10, and scanning your log file for lines like this:
  switch message SMBtconX (pid 3731)
[2001/04/13 10:45:32, 3] lib/doscalls.c:(342)
  dos_ChDir to /home/root
[2001/04/13 10:45:32, 5] smbd/uid.c:(296)
  unbecome_user now uid=(0,0) gid=(0,0)
[2001/04/13 10:45:32, 4] smbd/reply.c:(311)
  Got device type ?????
[2001/04/13 10:45:32, 3] smbd/password.c:(759)
  ACCEPTED: validated uid ok as non-guest
[2001/04/13 10:45:32, 3] smbd/service.c:(428)
  Forced group grouptest
<<<<<<<<<<< here's where samba sees the force group
[2001/04/13 10:45:32, 3] smbd/service.c:(441)
  Connect path is /tmp/grouptest
[2001/04/13 10:45:32, 3] smbd/password.c:(192)
  ddmc is in 6 groups: 9871, 4, 2002, 2004, 2006, 3009
<<<<<<<<<<<<<<< here's where samba is checking group membership for the
connecting user - and he IS a member of grouptest (gid 9871)
[2001/04/13 10:45:32, 5] smbd/connection.c:(137)
  trying claim /var/opt/samba/locks STATUS. 100000
.......

[2001/04/13 10:45:32, 5] smbd/uid.c:(263)
  become_user uid=(0,9845) gid=(0,9871)
<<<<<<<<<<<<<<<<< note here that he does a becomeuser with the gid in
forcegroup, NOT the user's home group.
[2001/04/13 10:45:32, 3] lib/doscalls.c:(342)
  dos_ChDir to /tmp/grouptest
[2001/04/13 10:45:32, 1] smbd/service.c:(550)
  dcm (15.44.48.29) connect to service temp as user ddmc (uid=9845, gid=9871) (pid 3731)
<<<<<<<<<<<<<<<< and this is the uid and gid he uses to connect to the
service with...


So take a look at what's happening with YOU, and see if it makes sense.
Hope this helps,
Don


-----Original Message-----
From: Jiri Lazansky [mailto:lazan at labe.felk.cvut.cz]
Sent: Friday, April 13, 2001 4:10 AM
To: Gerald Carter
Cc: samba-technical at lists.samba.org
Subject: Re: "force group" with no effect on BSD 


Hello Jerry,

thanks for your prompt reaction to my yesterday posting.

> > [PC-tmp]
> >         path = /usr/pc.tmp
> >         force user = %U
>           ^^^^^^^^^^^^^^^
> This line is a little silly :-)
YES, this line IS silly, I was experimenting a lot with the configuration 
and this is the relics.
> 
> >         force group = nobody
> Have you tried a group other than 'nobody'?  or does the BSD filesystem
> enforce some type of sticky bit like behavior?
I have experimented with many UNIX groups at this place with no difference. 
I have tried groups where the logging-in user is primary member, secondary 
member or no member, but nothing helps. I have even tried the +group version.

The motivation of my effort is as follows: 
I have Win users working on different projects. They are assigned to UNIX 
primary groups according to these projects. I want to allow the use of the 
'PC-tmp' share for file exchange so that users of different groups don't 
garble others' work. Actually, I want:
    create mask = 0660
    directory mask = 0770  

Up to now, we are using an old SUN Sparc running SunOS 4.1.4 (based on BSD
4.3) as our server providing smb service by Samba 1.9.18p8 where everything
worked as desired. 
FreeBSD-4.2 that I am experimenting with now is a BSD 4.4 based system. On
this system creating new files (and directories) is done by open(2) with
options containing O_CREAT flag. These new objects are owned by the current
user and the group ownership is that of the containing directory. To change
this default chown(2) must be called.

Samba documentation states (smb.conf(5) - force group): ... This allows an 
administrator to decide that only users who are already in a particular 
group will create files with group ownership set to that group. ...

Having checked the log files on a higher debug level, I found that Samba 
doesn't even try to call chown()... SO I SUSPECT A BUG!

Best regards

Jiri Lazansky
Czech Technical University Prague
Faculty of Electrical Engineering
Department of Cybernetics
< lazan at labe.felk.cvut.cz >


----- Original Message ----- 
From: "Gerald Carter" <gcarter at valinux.com>
To: "Jiri Lazansky" <lazan at labe.felk.cvut.cz>
Cc: <samba-technical at lists.samba.org>
Sent: 12 April 2001 19:06
Subject: Re: "force group" with no effect on BSD 


> On Thu, 12 Apr 2001, Jiri Lazansky wrote:
> 
> > [PC-tmp]
> >         path = /usr/pc.tmp
> >         force user = %U
>           ^^^^^^^^^^^^^^^
> This line is a little silly :-)
> 
> >         force group = nobody
> >         writeable = Yes
> >         create mask = 0664
> >         force directory mode = 775
> >         dos filetimes = Yes
> >
> > UNIX 'ls -la' command in /usr/pc.tmp says:
> >
> > drwxrwxrwx   4 root   wheel   512 Apr 12 18:21 ./
> > drwxr-xr-x  19 root   wheel   512 Feb 22 18:07 ../
> >
> > My clients can access this share without any problems, the log file
> > seems good, showing "effective(1000, 65534)" for the connected user -
> > gid 65534=nobody. However, any object created on this share has proper
> > user ownership but the group owner is always "wheel"
> 
> Have you tried a group other than 'nobody'?  or does the BSD filesystem
> enforce some type of sticky bit like behavior?
> 
> 
> Cheers, jerry
> ----------------------------------------------------------------------
>    /\  Gerald (Jerry) Carter                     Professional Services
>  \/    http://www.valinux.com/  VA Linux Systems   gcarter at valinux.com
>        http://www.samba.org/       SAMBA Team          jerry at samba.org
>        http://www.plainjoe.org/                     jerry at plainjoe.org
> 
>        "...a hundred billion castaways looking for a home."
>                                 - Sting "Message in a Bottle" ( 1979 )
> 
> 
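
Added example (not part of the original messages, and not Samba code): a small Python check over a level-10 smbd log that pulls out the lines Don points to and reports whether the gid smbd switched to matches the forced group. The function names and the `group_gids` name-to-gid mapping are assumptions for illustration; the sample log is the excerpt from the message above with the annotations removed.

```python
import re

# Sample: the log excerpt quoted in the thread above, annotations removed.
SAMPLE_LOG = """\
[2001/04/13 10:45:32, 3] smbd/service.c:(428)
  Forced group grouptest
[2001/04/13 10:45:32, 3] smbd/password.c:(192)
  ddmc is in 6 groups: 9871, 4, 2002, 2004, 2006, 3009
[2001/04/13 10:45:32, 5] smbd/uid.c:(263)
  become_user uid=(0,9845) gid=(0,9871)
[2001/04/13 10:45:32, 1] smbd/service.c:(550)
  dcm (15.44.48.29) connect to service temp as user ddmc (uid=9845, gid=9871) (pid 3731)
"""

def messages(log_text):
    """Yield each message body, joining the lines that follow a '[timestamp, level]' header."""
    body = []
    for line in log_text.splitlines():
        if line.startswith("["):
            if body:
                yield " ".join(body)
            body = []
        elif line.strip():
            body.append(line.strip())
    if body:
        yield " ".join(body)

def check_force_group(log_text, group_gids):
    """Compare the gid smbd switched to with the gid of the share's forced group."""
    found = {"forced_group": None, "member_gids": [], "effective_gid": None, "connect_gid": None}
    for msg in messages(log_text):
        if m := re.match(r"Forced group (\S+)", msg):
            found["forced_group"] = m.group(1)
        elif m := re.match(r"\S+ is in \d+ groups: (.*)", msg):
            found["member_gids"] = [int(g) for g in re.findall(r"\d+", m.group(1))]
        elif m := re.match(r"become_user uid=\(\d+,\d+\) gid=\(\d+,(\d+)\)", msg):
            # Assumption: the second number of the gid pair is the effective gid.
            found["effective_gid"] = int(m.group(1))
        elif m := re.search(r"connect to service \S+ as user \S+ \(uid=\d+, gid=(\d+)\)", msg):
            found["connect_gid"] = int(m.group(1))
    want = group_gids.get(found["forced_group"])
    found["is_member"] = want in found["member_gids"]
    found["gid_applied"] = want is not None and found["effective_gid"] == want == found["connect_gid"]
    return found

if __name__ == "__main__":
    print(check_force_group(SAMPLE_LOG, {"grouptest": 9871}))
```

If `gid_applied` is true but new files still carry another group, the log gives no evidence against smbd, and the next place to look is how the filesystem assigns group ownership to new files, which is the behaviour Jiri describes for FreeBSD.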




