Group permission issues

David Collier-Brown davec-b at rogers.com
Fri Aug 14 09:39:14 MDT 2009


Ron Short wrote:
> David,
>
> A basic test case that fails.
>
> User test user belongs to the ad domain domain users group which maps
> to uid 15004 on the samba server.
> The user also belongs to other groups for example, the NMCS\uploadwip
> group gid 15007
>
> They create a directory on the samba server called 6200 and it has
> permissions:
>
> owner a user called filemanager and group NMCS/uploadwip ie. 15007.
>
> Users that are members of group 15007 but where it is not their
> primary group get access denied attempting to write to the directory.
>
>> just to clarify, are you talking about primary group working and
>> supplementary groups failing, where access is controlled by giving
>> permission to a group which is in the supplementary groups list of a user?
>
> Yes,
>
> David Collier-Brown wrote:
>> Ron Short wrote:
>>   
>>> We have an issue with subgroups in that permission information does
>>> not seem to be forwarded to Windows Samba Clients. Basically the
>>> primary application runs with some higher privilege level of
>>> permission above the normal user rights. They can't get the permission
>>> through the subgroups thus the application breaks.
>>>
>>> sdathengmds01:~ # cat /etc/*release
>>> SUSE Linux Enterprise Server 10 (x86_64)
>>> VERSION = 10
>>> PATCHLEVEL = 2
>>> LSB_VERSION="core-2.0-noarch:core-3.0-noarch:core-2.0-x86_64:core-3.0-x86_64"
>>>
>>> SGI Foundation Software 1SP3, Build 603r4-0903312302
>>> SGI InfiniteStorage Software Platform, version 1.6, Build
>>> sgi160r2-1.6, Wed Apr  1 19:00:40 UTC 2009
>>> SGI ProPack 6SP3 for Linux, Build 603r4-0903312302
>>> SGI ProPack 6SP3 for Linux, Build 603r4-0903312302
>>>
>>> sdathengmds01:~ # rpm -q -f /usr/sbin/smbd
>>> sgi-samba-3.2.0-24.1sgi160r2
>>> sdathengmds01:~ #
>>>
>>> smb.conf file
>>>
>>> sdathengmds01:~ # more /etc/samba/smb.conf
>>>
>>> # Global parameters
>>> [global]
>>>        workgroup = NMCS
>>>        realm = NMCS.SDMENGINEERING.COM
>>>        netbios name = ENGSMB
>>>        name resolve order = lmhosts host wins bcast
>>>        interfaces = 162.49.57.25/0xffffff00
>>>        bind interfaces only = Yes
>>>        security = ADS
>>>        auth methods = winbind
>>>        password server = dmcontroller2.nmcs.sdmengineering.com, dmcontroller3.nmcs.sdmengineering.com
>>>        #passwd program = /usr/bin/passwd %u
>>>        #passwd chat = *ew*password:* %n\n *e-enter*new*password:* %n\n
>>>        max log size = 500
>>>        max xmit = 65535
>>>        os level = 0
>>>        preferred master = No
>>>        local master = No
>>>        domain master = No
>>>        ldap ssl = no
>>>        idmap uid = 15000-20000
>>>        idmap gid = 15000-20000
>>>        comment = %h (Samba %v)
>>>        hosts allow = 162.49.57.
>>>        hide dot files = No
>>>        locking = No
>>>        share modes = No
>>>
>>> [library]
>>>        path = /media/library
>>>        read only = No
>>>        directory mask = 0775
>>>        #force group = +dmfwrite
>>> [cam]
>>>        path = /media2/cam
>>>        read only = No
>>>        directory mask = 0775
>>>        #force group = +dmfwrite
>>>
>>>
>>>     
>> Jeremy already asked for more information, but, just to clarify, are you
>> talking about primary group working and supplementary groups failing,
>> where access is controlled by giving permission to a group which is in
>> the supplementary groups list of a user?
>>
>> If so, there is a known problem with non-Linux Sambas and having more than
>> 16 or 32 supplementary groups. Might this be what you're seeing on an
>> SGI, or is this a purely Linux regression?
>>
>> --dave
>>
>>
>>   
>
> -- 
> Ron Short                                       email: short at sgi.com
> Solutions Architect                             office: 651/683-5680
> SGI Global Professional Services                fax: 651/683-5288

OK, that makes sense. Is the Samba server itself on Linux? If so, it's a
new bug, and probably a regression (;-))

If it's on an SGI, it's an old bug for which the alternatives are:
- fix an SGI bug (preferred)
- use ACLs
- work around it via an interposer library I just updated.

The SGI fix is substantially the same code as in the interposer.

--dave

-- 
David Collier-Brown,         | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
davecb at spamcop.net           |                      -- Mark Twain
(416) 223-8968
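
One way to check an account against the 16 and 32 supplementary-group limits mentioned in the thread, as an added example that is not part of the original messages or of Samba. It assumes the gid list has the form printed by `id -G` with the primary gid first; the sample lists are constructed, `testuser` is a hypothetical account name, and a count over the limit only marks the account as a candidate for the problem.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the thread). Input is a gid list in the
# form printed by `id -G USER`; the first entry is assumed to be the primary gid.

# Number of supplementary gids (all entries after the primary).
supp_count() {
    set -- $1
    if [ $# -gt 0 ]; then shift; fi
    echo $#
}

# How TARGET relates to the list: primary, supplementary or absent.
membership() {
    m_target=$2
    set -- $1
    if [ $# -eq 0 ]; then echo absent; return 0; fi
    if [ "$1" = "$m_target" ]; then echo primary; return 0; fi
    shift
    for g in "$@"; do
        if [ "$g" = "$m_target" ]; then echo supplementary; return 0; fi
    done
    echo absent
}

# assess GIDLIST TARGET LIMIT: one-word verdict for the case in the thread.
assess() {
    kind=$(membership "$1" "$2")
    n=$(supp_count "$1")
    case $kind in
        primary) echo primary-ok ;;
        absent)  echo not-member ;;
        *)  if [ "$n" -gt "$3" ]; then echo supplementary-over-limit
            else echo supplementary-within-limit; fi ;;
    esac
}

# Constructed samples: primary gid 15004, target gid 15007 as in the thread.
FEW="15004 15007 15010"
MANY="15004 15101 15102 15103 15104 15105 15106 15107 15108 15109 15110 15111 15112 15113 15114 15115 15116 15007"

for limit in 16 32; do
    echo "limit=$limit few=$(assess "$FEW" 15007 "$limit") many=$(assess "$MANY" 15007 "$limit")"
done
# Live use on the server (testuser is a hypothetical account name):
#   assess "$(id -G testuser)" 15007 "$(getconf NGROUPS_MAX)"
```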



More information about the samba-technical mailing list