Group permission issues
David Collier-Brown
davec-b at rogers.com
Fri Aug 14 11:29:47 MDT 2009
If you're not using Linux, you can easily get caught with not enough
groups. Try this
experiment:
on the SGI server, find one of the users who failed
$ su root -c " id user"
where user is the name or uid of the user in question
look and see if 15007 appears in the group list.
If it does, there's a Samba problem
If not, we have a Unix problem
--dave
Ron Short wrote:
> David,
>
> thanks
>
> The Samba server software is running on an SGI system using the SGI
> "enhanced" version of the Samba software. If we need to, we can try
> using the Samba distribution provided in the SLES distribution.
>
> David Collier-Brown wrote:
>> Ron Short wrote:
>>
>>> David,
>>>
>>> A basic test case that fails.
>>>
>>> User test user belongs to the ad domain domain users group which maps
>>> to uid 15004 on the samba server.
>>> The user also belongs to other groups for example, the NMCS\uploadwip
>>> group gid 15007
>>>
>>> They create a directory on the samba server called 6200 and it has
>>> permissions:
>>>
>>> owner a user called filemanager and group NMCS/uploadwip ie. 15007.
>>>
>>> Users that are members of group 15007 but where it is not their
>>> primary group get access denied attempting to write to the directory.
>>>
>>> just to clarify, are you
>>> talking about primary group working and
>>> supplementary groups failing, where access is controlled by giving
>>> permission to a group which is in the
>>> supplementary groups list of a user?
>>> Yes,
>>>
>>> David Collier-Brown wrote:
>>>
>>>> Ron Short wrote:
>>>>
>>>>
>>>>> We have an issue with subgroups in that permission information does
>>>>> not seem to be forwarded to Windows Samba Clients. Basically the
>>>>> primary application runs with some higher privilege level of
>>>>> permission above the normal user rights. They can't get the permission
>>>>> through the subgroups thus the application breaks.
>>>>>
>>>>> sdathengmds01:~ # cat /etc/*release
>>>>> SUSE Linux Enterprise Server 10 (x86_64)
>>>>> VERSION = 10
>>>>> PATCHLEVEL = 2
>>>>> LSB_VERSION="core-2.0-noarch:core-3.0-noarch:core-2.0-x86_64:core-3.0-x86_64"
>>>>>
>>>>> SGI Foundation Software 1SP3, Build 603r4-0903312302
>>>>> SGI InfiniteStorage Software Platform, version 1.6, Build
>>>>> sgi160r2-1.6, Wed Apr 1 19:00:40 UTC 2009
>>>>> SGI ProPack 6SP3 for Linux, Build 603r4-0903312302
>>>>> SGI ProPack 6SP3 for Linux, Build 603r4-0903312302
>>>>>
>>>>> sdathengmds01:~ # rpm -q -f /usr/sbin/smbd
>>>>> sgi-samba-3.2.0-24.1sgi160r2
>>>>> sdathengmds01:~ #
>>>>>
>>>>> smb.conf file
>>>>>
>>>>> sdathengmds01:~ # more /etc/samba/smb.conf
>>>>>
>>>>> # Global parameters
>>>>> [global]
>>>>> workgroup = NMCS
>>>>> realm = NMCS.SDMENGINEERING.COM
>>>>> netbios name = ENGSMB
>>>>> name resolve order = lmhosts host wins bcast
>>>>> interfaces = 162.49.57.25/0xffffff00
>>>>> bind interfaces only = Yes
>>>>> security = ADS
>>>>> auth methods = winbind
>>>>> password server = dmcontroller2.nmcs.sdmengineering.com,
>>>>> dmcontroller3.n
>>>>> mcs.sdmengineering.com
>>>>> #passwd program = /usr/bin/passwd %u
>>>>> #passwd chat = *ew*password:* %n\n *e-enter*new*password:* %n\n
>>>>> max log size = 500
>>>>> max xmit = 65535
>>>>> os level = 0
>>>>> preferred master = No
>>>>> local master = No
>>>>> domain master = No
>>>>> ldap ssl = no
>>>>> idmap uid = 15000-20000
>>>>> idmap gid = 15000-20000
>>>>> comment = %h (Samba %v)
>>>>> hosts allow = 162.49.57.
>>>>> hide dot files = No
>>>>> locking = No
>>>>> share modes = No
>>>>>
>>>>> [library]
>>>>> path = /media/library
>>>>> read only = No
>>>>> directory mask = 0775
>>>>> #force group = +dmfwrite
>>>>> [cam]
>>>>> path = /media2/cam
>>>>> read only = No
>>>>> directory mask = 0775
>>>>> #force group = +dmfwrite
>>>>>
>>>>>
>>>>>
>>>>>
>>>> Jeremy already asked for more information, but, just to clarify, are you
>>>> talking about primary group working and
>>>> supplementary groups failing, where access is controlled by giving
>>>> permission to a group which is in the
>>>> supplementary groups list of a user?
>>>>
>>>> If so, there is a known problem with non-Linux Sambas and having more than
>>>> 16 or 32 supplementary groups. Might this be what you're seeing on an
>>>> SGI, or is
>>>> this a purely Linux regression?
>>>>
>>>> --dave
>>>>
>>>>
>>>>
>>>>
>>> --
>>> Ron Short email: short at sgi.com
>>> Solutions Architect office: 651/683-5680
>>> SGI Global Professional Services fax: 651/683-5288
>>>
>> Ok, that makes sense, is the Samba server itself on Linux? If so it's a
>> new bug, and probably
>> a regression (;-))
>>
>> If it's on an SGI, it's an old bug for which the alternatives are
>> - fix an SGI bug (preferred)
>> - use ACLs
>> - work around it via an interposer library I just updated.
>>
>> The SGI fix is substantially the same code as in the interposer.
>>
>> --dave
>>
>>
>
> --
> Ron Short email: short at sgi.com
> Solutions Architect office: 651/683-5680
> SGI Global Professional Services fax: 651/683-5288
--
David Collier-Brown, | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
davecb at spamcop.net | -- Mark Twain
(416) 223-8968
More information about the samba-technical
mailing list