Secondary groups and file permissions

Andrew Bartlett abartlet at samba.org
Thu Aug 23 15:25:16 MDT 2012


On Thu, 2012-08-09 at 12:10 +0200, Daniel Lundqvist wrote:
> Hi, first of all, thank you for the great piece of software Samba4, you're
> doing a great job!
> 
> I've set up Samba4 as our primary Windows Domain, everything works smoothly
> except for one thing. Secondary groups do not give our users access to
> files which those groups own, neither on Windows 7 nor on a Linux machine which
> is joined via winbind; files owned by the user's primary group gid 513 (Domain
> Users) work as expected. My setup is as follows:
> 
> 
>    - Samba 4 is running the latest git version on Ubuntu 12.04 with all
>    dependencies listed on Samba4/HOWTO wiki-page
>    - Files are on an iSCSI device with EXT4 which is mounted with acl and
>    user_xattr options, the filesystem is then shared via NFS3 to the machine
>    running samba4.

Don't do this.  You should never re-share an NFS filesystem with Samba.

>    - I've added the gidNumber (which I got from wbinfo --sid-to-gid) and
>    objectClass posixGroup. The group is a *Global* *Security* group.
>    - The owner of the shared files is root:<samba_group> and chmod 770
> 
> I suspect that NFS3 is the culprit here as it does not seem to support
> user_xattr, but I'm not sure and I want to confirm this suspicion with you
> guys. Or am I doing something else wrong?
> 
> I could try to set up a samba share on the machine that the ext4 partition
> is on, may that help?

I certainly would start with that.  

You don't say exactly which version or configuration you are using, but
you may be interested to know that we now (current master) set correct
posix ACLs on files created for GPOs during provision.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org