[Samba] Re: Group authentication

Alexander Muth alexander.muth at lgb-rlp.de
Thu Nov 13 08:57:38 GMT 2003


Marcos Martins da Silva wrote:

> I have installed samba 3.0.0 on a RedHat 9.0 box. I have used the rpm binary I got from the Canada mirror. The server is a dual Pentium II 400 IBM NetFinity 5000. Installation was easy. Testparm outputs:
> 
> [root@seth root]# testparm
> Load smb config files from /etc/samba/smb.conf
> Processing section "[desenv]"
> Loaded services file OK.
> 'winbind separator = +' might cause problems with group membership.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
> 
> # Global parameters
> [global]
>         workgroup = HUCFF
>         server string = Servidor Samba
>         security = DOMAIN
>         password server = ROMULO
>         log file = /var/log/samba/log.%m
>         max log size = 50
>         name resolve order = wins lmhosts bcast
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         dns proxy = No
>         wins server = 10.12.10.15
>         idmap uid = 20000-30000
>         idmap gid = 20000-30000
>         template shell = /bin/bash
>         winbind separator = +
>         winbind cache time = 10
>         winbind use default domain = Yes
>         hosts allow = 10., 127.
> 
> [desenv]
>         comment = diretório de desenvolvimento
>         path = /compart/desenv
>         valid users = @Desenv
>         write list = @Desenv
>         read only = No
>
> wbinfo -u and wbinfo -g get users and groups from a Win2K domain controller (ROMULO) with no problem.
> 
> The "desenv" share is configured to permit access from group "Desenv", as we can see from testparm output. 
> The /compart/desenv path is configured like this:
> [root@seth compart]# ls -lia
> total 12
>   16403 drwxr-xr-x    3 root     root         4096 Out 17 18:57 .
>       2 drwxr-xr-x   20 root     root         4096 Out 20 17:03 ..
>   16404 drwxrwsr-x   23 marcosm  Desenv       4096 Out 18 14:34 desenv
>
> "Desenv" is a global group from my win2K domain (HUCFF) and marcosm is a "Desenv" member. Since I could use chown to set Linux permissions to this group and this user, I assume winbind is working fine.
> Samba can see marcosm is member of desenv and also that Desenv (ID:20035) is among marcosm's groups:
>
> [root@seth compart]# getent group Desenv
> Desenv:x:20035:santanna,marcosm,velasco,analucia,anabraga,anarangel,trindade,beth,evandro,gloria,gustavom,jcarlos,bortnyk,luzimar,mgsoares,cida,osmario,mbfranca,leonardo,gmps
> [root@seth compart]# wbinfo -r marcosm
> 20010
> 20035
> 20037
>
> But I cannot access the share from either win2k or linux:
>
> [root@seth compart]# smbclient //seth/desenv -U marcosm
> Password:
> tree connect failed: NT_STATUS_ACCESS_DENIED
>
> But if I put the user "marcosm" in the write list and valid users lines, like this:
>
> [desenv]
>         comment = diretório de desenvolvimento
>         path = /compart/desenv
>         valid users = marcosm @Desenv
>         write list = marcosm @Desenv
>         read only = No
>
> Everything works just fine as we can see:
>
> [root@seth compart]# smbclient //seth/desenv -U marcosm
> Password:
> smb: \> ls
>   .                                   D        0  Sat Oct 18 14:34:05 2003
>   ..                                  D        0  Fri Oct 17 18:57:17 2003
>   Diretoria                           D        0  Sat Oct 18 14:18:51 2003
>   Evandro                             D        0  Sat Oct 18 14:21:46 2003
>   Gloria                              D        0  Sat Oct 18 14:22:50 2003
>   Gustavo                             D        0  Sat Oct 18 14:22:51 2003
>   JCarlos                             D        0  Sat Oct 18 14:22:54 2003
> 
>                 33001 blocks of size 1048576. 26191 blocks available
> 
> The problem looks like samba is not expanding @Desenv as a user list that contains marcosm.
> Any clues? Thanks in advance.

Hi,

I have exactly the same problem after upgrading from samba 2.2.8a to 3.0.0.
I run Samba on Linux SLES8 and Sun Solaris 7.

Users and groups are managed on a w2k domain controller.

With Samba 2.2.8a group membership works fine and is now broken in 3.0.0.

On Samba 3.0.0, "wbinfo -r" and "getent group" show the right group
membership, but Samba is ignoring the group membership and I get
NT_STATUS_ACCESS_DENIED when I am accessing files or directories with group
read status.

Is this a general problem? A configuration problem?
Thanks in advance.




