[Samba] ACL group permissions only work on primary group

Sam Aylestock saylestock at treev.com
Wed Apr 7 21:14:14 GMT 2004


My apologies....this is the info from the original post and I am having
the exact problem.  The only difference is I am using the current
version of SAMBA (3.02) and Fedora Core 1.  The original is as follows...

Intro:
There have been a few postings on this subject with few answers.  If
anyone knows where to point those of us trying to work this out, or will
enlighten us as to the limitations of ACLs and Samba, we would
appreciate your help.  So far, acl.bestbits.at does not have any
information on this particular problem.

Environment:
Samba 3.0 alpha 21 or 23 (I skipped 22, but most likely it had the same
problem)
Red Hat 8.0
Kernel 2.4.20 w/ acl patches from acl.bestbits.at
Ext3 filesystem mounted w/ acl option

Problem:
Samba is successfully authenticating users via a W2K domain using ADS.
Logins and passwords work great, individual file access permissions work
fine.  The problem is when setting group file or directory access
permissions, Samba/Linux only recognizes a user's "primary group".  This
means if a user is a member of more than one group (by default, everyone
is a member of Domain Users which is also their primary group) only
their primary group is looked at for file/directory access permissions
on the Samba server.  

This causes two problems:

1) I have to manually go through every user (250+) and set their default
group to something other than Domain Users (unless, of course, that's
adequate for my needs).  This is time consuming, but I can live with it.

2) The bigger problem is that a person can only receive access to
files/directories based on membership in only one group.  For example,
John is a member of coders and a member of management with coders being
his primary group.  Without assigning individual rights, John will only
be able to access the coders directory and will not have access to the
management directory even though the management group has full access to
it.  Yes, it would be easy to just assign John individual rights to the
management directory, but this becomes an exponential headache when you
multiply this scenario out across a large company of similar situations.
 


Sam Aylestock
Sr. Network Administrator
TREEV
Proven Solutions . Real Results .(tm)
Tel: 703-904-3139
http://www.treev.com/


-----Original Message-----
From: Radio Gong 2000 GmbH & Co. KG [Technik]
[mailto:sascha.bieler at radiogong.de] 
Sent: Wednesday, April 07, 2004 5:09 PM
To: Sam Aylestock; samba at lists.samba.org
Subject: AW: [Samba] ACL group permissions only work on primary group

Can you please describe your problem a bit more?

Regards

Sascha

-----Original Message-----
From: samba-bounces+sascha.bieler=radiogong.de at lists.samba.org
[mailto:samba-bounces+sascha.bieler=radiogong.de at lists.samba.org] On
behalf of Sam Aylestock
Sent: Wednesday, April 7, 2004 23:02
To: samba at lists.samba.org
Subject: [Samba] ACL group permissions only work on primary group


I just joined this list.  Did anyone give a reply to this question?  I
have been struggling with this same problem.

Sam Aylestock
Sr. Network Administrator
TREEV(r)
Proven Solutions . Real Results .(tm)
Tel: 703-904-3139
http://www.treev.com/

