[Samba] ACL group permissions only work on primary group

Radio Gong 2000 GmbH & Co. KG [Technik] sascha.bieler at radiogong.de
Thu Apr 8 06:07:58 GMT 2004

Maybe I am wrong now, but as far as I know there have been several bugfixes
regarding ADS, LDAP and Kerberos.

Anyway an alpha-version is not for a production environment, so update to the 
latest version of samba!

Best greetz


On Wednesday, 7 April 2004 23:14, Sam Aylestock wrote:
> My apologies....this is the info from the original post and I am having
> the exact problem.  The only difference is I am using the current
> version of SAMBA (3.02) and Fedora Core 1.  The original is as follows...
> Intro:
> There have been a few postings on this subject with few answers.  If
> anyone knows where to point those of us trying to work this out, or will
> enlighten us as to the limitations of ACLs and Samba, we would
> appreciate your help.  So far, acl.bestbits.at does not have any
> information on this particular problem.
> Environment:
> Samba 3.0 alpha 21 or 23 (I skipped 22, but most likely it had the same
> problem)
> Red Hat 8.0
> Kernel 2.4.20 w/ acl patches from acl.bestbits.at
> Ext3 filesystem mounted w/ acl option
> Problem:
> Samba is successfully authenticating users via a W2K domain using ADS.
> Logins and passwords work great, individual file access permissions work
> fine.  The problem is when setting group file or directory access
> permissions, Samba/Linux only recognizes a user's "primary group".  This
> means if a user is a member of more than one group (by default, everyone
> is a member of Domain Users which is also their primary group) only
> their primary group is looked at for file/directory access permissions
> on the Samba server.
> This causes two problems:
> 1) I have to manually go through every user (250+) and set their default
> group to something other than Domain Users (unless, of course, that's
> adequate for my needs).  This is time consuming, but I can live with it.
> 2) The bigger problem is that a person can only receive access to
> files/directories based on membership in only one group.  For example,
> John is a member of coders and a member of management with coders being
> his primary group.  Without assigning individual rights, John will only
> be able to access the coders directory and will not have access to the
> management directory even though the management group has full access to
> it.  Yes, it would be easy to just assign John individual rights to the
> management directory, but this becomes an exponential headache when you
> multiply this scenario out across a large company of similar situations.
> Sam Aylestock
> Sr. Network Administrator
> Proven Solutions . Real Results .(tm)
> Tel: 703-904-3139
> http://www.treev.com/
> -----Original Message-----
> From: Radio Gong 2000 GmbH & Co. KG [Technik]
> [mailto:sascha.bieler at radiogong.de]
> Sent: Wednesday, April 07, 2004 5:09 PM
> To: Sam Aylestock; samba at lists.samba.org
> Subject: AW: [Samba] ACL group permissions only work on primary group
> Can u please describe ur problem a bit more?
> Regards
> Sascha
> -----Original Message-----
> From: samba-bounces+sascha.bieler=radiogong.de at lists.samba.org
> [mailto:samba-bounces+sascha.bieler=radiogong.de at lists.samba.org] On
> Behalf Of Sam Aylestock
> Sent: Wednesday, 7 April 2004 23:02
> To: samba at lists.samba.org
> Subject: [Samba] ACL group permissions only work on primary group
> I just joined this list.  Did anyone give a reply to this question?  I
> have been struggling with this same problem.
> Sam Aylestock
> Sr. Network Administrator
> TREEV(r)
> Proven Solutions . Real Results .(tm)
> Tel: 703-904-3139
> http://www.treev.com/
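An added illustration, not part of the original thread and not Samba code: a small model of the POSIX ACL access check order (owner, named user, group entries limited by the mask, other) that reproduces the symptom described in the quoted post, where the result depends on whether the group list used for the check holds only the primary group or every membership. The names `Acl`, `access_ok`, `report` and the directory data are constructed for this example, based on the John/coders/management scenario.

```python
from dataclasses import dataclass, field

R, W, X = 4, 2, 1  # permission bits

@dataclass
class Acl:
    owner: str
    owner_perms: int
    group: str               # owning group
    group_perms: int
    other_perms: int
    mask: int = 7            # upper bound for named users and all group entries
    named_users: dict = field(default_factory=dict)
    named_groups: dict = field(default_factory=dict)

def access_ok(acl, user, groups, want):
    """Evaluate in POSIX ACL order: owner, named user, group class, other."""
    if user == acl.owner:
        return (acl.owner_perms & want) == want
    if user in acl.named_users:
        return (acl.named_users[user] & acl.mask & want) == want
    # Group class: owning group plus named groups, each limited by the mask.
    entries = {acl.group: acl.group_perms, **acl.named_groups}
    matched = [p for g, p in entries.items() if g in groups]
    if matched:
        # Granted if any single matching group entry allows the request;
        # a matching group that denies does NOT fall through to "other".
        return any((p & acl.mask & want) == want for p in matched)
    return (acl.other_perms & want) == want

# Constructed sample data modelled on the John example in the post.
DIRS = {
    "coders": Acl("root", 7, "coders", 7, 0),
    "management": Acl("root", 7, "management", 7, 0),
}
JOHN_PRIMARY = "coders"
JOHN_ALL_GROUPS = {"coders", "management"}

def report(groups):
    """Can john read and traverse each directory with this group list?"""
    return {name: access_ok(acl, "john", groups, R | X)
            for name, acl in DIRS.items()}

if __name__ == "__main__":
    print("primary group only:", report({JOHN_PRIMARY}))
    print("full group list   :", report(JOHN_ALL_GROUPS))
```

On a live server, comparing the group list the operating system resolves for the user with the group entries `getfacl` shows on the directory is the equivalent check.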