[Samba] ACL group permissions only work on primary group

Sam Aylestock saylestock at treev.com
Thu Apr 8 14:04:49 GMT 2004


I am currently using Samba 3.0.2 with Fedora Core 1.  I have also
duplicated the problem on a test environment. 


Sam

-----Original Message-----
From: Radio Gong 2000 GmbH & Co. KG [Technik]
[mailto:sascha.bieler at radiogong.de] 
Sent: Thursday, April 08, 2004 2:08 AM
To: samba at lists.samba.org
Cc: Sam Aylestock
Subject: Re: [Samba] ACL group permissions only work on primary group

Maybe I am wrong now, but as far as I know there have been several
bugfixes regarding ADS, ldap and kerberos.

Anyway an alpha-version is not for a production environment, so update
to the latest version of samba!

Best greetz

Sascha

On Wednesday, 7 April 2004 23:14, Sam Aylestock wrote:
> My apologies....this is the info from the original post and I am 
> having the exact problem.  The only difference is I am using the 
> current version of SAMBA (3.02) and Fedora Core 1.  The original is as
> follows...
>
> Intro:
> There have been a few postings on this subject with few answers.  If 
> anyone knows where to point those of us trying to work this out, or 
> will enlighten us as to the limitations of ACL's and Samba, we would 
> appreciate your help.  So far, acl.bestbits.at does not have any 
> information on this particular problem.
>
> Environment:
> Samba 3.0 alpha 21 or 23 (I skipped 22, but most likely it had the 
> same problem)
> Red Hat 8.0
> Kernel 2.4.20 w/ acl patches from acl.bestbits.at
> Ext3 filesystem mounted w/ acl option
>
> Problem:
> Samba is successfully authenticating users via a W2K domain using ADS.
> Logins and passwords work great, individual file access permissions 
> work fine.  The problem is when setting group file or directory access
> permissions, Samba/Linux only recognizes a user's "primary group".  
> This means if a user is a member of more than one group (by default, 
> everyone is a member of Domain Users which is also their primary 
> group) only their primary group is looked at for file/directory access
> permissions on the Samba server.
>
> This causes two problems:
>
> 1) I have to manually go through every user (250+) and set their default
> group to something other than Domain Users (unless, of course, that's 
> adequate for my needs).  This is time consuming, but I can live with
> it.
>
> 2) The bigger problem is that a person can only receive access to 
> files/directories based on membership in only one group.  For example,
> John is a member of coders and a member of management with coders 
> being his primary group.  Without assigning individual rights, John 
> will only be able to access the coders directory and will not have 
> access to the management directory even though the management group 
> has full access to it.  Yes, it would be easy to just assign John 
> individual rights to the management directory, but this becomes an 
> exponential headache when you multiply this scenario out across a
> large company of similar situations.
>
>
>
> Sam Aylestock
> Sr. Network Administrator
> TREEV
> Proven Solutions . Real Results .(tm)
> Tel: 703-904-3139
> http://www.treev.com/
>
>
> -----Original Message-----
> From: Radio Gong 2000 GmbH & Co. KG [Technik] 
> [mailto:sascha.bieler at radiogong.de]
> Sent: Wednesday, April 07, 2004 5:09 PM
> To: Sam Aylestock; samba at lists.samba.org
> Subject: AW: [Samba] ACL group permissions only work on primary group
>
> Can u please describe ur problem a bit more?
>
> Regards
>
> Sascha
>
> -----Original Message-----
> From: samba-bounces+sascha.bieler=radiogong.de at lists.samba.org
> [mailto:samba-bounces+sascha.bieler=radiogong.de at lists.samba.org]
> On behalf of Sam Aylestock
> Sent: Wednesday, 7 April 2004 23:02
> To: samba at lists.samba.org
> Subject: [Samba] ACL group permissions only work on primary group
>
>
> I just joined this list.  Did anyone give a reply to this question?  I 
> have been struggling with this same problem.
>
> Sam Aylestock
> Sr. Network Administrator
> TREEV(r)
> Proven Solutions . Real Results .(tm)
> Tel: 703-904-3139
> http://www.treev.com/
>
>
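
A way to reproduce the quoted John/coders/management scenario offline, as an added example that is not part of the original thread: it evaluates a POSIX ACL in `getfacl` text form once with the user's full group list and once with only the primary group. The ACL text, the path and the function names are constructed for illustration.

```python
# Constructed getfacl output for a "management" directory (not from the thread).
SAMPLE_GETFACL = """\
# file: srv/management
# owner: root
# group: root
user::rwx
group::r-x
group:management:rwx
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Return (owner, owning_group, entries) parsed from getfacl text output."""
    owner = group = None
    entries = []  # (tag, qualifier, permission set)
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            tag, qual, perms = line.split("#")[0].strip().split(":")[:3]
            entries.append((tag, qual, set(perms) - {"-"}))
    return owner, group, entries

def can_access(acl_text, user, groups, want):
    """POSIX.1e-style check: is `want` granted to `user` holding `groups`?"""
    owner, owning_group, entries = parse_getfacl(acl_text)
    want = set(want)
    def perms(tag, qual=""):
        return next((p for t, q, p in entries if (t, q) == (tag, qual)), None)
    mask = perms("mask")
    mask = set("rwx") if mask is None else mask
    if user == owner:
        return want <= perms("user")
    if perms("user", user) is not None:
        return want <= (perms("user", user) & mask)
    matching = [p for t, q, p in entries
                if t == "group" and (q or owning_group) in groups]
    if matching:  # one matching group entry must grant everything requested
        return any(want <= (p & mask) for p in matching)
    return want <= perms("other")

def primary_only_gap(acl_text, user, primary, supplementary, want="rwx"):
    """Flag access that exists only when supplementary groups are honoured."""
    full = can_access(acl_text, user, {primary, *supplementary}, want)
    reduced = can_access(acl_text, user, {primary}, want)
    return {"expected": full, "primary_only": reduced, "affected": full and not reduced}
```

Feeding it real `getfacl` output and the group list from `id <user>` shows which paths a user would lose if only the primary group were evaluated.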
