[Samba] ACL group permissions only work on primary group
Sam Aylestock
saylestock at treev.com
Thu Apr 8 14:04:49 GMT 2004
I am currently using Samba 3.0.2 with Fedora Core 1. I have also
duplicated the problem on a test environment.
Sam
-----Original Message-----
From: Radio Gong 2000 GmbH & Co. KG [Technik]
[mailto:sascha.bieler at radiogong.de]
Sent: Thursday, April 08, 2004 2:08 AM
To: samba at lists.samba.org
Cc: Sam Aylestock
Subject: Re: [Samba] ACL group permissions only work on primary group
Maybe I am wrong now, but as far as I now there have been several
bugfixes according ADS, ldap and kerberos.
Anyway an alpha-version is not for a production environment, so update
to the latest version of samba!
Best greetz
Sascha
Am Mittwoch, 7. April 2004 23:14 schrieb Sam Aylestock:
> My apologies....this is the info from the original post and I am
> having the exact problem. The only difference is I am using the
> current version of SAMBA(3.02)and Fedora Core 1. The original is as
follows...
>
> Intro:
> There have been a few postings on this subject with few answers. If
> anyone knows where to point those of us trying to work this out, or
> will enlighten us as to the limitations of ACL's and Samba, we would
> appreciate your help. So far, acl.bestbits.at does not have any
> information on this particular problem.
>
> Environment:
> Samba 3.0 alpha 21 or 23 (I skipped 22, but most likely it had the
> same
> problem)
> Red Hat 8.0
> Kernel 2.4.20 w/ acl patches from acl.bestbits.at
> Ext3 filesystem mounted w/ acl option
>
> Problem:
> Samba is successfully authenticating users via a W2K domain using ADS.
> Logins and passwords work great, individual file access permissions
> work fine. The problem is when setting group file or directory access
> permissions, Samba/Linux only recognizes a user's "primary group".
> This means if a user is a member of more than one group (by default,
> everyone is a member of Domain Users which is also their primary
> group) only their primary group is looked at for file/directory access
> permissions on the Samba server.
>
> This causes two problems:
>
> 1) I have to manually go through every user (250+) a set their default
> group to something other than Domain Users (unless, of course, that's
> adequate for my needs). This is time consuming, but I can live with
it.
>
> 2) The bigger problem is that a person can only receive access to
> files/directories based on membership in only one group. For example,
> John is a member of coders and a member of management with coders
> being his primary group. Without assigning individual rights, John
> will only be able to access the coders directory and will not have
> access to the management directory even though the management group
> has full access to it. Yes, it would be easy to just assign John
> individual rights to the management directory, but this becomes an
> exponential headache when you multiply this scenario out across a
large company of similar situations.
>
>
>
> Sam Aylestock
> Sr. Network Administrator
> TREEV
> Proven Solutions . Real Results .(tm)
> Tel: 703-904-3139
> http://www.treev.com/
>
>
> -----Original Message-----
> From: Radio Gong 2000 GmbH & Co. KG [Technik]
> [mailto:sascha.bieler at radiogong.de]
> Sent: Wednesday, April 07, 2004 5:09 PM
> To: Sam Aylestock; samba at lists.samba.org
> Subject: AW: [Samba] ACL group permissions only work on primary group
>
> Can u please describe ur problem a bit more?
>
> Regards
>
> Sascha
>
> -----Ursprungliche Nachricht-----
> Von: samba-bounces+sascha.bieler=radiogong.de at lists.samba.org
> [mailto:samba-bounces+sascha.bieler=radiogong.de at lists.samba.org]Im
> Auftrag von Sam Aylestock
> Gesendet: Mittwoch, 7. April 2004 23:02
> An: samba at lists.samba.org
> Betreff: [Samba] ACL group permissions only work on primary group
>
>
> I just join this list. Did anyone give a reply to this question? I
> have been struggling with this same problem.
>
> Sam Aylestock
> Sr. Network Administrator
> TREEV(r)
> Proven Solutions . Real Results .(tm)
> Tel: 703-904-3139
> http://www.treev.com/
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
More information about the samba
mailing list