[Samba] Bug in "force group" parameter, or group membership checking?
Wim Bakker
koreander at planet.nl
Sat Apr 17 18:21:50 GMT 2004
Hello,
I have the following situation:
Samba with ldap passdb backend.
In my setup I have a group called exact:
------------
dn: cn=exact,ou=Groups,dc=ahm,dc=nl
objectClass: posixGroup,sambaGroupMapping
cn: exact
gidNumber: 1000
sambaSID: S-1-5-21-4269728302-1655870493-3894479995-3001
sambaGroupType: 4
memberUid: gerrit,piet,hornie
------------
maps to the unix group exact:
exact (S-1-5-21-4269728302-1655870493-3894479995-3001) -> exact
/etc/group:
exact:x:1000:
Users gerrit, piet and hornie can't use the share exact unless I specify
the parameter "force group = exact" (smb.conf entry):
[exact]
path = /shares/exact
browseable = no
read only = no
force group = exact
If I don't specify force group = exact, apparently the authorized users
(gerrit, piet and hornie) connect as members of their default group,
being "Domain Users", and they aren't allowed anything on the share
exact.
Permissions on this share exact:
# file: shares/exact
# owner: root
# group: exact
user::rwx
group::rwx
group:exact:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:exact:rwx
default:mask::rwx
default:other::---
So I take it that there is no checking whether a user that tries to
connect to a share is, besides its default group that the user connects
with, also a member of the group that is authorized to connect to
that share, in this case the group exact, so I have to set
force group = exact, so a user that connects to that share
connects with default group exact and is allowed to access the
share and do its thing. But apparently there is no checking whether
that user is actually a member of that group, because when I connect
as a completely different user, not at all listed in the group exact as a
member, I get full access also. Now I add the parameter:
valid users = @exact
to that entry in the smb.conf, but then not one user can connect anymore,
also not the users that are listed in the group parameters as being a member
of that group.

Where is it going wrong?
When I make the default group of the users that are allowed to access the
share exact the group exact, there is no problem; then they
are recognized as being members of the group exact and get access. When
exact is not their default group, but just one of the groups they are also a
member of, there is no way to grant them access without granting everyone
access.

TIA
Wim Bakker
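
An added illustration, not part of the original post: the share stanza as posted, next to a variant that uses the `+` prefix documented for `force group` in the smb.conf manual together with `valid users`. It assumes the server's own group lookup (NSS) returns the LDAP members of exact; the two stanzas are alternatives, not meant to sit in one file.

```ini
# --- As posted -------------------------------------------------------
# Every user who connects gets primary group "exact" for this share,
# whether or not the user is a member of that group.
[exact]
    path = /shares/exact
    browseable = no
    read only = no
    force group = exact

# --- Restricted variant (added example) ------------------------------
# valid users = @exact : only members of the group may connect.
# force group = +exact : the leading "+" switches the primary group to
#                        "exact" only for users already in that group;
#                        other users keep their own primary group.
[exact]
    path = /shares/exact
    browseable = no
    read only = no
    valid users = @exact
    force group = +exact
```

Both restricted settings depend on group membership as the operating system reports it, so `getent group exact` on the server should list gerrit, piet and hornie; the `/etc/group` line quoted in the post has no members.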