[Samba] AD auth + local unix groups: access denied?
Albrecht Dreß
albrecht.dress at lios-tech.com
Tue Apr 5 09:47:34 GMT 2005
Hi,
I have an access problem related to local unix groups on a FC2 box
running the samba-3.0.10-1.fc2 rpms.
The goal is to have a read-only share with sub-folders accessible only
by one user. All users listed in a local unix group "admin" shall have
access to all folders. The samba box uses an external active directory
machine for authentication. Winbind is running on the machine.
The sub-folders in the share are owned by the respective AD users, and
the group is fixed (using the setgid bit) to the local "admin" group.
The "admin" group is listed in the local /etc/group file, and respective
AD users are listed there. The listing of the archive folder looks like
<snip>
[root at machine root]# ls -l /opt/share/Archiv/
total 0
dr-xr-s--- 2 DOMAIN_user1 admin 128 Apr 4 14:08 User1
dr-xr-s--- 2 DOMAIN_user2 admin 154 Apr 1 16:14 User2
</snip>
(The archive is filled by a virtual cups printer based upon the user
name of the request, so having everything ro is wanted here).
The situation is now as follows:
- clicking in the win explorer on any subfolder which should be accessed
via the "admin" group access rights returns a "permission denied" error.
Right-clicking on the folders and showing the security settings in Win
correctly shows the ownership and unix group name;
- log in on the FC2 box via ssh, using the AD user name provided via
winbind (e.g. "DOMAIN_user1"): users listed in the "admin" group can
access all subfolders with unix commands like "ls" as expected;
- "getent group admin" correctly lists the valid admin users;
- running "groups" as user in the "admin" group lists inter alia "admin".
The relevant (?) winbind and share setup in smb.conf looks as follows
(note: all users are members of the AD "DOMAIN_USERS" group):
<snip>
winbind separator = _
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
[Archiv]
comment = Read-Only document archive
path = /opt/share/Archiv
browsable = yes
guest ok = no
writable = no
valid users = @DOMAIN_USER
admin users =
</snip>
Any idea what causes the "permission denied" error and how I can fix it?
How could I get more debug information about the cause?
Thanks in advance,
Albrecht
--
LIOS Technology GmbH
Dr. Albrecht Dreß
Project Engineering / Software Design
Schanzenstrasse 6 - 20
D-51063 Köln
Germany
Phone +49 221 676 2742
Fax +49 221 676 2069
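The second bullet above (ssh users in the "admin" group can list the folders with "ls") comes down to the kernel's POSIX permission check, which Samba only reaches after its own share-level checks have passed. The script below is an added example, not code from the post or from Samba: it parses constructed input in the shape of the `ls -l` and `getent group` output quoted above, decodes the setgid marker in the mode string, and reports who may enter which folder. It also covers the rule that only one permission class is consulted (owner first), which a constructed "Locked" entry illustrates. All sample data and function names are mine.

```python
"""Model the POSIX directory-access check applied when a user lists
/opt/share/Archiv over ssh.  All sample data is constructed to match
the shape of the `ls -l` and `getent group` output in the post; it is
not real output.  Only the kernel-side check is modelled; Samba's own
share-level checks (valid users, etc.) run before it and are separate."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample in the format of `ls -l /opt/share/Archiv/`.
# The "Locked" entry is added to show owner-class precedence.
LS_OUTPUT = """\
total 0
dr-xr-s--- 2 DOMAIN_user1 admin 128 Apr 4 14:08 User1
dr-xr-s--- 2 DOMAIN_user2 admin 154 Apr 1 16:14 User2
d---r-s--- 2 DOMAIN_user3 admin   0 Apr 4 14:08 Locked
"""

# Constructed sample in the format of `getent group admin`.
GETENT_OUTPUT = "admin:x:1001:DOMAIN_user1,DOMAIN_user3,DOMAIN_admin1\n"


@dataclass
class Entry:
    name: str
    owner: str
    group: str
    perms: Dict[str, Set[str]]  # 'user'/'group'/'other' -> subset of {r,w,x}
    setgid: bool


def parse_mode(mode: str) -> Tuple[Dict[str, Set[str]], bool, bool, bool]:
    """Decode a 10-character ls mode string such as 'dr-xr-s---'.

    Returns (perms, setuid, setgid, sticky).  In ls output an 's' in the
    user or group execute slot means setuid/setgid plus execute; 'S' means
    the special bit is set but execute is not.  't'/'T' is the sticky bit.
    """
    if len(mode) != 10:
        raise ValueError(f"bad mode string: {mode!r}")
    perms: Dict[str, Set[str]] = {}
    special: Dict[str, bool] = {}
    for cls, start in (("user", 1), ("group", 4), ("other", 7)):
        r, w, x = mode[start], mode[start + 1], mode[start + 2]
        bits = set()
        if r == "r":
            bits.add("r")
        if w == "w":
            bits.add("w")
        if x in ("x", "s", "t"):
            bits.add("x")
        special[cls] = x in ("s", "S", "t", "T")
        perms[cls] = bits
    return perms, special["user"], special["group"], special["other"]


def parse_ls(output: str) -> List[Entry]:
    """Parse `ls -l` lines; the name is the 9th field and may contain spaces."""
    entries = []
    for line in output.splitlines():
        if not line.strip() or line.startswith("total "):
            continue
        mode, _links, owner, group, _size, _mon, _day, _time, name = line.split(None, 8)
        perms, _setuid, setgid, _sticky = parse_mode(mode)
        entries.append(Entry(name, owner, group, perms, setgid))
    return entries


def parse_getent_group(output: str) -> Dict[str, Set[str]]:
    """Parse `getent group` lines of the form name:x:gid:member,member."""
    groups: Dict[str, Set[str]] = {}
    for raw in output.splitlines():
        if raw.strip():
            name, _pw, _gid, members = raw.split(":", 3)
            groups[name] = {m for m in members.split(",") if m}
    return groups


def posix_allows(entry: Entry, user: str, user_groups: Set[str], wanted: Set[str]) -> bool:
    """Class selection: owner class if the user owns the entry, else the group
    class if the user is in the entry's group, else 'other'.  Only the
    selected class is consulted; a more permissive later class never helps."""
    if user == entry.owner:
        cls = "user"
    elif entry.group in user_groups:
        cls = "group"
    else:
        cls = "other"
    return wanted <= entry.perms[cls]


def check_access(ls_output: str, getent_output: str, user: str, dirname: str,
                 wanted: Set[str] = frozenset({"r", "x"})) -> bool:
    """True if `user` may list and enter `dirname` (a directory needs r and x)."""
    entries = {e.name: e for e in parse_ls(ls_output)}
    member_of = {g for g, members in parse_getent_group(getent_output).items() if user in members}
    return posix_allows(entries[dirname], user, member_of, set(wanted))


if __name__ == "__main__":
    for user in ("DOMAIN_user1", "DOMAIN_user2", "DOMAIN_user3", "DOMAIN_admin1"):
        for entry in parse_ls(LS_OUTPUT):
            verdict = "allowed" if check_access(LS_OUTPUT, GETENT_OUTPUT, user, entry.name) else "denied"
            print(f"{user:14} {entry.name:8} setgid={entry.setgid!s:5} {verdict}")
```

Running it shows that DOMAIN_user1 and DOMAIN_admin1 can enter both User1 and User2 through the "admin" group, that DOMAIN_user2 (not in the constructed admin group) is limited to its own folder, and that DOMAIN_user3 is denied on "Locked" despite being in "admin", because the owner class is consulted first and grants nothing.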