[Samba] Maybe Linux problem: AD auth + local unix groups: access denied?

Albrecht Dreß albrecht.dress at lios-tech.com
Tue Apr 5 14:40:21 GMT 2005


Having a closer look at this problem, I am now at the point where I can 
reproduce the effect with a minimal test app run as root, in which I 
change the privileges using setres[ug]id() as smbd does...

The relevant code snippet looks as follows (more or less the same as smbd 
does before the failed access, as I found out by running it under strace):

<snip>
   setresgid(-1, 10001, -1);               /* effective gid only -> primary AD group */
   setresuid(10007, 10007, -1);            /* real and effective uid -> AD user */
   FILE *f = fopen("/tmp/URGA/test", "r"); /* EACCES unless the dir's group is 10001 */
</snip>

10001 is the primary group id, 10007 the user id. Secondary groups are:

id -G
10001 1001 10005 10006 10007 10008

1001 is a group listed in the local /etc/group file; 10005 up to 10008 
are further groups reported by Active Directory.

The folder /tmp/URGA belongs to user root with perms rwxrwx---. If the 
group ownership is set to 10001, the folder is accessible. For *all* 
other (secondary) groups listed by 'id -G', the fopen() call above 
fails with "permission denied". In each case, an "ls" from a Linux 
terminal does work (as expected), though!

So I am really lost here, as this looks like a weird Linux (glibc?) 
problem to me... My box is an FC 2 system, running a self-compiled 
kernel 2.6.11 with the glibc-2.3.3-27.1 rpm.

HELP!!!

Cheers, Albrecht.


Albrecht Dreß schrieb:
> Hi,
> 
> I have an access problem related to local unix groups on a FC2 box 
> running the samba-3.0.10-1.fc2 rpms.
> 
> The goal is to have a read-only share with sub-folders accessible only 
> by one user. All users listed in a local unix group "admin" shall have 
> access to all folders. The samba box uses an external Active Directory 
> machine for authentication. Winbind is running on the machine.
> 
> The sub-folders in the share are owned by the respective AD users, and 
> the group is fixed (using the setgid bit) to the local "admin" group. 
> The "admin" group is listed in the local /etc/group file, and the 
> respective AD users are listed there. The listing of the archive folder looks like
> 
> <snip>
> [root at machine root]# ls -l /opt/share/Archiv/
> total 0
> dr-xr-s---  2 DOMAIN_user1 admin 128 Apr  4 14:08 User1
> dr-xr-s---  2 DOMAIN_user2 admin 154 Apr  1 16:14 User2
> </snip>
> 
> (The archive is filled by a virtual CUPS printer based upon the user 
> name of the request, so having everything read-only is wanted here).
> 
> The situation is now as follows:
> 
> - clicking in the Windows Explorer on any subfolder which should be 
> accessible via the "admin" group rights returns a "permission denied" 
> error. Right-clicking on the folders and showing the security settings 
> in Windows correctly shows the ownership and unix group name;
> - logging in on the FC2 box via ssh, using the AD user name provided via 
> winbind (e.g. "DOMAIN_user1"): users listed in the "admin" group can 
> access all subfolders with unix commands like "ls" as expected;
> - "getent group admin" correctly lists the valid admin users;
> - running "groups" as a user in the "admin" group lists, inter alia, "admin".
> 
> The relevant (?) winbind and share setup in smb.conf looks as follows 
> (note: all users are members of the AD "DOMAIN_USERS" group):
> 
> <snip>
> winbind separator = _
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = yes
> 
> [Archiv]
>     comment = Read-Only document archive
>     path = /opt/share/Archiv
>     browsable = yes
>     guest ok = no
>     writable = no
>     valid users = @DOMAIN_USER
>     admin users =
> </snip>
> 
> Any idea what causes the "permission denied" error and how I can fix it? 
> How could I get more debug information about the cause?
> 
> Thanks in advance,
> Albrecht
> 


Albrecht Dreß

-- 
LIOS Technology GmbH
Dr. Albrecht Dreß
Project Engineering / Software Design
Schanzenstrasse 6 - 20
D-51063 Köln
Germany

Phone +49 221 676 2742
Fax   +49 221 676 2069
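As an added example (not code from the post above and not Samba's own), here is the privilege drop a daemon has to perform before opening files on behalf of a user, and the reason the minimal test app above behaves differently from a login shell: setresuid() and setresgid() change only the uid and gid triples and never touch the process's supplementary group list, so a program that starts as root keeps root's supplementary groups, and a directory granted only through one of the user's secondary groups is refused with EACCES. A login via sshd or login(1) gets the user's list installed by initgroups(), which is why `id -G` and `ls` in a terminal see all the groups. Calling initgroups() (setgroups() with the NSS result, winbind included) before dropping the gid and then the uid installs that list. The uid 10007, gid 10001 and path /tmp/URGA/test are taken from the post; the user name "DOMAIN_user1" for the NSS lookup is an assumption.

```c
/* Added example (not from the original post or Samba): drop root to an
 * unprivileged user *with* that user's supplementary groups installed.
 * Hypothetical values: user "DOMAIN_user1" (assumed), uid 10007,
 * gid 10001 and path /tmp/URGA/test (from the post). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* setresuid()/getresuid() are Linux-specific */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Explicit prototypes (compatible with glibc's) in case the headers were
 * processed before _GNU_SOURCE took effect. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);
int initgroups(const char *user, gid_t group);

/* 1 if gid is one of the n entries in list, else 0. */
int gid_in_list(const gid_t *list, int n, gid_t gid)
{
    for (int i = 0; i < n; i++)
        if (list[i] == gid)
            return 1;
    return 0;
}

/* 1 if the kernel will honour gid for this process (effective gid or a
 * supplementary group), 0 if not, -1 if getgroups() fails. */
int process_has_gid(gid_t gid)
{
    if (getegid() == gid)
        return 1;
    int n = getgroups(0, NULL);
    if (n < 0)
        return -1;
    gid_t *list = calloc((size_t)n + 1, sizeof *list);
    if (list == NULL)
        return -1;
    n = getgroups(n + 1, list);
    int found = (n < 0) ? -1 : gid_in_list(list, n, gid);
    free(list);
    return found;
}

/* 1 if real, effective and saved ids all equal uid and gid respectively. */
int ids_match(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    return ru == uid && eu == uid && su == uid &&
           rg == gid && eg == gid && sg == gid;
}

/* Drop from root to user/uid/gid.  The order is fixed by the kernel:
 * changing the group list and gid needs CAP_SETGID, which disappears with
 * the uid, so the uid goes last.  setres[ug]id() never touch the
 * supplementary list; initgroups() is what installs it.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(const char *user, uid_t uid, gid_t gid)
{
    if (initgroups(user, gid) != 0)      /* setgroups() with the NSS list */
        return -1;
    if (setresgid(gid, gid, gid) != 0)   /* all three, not only the effective */
        return -1;
    if (setresuid(uid, uid, uid) != 0)   /* saved uid too: no way back to 0 */
        return -1;
    /* Verify: regaining root must fail and the triples must be as requested. */
    if (setresuid(0, 0, 0) == 0 || !ids_match(uid, gid)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Stand-alone demo: run as root, then attempt the open the test app does. */
int main(void)
{
    const char *user = "DOMAIN_user1";   /* assumption */
    uid_t uid = 10007;                   /* from the post */
    gid_t gid = 10001;                   /* from the post */
    const char *path = "/tmp/URGA/test"; /* from the post */

    if (geteuid() != 0) {
        fprintf(stderr, "run as root to exercise the privilege drop\n");
        return 1;
    }
    if (drop_privileges(user, uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    FILE *f = fopen(path, "r");
    if (f == NULL) {
        perror(path);                    /* EACCES: no gid reaches the dir's group */
        return 1;
    }
    fclose(f);
    printf("opened %s as uid %u with %d supplementary groups\n",
           path, (unsigned)uid, getgroups(0, NULL));
    return 0;
}
```

Run it as root with the directory set up as in the post (root:10005, mode rwxrwx---) and the open succeeds, because 10005 is now in the process's supplementary list; remove the initgroups() call and it fails exactly as the minimal test app does. process_has_gid() is the check to run right before the fopen() when debugging this kind of problem, since it asks the kernel rather than NSS which groups are actually in effect.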


More information about the samba mailing list