[Samba] Very strange permissions issue with Samba 3.0.20(a/b)
ascrivner at oppenheimerfunds.com
Wed Nov 16 05:39:16 GMT 2005
First, thanks for all the hard work! You all rock.
I am running Samba 3.0.20a on RHEL 3 u5 x86. My configuration is working
perfectly except for CVS commits for 3 users. We are using ADS, pam_winbind, and pam_require to authenticate CVS users against AD.
Our CVS directories are mod 2775, and the group ownership of all dirs is
the AD group "DEN-CVS-Users". Every valid user is a member of this group. But
a few users, while they are able to authenticate, and checkout, cannot commit files to the depot. Their group membership is hosed up somehow. Everything is working perfectly except for these few troublemakers.
The users can log into CVS, so their group membership is seen by winbind and passed to pam_require, but when it comes to writing to a file with AD group
ownership they are denied. It works for the rest of us, though, so we're baffled. The files are all mod 664.
This isn't a CVS issue, as I can login to our CVS server as an affected AD user and replicate the problem. For me, I can write to the depot just fine.
1. Is there a limit to the number of groups a user may be a member of (the most so far is 48 groups) that would cause winbind problems?
2. Are there any special characters within an AD group name that would break winbind?
3. Besides a user's SID and group membership, what could be different between users?
This is our setup:
# workgroup = NT-Domain-Name or Workgroup-Name
netbios name = CVS-DR
workgroup = DEN
realm = DEN.FOO.COM
security = ADS
password server = den-dc1.den.foo.com
winbind use default domain = no
winbind nested groups = yes
winbind enum users = yes
winbind enum groups = yes
allow trusted domains = yes
log level = 3
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
template homedir = /cvsroot
winbind cache time = 3600
winbind separator = -
RHEL 3 u5 PAM config:
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_require.so @DEN-CVS-Admins @DEN-CVS-Users @NY-CVS-Users @NY-CVS-Admins cvs
account required pam_unix.so broken_shadow
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password sufficient pam_winbind.so use_authtok
password sufficient pam_unix.so nullok use_authtok md5 shadow
password required pam_deny.so
session required pam_unix.so
As always, any suggestions would be much appreciated.
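The following diagnostic is an added example and is not part of the original post or of Samba. It parses `id`-style output for a winbind-mapped user, checks whether the CVS group is present, and flags users whose supplementary-group list is longer than 32 entries, which is the NGROUPS_MAX of the Linux 2.4 kernels RHEL 3 ships (2.6 raised it to 65536); a user in more AD groups than the kernel can hold may have some of them silently dropped from the process credentials even though winbind reports them. The sample `id` lines, the user names and the group name spelling are constructed to match the post's "DEN-" separator; nothing here was captured from the poster's system.

```shell
#!/bin/sh
# Added diagnostic (not from the original post or from Samba): check winbind
# group membership against the kernel supplementary-group limit.

NGROUPS_MAX_24=32          # Linux 2.4 NGROUPS_MAX (RHEL 3 kernel); 2.6 allows 65536
CVS_GROUP="DEN-CVS-Users"  # group that owns the CVS tree, winbind separator "-"

# Extract the comma-separated "groups=" field of an `id` output line, one
# entry per line. On Linux `id` lists the primary group there as well.
group_entries() {
    printf '%s\n' "$1" | sed 's/.*groups=//' | tr ',' '\n'
}

# Number of groups the line carries.
group_count() {
    group_entries "$1" | grep -c .
}

# 0 if the line lists group $2 (matched as "(name)" so prefixes do not match).
has_group() {
    group_entries "$1" | grep -q -F "($2)"
}

# diagnose USER ID_LINE: prints a verdict and returns
#   0 = in the CVS group and under the kernel limit
#   1 = not in the CVS group at all (winbind/AD membership problem)
#   2 = in the CVS group, but too many groups for a 2.4 kernel to keep
diagnose() {
    n=$(group_count "$2")
    if ! has_group "$2" "$CVS_GROUP"; then
        echo "$1: NOT in $CVS_GROUP ($n groups)"
        return 1
    fi
    if [ "$n" -gt "$NGROUPS_MAX_24" ]; then
        echo "$1: in $CVS_GROUP but has $n groups, over NGROUPS_MAX=$NGROUPS_MAX_24; kernel may truncate"
        return 2
    fi
    echo "$1: OK ($n groups)"
    return 0
}

# Constructed sample lines (hypothetical users, not from the post).
SAMPLE_OK='uid=16777300(DEN-bob) gid=16777217(DEN-domain users) groups=16777217(DEN-domain users),16777300(DEN-CVS-Users)'
# 33 filler groups and no CVS group.
SAMPLE_MISSING="uid=16777301(DEN-carol) gid=1(g1) groups=$(seq 1 33 | sed 's/.*/&(g&)/' | paste -sd, -)"
# Same 33 filler groups plus the CVS group: 34 entries, over the 2.4 limit.
SAMPLE_OVERFULL="$SAMPLE_MISSING,16777300(DEN-CVS-Users)"

diagnose DEN-bob   "$SAMPLE_OK"       || :
diagnose DEN-carol "$SAMPLE_MISSING"  || :
diagnose DEN-dave  "$SAMPLE_OVERFULL" || :

# Live mode on a winbind host: walk every domain user nss can resolve.
# Skipped where wbinfo is not installed, so the script still runs offline.
if command -v wbinfo >/dev/null 2>&1; then
    wbinfo -u | while IFS= read -r u; do
        line=$(id "$u" 2>/dev/null) || { echo "$u: id failed"; continue; }
        diagnose "$u" "$line" || :
    done
fi
```

On the affected host, run it as root after confirming `getent group DEN-CVS-Users` resolves; a user reported as "NOT in" the group points at winbind or AD membership (nested groups, the separator, cache time), while an "over NGROUPS_MAX" verdict points at the kernel dropping groups from the credential list, which would match a user who authenticates fine but cannot write.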