[Samba] user-group mapping not inherited from Windows-Domain?
Voelz Alexander
Alexander.Voelz at P7S1Produktion.de
Fri Dec 29 13:15:15 GMT 2006
Dear
I have the following Problem:
we have a windows domain (WIN2000 SP1), and a samba Server, acting as a
mere client. So the WIN-DOMAIN is just used for user-to-group mapping
and user authentication.
Authentication on the samba-Server works, ACL inheritance works.
What I would like to do, is to allow write access to certain groups,
which are defined in the windows domain. Other groups may only read. I
found that acls are similar to unix modes, as when I allow write access
to "\Everyone", it's like doing a chmod o+w on a file.
I authenticate as a user vo03a in the domain, who seems to have to own
the files, in order to be able to modify the acls.
Here are the acls of the Media Directory on the acl_test-share:
[root at saitana Media]# smbcacls //saitana/acl_test Media -U "belgium\vo03a%<pwd>"
...isn't important, is it?...
OWNER:BELGIUM\vo03a
GROUP:SAITANA\root
ACL:BELGIUM\vo03a:ALLOWED/0/FULL
ACL:BELGIUM\F_AKS_VJ-Blitz:ALLOWED/0/FULL
ACL:BELGIUM\F_AKS_VJ-Admin:ALLOWED/0/FULL
ACL:SAITANA\root:ALLOWED/0/FULL
ACL:\Everyone:ALLOWED/0/READ
Now, I want every user of the F_AKS_VJ-Blitz group to have write access
in the Media directory.
[root at saitana Media]# getent group F_AKS_VJ-Blitz
F_AKS_VJ-Blitz:x:16782751:xxx0422z
xxx0422z is a Member of this group.
But, when I try to create a directory in the share from a windows
computer, I get no write access.
Now, if I add this line:
[root at saitana Media]# smbcacls //saitana/acl_test Media -U "belgium\vo03a%<pwd>" -a "ACL:BELGIUM\xxx0422z:ALLOWED/0/FULL"
He correctly adds it to the acls, and I get write access as User
xxx0422z from my windows client. When I create a file, it belongs to
xxx0422z:Domain Users
(that's why I assume the problem has to do with the primary group "Domain
Users", and the system may not recognize that the user belongs to other
groups, as well)
[root at saitana Media]# smbcacls //saitana/acl_test Media -U "belgium\vo03a%<pwd>"
...
OWNER:BELGIUM\vo03a
GROUP:SAITANA\root
ACL:BELGIUM\vo03a:ALLOWED/0/FULL
ACL:BELGIUM\F_AKS_VJ-Blitz:ALLOWED/0/FULL
ACL:BELGIUM\F_AKS_VJ-Admin:ALLOWED/0/FULL
ACL:SAITANA\root:ALLOWED/0/FULL
ACL:BELGIUM\xxx0422z:ALLOWED/0/FULL
ACL:\Everyone:ALLOWED/0/READ
[root at saitana Media]#
My conclusion is that he disregards the membership of xxx0422z in the
F_AKS_VJ-Blitz group. Do you have any idea why and more important: how I
could get this to work?
Note: the user xxx0422z's primary group is "Domain Users", and this is
the group under which he creates files and directories. So it seems to
have to do with that primary group...
I tried also to create the group locally with wbinfo -O, as well as the
user, but that didn't work, either. I guess that at a certain point I
also got confused about which domain the users were from.
My Goal is to use the acls to deny write-access to
\\saitana\acl_test\Media\Blitz to all Members of F_AKS_VJ-Blitz (which
is administered in the windows domain), while all members of
F_AKS_VJ-Admin should be able to write on that share.
I don't want to administer the groups on the linux box! That should be
taken care of by the windows domain! The Linux box does not have any
local groups for the samba-share!
Another thing that may be useful: When I chown the dir "\Media\Blitz" to
the F_AKS_VJ_Blitz group (and set chmod g+w), xxx0422z STILL can't write
in it!
Oh, and the user is correctly recognized as a member of the group in the
"valid users"-Section:
smb.conf-excerpt:
[global]
workgroup = BELGIUM
netbios name = SAITANA
server string = saitana
security = domain
password server = belgium
client schannel = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = yes
...
[acl_test]
comment = Media
path = /media1/acl_test
valid users = @F_AKS_VJ-Admin, @F_AKS_VJ-Blitz
read only = No
inherit permissions = Yes
inherit acls = Yes
map acl inherit = Yes
Any ideas what else I could try, or where I could post this question, or
how I could just get along someway?
I have found similar problems on the mailing list, but not one that
applies well enough to my case.
No Linux boxes have to map the share. It is mounted by windows XP
clients, only. And no other folders than the already existing shares
should have to be created.
Do I have to add user-logon scripts, local groups, group mappings, etc.
(I'd like to avoid all of that)?
Thank you for your time,
Alexander
PS: I almost forgot:
smbd: Version 3.0.10-1.4E.2
nmbd: Version 3.0.10-1.4E.2
winbindd: Version 3.0.10-1.4E.9
I installed this as an rpm package samba-3.0.10-1.4E.2 on a
2.6.9-42.0.2.Elsmp Kernel x86 RedHat Linux
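An added diagnostic to separate the two halves of the problem above (not code from the original post or from the Samba project): it parses the ACL listing in the format smbcacls prints (OWNER:/GROUP:/ACL:trustee:type/flags/mask) and computes the rights the NT ACL alone would grant a user, given the groups winbind reports for that user. The listing embedded below is a constructed copy of the Media directory ACL quoted in the post; the domain name BELGIUM and the group names are taken from the post, and the membership lists passed in are assumed. If the ACL evaluates to write but the server refuses, the gap is in how the user's group token is built, not in the ACL itself; the same function also shows how an explicit DENY on the Blitz group, listed first, takes precedence over a later ALLOW.

```python
import re

# Mask letters smbcacls uses, plus the symbolic masks it prints for common sets.
LETTERS = {"R": "read", "W": "write", "X": "execute", "D": "delete",
           "P": "change_perms", "O": "take_ownership"}
MASKS = {"FULL": set(LETTERS.values()),
         "CHANGE": {"read", "write", "execute", "delete"},
         "READ": {"read", "execute"}}
# ACL:<trustee>:<ALLOWED|DENIED>/<flags>/<mask>; raw hex masks (0x...) are skipped.
ACE_RE = re.compile(r"^ACL:(.+?):(ALLOWED|DENIED)/([^/]*)/([A-Za-z]+)$")

# Constructed sample: the Media directory listing quoted in the post.
SAMPLE_ACL = """\
OWNER:BELGIUM\\vo03a
GROUP:SAITANA\\root
ACL:BELGIUM\\vo03a:ALLOWED/0/FULL
ACL:BELGIUM\\F_AKS_VJ-Blitz:ALLOWED/0/FULL
ACL:BELGIUM\\F_AKS_VJ-Admin:ALLOWED/0/FULL
ACL:SAITANA\\root:ALLOWED/0/FULL
ACL:\\Everyone:ALLOWED/0/READ
"""

def parse_acl(text):
    """Yield (trustee, ace_type, rights) per ACL: line; OWNER:/GROUP: carry none."""
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        who, ace_type, _flags, mask = m.groups()
        rights = MASKS.get(mask.upper())
        if rights is None:  # letter form such as RWXD
            rights = {LETTERS[c] for c in mask.upper() if c in LETTERS}
        yield who, ace_type, rights

def qualify(name, domain):
    """Prefix names printed without a domain ('winbind use default domain = yes')."""
    return name if "\\" in name else f"{domain}\\{name}"

def effective_rights(acl_text, user, groups, domain="BELGIUM"):
    """Rights the NT ACL alone grants to user, given the groups in its token."""
    # First ACE covering a right decides it: a DENY listed first beats a later ALLOW.
    token = {qualify(n, domain).lower() for n in (user, *groups)} | {"\\everyone"}
    decided = {}
    for who, ace_type, rights in parse_acl(acl_text):
        if who.lower() in token:
            for right in rights:
                decided.setdefault(right, ace_type == "ALLOWED")
    return {right for right, granted in decided.items() if granted}
```

Compare the result for the groups `getent group` lists against the result for a token holding only the primary group "Domain Users": the first includes write, the second does not.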