[Samba] Group permissions and recursion

Rob Tanner rtanner at linfield.edu
Tue Jun 27 17:49:04 GMT 2006


Now that we have successfully moved a first department share onto our 
mega SAMBA server, we're in the 20% of the old 80/20 rule.  Our problem 
has to do with group permissions within the extended ACL.

We have implemented winbind along with the ADS security mode.  This 
means that a user isn't just "jdoe", but is "MYDOMAIN\jdoe".  We are 
using the extended ACL model which means that we can set specific 
permissions for specific security groups for access to any particular 
file.  The other thing I need to point out is that we have a hierarchy 
of security groups.  We have a security group, 'CATNET\adm' and the 
members of that security group are the security groups 'CATNET\adm 
staff' and 'CATNET\adm faculty'.  The members of the latter two groups 
are the actual users.

Here's the problem: a member of 'CATNET\adm staff' cannot access a file 
for which 'CATNET\adm' has r/w access (group:CATNET\134adm:rwx).  But if 
I add 'CATNET\adm staff', even though 'CATNET\adm staff' is a member of 
'CATNET\adm', it works.  I thought this might be related to the smb.conf 
parameter 'winbind nested groups', which I set to 'yes', but it made no 
difference.  Any ideas?



Rob Tanner
UNIX Services Manager
Linfield College, McMinnville OR
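
An added example, not part of the original post: a POSIX ACL group entry such as group:CATNET\134adm:rwx is matched against the user's resolved group list, so the sketch below parses getfacl-style output and evaluates the access check for a list with and without the parent group. The file name, owner, user 'CATNET\jdoe' and both group lists are constructed assumptions; only the CATNET\134adm entry and the group names come from the post.

```python
import re

# Constructed getfacl output; only the CATNET\134adm entry comes from the post.
SAMPLE_ACL = r"""# file: budget.xls
# owner: root
# group: root
user::rwx
group::---
group:CATNET\134adm:rwx
mask::rwx
other::---
"""

def unescape(name):
    # getfacl prints special characters as octal escapes: \134 is "\", \040 is " ".
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    acl = {"user": {}, "group": {}, "mask": "rwx", "other": "---"}
    for line in map(str.strip, text.splitlines()):
        if line.startswith(("# owner:", "# group:")):
            key, value = line[2:].split(":", 1)
            acl[key + "_name"] = unescape(value.strip())
        elif line and not line.startswith("#"):
            tag, name, perms = line.split(":")[:3]
            if tag in ("user", "group"):
                acl[tag][unescape(name)] = perms[:3]  # "" = owner / owning group
            else:
                acl[tag] = perms[:3]
    return acl

def allowed(acl, user, user_groups, want):
    """POSIX ACL access check, using names where the kernel uses uid/gid."""
    def has(perms, masked=True):
        eff = {p for p in perms if p != "-" and (not masked or p in acl["mask"])}
        return set(want) <= eff
    if user == acl["owner_name"]:
        return has(acl["user"][""], masked=False)
    if user in acl["user"]:
        return has(acl["user"][user])
    # Group entries match only against the process's resolved group list.
    matches = [p for g, p in acl["group"].items()
               if (g or acl["group_name"]) in user_groups]
    if matches:
        return any(has(p) for p in matches)
    return has(acl["other"], masked=False)

ACL = parse_getfacl(SAMPLE_ACL)
DIRECT = {"CATNET\\domain users", "CATNET\\adm staff"}  # constructed group list
EXPANDED = DIRECT | {"CATNET\\adm"}  # same list with the parent group resolved
```

On a live system the two inputs would come from `getfacl` on the file and `id` for the user, which shows whether the parent group appears in the list the access check actually sees.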

