[Samba] Group permissions and recursion
Rob Tanner
rtanner at linfield.edu
Wed Jun 28 00:45:08 GMT 2006
Jeremy,
Never having worked with winbind, I claim a certain amount of ignorance
here. I can't log in as a specific user because I don't have telnet
enabled on the samba server (none of the specific kerberos stuff is
configured). Even though I have the template shell configured and getent
passwd shows everything correctly for user 'CATNET\rtanner', I can't
log in via ssh. When I use smbclient I don't have access to the id
command (or I don't know how to access it). But when logged in as root,
I do "getent group | grep 'CATNET\\rtanner'", I see what I expected. It
shows me in the 'CATNET\adm staff' security group but not in
'CATNET\adm'. The former is a member of the latter so, at least on
Microsoft Windows shares, access granted to 'CATNET\adm' applies to
'CATNET\adm staff' as well, and that's what's not happening when
mounting SAMBA shares.
So, at this point, I'm not sure how to go about starting to debug why
winbind isn't showing my membership in the 'CATNET\adm' group as well.
I've followed the procedures in the official HOWTO, but if there's
something I missed that would cause just this particular problem, do you
know what that might be?
Thanks,
Rob
On 06/27/2006 01:16 PM, Jeremy Allison wrote:
> On Tue, Jun 27, 2006 at 10:49:04AM -0700, Rob Tanner wrote:
>
>> Here's the problem, a member of 'CATNET\adm staff' cannot access a file
>> for which 'CATNET\adm' has r/w access (group:CATNET\134adm:rwx). But if
>> I add 'CATNET\adm staff' even though 'CATNET\adm staff' is a member of
>> 'CATNET\adm', it works. I thought this might be related to the smb.conf
>> parameter 'winbind nested groups', which I set to 'yes', but it made no
>> difference. Any ideas?
>>
>
> Yes, that's got to be nested group evaluation not working
> right. Try logging on as the specific user and then
> calling the 'id' command to see what groups you're in.
> They're the ones that winbindd is giving you (and the
> same ones smbd will be using). From that you should be
> able to start debugging why winbindd isn't giving the
> full group list.
>
> Jeremy.
>
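
An added example, not part of the original thread: a Python check that takes `getent group` output plus the group-in-group nesting defined in the domain and lists the groups a user should hold through nesting but that the name service does not report. The GIDs, the user `CATNET\jdoe` and the `NESTED_IN` map are constructed sample data; only the group names and the symptom come from the messages above.

```python
# Constructed sample of `getent group` output (GIDs and jdoe are made up).
# It mirrors the reported symptom: the user appears in 'CATNET\adm staff'
# but not in 'CATNET\adm'.
GETENT_GROUP = r"""
CATNET\domain users:x:10000:CATNET\rtanner,CATNET\jdoe
CATNET\adm staff:x:10001:CATNET\rtanner,CATNET\jdoe
CATNET\adm:x:10002:
"""

# Assumption: group-in-group membership as defined on the domain side.
# getent does not expose nesting, so it has to be supplied separately.
NESTED_IN = {r"CATNET\adm staff": [r"CATNET\adm"]}


def direct_groups(getent_text, user):
    """Groups whose member list in the getent output names the user."""
    groups = set()
    for line in getent_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        name, _passwd, _gid, members = parts
        if user in members.split(","):
            groups.add(name)
    return groups


def effective_groups(direct, nested_in):
    """Expand direct groups through nesting; the seen set stops cycles."""
    seen = set(direct)
    stack = list(direct)
    while stack:
        group = stack.pop()
        for parent in nested_in.get(group, ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def missing_nested(getent_text, user, nested_in):
    """Groups implied by nesting that the name service does not report."""
    direct = direct_groups(getent_text, user)
    return sorted(effective_groups(direct, nested_in) - direct)


if __name__ == "__main__":
    for group in missing_nested(GETENT_GROUP, r"CATNET\rtanner", NESTED_IN):
        print("not reported for user:", group)
```

Any group this prints is one that file ACLs granting access only to the parent group will not match for that user.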