[Samba] Re: Group permissions and recursion
graham.dunn at leitch.com
Wed Jun 28 16:46:30 GMT 2006
Jeremy Allison wrote:
> On Wed, Jun 28, 2006 at 10:40:38AM +1000, Adam Nielsen wrote:
>>>> Here's the problem, a member of 'CATNET\adm staff' cannot access a
>>>> file for which 'CATNET\adm' has r/w access
>>>> (group:CATNET\134adm:rwx). But if
>> FWIW, this works here (Samba 3.0.21rc2), but I did need 'winbind nested
>> groups = yes' first. I don't seem to have changed much else in
>> smb.conf that might affect this.
> Ah, glad we're fixing bugs moving forward :-).
>> This however, *doesn't* work. Running 'id' only tells me I'm a member
>> of "DOMAIN\domain users" but it doesn't list *any* other groups I'm a
>> member of.
>> But Samba still gives me access if a group containing a group
>> containing me has permission.
> smbd has backdoors into winbindd that other processes don't.
> Still, I thought 'winbind nested groups' expanded for NSS
> groups - maybe not. I'd need to look at the code to be sure.
The simple scenario that I can't get to work (with nested groups = yes)
is one where a directory's group ownership is one that my user account
is a member of, but not my primary group.
Chgrp'ing the directory to my primary group ("Domain Users") will allow
Changing it to a secondary ("LTI_Dev Domain_Users") prohibits change.
# smbcacls //ma21cab5/data foo -U gdunn01
# pw groupshow "LTI_domain users_dev"
ma21cab5# getfacl foo
ma21cab5# ls -ld foo
drwxrwxr-x+ 3 root lti_domain users 512 Jun 28 12:34 foo
Samba version 3.0.22
PID Username Group Machine
45058 gdunn01 Domain Users dev-gdunn (18.104.22.168)
More information about the samba