[Samba] Re: Group permissions and recursion

Graham Dunn graham.dunn at leitch.com
Wed Jun 28 16:46:30 GMT 2006

Jeremy Allison wrote:
> On Wed, Jun 28, 2006 at 10:40:38AM +1000, Adam Nielsen wrote:
>>>> Here's the problem, a member of 'CATNET\adm staff' cannot access a
>>>> file for which 'CATNET\adm' has r/w access
>>>> (group:CATNET\134adm:rwx).  But if
>> FWIW, this works here (Samba 3.0.21rc2), but I did need 'winbind nested
>> groups = yes' first.  I don't seem to have changed much else in
>> smb.conf that might affect this.
> Ah, glad we're fixing bugs moving forward :-).
>> This however, *doesn't* work.  Running 'id' only tells me I'm a member
>> of "DOMAIN\domain users" but it doesn't list *any* other groups I'm a
>> member of.
>> But Samba still gives me access if a group containing a group
>> containing me has permission.
> smbd has backdoors into winbindd that other processes don't.
> Still, I thought 'winbind nested groups' expanded for NSS
> groups - maybe not. I'd need to look at the code to be sure.
> Jeremy.

The simple scenario that I can't get to work (with nested groups = yes)
is one where a directory's group ownership is one that my user account
is a member of, but not my primary group.

Chgrp'ing the directory to my primary group ("Domain Users") will allow

Changing it to a secondary ("LTI_Dev Domain_Users") prohibits change.

# smbcacls //ma21cab5/data foo -U gdunn01
GROUP:HARRIS\lti_domain users_dev
ACL:HARRIS\lti_domain users_dev:ALLOWED/0/FULL

# pw groupshow "LTI_domain users_dev"
LTI_domain users_dev:*:190045:[snip],gdunn01,[snip]

ma21cab5# getfacl foo

ma21cab5# ls -ld foo
drwxrwxr-x+ 3 root  lti_domain users  512 Jun 28 12:34 foo

ma21cab5# smbstatus

Samba version 3.0.22
PID     Username      Group         Machine
45058   gdunn01       Domain Users  dev-gdunn    (

FreeBSD 5.3

More information about the samba mailing list