[Samba] Samba ignores groups for ACL !
Felipe Augusto van de Wiel
felipe at paranacidade.org.br
Fri Sep 29 13:25:00 GMT 2006
-----BEGIN PGP SIGNED MESSAGE-----
On 09/26/2006 09:25 AM, Neuwald escreveu:
> Hello, i hope u guys can help me.
Let's try. :)
> This is the first time I write to the list. Sorry about my
> i got a solaris 10 machine and installed "samba 18.104.22.168c" with
> "openldap 22.214.171.124" , "openssl 0.9.8" and "gcc 3.4.6".
Just for the sake of logs, it is 3.0.23c and 2.3.21.
> i configured kerberos and all the other things. all good.
The all other things include the groupmaps?
> i added the samba-server (solaris10) to a active directory domain.
> with "kinit ...." and then "net ads join" and so on.
> all worked good.
Ok, so you samba server is a Member Server of an AD.
> then i configured my smb.conf via swat-websoncole.
> i created a share that was named "all".
> i added in swat to the "valid users"-option the AD-Group
> After this i mounted the share on my Windows-Xp machine.
> The user on the WindowsXP MAchine is in the Group "MyDomain\group_alpha".
> all good.
> i can access an create folders .....
> Now i created on my solaris-machine in my Samba-Share-folder "all"
> 2 Folders.
> Folders: Permissions Owner Acl
> 1. "folderA" with rwxrwx--- root root group: group_beta:rwx
> 2. "folderB" with rwxrwx--- root root group: group_gama:rwx
> after this i added via "setfacl -m g:MyDomain\\group_beta:rwx folder_a"
> the group "group_beta" to the first folder.
> The Same i did with the folder "folderB", i added the group "group_gama"
I hope that the above commands are really right, because you
said folder_a but the name of the folder is "folderA".
> Now, i am at the windows machine, my user "winuser" mountet the Samba
> So, "winuser" is a member of the valid share user group "group_alpha",
> all AD-users are members of this group.
> On the two other folders in the share i added permissions for two
> other groups.
> So, i as "winuser" should have rights to read,write,execute the
> "folderA", because "winuser" is a also a member of "group_beta"
> but i dont have permissions for "folderB".
> my Problem is now that i can not enter and "folderA" and "folderB"!
> (windows-prompt : i dont have permissions for this..)
Ok, we will need the smb.conf and a log when you are trying
to access the share (increase the loglevel/debuglevel, please).
> The same scenario with adding "users" directly without "group" is
Sounds like an ACL problem with regards to groups from AD.
> So i think that samba ignores my supplementary groups for acl!!!
> i googel'ed a lot for this problem, but no solution.
> Help me ;)
> Ciao, Björn
Felipe Augusto van de Wiel <felipe at paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/ Phone: (+55 41 3350 3300)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the samba