[Samba] Samba ignores groups for ACL !

Felipe Augusto van de Wiel felipe at paranacidade.org.br
Fri Sep 29 13:25:00 GMT 2006


On 09/26/2006 09:25 AM, Neuwald wrote:
> Hello, i hope u guys can help me.

	Let's try. :)

> This is the first time I write to the list. Sorry about my 
> english...

	No problem.

> i got a solaris 10 machine and installed "samba" with 
> "openldap" , "openssl 0.9.8" and "gcc 3.4.6".

	Just for the sake of logs, it is 3.0.23c and 2.3.21.

> i configured kerberos and all the other things. all good.

	Do "all the other things" include the groupmaps?

> i added the samba-server (solaris10) to an Active Directory domain.
> with "kinit ...." and then "net ads join" and so on.
> all worked good.

	Ok, so your Samba server is a Member Server of an AD.

> then i configured my smb.conf via swat-webconsole.
> i created a share that was named "all".
> i added in swat to the "valid users"-option the AD-Group 
> "MyDomain\group_alpha".

> After this i mounted the share on my Windows-Xp machine. 
> The user on the WindowsXP machine is in the Group "MyDomain\group_alpha".
> all good.
> i can access and create folders .....
> Now i created on my solaris-machine in my Samba-Share-folder "all" 
> 2 Folders.
> Folders:            Permissions      Owner        Acl
> 1. "folderA" with rwxrwx---     root  root    group: group_beta:rwx
> 2. "folderB" with rwxrwx---     root  root    group: group_gama:rwx
> after this i added via "setfacl -m g:MyDomain\\group_beta:rwx folder_a" 
> the group "group_beta" to the first folder.
> The Same i did with the folder "folderB", i added the group "group_gama" 
> (rwx).

	I hope that the above commands are really right, because you
said folder_a but the name of the folder is "folderA".

> Now, i am at the windows machine, my user "winuser" mounted the Samba 
> Share.
> So, "winuser" is a member of the valid share user group "group_alpha", 
> all AD-users are members of this group.
> On the two other folders in the share i added permissions for two 
> other groups.
> So, i as "winuser" should have rights to read,write,execute the 
> "folderA", because "winuser" is also a member of "group_beta"
> but i don't have permissions for "folderB".

> my Problem is now that i can not enter and "folderA" and "folderB"!
> (windows-prompt : i don't have permissions for this..)

	Ok, we will need the smb.conf and a log when you are trying
to access the share (increase the loglevel/debuglevel, please).

> The same scenario with adding "users" directly without "group" is 
> working.

	Sounds like an ACL problem with regards to groups from AD.

> So i think that samba ignores my supplementary groups for acl!!!


> i googled a lot for this problem, but no solution.
> Help me ;)
> Ciao, Björn

	Kind regards,

--
Felipe Augusto van de Wiel <felipe at paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)

