[Samba] Fwd: samba3.0.23d group permissions not working

Cameron Murdoch cam.murdoch at gmail.com
Wed Jan 17 12:21:34 GMT 2007


Dear all,

I am still seeing the issue described below - can anybody suggest
anything? This breaks so much stuff that I am stuck using 3.0.22. If I
am missing something really obvious then please tell me :)

There is a post from Vladimir Orlic on the 3rd that describes the same
problem. Bug 3990 in bugzilla appears to be the same issue too.

Thanks

Cam


On Wed, Dec 06, 2006 at 12:16:49PM +0000, Cameron Murdoch wrote:
> Dear all,
>
> I have samba3.0.23d running on FreeBSD 6.1. It is running with "security = ADS" and
> has been functioning correctly from about 3.0.14 to 3.0.22.
>
> Since I upgraded to 3.0.23(a|b|c|d) group permissions are not honoured by Samba.
> For example:
>
> drwxrwx---  107 setup     domain admins  3072 Nov 15 19:25 install
>
> The user setup is a Windows admin user; this user can access this folder without any
> problems. Any users in the "Domain Admins" group CANNOT access this folder. When
> trying to do this from Windows they are presented with a password screen. This is the
> same for all group permissions unless the group in question is the user's primary
> group. If I explicitly add ACL user permissions to the folder then those users can access
> it. This doesn't work if I can group ACLs.
>
> This has screwed up all sorts of stuff as all group based access is broken.
>
> I am not seeing any winbind errors; winbind seems to enumerate the groups fine, e.g.
>
> [root@yankee /data]# id cmurdoch
> uid=15003(cmurdoch) gid=15000(domain users) groups=15000(domain users),
> 15009(group policy creator owners), 15006(enterprise admins), 15007(domain admins),
> 15008(schema admins), 15017(emlibrary users), 15030(sophos console administrators),
> 15033(sophosadministrator), 15035(pcarch), 15038(BUILTIN\administrators)
>
> But cmurdoch then won't be able to access folders with any of his group permissions set.
>
> Global section of smb.conf:
> [global]
> workgroup = BPR
> netbios name = YANKEE
> ;hosts allow = 192.168.1
> socket options = TCP_NODELAY
> server string = Samba Server
> realm = BPRARCHITECTS.COM
> security = ADS
> encrypt passwords = yes
> password server = *
> client use spnego = yes
> server signing = auto
> map acl inherit = yes
> ;allow trusted domains = no
> idmap uid = 15000-1000000
> idmap gid = 15000-1000000
> winbind use default domain = yes
> winbind enum groups = yes
> winbind enum users = yes
> winbind nested groups = yes
> template shell = /usr/local/bin/bash
> use sendfile = yes
> log file = /var/log/samba/log.%m
> load printers = no
>
>
> Cameron
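
Added example, not part of the original post and not Samba code: a Python check of what the POSIX mode bits alone grant, given the `ls -l` line and `id` output quoted above, and whether the match comes through the primary or a supplementary group. The result is the expectation to compare against what smbd actually allows. It assumes group names map one-to-one to gids and that the owner name contains no spaces; the function names are hypothetical.

```python
import re

# Sample input copied from the listing and `id` output quoted in the post.
LS_LINE = "drwxrwx---  107 setup     domain admins  3072 Nov 15 19:25 install"
ID_LINE = (
    "uid=15003(cmurdoch) gid=15000(domain users) groups=15000(domain users), "
    "15009(group policy creator owners), 15006(enterprise admins), 15007(domain admins), "
    "15008(schema admins), 15017(emlibrary users), 15030(sophos console administrators), "
    "15033(sophosadministrator), 15035(pcarch), 15038(BUILTIN\\administrators)"
)


def parse_id(line):
    """Return (user, primary_group, all_group_names) from one line of `id` output."""
    user = re.search(r"uid=\d+\(([^)]*)\)", line).group(1)
    primary = re.search(r"gid=\d+\(([^)]*)\)", line).group(1)
    # Names may contain spaces or a backslash, so match up to the closing parenthesis.
    listed = re.findall(r"\d+\(([^)]*)\)", line.split("groups=", 1)[1])
    return user, primary, set(listed) | {primary}


def parse_ls(line):
    """Return (mode, owner, group) from an `ls -l` line; the group may contain spaces."""
    m = re.match(r"(\S{10})\s+\d+\s+(\S+)\s+(.+?)\s+\d+\s+\w{3}\s+\d+\s+\S+\s+", line)
    if m is None:
        raise ValueError("unrecognised ls -l line")
    return m.group(1), m.group(2), m.group(3)


def mode_bits_access(id_line, ls_line):
    """Return (matched_class, rwx_triplet) as the mode bits alone would decide it.

    Follows the POSIX order: owner first, then group, then other.
    The kernel compares numeric ids; names are used here as a stand-in (assumption).
    """
    user, primary, groups = parse_id(id_line)
    mode, owner, group = parse_ls(ls_line)
    if user == owner:
        return "owner", mode[1:4]
    if group in groups:
        via = "primary group" if group == primary else "supplementary group"
        return via, mode[4:7]
    return "other", mode[7:10]


if __name__ == "__main__":
    print(mode_bits_access(ID_LINE, LS_LINE))
```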

