[Samba] Re: 3.0.23d UNIX vs. AD group permissions

David Pullman david.pullman at gmail.com
Thu May 3 18:10:59 GMT 2007


I've compiled samba-3.0.25rc3, using Sun Studio11, and linking in
openldap-2.3.21 and krb5-1.4.3 client libraries.  The same problem
that I've reported since 3.0.23d still exists.  If anyone has a
suggestion, or if I missed something in release notes or anything,
please let me know.

Fundamentally, the SAMBA server is not honouring the UNIX file system
permissions.

My groups listing in UNIX:
[root@chrome samba]$ groups dpullman
melsaunx wwwmel melsa gss gssreq office root sensor lp melsapw sa
webgroup admin tac

The test directory:
[root@chrome testing]$ ls -al
total 4
drwxrwsr-x   2 carolyn  adacs        512 May  3 13:12 .
drwxr-xr-x   8 root     sys          512 Jan  5 13:37 ..
-rw-r--r--   1 dpullman adacs          0 May  3 13:12 New Text Document.txt

The directory is owned by a different user and a group that I'm not a
member of in UNIX.  I am a member of this group in AD.  Yet it allows
me to create the New Text Document.txt in this directory.

In other testing, as reported previously, when we tried to go to
production with 3.0.23 the users who are members of groups in UNIX
could not access directories or files, because SAMBA was only looking
to AD for group membership listings.

We do not maintain groups in AD, only in NIS/LDAP.  We use winbind to
map UIDs and GIDs in UNIX to SIDs to allow ACL control from Windows
workstations.  With winbind running, the SAMBA server is ignoring UNIX
permissions and using the Windows group definitions, which we don't
maintain in AD.  We have to maintain the groups in NIS/LDAP.  So if we
try to use the system like this all of our group definitions are
broken.

--
David Pullman
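
Added example (not part of the original post, and not Samba code): the access decision that the UNIX mode bits alone give for the directory listed above, evaluated once with the NIS/LDAP group list from the post and once with that list plus adacs, the AD-side membership the post describes. It assumes a non-root user and no ACLs on the directory; the function names are hypothetical.

```python
# Inputs constructed from the listings quoted in the post.
UNIX_GROUPS = ("melsaunx wwwmel melsa gss gssreq office root sensor lp "
               "melsapw sa webgroup admin tac").split()
DIR_LISTING = "drwxrwsr-x   2 carolyn  adacs        512 May  3 13:12 ."


def parse_ls_line(line):
    """Return (mode_string, owner, group) from one `ls -l` line."""
    fields = line.split()
    return fields[0], fields[2], fields[3]


def permission_class(user, groups, owner, group):
    """POSIX selects exactly one class: owner first, then group, then other."""
    if user == owner:
        return "owner"
    if group in groups:
        return "group"
    return "other"


def can_create_in_dir(user, groups, ls_line):
    """Creating a file needs write and search (w and x) on the directory."""
    mode, owner, group = parse_ls_line(ls_line)
    start = {"owner": 1, "group": 4, "other": 7}[
        permission_class(user, groups, owner, group)]
    bits = mode[start:start + 3]
    # 's' or 't' in the third position means setgid/sticky with x also set.
    return bits[1] == "w" and bits[2] in "xst"


def compare_group_sources(user, unix_groups, extra_ad_groups, ls_line):
    """Evaluate the same directory against both group lists."""
    return {
        "unix_groups_only": can_create_in_dir(user, unix_groups, ls_line),
        "with_ad_groups": can_create_in_dir(
            user, list(unix_groups) + list(extra_ad_groups), ls_line),
    }


if __name__ == "__main__":
    # Assumption: "adacs" stands for the AD-side membership the post mentions.
    result = compare_group_sources("dpullman", UNIX_GROUPS, ["adacs"],
                                   DIR_LISTING)
    for source, allowed in result.items():
        print(f"{source}: create allowed = {allowed}")
```

A mismatch between the two results for the same user and directory is the symptom the post reports: the file creation succeeds only if the group list used for the access check includes the AD-side membership.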

