[Samba] Mapping of Unix groups to Samba user permissions

[Lars Poulsen]

I ran into a problem today which surprised me, and after two hours of
reading and testing I am more confused than ever, so I feel the need
for a sanity check. It would be good to have a clear and authoritative
article about this somewhere; I thought it would be in either "Using
Samba" or in the HOWTO, but I don't see it there.

I am using Samba in several installations in homes and small businesses
that are all Windows desktops (typically XP Home edition) and Linux
servers (typically Fedora Core 8), and I use the Linux user database
(/etc/passwd + /etc/shadow) as the primary authentication. To make
this work, I edit the Windows registry to set EnablePlainTextPasswd=1.
(Why? When I started setting these systems up, it was Windows95 so
there was no authentication on the Windows side. To make use of
Windows administration tools, you need Windows XP Pro on the desktops,
and need to learn lots of windows stuff. My background is Unix, so
that seems like un-necessary money to give to Microsoft, plus a large
learning curve.)

In my standard setup, I create a Unix user group for each SMB
share (the shares reflect functional data groupings) and set
up unix groups of the users allowed write access to each share,
and in each share I make the tree of directories owned by
and writeable by that group with a set-group bit to propagate
that group ownership. Unfortunately, the group-write permission
will not propagate that way, so a cron job runs twice a day to set
group-write on all directories with the tree of each share.

This has worked really well for a long time.

Today, suddenly I see that a windows user cannot write to directories
that are not owned by him. It appears that the SAMBA proxy does
not get to use the group privilege. It may in fact only have the
user's PRIMARY group affiliation, not the secondary ones derived
from the definitions in /etc/group. This is quite painful.

Once I lost confidence, I started looking for places that documented
how the various definitions of access rights interact with each other.
In particular the interaction of Unix group rights versus Samba
userids (write list, admin users etc). Since the primary documents are
not clear, I find that various user-written notes on the web found by
Google have conflicting and often downright wrong information on the
topic.

My testing of this is hampered by me not knowing how much information
is cached in the SMB daemon and in the Windows redirector; i.e. when
I make changes to smb.conf, do I need to "sudo service smb restart"?
Do I need to reboot the Windows client? To logout and back in on
Windows? To disconnect the network drive from the share?

The server where this problem surfaced runs samba-3.0.28a-0.fc8
and I think yum updated this quite recently. It it likely that
the behavior changed an a recent Samba update?

Is there a good source of documentation that I just plain overlooked?

Should I be using a different mechanism to set up the access rights?

/ Lars Poulsen