[Samba] sub-directory permissions and active directory group membership

Joey Officer JOfficer at istreamfs.com
Mon Aug 3 11:42:42 MDT 2009


I'm not sure where the problem is, but security group membership and
access to sub-directories is giving me fits.

Take 2 unique security groups as an example, group1 and group2.  If within
my top level share there is a directory labeled marketing and a second
directory labeled legal, where group1 and group2 are assigned to
marketing and legal respectively, then the group1 members should not be
able to get into Legal and group2 should not get into Marketing.

I have 1 working example, the IT folder (as an example).  The problem I am
facing, however, is subsequent new folders.

In this specific problem, I created 2 new directories in
/other/sambashares/public/joey labeled group1 and group2.  I updated the
ACL on the directory for group1 to 0770 and changed the group owner to
'group1'.  On my AD server, I added myself to the group1 security group
and attempted to access the directory (via Windows XP client) using
Explorer T:\joey\group1 and received the Access Denied error message.

Using wbinfo, I am able to confirm that winbind sees that I am indeed a
member of the appropriate group.

(dc2: 12:33:20 </other/sambashares/public/joey>) 0 # ls -l
total 4
drwxrwx---  2 root  group1   512 Aug  3 10:32 group1
drwxr-xr-x  2 root  DomainUsers  512 Aug  3 10:19 group2

(dc2: 12:33:21 </other/sambashares/public/joey>) 0 # ls -ln
total 4
drwxrwx---  2 0  10093  512 Aug  3 10:32 group1
drwxr-xr-x  2 0  10018  512 Aug  3 10:19 group2

(dc2: 12:33:46 </other/sambashares/public/joey>) 0 # wbinfo -r jofficer
10018
10093

(dc2: 12:41:05 </other/sambashares/public/joey>) 0 # ls -ld /other/sambashares/public/
drwxrwxrwx  55 nobody  DomainUsers  4096 Jul  9 10:54 /other/sambashares/public/

Any help would be greatly appreciated.  I'm at a loss as to where the
problem is, especially since it's working on a pre-existing directory.
I've tried restarting the samba server and also have removed/added the
directories several times.

Joey Officer
Systems Administrator 
iStream Financial Services

262-432-1536
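
Added example (not part of the original post): a Python walk over the classic mode bits for each directory from the share root to the target, using the gids that wbinfo -r reports, to see which component, if any, denies access. The uid values, the joey/ entry and the function names are constructed for illustration; ACLs, the root override and smb.conf restrictions are not modeled.

```python
# Added example: evaluates classic POSIX mode bits only (no ACLs, no root
# override, no smb.conf restrictions).

def rwx_for(mode, owner_uid, owner_gid, uid, gids):
    """Pick the single permission class POSIX applies: owner, else group, else other."""
    if uid == owner_uid:
        return (mode >> 6) & 0o7
    if owner_gid in gids:
        return (mode >> 3) & 0o7
    return mode & 0o7


def first_denial(chain, uid, gids, want=0o5):
    """chain: [(path, mode, owner_uid, owner_gid), ...] ordered from top to target.

    Ancestors need search (x); the target needs `want` (r+x to list it).
    Returns the first path that denies access, or None if the walk succeeds.
    """
    for i, (path, mode, o_uid, o_gid) in enumerate(chain):
        need = want if i == len(chain) - 1 else 0o1
        if rwx_for(mode, o_uid, o_gid, uid, gids) & need != need:
            return path
    return None


BASE = "/other/sambashares/public"
# Modes and gids for public/ and group1 are taken from the post's ls output.
# uid 65534 for "nobody", the joey/ entry and uid 10500 are constructed.
CHAIN = [
    (BASE, 0o777, 65534, 10018),
    (BASE + "/joey", 0o755, 0, 10018),
    (BASE + "/joey/group1", 0o770, 0, 10093),
]
USER_UID = 10500  # constructed placeholder for the mapped AD user

if __name__ == "__main__":
    for label, gids in [("gids from wbinfo -r", {10018, 10093}),
                        ("gids without 10093", {10018})]:
        print(label, "->", first_denial(CHAIN, USER_UID, gids) or "allowed")
```

Comparing the gid list fed to this check with the output of `id` for the user the smbd session actually runs as shows whether the two views of group membership agree.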

 
