[Samba] member server and groups

Mike Ray mray at xes-inc.com
Thu Apr 4 08:48:32 MDT 2013


When running a samba 3 member server joined to a samba AD with winbind, we were having some issues with ACLs over CIFS mounts. If you are noticing issues with CIFS mounts, then something to keep in mind that I only found out after quite some time is that permissions over mounts work as the logical AND of basic unix permissions and ACLs. That is, if your user would be denied by the basic unix permissions, ACLs are never checked. However, if you get the green light from basic permissions, it then contacts the server and does the ACL checks. 

The reason that you are noticing no issue when you chgrp it to Domain Users is that at that point your domain users pass on the unix permissions. Without them owning (say the file/dir is root/root) then they fall to the last octal, the 'other' portion of file permissions. 

So what I'd try is chmod 777 the file/dir and then add ACLs on top of that to restrict access. 

Hope that helps, 
Mike Ray 
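A small model of the check Mike describes, added here as an illustration and not part of either mail: the client first evaluates the Unix mode bits against the uids/gids NSS resolved for the user, and only if that passes does the server-side ACL get consulted. The uids, gids, user and the ACL itself are constructed for the example; only the directory mode (drwxrwx--- root:computer) and the idmap range come from Neil's mail. The function names (posix_allows, cifs_access, share_access) are this example's own.

```python
"""Model of 'Unix mode bits AND ACL' access checking on a CIFS mount.
Added example for the thread above; identities and the ACL are constructed."""

# Constructed identities (not from the thread); gids fall inside the
# idmap range 80000-99000 from Neil's smb.conf.
ROOT_UID, ROOT_GID = 0, 0
DOMAIN_USERS_GID = 80513
COMPUTER_GID = 80621
MEMBER_UID = 90001      # a domain user who is in group 'computer'
OUTSIDER_UID = 90002    # a domain user who is not

# How the *server* (with winbind) resolves group membership; the client's
# view is passed in separately so the two can disagree, as in Neil's case.
SERVER_VIEW = {
    MEMBER_UID: {DOMAIN_USERS_GID, COMPUTER_GID},
    OUTSIDER_UID: {DOMAIN_USERS_GID},
}


def posix_allows(mode, owner_uid, owner_gid, uid, gids, want):
    """Classic Unix mode-bit check (one class only: owner, group or other).

    mode  - permission bits, e.g. 0o770
    gids  - every gid the client's NSS resolved for the user
    want  - subset of "rwx"
    """
    if uid == owner_uid:
        shift = 6
    elif owner_gid in gids:
        shift = 3
    else:
        shift = 0              # falls through to the 'other' octet
    bits = (mode >> shift) & 0o7
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return bits & need == need


def cifs_access(mode, owner_uid, owner_gid, uid, gids, want, acl_allows):
    """Logical AND with short-circuit: the ACL callback is never reached
    when the mode bits already deny.  Returns (allowed, acl_consulted)."""
    if not posix_allows(mode, owner_uid, owner_gid, uid, gids, want):
        return False, False
    return acl_allows(uid, want), True


def acl_group_only(server_gids_of, gid):
    """Build a constructed ACL callback granting access only to members of
    'gid' as the server resolves them (the 'restrict with ACLs' step)."""
    def acl_allows(uid, want):
        return gid in server_gids_of(uid)
    return acl_allows


def share_access(uid, client_gids, mode, owner_gid):
    """Request 'rx' on the share directory owned by root:<owner_gid>."""
    acl = acl_group_only(lambda u: SERVER_VIEW.get(u, set()), COMPUTER_GID)
    return cifs_access(mode, ROOT_UID, owner_gid, uid, client_gids, "rx", acl)


if __name__ == "__main__":
    # Client resolves all groups: mode bits pass, ACL consulted, allowed.
    print(share_access(MEMBER_UID, {DOMAIN_USERS_GID, COMPUTER_GID}, 0o770, COMPUTER_GID))
    # Client resolves only the primary group (Neil's symptom): denied by the
    # 'other' octet of 770 before the ACL is ever looked at.
    print(share_access(MEMBER_UID, {DOMAIN_USERS_GID}, 0o770, COMPUTER_GID))
    # Mike's suggestion: 777 so the mode bits pass, ACL does the restricting.
    print(share_access(MEMBER_UID, {DOMAIN_USERS_GID}, 0o777, COMPUTER_GID))
    print(share_access(OUTSIDER_UID, {DOMAIN_USERS_GID}, 0o777, COMPUTER_GID))
```

Running it shows why chgrp to Domain Users "fixes" the symptom (the user's primary group matches, so the group octet applies) and why Mike's 777-plus-ACL approach still keeps outsiders out: the mode bits pass for everyone, but the ACL, evaluated with the server's group resolution, denies them. On a real member server the corresponding check is `id <user>`, which lists every supplementary group NSS resolves for that user; if the share's group is missing there, the mode bits will deny before any ACL is read.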

----- Original Message -----

From: "Neil Price" <nprice at gibb.co.za> 
To: samba at lists.samba.org 
Sent: Thursday, April 4, 2013 8:42:06 AM 
Subject: [Samba] member server and groups 

I have a samba 3 member server joined to a samba pdc using ldap. Join is OK. 
Version is from debian wheezy: 3.6.6 

With servers that are bdc's I have no problems with authentication, with 
the member server I cannot get group file permissions to work. 
User file permissions work fine 
Samba share user and group permissions work fine 
getent group shows expected groups with correct gid, which is an 
improvement on the 3.5.4 that I tried before. 
Only thing interesting the logs show is access denied. 
BUT if I change the dir/file permission to domain users group THEN it 
works. 
So I think samba is only looking up the primary group. I know there was a 
bug like this somewhere around 3.6.0 

Is "net idmap secret alloc" no longer needed? It responds with "The only 
currently supported backend is LDAP". smbpasswd -w seemed to do all I 
needed. 

Critical parts of my smb.conf 
I'm using the nss_ldap method with nss-ldapd 

security = domain 
workgroup = DOMAIN 
ldap admin dn = cn=System Administrator,ou=people,dc=domain,dc=com 
ldap suffix = dc=domain,dc=com 
ldap user suffix = ou=people 
ldap group suffix = ou=groups 
ldap idmap suffix = ou=idmap 
ldap machine suffix = ou=winstations,ou=systems 
ldap ssl = Off 

idmap config DOMAIN : backend = ldap 
idmap config DOMAIN : range = 80000-99000 
idmap config DOMAIN : ldap_url = ldap://my.ldap.serverl/ 

winbind use default domain = yes 

[comp] 
path = /home/shares/comp 
inherit permissions = yes 
public = no 
browsable = yes 
writeable = yes 
valid users = @computer 

Directory perms 
drwxrwx--- 19 root computer 4096 Jan 18 15:25 comp 


nsswitch.conf 
passwd: compat ldap 
group: compat ldap 
shadow: compat ldap 

hosts: files dns wins 
networks: files 

/etc/nslcd.conf 
# The user and group nslcd should run as. 
uid nslcd 
gid nslcd 

# The location at which the LDAP server(s) should be reachable. 
uri ldap://my.ldap.server/ 

# The search base that will be used for all queries. 
base dc=domain,dc=com 

# The LDAP protocol version to use. 
#ldap_version 3 


# SSL options 
#ssl off 
#tls_reqcert never 

# The search scope. 
#scope sub 




