Hi all. I'm having a strange issue with a server running Samba 3.0.2a. The server has a single share, and under that are subfolders that contain documents. Each subfolder is owned by a different folder-specific group, and users belong to the groups that own the folders to which they need access. But suddenly one user can't access any folders. Windows (the client) suggests that she might not have access, Mac OS X just displays the folders as empty, and the Samba server's logs reveal a telling NT_STATUS_ACCESS_DENIED error. So I've tried to use her account to access those shares in unSamba ways, like from the command line or via SFTP, and everything works fnie. Only Samba refuses to let her in. Here's the clincher: if I make the contents of any folder universally read/write (chmod -R o+rw foldername), the user can connect to that folder and read the contents via Samba. So the issue isn't that somethign is wrong with her account, but just that Samba won't recognize any of the secondary groups to which she belongs. But it does recognize them for other users. I've seen references to this issue on the web, and apparently removing the user from some nonessential groups helps to un-confuse Samba. Anyone have other solutions to (or experience with) this bug? Thanks, Ed Holden Any information, including protected health information (PHI), transmitted in this email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential and or exempt from disclosure under applicable Federal or State law. Any review, retransmission, dissemination or other use of or taking of any action in reliance upon, protected health information (PHI) by persons or entities other than the intended recipient is prohibited. If you received this email in error, please contact the sender and delete the material from any computer.
Ed, Suggest you update to Samba-3.0.11 when it is released. It should be out within 48 hours and has many fixes since 3.0.2. One fix is for multiple group membership. Check the WHATSNEW.txt file in the tarball for specifics. Cheers, John T. On Thursday 27 January 2005 15:10, Ed Holden wrote:> Hi all. I'm having a strange issue with a server running Samba 3.0.2a. > The server has a single share, and under that are subfolders that > contain documents. Each subfolder is owned by a different > folder-specific group, and users belong to the groups that own the > folders to which they need access. > > But suddenly one user can't access any folders. Windows (the client) > suggests that she might not have access, Mac OS X just displays the > folders as empty, and the Samba server's logs reveal a telling > NT_STATUS_ACCESS_DENIED error. So I've tried to use her account to > access those shares in unSamba ways, like from the command line or via > SFTP, and everything works fnie. Only Samba refuses to let her in. > > Here's the clincher: if I make the contents of any folder universally > read/write (chmod -R o+rw foldername), the user can connect to that > folder and read the contents via Samba. So the issue isn't that somethign > is wrong with her account, but just that Samba won't recognize any of the > secondary groups to which she belongs. But it does recognize them for > other users. > > I've seen references to this issue on the web, and apparently removing the > user from some nonessential groups helps to un-confuse Samba. Anyone have > other solutions to (or experience with) this bug? > > Thanks, > Ed Holden > > > Any information, including protected health information (PHI), transmitted > in this email is intended only for the person or entity to which it is > addressed and may contain information that is privileged, confidential and > or exempt from disclosure under applicable Federal or State law. Any > review, retransmission, dissemination or other use of or taking of any > action in reliance upon, protected health information (PHI) by persons or > entities other than the intended recipient is prohibited. If you received > this email in error, please contact the sender and delete the material from > any computer.-- John H Terpstra Samba-Team Member Phone: +1 (650) 580-8668 Author: The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556 Samba-3 by Example, ISBN: 0131472216 Hardening Linux, ISBN: 0072254971 Other books in production.
Is the user assigned to more groups than the max allowed for the operating sytem? For example, on AIX, the max groups is 32. AIX will let you assign a user to more than 32 groups, but there may be some strange behavior with permissions, Samba, etc, Ed Holden <eholden@mclean.harvard.edu> Sent by: samba-bounces+vlkidder=tabasco.com@lists.samba.org 01/27/2005 04:10 PM To samba@lists.samba.org cc Subject [Samba] Samba not recognizing secondary groups Hi all. I'm having a strange issue with a server running Samba 3.0.2a. The server has a single share, and under that are subfolders that contain documents. Each subfolder is owned by a different folder-specific group, and users belong to the groups that own the folders to which they need access. But suddenly one user can't access any folders. Windows (the client) suggests that she might not have access, Mac OS X just displays the folders as empty, and the Samba server's logs reveal a telling NT_STATUS_ACCESS_DENIED error. So I've tried to use her account to access those shares in unSamba ways, like from the command line or via SFTP, and everything works fnie. Only Samba refuses to let her in. Here's the clincher: if I make the contents of any folder universally read/write (chmod -R o+rw foldername), the user can connect to that folder and read the contents via Samba. So the issue isn't that somethign is wrong with her account, but just that Samba won't recognize any of the secondary groups to which she belongs. But it does recognize them for other users. I've seen references to this issue on the web, and apparently removing the user from some nonessential groups helps to un-confuse Samba. Anyone have other solutions to (or experience with) this bug? Thanks, Ed Holden Any information, including protected health information (PHI), transmitted in this email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential and or exempt from disclosure under applicable Federal or State law. Any review, retransmission, dissemination or other use of or taking of any action in reliance upon, protected health information (PHI) by persons or entities other than the intended recipient is prohibited. If you received this email in error, please contact the sender and delete the material from any computer. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba