Hi,
I have an access problem related to local unix groups on a FC2 box
running the samba-3.0.10-1.fc2 rpms.
The goal is to have a read-only share with sub-folders accessible only
by one user. All users listed in a local unix group "admin" shall have
access to all folders. The samba box uses an external Active Directory
machine for authentication. Winbind is running on the machine.
The sub-folders in the share are owned by the respective AD users, and
the group is fixed (using the setgid bit) to the local "admin" group.
The "admin" group is listed in the local /etc/group file, and the
respective AD users are listed there. The listing of the archive folder looks like
<snip>
[root@machine root]# ls -l /opt/share/Archiv/
total 0
dr-xr-s--- 2 DOMAIN_user1 admin 128 Apr 4 14:08 User1
dr-xr-s--- 2 DOMAIN_user2 admin 154 Apr 1 16:14 User2
</snip>
(The archive is filled by a virtual cups printer based upon the user
name of the request, so having everything ro is wanted here).
The situation is now as follows:
- clicking in the win explorer on any subfolder which should be accessed
via the "admin" group access rights returns a "permission denied" error.
Right-clicking on the folders and showing the security settings in Win
correctly shows the ownership and unix group name;
- log in on the FC2 box via ssh, using the AD user name provided via
winbind (e.g. "DOMAIN_user1"): users listed in the "admin" group can
access all subfolders with unix commands like "ls" as expected;
- "getent group admin" correctly lists the valid admin users;
- running "groups" as user in the "admin" group lists inter alia "admin".
The relevant (?) winbind and share setup in smb.conf looks as follows
(note: all users are member in the AD "DOMAIN_USERS" group):
<snip>
winbind separator = _
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
[Archiv]
comment = Read-Only document archive
path = /opt/share/Archiv
browsable = yes
guest ok = no
writable = no
valid users = @DOMAIN_USER
admin users
</snip>
Any idea what causes the "permission denied" error and how I can fix it?
How could I get more debug information about the cause?
Thanks in advance,
Albrecht
--
LIOS Technology GmbH
Dr. Albrecht Dreß
Project Engineering / Software Design
Schanzenstrasse 6 - 20
D-51063 Köln
Germany
Phone +49 221 676 2742
Fax +49 221 676 2069
Albrecht Dreß
2005-Apr-05 14:39 UTC
[Samba] Maybe Linux problem: AD auth + local unix groups: access denied?
Having a closer look at this problem, I am now at the point that I can
reproduce the effect with a minimal test app being run as root when I
change the privileges using setres[ug]id() as smbd does...
The relevant code snippet looks as follows (more or less the same smbd
does before the failed access, as I found out running it in strace):
<snip>
#define _GNU_SOURCE          /* setresuid()/setresgid() are GNU extensions */
#include <stdio.h>
#include <unistd.h>
int main(void)
{
    setresgid(-1, 10001, -1);    /* effective gid -> the user's primary group */
    setresuid(10007, 10007, -1); /* real and effective uid -> the user, saved uid stays 0 */
    FILE *f = fopen("/tmp/URGA/test", "r");
    if (!f) { perror("fopen"); return 1; }   /* "Permission denied" in the case described */
    return 0;
}
</snip>
10001 is the primary group id, 10007 the user id. Secondary groups are:
id -G
10001 1001 10005 10006 10007 10008
1001 is a group listed in the local /etc/group file, 10005 up to 10008
are more groups reported by Active Directory.
The folder /tmp/URGA belongs to user root with perms rwxrwx---. If the
group ownership is set to 10001, the folder is accessible. For *all*
other (secondary) groups listed by 'id -G', the fopen() call above
fails with "permission denied". In each case, a "ls" from a linux
terminal does work (as expected), though!
So I am really lost here, as this looks like a weird Linux (glibc?)
problem to me... My box is a FC 2 system, running a self-compiled
kernel 2.6.11 with the glibc-2.3.3-27.1 rpm.
HELP!!!
Cheers, Albrecht.
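Editor's note, added to the archive and not part of Albrecht's mails: the test program in the second mail behaves exactly as the kernel is designed to, not as a glibc bug. setresuid() and setresgid() change only the real, effective and saved ids; the supplementary group list is separate process state that only setgroups() changes (initgroups() is the wrapper that fills it from NSS, i.e. from /etc/group plus winbind). The "id -G" output in the mail comes from the ssh session, where sshd had already run initgroups() for DOMAIN_user1, so it contains the local gid 1001. A test program started as root that never calls setgroups() still carries root's supplementary groups, so after the two setres calls only the primary gid 10001 can match the directory's group, which is precisely the pattern observed. smbd does install a group list with setgroups() before it switches ids, so for the share the question is what that list contains: the Groups: line of /proc/<pid>/status for the smbd child serving the Windows client (pid via smbstatus) shows directly whether the gid of "admin" is in it. The C program below replays both observations with a small model of the Unix permission check that needs no root (it ignores CAP_DAC_OVERRIDE, the fsuid/fsgid distinction and POSIX ACLs), parses that Groups: line, and, when run as root, repeats the experiment with setgroups() done first. The uids, gids and paths are the ones from the mail; the model, the helper names and the sample status text are constructed for this example.

```c
/* Added example (not from the post). Replays the post's two observations with a model of
 * the kernel's DAC check, shows the privilege-drop order a root daemon must use, and parses
 * the Groups: line of /proc/<pid>/status. uids/gids/paths are the post's; the rest is made up. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Classic Unix permission check, simplified: euid/egid stand in for fsuid/fsgid, no
 * CAP_DAC_OVERRIDE bypass (the post's process is no longer root at that point), no ACLs.
 * want is a mask of 4 (read), 2 (write), 1 (execute/search). Returns 1 if allowed. */
int dac_allowed(uid_t euid, gid_t egid, const gid_t *sup, size_t nsup,
                uid_t f_uid, gid_t f_gid, mode_t f_mode, int want)
{
    int shift = 0;                               /* "other" bits */
    if (euid == f_uid) shift = 6;                /* owner bits only; group bits are not consulted */
    else if (egid == f_gid) shift = 3;
    else for (size_t i = 0; i < nsup; i++) if (sup[i] == f_gid) { shift = 3; break; }
    mode_t bits = (f_mode >> shift) & 7;
    return (bits & (mode_t)want) == (mode_t)want;
}

/* The two situations from the post: /tmp/URGA is root:1001 mode 0770, the user is uid 10007
 * with primary gid 10001. The ssh shell carries the list sshd installed with initgroups();
 * the root-run test program never called setgroups(), so it still has root's list
 * (assumed here to be just gid 0), and 1001 is not in it. */
int access_from_login_shell(void)
{
    gid_t g[] = {10001, 1001, 10005, 10006, 10007, 10008};   /* "id -G" from the post */
    return dac_allowed(10007, 10001, g, 6, 0, 1001, 0770, 4);
}
int access_after_setres_only(void)
{
    gid_t g[] = {0};
    return dac_allowed(10007, 10001, g, 1, 0, 1001, 0770, 4);
}

/* Correct order for impersonating a user from a root daemon: supplementary groups first
 * (setgroups() needs CAP_SETGID, which is gone once the uid changes), then gid, then uid.
 * Saved ids stay root so the caller can switch back, matching the post's setres calls.
 * Obtain the list with initgroups(name, gid) or getgrouplist(), i.e. from NSS. */
int become_user(uid_t uid, gid_t gid, const gid_t *groups, size_t ngroups)
{
    if (setgroups(ngroups, groups) != 0) return -1;
    if (setresgid(-1, gid, -1) != 0) return -1;
    if (setresuid(uid, uid, -1) != 0) return -1;
    return 0;
}

/* Parse "Groups:\t10001 1001 ... " out of a /proc/<pid>/status text. Returns the number of
 * gids on the line (stores at most max of them), or -1 if there is no Groups: line. */
int parse_proc_groups(const char *status, gid_t *out, size_t max)
{
    const char *p = strstr(status, "Groups:");
    if (!p) return -1;
    p += strlen("Groups:");
    const char *eol = strchr(p, '\n');
    if (!eol) eol = p + strlen(p);
    size_t n = 0;
    while (p < eol) {
        if (*p == ' ' || *p == '\t') { p++; continue; }
        char *end;
        unsigned long v = strtoul(p, &end, 10);
        if (end == p) break;                     /* not a number: stop */
        if (n < max) out[n] = (gid_t)v;
        n++;
        p = end;
    }
    return (int)n;
}

int main(void)
{
    printf("login shell, dir gid 1001:          %s\n", access_from_login_shell() ? "allowed" : "denied");
    printf("setresgid+setresuid only, gid 1001: %s\n", access_after_setres_only() ? "allowed" : "denied");

    /* What this process really carries. Run the same against /proc/<pid>/status of the smbd
     * child serving the client (pid from smbstatus) and look for the gid of "admin" (1001). */
    char buf[8192];
    FILE *st = fopen("/proc/self/status", "r");
    if (st) {
        size_t len = fread(buf, 1, sizeof buf - 1, st); buf[len] = '\0'; fclose(st);
        gid_t g[64]; int k = parse_proc_groups(buf, g, 64);
        printf("this process has %d supplementary gid(s)\n", k);
    }

    if (geteuid() == 0) {                        /* root only: the post's experiment, done right */
        gid_t groups[] = {10001, 1001, 10005, 10006, 10007, 10008};
        if (become_user(10007, 10001, groups, 6) != 0) { perror("become_user"); return 1; }
        FILE *f = fopen("/tmp/URGA/test", "r");
        printf("fopen(/tmp/URGA/test) as 10007: %s\n", f ? "ok" : strerror(errno));
        if (f) fclose(f);
    }
    return 0;
}
```

Build with "gcc -Wall -o grouptest grouptest.c". Unprivileged it prints the two modelled verdicts (allowed, denied) and the size of its own supplementary list; as root it additionally opens /tmp/URGA/test after installing the group list, which is the step the post's snippet was missing. The same parse_proc_groups() applied to the smbd child's status file is the quickest way to see whether winbind's group lookup handed smbd the local "admin" gid at all.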