Hello, I hope you guys can help me.
This is the first time I write to the list. Sorry about my English...

I got a Solaris 10 machine and installed "samba 3.0.2.3c" with "openldap 2.3.2.1", "openssl 0.9.8" and "gcc 3.4.6".
I configured Kerberos and all the other things. All good.

I added the samba-server (solaris10) to an Active Directory domain, with "kinit ...." and then "net ads join" and so on.
All worked good.

Then I configured my smb.conf via swat-webconsole.
I created a share that was named "all".
I added in swat to the "valid users"-option the AD-Group "MyDomain\group_alpha".

After this I mounted the share on my Windows-XP machine.
The user on the Windows XP machine is in the group "MyDomain\group_alpha".
All good.

I can access and create folders .....

Now I created on my solaris-machine in my Samba-Share-folder "all" 2 folders.

Folders:               Permissions  Owner      Acl
1. "folderA"  with     rwxrwx---    root root  group: group_beta:rwx
2. "folderB"  with     rwxrwx---    root root  group: group_gama:rwx

After this I added via "setfacl -m g:MyDomain\\group_beta:rwx folder_a" the group "group_beta" to the first folder.
The same I did with the folder "folderB", I added the group "group_gama" (rwx).

Now, I am at the Windows machine, my user "winuser" mounted the Samba share.
So, "winuser" is a member of the valid share user group "group_alpha", all AD-users are members of this group.
On the two other folders in the share I added permissions for two other groups.
So, I as "winuser" should have rights to read, write, execute the "folderA", because "winuser" is also a member of "group_beta", but I don't have permissions for "folderB".

My problem is now that I cannot enter "folderA" and "folderB"!
(windows-prompt : I don't have permissions for this..)

The same scenario with adding "users" directly without "group" is working.

So I think that samba ignores my supplementary groups for acl!!!

I googled a lot for this problem, but no solution.
Help me ;)

Ciao, Björn

On 09/26/2006 09:25 AM, Neuwald wrote:
> Hello, I hope you guys can help me.

Let's try. :)

> This is the first time I write to the list. Sorry about my
> English...

No problem.

> I got a Solaris 10 machine and installed "samba 3.0.2.3c" with
> "openldap 2.3.2.1", "openssl 0.9.8" and "gcc 3.4.6".

Just for the sake of logs, it is 3.0.23c and 2.3.21.

> I configured Kerberos and all the other things. All good.

Do "all the other things" include the groupmaps?

> I added the samba-server (solaris10) to an Active Directory domain,
> with "kinit ...." and then "net ads join" and so on.
> All worked good.

Ok, so your samba server is a Member Server of an AD.

> Then I configured my smb.conf via swat-webconsole.
> I created a share that was named "all".
> I added in swat to the "valid users"-option the AD-Group
> "MyDomain\group_alpha".

> After this I mounted the share on my Windows-XP machine.
> The user on the Windows XP machine is in the group "MyDomain\group_alpha".
> All good.
>
> I can access and create folders .....
>
> Now I created on my solaris-machine in my Samba-Share-folder "all"
> 2 folders.
> Folders:               Permissions  Owner      Acl
> 1. "folderA"  with     rwxrwx---    root root  group: group_beta:rwx
> 2. "folderB"  with     rwxrwx---    root root  group: group_gama:rwx
>
> After this I added via "setfacl -m g:MyDomain\\group_beta:rwx folder_a"
> the group "group_beta" to the first folder.
> The same I did with the folder "folderB", I added the group "group_gama"
> (rwx).

I hope that the above commands are really right, because you said folder_a but the name of the folder is "folderA".

> Now, I am at the Windows machine, my user "winuser" mounted the Samba
> share.
> So, "winuser" is a member of the valid share user group "group_alpha",
> all AD-users are members of this group.
> On the two other folders in the share I added permissions for two
> other groups.
> So, I as "winuser" should have rights to read, write, execute the
> "folderA", because "winuser" is also a member of "group_beta",
> but I don't have permissions for "folderB".

> My problem is now that I cannot enter "folderA" and "folderB"!
> (windows-prompt : I don't have permissions for this..)

Ok, we will need the smb.conf and a log when you are trying to access the share (increase the loglevel/debuglevel, please).

> The same scenario with adding "users" directly without "group" is
> working.

Sounds like an ACL problem with regards to groups from AD.

> So I think that samba ignores my supplementary groups for acl!!!

Maybe...

> I googled a lot for this problem, but no solution.
> Help me ;)
> Ciao, Björn

Kind regards,
--
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/
Phone: (+55 41 3350 3300)

Hi,

> Then I configured my smb.conf via swat-webconsole.
> I created a share that was named "all".

What are the Unix permissions on this directory?

> After this I mounted the share on my Windows-XP machine.
> The user on the Windows XP machine is in the group
> "MyDomain\group_alpha".
> All good.
>
> I can access and create folders .....
>
> Now I created on my solaris-machine in my Samba-Share-folder
> "all" 2 folders.
> Folders:               Permissions  Owner      Acl
> 1. "folderA"  with     rwxrwx---    root root  group: group_beta:rwx
> 2. "folderB"  with     rwxrwx---    root root  group: group_gama:rwx

> So, I as "winuser" should have rights to read, write, execute
> the "folderA", because "winuser" is also a member of
> "group_beta", but I don't have permissions for "folderB".
>
> My problem is now that I cannot enter "folderA" and "folderB"!
> (windows-prompt : I don't have permissions for this..)

Could you please run the following commands on your Unix box:

    # id winuser
    # wbinfo -r winuser

and post here the output?

With best regards,
P. Trifonov

Hi,

> Here is the Output:
>
> bash-3.00# id NTBV+neuwald
> uid=5000(NTBV+neuwald) gid=5006(NTBV+dom+nnen-benutzer)
>
> bash-3.00# /usr/local/samba/bin/wbinfo -r NTBV+neuwald
> 5001
> 5002
> 5003
> 5004

This looks like another instance of this bug:
https://bugzilla.samba.org/show_bug.cgi?id=3990

The problem is that the group membership information is lost somewhere on the way from winbind to Unix kernel. It started with version 3.0.23.

Could you please add a comment to that bug report describing your case? This should bring the attention of Samba developers to this problem.

With best regards,
P. Trifonov
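
The id / wbinfo -r comparison used in this thread, as an added example that is not part of the original messages: a small shell helper that lists the gids winbind reports for a user but that are absent from the same user's id output. The function names and the HEALTHY_ID sample (with placeholder group names) are constructed for illustration; the other two samples are the outputs posted above.

```shell
#!/bin/sh
# Added example (not from the thread): find gids that winbind knows about
# but that do not appear in the user's id(1) output.

# Print each numeric gid from one line of id(1) output, one per line.
gids_from_id() {
    printf '%s\n' "$1" |
        sed 's/([^)]*)//g' |   # drop "(name)" parts; AD group names may contain spaces
        tr ' ' '\n' |
        sed -n -e 's/^gid=//p' -e 's/^groups=//p' |   # primary gid and groups= list
        tr ',' '\n' |
        grep '^[0-9][0-9]*$' | sort -u
}

# $1 = id output, $2 = "wbinfo -r" output (one gid per line).
# Prints every gid from $2 that id does not list.
missing_gids() {
    mg_known=" $(gids_from_id "$1" | tr '\n' ' ')"
    printf '%s\n' "$2" | grep '^[0-9][0-9]*$' | sort -u |
    while read -r mg_gid; do
        case "$mg_known" in
            *" $mg_gid "*) ;;                 # id already lists this gid
            *) printf '%s\n' "$mg_gid" ;;     # known to winbind only
        esac
    done
}

# Outputs as posted in the thread.
THREAD_ID='uid=5000(NTBV+neuwald) gid=5006(NTBV+dom+nnen-benutzer)'
THREAD_WBINFO='5001
5002
5003
5004'

# Constructed sample: an id line that does carry the supplementary groups
# (group names here are placeholders).
HEALTHY_ID='uid=5000(NTBV+neuwald) gid=5006(NTBV+dom+nnen-benutzer) groups=5006(NTBV+dom+nnen-benutzer),5001(NTBV+g1),5002(NTBV+g2),5003(NTBV+g3),5004(NTBV+g 4)'

echo "gids reported by wbinfo -r but missing from id:"
missing_gids "$THREAD_ID" "$THREAD_WBINFO"
```

On a live system the inputs would come from `id -a <user>` and `wbinfo -r <user>`; on Solaris, plain `id <user>` prints only the uid and primary gid, so `-a` is needed before an empty supplementary list means anything.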