samba - Apr 2013 - member server and groups

I have a samba 3 member server joined to a samba pdc using ldap. Join is OK.
Version is from debian wheezy: 3.6.6

With servers that are bdc's I have no problems with authentication, with 
the member server I cannot get group file permissions to work.
User file permissions work fine
Samba share user and group permissions work fine
getent group shows expected groups with correct gid, which is an 
improvement on the 3.5.4 that I tried before.
Only thing interesting the logs show is access denied.
BUT if I change the dir/file permission to domain users group THEN it 
works.
So I think samba is only looking up the primary group. I know there was 
bug like this somewhere around 3.6.0

Is "net idmap secret alloc" no longer needed? It responds with
"The only
currently supported backend is LDAP". smbpasswd -w seemed to do all I 
needed.

Critical parts of my smb.conf
I'm using the nss_ldap method with nss-ldapd

    security = domain
    workgroup = DOMAIN
    ldap admin dn = cn=System Administrator,ou=people,dc=domain,dc=com

    ldap suffix = dc=domain,dc=com

    ldap user suffix = ou=people

    ldap group suffix = ou=groups

    ldap idmap suffix = ou=idmap

    ldap machine suffix = ou=winstations,ou=systems

    ldap ssl = Off

         idmap config DOMAIN : backend     = ldap
         idmap config DOMAIN : range        = 80000-99000
         idmap config DOMAIN : ldap_url     = ldap://my.ldap.serverl/

    winbind use default domain = yes

[comp]
path = /home/shares/comp
inherit permissions = yes
public = no
browsable = yes
writeable = yes
valid users = @computer

Directory perms
drwxrwx--- 19 root computer 4096 Jan 18 15:25 comp


nsswitch.conf
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files dns wins
networks:       files

/etc/nslcd.conf
# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://my.ldap.server/

# The search base that will be used for all queries.
base dc=domain,dc=com

# The LDAP protocol version to use.
#ldap_version 3


# SSL options
#ssl off
#tls_reqcert never

# The search scope.
#scope sub

When running a samba 3 member server joined to a samba AD with winbind, we were
having some issues with ACLs over CIFS mounts. If you are noticing issues with
CIFS mounts, then something to keep in mind that I only found out after quite
some time, is that permissions over mounts work as the logical AND of basic unix
permissions and ACLs. That is if your user would be denied by the basic unix
permissions, ACLs are never checked. However, if you get the greenlight from
basic permissions, it then contacts the server and does the ACL checks.

The reason that you are noticing no issue when you chgrp it to Domain Users is
that at that point your domain users pass on the unix permissions. Without them
owning (say the file/dir is root/root) then they fall to the last octal, the
'other' portion of file permissions.

So what I'd try is chmod 777 the file/dir and then adding ACLs on top of
that to restrict access.

Hope that helps, 
Mike Ray 

----- Original Message -----

From: "Neil Price" <nprice at gibb.co.za> 
To: samba at lists.samba.org 
Sent: Thursday, April 4, 2013 8:42:06 AM 
Subject: [Samba] member server and groups 

I have a samba 3 member server joined to a samba pdc using ldap. Join is OK. 
Version is from debian wheezy: 3.6.6 

With servers that are bdc's I have no problems with authentication, with 
the member server I cannot get group file permissions to work. 
User file permissions work fine 
Samba share user and group permissions work fine 
getent group shows expected groups with correct gid, which is an 
improvement on the 3.5.4 that I tried before. 
Only thing interesting the logs show is access denied. 
BUT if I change the dir/file permission to domain users group THEN it 
works. 
So I think samba is only looking up the primary group. I know there was 
bug like this somewhere around 3.6.0 

Is "net idmap secret alloc" no longer needed? It responds with
"The only
currently supported backend is LDAP". smbpasswd -w seemed to do all I 
needed. 

Critical parts of my smb.conf 
I'm using the nss_ldap method with nss-ldapd 

security = domain 
workgroup = DOMAIN 
ldap admin dn = cn=System Administrator,ou=people,dc=domain,dc=com 

ldap suffix = dc=domain,dc=com 

ldap user suffix = ou=people 

ldap group suffix = ou=groups 

ldap idmap suffix = ou=idmap 

ldap machine suffix = ou=winstations,ou=systems 

ldap ssl = Off 

idmap config DOMAIN : backend = ldap 
idmap config DOMAIN : range = 80000-99000 
idmap config DOMAIN : ldap_url = ldap://my.ldap.serverl/ 

winbind use default domain = yes 

[comp] 
path = /home/shares/comp 
inherit permissions = yes 
public = no 
browsable = yes 
writeable = yes 
valid users = @computer 

Directory perms 
drwxrwx--- 19 root computer 4096 Jan 18 15:25 comp 


nsswitch.conf 
passwd: compat ldap 
group: compat ldap 
shadow: compat ldap 

hosts: files dns wins 
networks: files 

/etc/nslcd.conf 
# The user and group nslcd should run as. 
uid nslcd 
gid nslcd 

# The location at which the LDAP server(s) should be reachable. 
uri ldap://my.ldap.server/ 

# The search base that will be used for all queries. 
base dc=domain,dc=com 

# The LDAP protocol version to use. 
#ldap_version 3 


# SSL options 
#ssl off 
#tls_reqcert never 

# The search scope. 
#scope sub 


-- 
To unsubscribe from this list go to the following URL and read the 
instructions: https://lists.samba.org/mailman/options/samba