Hi.

I have a samba install, samba-1.9.18p4, with security=server. Users are
validated against the NT domain controller correctly, and user accounts
do exist on the unix box (AIX 4.2.1)

Problem is that while the uid of the files that users create is correct,
the group id is always sys, even though the users have as primary gid
STAFF.

The definition of the share I am trying to create is:

[cslan]
   comment = cslan data. Current Managers stuff only
   path = /csfiles
   writable = yes
   public = no
   valid users = corr vsefcik bmiller rallard
   create mask = 0760
   force user = %U
   force group = %G

I tried adding the force user/group lines to try to resolve this, but
with no luck.

Anyone have ideas? Should the gid be preserved?

TIA

--
Steve Francis
Network Analyst, UCSB Communications Services
805 893 7775  fax 805 893 7272

Steve,

On Tue, 28 Apr 1998 09:33:45 +1000, Steve Francis wrote:

>I have a samba install, samba-1.9.18p4, with security=server. Users are
>validated against the NT domain controller correctly, and user accounts
>do exist on the unix box (AIX 4.2.1)

>Problem is that while the uid of the files that users create is correct,
>the group id is always sys, even though the users have as primary gid
>STAFF.

>The definition of the share I am trying to create is:
>[cslan]
>   comment = cslan data. Current Managers stuff only
>   path = /csfiles
>   writable = yes
>   public = no
>   valid users = corr vsefcik bmiller rallard
>   create mask = 0760
>   force user = %U
>   force group = %G

>I tried adding the force user/group lines to try to resolve this, but
>with no luck.

Are you sure you want %U/%G? There's a difference between %U/%G and
%u/%g! "force user = %u" and "force group = %g" seem to be null
operations.

Why don't you try "force group = staff" and leave the force user away?

Anyway, there are some troubles with substitution, i.e. "force user = %S"
definitely does not work in 1.9.18p4 (already posted to samba-bugs).

Regards,
        Robert

---------------------------------------------------------------
Robert.Dahlem@frankfurt.netsurf.de
Radio Bornheim - 2:2461/332@fidonet    +49-69-4930830  (ZyX, V34)
                 2:2461/326@fidonet    +49-69-94414444 (ISDN X.75)
---------------------------------------------------------------

Steve,

On Tue, 28 Apr 1998 11:14:38 -0700, Steve Francis wrote:

>force group = staff does not work either.
>
>smbstatus shows the group correctly:
> ./smbstatus
>
>Samba version 1.9.18p4
>Service     uid       gid      pid     machine
>----------------------------------------------
>cslan       bmiller   staff    45176   stevef

Is this different to "force group = %G"?

>But files are all created with the group of sys.

Are you sure you do not have an sgid-Bit set on that directory? Where
does the group sys come from? Did you try to increase the debug level
and analyze the logs?

>Not only that, but force group = "literal group" will not work for me anyway,
>as I need to maintain file access differently for people in different groups
>accessing the same share.

What about %g instead of %G?

>IS there a working solution for this when using security = server?

I'm quite sure this does not have anything to do with "security =
server".

Regards,
        Robert

Robert Dahlem wrote:

> Are you sure you do not have an sgid-Bit set on that directory?

Oops. Sgid was set: I did not realise that AIX sets the gid bit by
default when creating new file systems.

Thanks

--
Steve Francis

Steve,

On Wed, 29 Apr 1998 10:17:00 +1000, Steve Francis wrote:

>> Are you sure you do not have an sgid-Bit set on that directory?
>
>Oops. Sgid was set: I did not realise that AIX sets the gid bit by default when creating new file
>systems.

Hard to find. I bet one would not find this in the logs even with debug
level 100. I just remembered because we nearly completely rely on this
in our environment.

Regards,
        Robert

Steve Francis <steve.francis@commserv.ucsb.edu> wrote:

| force group = staff does not work either.
|
| smbstatus shows the group correctly:
|  ./smbstatus
|
| Samba version 1.9.18p4
| Service     uid       gid      pid     machine
| ----------------------------------------------
| cslan       bmiller   staff    45176   stevef
|
| But files are all created with the group of sys.

That symptom makes me wonder if the problem is the underlying system's
group semantics.

BSD semantics was ``new file/directory's group is set to the group of
the containing directory''

V7 semantics was ``new file/directory's group is set to the user's
group''

Sun (and just about everyone else using fast filesystem) have an option
to set which semantic to use on a per-directory basis. Man chmod says
(on Solaris):

     20#0   For directories, files are created with BSD semantics
            for propagation of the group ID. With this option,
            files and subdirectories created in the directory
            inherit the group ID of the directory, rather than of
            the current process. It may be cleared only by using
            symbolic mode.

If this is the problem, you've just raised an additional question: why
didn't it work that way with security = user?

--dave
--
David Collier-Brown,  | Always do right. This will gratify some people
185 Ellerslie Ave.,   | and astonish the rest.        -- Mark Twain
Willowdale, Ontario   | davecb@hobbes.ss.org, canada.sun.com
M2N 1Y3. 416-223-8968 | http://java.science.yorku.ca/~davecb

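Added example, not part of the original thread or of Samba: a small POSIX shell check for the condition the thread ended up finding, a set-group-ID bit on the share directory deciding the group of new files. The function names and the scratch directory are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Uses only POSIX ls/find/awk.

# has_sgid DIR: succeeds if DIR has the set-group-ID bit (mode 2000) set.
has_sgid() {
    [ -n "$(find "$1" -prune -type d -perm -2000 2>/dev/null)" ]
}

# dir_group DIR: prints the group owner of DIR (4th field of ls -ld).
dir_group() {
    ls -ld "$1" | awk '{ print $4 }'
}

# new_file_group DIR: creates a probe file in DIR, prints the group it
# received, then removes it. This is the group a client's files would get
# when written by a process with the same credentials.
new_file_group() {
    probe="$1/.sgid_probe.$$"
    : > "$probe" || return 1
    ls -l "$probe" | awk '{ print $4 }'
    rm -f "$probe"
}

# report DIR: one-line summary. The "sgid clear" wording assumes V7/System V
# group semantics; on a BSD-semantics filesystem the directory's group is
# inherited either way, as David's message describes.
report() {
    if has_sgid "$1"; then
        state="sgid set: new files inherit the directory's group"
    else
        state="sgid clear: new files get the creating process's group"
    fi
    echo "$1 dir_group=$(dir_group "$1") new_file_group=$(new_file_group "$1") ($state)"
}

# Demo on a constructed scratch directory, with the bit set and then cleared.
demo() {
    d="${TMPDIR:-/tmp}/sgid_demo.$$"
    mkdir "$d" || return 1
    chmod g+s "$d"; report "$d"
    chmod g-s "$d"; report "$d"   # symbolic mode, as the Solaris man page requires
    rm -rf "$d"
}
demo
```

Running report /csfiles on the share path from the thread would show whether the directory's group (sys in Steve's case) is being propagated; chmod g-s on the directory clears the bit.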