Hi,

I'm running samba 3.0.14a-3 on Debian sarge (sparc). The filesystem is ext3 with acl support. winbind works fine. Please see below. When I am logged in using ssh, I can list the files in a folder (/var/Share) for which the group "staff" has r-x permissions. The problem is I can't list the folder through samba:

$ ssh cyberlab+kent@cladms003
Password:
Linux cladms003 2.6.8-2-sparc64 #1 Wed Mar 23 04:23:37 EST 2005 sparc64 GNU/Linux
Last login: Thu Jul 28 10:13:46 2005 from 172.18.17.237

CYBERLAB+kent@cladms003:~$ getfacl /var/Share/
getfacl: Removing leading '/' from absolute path names
# file: var/Share
# owner: root
# group: root
user::rwx
group::r-x
group:staff:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:staff:r-x
default:mask::r-x
default:other::---

CYBERLAB+kent@cladms003:~$ id
uid=10000(CYBERLAB+kent) gid=10000(CYBERLAB+domain users) groups=50(staff),10000 (CYBERLAB+domain users),10001(CYBERLAB+staffs)

CYBERLAB+kent@cladms003:~$ ls -l /var/Share/
total 24
drwxr-x---+ 16 root root 4096 2005-07-25 18:14 Applications
drwxr-x---+ 11 root root 4096 2005-07-25 21:30 Data
drwxr-x---+ 63 root root 4096 2005-07-26 17:37 Packages

In a DOS prompt on a Windows 2000 client:

C:\>net use f: \\cladms003\Share
command completed successfully
C:\>dir f:
access denied

I believe this problem only happens when used with winbind (a domain user who is in a linux group). If I set security to user and access the share as linux user "kent" who is in the "staff" group (but not primary group), then it will work.

Thanks for any info!
Gerald (Jerry) Carter
2005-Jul-30 04:57 UTC
[Samba] samba ignores supplementary groups for acl
Kent Tong wrote:
| CYBERLAB+kent@cladms003:~$ getfacl /var/Share/
| getfacl: Removing leading '/' from absolute path names
| # file: var/Share
| # owner: root
| # group: root
| user::rwx
| group::r-x
| group:staff:r-x
| mask::r-x
| other::---
| default:user::rwx
| default:group::r-x
| default:group:staff:r-x
| default:mask::r-x
| default:other::---
|
| CYBERLAB+kent@cladms003:~$ id
| uid=10000(CYBERLAB+kent) gid=10000(CYBERLAB+domain users)
| groups=50(staff),10000 (CYBERLAB+domain users),
| 10001(CYBERLAB+staffs)
....
| I believe this problem only happens when used with
| winbind (a domain user who is in a linux group). If I
| set security to user and access the share as linux user
| "kent" who is in the "staff" group (but not primary group),
| then it will work.

This is actually by design. smbd only uses the Windows group when setting the group list for a domain user. So you cannot mix winbind and unix groups.

cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back." Ethan Hawk in Gattaca
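
The ACL evaluation behind this thread, as an added example that is not part of the original messages and is not Samba code: it parses the getfacl output quoted above and applies a simplified POSIX ACL check (no root override) to the same user under two group lists. The function names are hypothetical, and the smbd group list is an assumption read off the `id` output and the reply's statement that only Windows groups are used.

```python
GETFACL = """\
# file: var/Share
# owner: root
# group: root
user::rwx
group::r-x
group:staff:r-x
mask::r-x
other::---
default:group:staff:r-x
"""  # lines copied from the thread; default: entries only affect newly created files

def parse_acl(text):
    """Return (owner, owning_group, entries); entries are (tag, qualifier, perms)."""
    meta, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# ") and ":" in line:
            key, value = line[2:].split(":", 1)
            meta[key.strip()] = value.strip()
        elif line and not line.startswith(("#", "default:")):
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, set(perms) - {"-"}))
    return meta["owner"], meta["group"], entries

def can_access(acl_text, user, groups, want="rx"):
    """Check order: owner, named user, matching groups (masked), then other."""
    owner, owning_group, entries = parse_acl(acl_text)
    want = set(want)
    mask = next((p for t, q, p in entries if t == "mask"), set("rwx"))
    if user == owner:
        return want <= next(p for t, q, p in entries if t == "user" and q == "")
    for t, q, p in entries:
        if t == "user" and q == user:
            return want <= (p & mask)
    matched = [p for t, q, p in entries
               if t == "group" and (q or owning_group) in groups]
    if matched:
        # One matching group entry must grant everything; no fall-through to other.
        return any(want <= (p & mask) for p in matched)
    return want <= next(p for t, q, p in entries if t == "other")

UNIX_GROUPS = {"staff", "CYBERLAB+domain users", "CYBERLAB+staffs"}  # `id` over ssh
SMBD_GROUPS = {"CYBERLAB+domain users", "CYBERLAB+staffs"}  # assumed: Windows groups only

def compare(user="CYBERLAB+kent"):
    """Return (listing allowed with unix groups, listing allowed with smbd's list)."""
    return (can_access(GETFACL, user, UNIX_GROUPS),
            can_access(GETFACL, user, SMBD_GROUPS))
```

With `staff` missing from the group list, no group entry matches and the request falls to `other::---`, which is the "access denied" seen from the Windows client.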