samba - Jan 2006 - winbind + nested groups in ssh = permission denied

Samba 3.0.21a, winbind setup to auth for ssh sessions.

Active Directory (windows 2003 server)

 

I have a group (workpaper admins)

which has 4 other groups as members of the group.

 

I have a file under the filesystem (/data/workpapers)

that has the permissions rwxrwx--- root.workpaper admins

 

so that anyone that is a member of one of the 4 groups should be able to
create new files in the /data/workpapers directory.

 

Getent group shows members of all groups, except the workpaper admins
group

 

workpaper admins:x:15007:

 

is that because it is a nested group?

 

 

Now the strange thing is, some members of the 4 groups can create new
files in that folder, and some get permission denied.

I can't find a pattern.

 

Can someone recommend a log to watch, or a smb.conf setting for winbind
that will make it log more, 

 

Any help appreciated in figuring this one out.

 

Barry Smoke

Network Administrator

AR Division of Legislative Audit

> so that anyone that is a member of one of the 4 groups should be able
> to create new files in the /data/workpapers directory.
> 
> Getent group shows members of all groups, except the workpaper admins
> group
You'll find that "getent group" doesn't list users within
nested
groups, but Samba should pick up nested groups and obey them with
regard to filesystem permissions.
> Now the strange thing is, some members of the 4 groups can create new
> files in that folder, and some get permission denied.
> I can't find a pattern.
When did you add the users to these groups?  I have to completely shut
down Samba and restart before any group changes are recognised, so if
you added some users to this group after you started Samba that could
explain why.

Also make sure "getent group" works for all of the subgroups.

I assume you have "winbind nested groups = yes" in smb.conf?

Cheers,
Adam.