Voelz Alexander
2006-Dec-31 05:57 UTC
[Samba] user-group mapping not inherited from Windows-Domain?
Dear all,

I have the following problem: we have a Windows domain (WIN2000 SP1), and a Samba server acting as a mere client. So the WIN-DOMAIN is just used for user-to-group mapping and user authentication. Authentication on the Samba server works, ACL inheritance works.

What I would like to do is to allow write access to certain groups, which are defined in the Windows domain. Other groups may only read.

I found that ACLs are similar to Unix modes, as when I allow write access to "\Everyone", it's like doing a chmod o+w on a file.

I authenticate as a user vo03a in the domain, who seems to have to own the files in order to be able to modify the ACLs.

Here are the ACLs of the Media directory on the acl_test share:

[root@saitana Media]# smbcacls //saitana/acl_test Media -U "belgium\vo03a%<pwd>"
...isn't important, is it?...
OWNER:BELGIUM\vo03a
GROUP:SAITANA\root
ACL:BELGIUM\vo03a:ALLOWED/0/FULL
ACL:BELGIUM\F_AKS_VJ-Blitz:ALLOWED/0/FULL
ACL:BELGIUM\F_AKS_VJ-Admin:ALLOWED/0/FULL
ACL:SAITANA\root:ALLOWED/0/FULL
ACL:\Everyone:ALLOWED/0/READ

Now, I want every user of the F_AKS_VJ-Blitz group to have write access in the Media directory.

[root@saitana Media]# getent group F_AKS_VJ-Blitz
F_AKS_VJ-Blitz:x:16782751:xxx0422z

xxx0422z is a member of this group. But when I try to create a directory in the share from a Windows computer, I get no write access.

Now, if I add this line:

[root@saitana Media]# smbcacls //saitana/acl_test Media -U "belgium\vo03a%<pwd>" -a "ACL:BELGIUM\xxx0422z:ALLOWED/0/FULL"

it correctly adds it to the ACLs, and I get write access as user xxx0422z from my Windows client. When I create a file, it belongs to xxx0422z:Domain Users (that's why I assume the problem has to do with the primary group "Domain Users", and the system may not recognize that the user belongs to other groups as well).

[root@saitana Media]# smbcacls //saitana/acl_test Media -U "belgium\vo03a%<pwd>"
...
OWNER:BELGIUM\vo03a
GROUP:SAITANA\root
ACL:BELGIUM\vo03a:ALLOWED/0/FULL
ACL:BELGIUM\F_AKS_VJ-Blitz:ALLOWED/0/FULL
ACL:BELGIUM\F_AKS_VJ-Admin:ALLOWED/0/FULL
ACL:SAITANA\root:ALLOWED/0/FULL
ACL:BELGIUM\xxx0422z:ALLOWED/0/FULL
ACL:\Everyone:ALLOWED/0/READ
[root@saitana Media]#

My conclusion is that it disregards the membership of xxx0422z in the F_AKS_VJ-Blitz group. Do you have any idea why, and more importantly, how I could get this to work?

Note: the user xxx0422z's primary group is "Domain Users", and this is the group under which he creates files and directories. So it seems to have to do with that primary group...

I also tried to create the group locally with wbinfo -O, as well as the user, but that didn't work either. I guess that at a certain point I also got confused about which domain the users were from.

My goal is to use the ACLs to deny write access to \\saitana\acl_test\Media\Blitz to all members of F_AKS_VJ-Blitz (which is administered in the Windows domain), while all members of F_AKS_VJ-Admin should be able to write on that share. I don't want to administer the groups on the Linux box! That should be taken care of by the Windows domain! The Linux box does not have any local groups for the Samba share!

Another thing that may be useful: when I chown the dir "\Media\Blitz" to the F_AKS_VJ_Blitz group (and set chmod g+w), xxx0422z STILL can't write in it!

Oh, and the user is correctly recognized as a member of the group in the "valid users" section.

smb.conf excerpt:

[global]
workgroup = BELGIUM
netbios name = SAITANA
server string = saitana
security = domain
password server = belgium
client schannel = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = yes
...

[acl_test]
comment = Media
path = /media1/acl_test
valid users = @F_AKS_VJ-Admin, @F_AKS_VJ-Blitz
read only = No
inherit permissions = Yes
inherit acls = Yes
map acl inherit = Yes

Any ideas what else I could try, where I could post this question, or how I could just get along somehow? I have found similar problems on the mailing list, but not one that applies well enough to my case.

No Linux boxes have to map the share. It is mounted by Windows XP clients only. And no other folders than the already existing shares should have to be created. Do I have to add user logon scripts, local groups, group mappings, etc. (I'd like to avoid all of that)?

Thank you for your time,
Alexander

PS: I almost forgot:
smbd: Version 3.0.10-1.4E.2
nmbd: Version 3.0.10-1.4E.2
winbindd: Version 3.0.10-1.4E.9
I installed this as an rpm package samba-3.0.10-1.4E.2 on a 2.6.9-42.0.2.ELsmp kernel x86 RedHat Linux
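The symptom described above (a group ACE that should grant write, but the client only gets read until a per-user ACE is added) is a mismatch between the ACL on disk and the group SIDs that actually end up in the user's server-side token. The following script is an added example, not part of the original post or of Samba: it parses the smbcacls and getent output quoted in the post (embedded here as constructed sample input; the F_AKS_VJ-Admin membership line is an assumption, the post only shows the Blitz group), rebuilds the trustee set a correct token would contain (user, primary group, every supplementary domain group, Everyone), evaluates the ACL against it with simplified NT semantics (matching DENIED entries strip rights, matching ALLOWED entries add them), and compares the expected result with what the client observed. When the full token would have write but a token stripped of supplementary groups would not, the group membership never reached the server's token, which is exactly the case the post describes.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the smbcacls output quoted in the post, before the
# per-user entry for xxx0422z was added.
SMBCACLS_OUTPUT = r"""
OWNER:BELGIUM\vo03a
GROUP:SAITANA\root
ACL:BELGIUM\vo03a:ALLOWED/0/FULL
ACL:BELGIUM\F_AKS_VJ-Blitz:ALLOWED/0/FULL
ACL:BELGIUM\F_AKS_VJ-Admin:ALLOWED/0/FULL
ACL:SAITANA\root:ALLOWED/0/FULL
ACL:\Everyone:ALLOWED/0/READ
"""

# Constructed sample input: `getent group` lines as winbind returns them.
# The F_AKS_VJ-Admin membership is assumed; the post only shows the Blitz group.
GETENT_GROUP_OUTPUT = """
F_AKS_VJ-Blitz:x:16782751:xxx0422z
F_AKS_VJ-Admin:x:16782752:vo03a
"""

# Rights implied by the three symbolic permission names smbcacls prints.
PERM_SETS = {
    "READ": frozenset({"read"}),
    "CHANGE": frozenset({"read", "write"}),
    "FULL": frozenset({"read", "write", "full"}),
}


@dataclass(frozen=True)
class Ace:
    trustee: str  # DOMAIN\name, or \Everyone for the well-known SID
    kind: str     # ALLOWED or DENIED
    flags: int    # inheritance flags field
    perms: str    # READ, CHANGE or FULL (a hex mask is kept verbatim, unmapped)


ACE_RE = re.compile(
    r"^ACL:(?P<trustee>.+?):(?P<kind>ALLOWED|DENIED)/(?P<flags>\d+)/(?P<perms>\S+)$"
)


def parse_smbcacls(text):
    """Return the ACL: lines of smbcacls output as Ace objects, in order."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            aces.append(Ace(m["trustee"], m["kind"], int(m["flags"]), m["perms"]))
    return aces


def parse_getent_group(text):
    """Map group name -> set of member names from `getent group` output."""
    groups = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 4:
            groups[parts[0]] = {m for m in parts[3].split(",") if m}
    return groups


def build_token(user, domain, groups, primary_group="Domain Users"):
    """Trustees an ACE may match for this user: the user, its primary group,
    every supplementary domain group it is a member of, and Everyone.
    Names are lower-cased because Windows trustee names are case-insensitive."""
    token = {f"{domain}\\{user}", f"{domain}\\{primary_group}", "\\Everyone"}
    for name, members in groups.items():
        if user in members:
            token.add(f"{domain}\\{name}")
    return {t.lower() for t in token}


def effective_rights(aces, token):
    """Simplified NT evaluation: every matching DENIED ACE removes its rights,
    every matching ALLOWED ACE adds them."""
    allowed, denied = set(), set()
    for ace in aces:
        if ace.trustee.lower() not in token:
            continue
        rights = PERM_SETS.get(ace.perms.upper(), frozenset())
        (allowed if ace.kind == "ALLOWED" else denied).update(rights)
    return frozenset(allowed - denied)


def write_grantors(aces, token):
    """Trustees whose ALLOWED ACEs give this token write access."""
    return sorted(
        ace.trustee for ace in aces
        if ace.kind == "ALLOWED" and ace.trustee.lower() in token
        and "write" in PERM_SETS.get(ace.perms.upper(), frozenset())
    )


def diagnose(user, domain, smbcacls_text, getent_text, observed_write):
    """Compare the write access the ACL should give with what the client saw.
    Returns "ok", "group-membership-missing-from-token" or "unexpected"."""
    aces = parse_smbcacls(smbcacls_text)
    full = build_token(user, domain, parse_getent_group(getent_text))
    expected_write = "write" in effective_rights(aces, full)
    if expected_write == observed_write:
        return "ok"
    if expected_write and not observed_write:
        # A token without supplementary groups matches only the user, its
        # primary group and Everyone. If that token has no write either, the
        # group SIDs that carry the grant never reached the server-side token.
        bare = build_token(user, domain, {})
        if "write" not in effective_rights(aces, bare) and write_grantors(aces, full):
            return "group-membership-missing-from-token"
    return "unexpected"


if __name__ == "__main__":
    print(diagnose("xxx0422z", "BELGIUM", SMBCACLS_OUTPUT, GETENT_GROUP_OUTPUT, False))
```

On a real host the comparison to run next is between the groups `getent group` lists and what winbind puts in the token for that user: `wbinfo --user-groups=xxx0422z` (the `-r` option) and `id xxx0422z` should both name F_AKS_VJ-Blitz; if they do not, the problem is on the winbind side rather than in the ACL.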