Athanasios Silis
2011-Feb-15 12:02 UTC
[Samba] samba authenticates only against the primary group of a user?
Hello everyone! I seem to have a bit of a problem setting up a few network folders for my office on a Qnap storage device running Samba v3.5.2. So I ask: when the 'write list' of a share contains ONLY groups, and a user tries to log on to that share, does samba authenticate against the primary group of that user only??

Here is the example that fails:
- the user is 'isak'
- the group of interest is 'iso_ops'. This user belongs to these groups: everyone, engineers, iso_ops (this is the order I get when I run the command 'groups' from a shell)
- the shared folder in question is 'iso'. This folder has the following permissions: no individual user permissions have been set (every tickbox is blank). Group 'everyone' is denied access. Group 'iso_ops' has read/write access.

The relevant smb.conf part is this:

    [iso]
    comment = ISO files
    path = /share/MD0_DATA/iso
    browsable = yes
    oplocks = yes
    ftp write only = no
    public = yes
    invalid users = "guest",@"everyone"
    read list
    write list = @"iso_ops",@"administrators"
    valid users = "root",@"iso_ops",@"administrators"
    inherit permissions = yes

So normally, I would expect that user 'isak' is allowed read/write access to the 'iso' folder, because he is a member of the 'iso_ops' group. However, when I try to log on to the share as 'isak' I never get past the login prompt. If I move @everyone to the 'valid users' then I can log on AND I can write to the network share, since @iso_ops can write to the share (even though @everyone can't).

So - correct me if I'm wrong - but it seems that users are authenticated only against their primary group! This is most upsetting since on the machine I am running samba on, I don't have the command usermod in order to change the primary group of my user (in fact, even though I have ssh access, the system is optimised to be set up from its web interface - and I can't set the primary group from there either).

But that doesn't seem like a rational behaviour of samba altogether - usermod would merely tackle some of the problems that can arise. Let me explain:
- there are a few engineering related shared folders that the @engineers group can authenticate against
- there is this one 'iso' folder that @iso_ops can authenticate against.
- dearest user isak is an engineer (thus in the engineers group), but is also responsible for keeping the ISO9001 files for the office - imagine how much of an important person!
- by authenticating against only the primary group, isak can only access the engineering folders, or the iso folder, depending on which one is his primary group - BUT NOT BOTH! This is a non-welcoming behaviour that can only be tackled by allowing @everyone to have read access to the shares - unwelcome too.

So finally, is there a way to make samba try and authenticate a user against ALL of his groups (and not just the primary one)?

Thank you very much for your help
Thanassis Silis
Andrew Masterson
2011-Feb-18 16:41 UTC
[Samba] samba authenticates only against the primary group of a user?
Or it means that samba is correctly applying restrictive security - "invalid users" supersedes "valid users".

-=Andrew

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Athanasios Silis
Sent: Tuesday, February 15, 2011 5:03 AM
To: samba at lists.samba.org
Subject: [Samba] samba authenticates only against the primary group of a user?
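A small model of the evaluation order Andrew points to, added here as an example that is not part of the thread or of Samba's own code: it takes the posted [iso] lists and isak's group memberships as constructed input and shows that 'invalid users' is matched against all of a user's groups and wins before 'valid users' or 'write list' are consulted. The parsing and access functions are hypothetical helpers, not Samba APIs, and the empty 'read list' line from the post is ignored.

```python
# Added example (not from the thread): model of how smb.conf(5) orders
# 'invalid users', 'valid users' and 'write list' when a user connects.

# Constructed data mirroring the thread: isak's groups as printed by 'groups'.
USER_GROUPS = {
    "isak": {"everyone", "engineers", "iso_ops"},
    "root": {"root"},
}

def parse_list(value: str) -> list[str]:
    """Split an smb.conf user list, drop the quotes, keep the '@' group marker."""
    return [tok.strip().replace('"', "") for tok in value.split(",") if tok.strip()]

def matches(entry: str, user: str, groups: set[str]) -> bool:
    """'@name' matches if the user is in group 'name' (any group, not only
    the primary one); a bare name matches the user name itself."""
    if entry.startswith("@"):
        return entry[1:] in groups
    return entry == user

def share_access(share: dict, user: str) -> str:
    """Return 'denied', 'read' or 'write' for user on share.

    Order per smb.conf(5): 'invalid users' is checked first and overrides
    'valid users'; then a non-empty 'valid users' must match; then a
    'write list' match grants write, otherwise the share is treated as
    read-only (the default when no write list entry applies).
    """
    groups = USER_GROUPS.get(user, set())
    if any(matches(e, user, groups) for e in parse_list(share.get("invalid users", ""))):
        return "denied"
    valid = parse_list(share.get("valid users", ""))
    if valid and not any(matches(e, user, groups) for e in valid):
        return "denied"
    if any(matches(e, user, groups) for e in parse_list(share.get("write list", ""))):
        return "write"
    return "read"

# The [iso] lists as posted (constructed copy of the thread's values).
ISO_AS_POSTED = {
    "invalid users": '"guest",@"everyone"',
    "valid users": '"root",@"iso_ops",@"administrators"',
    "write list": '@"iso_ops",@"administrators"',
}
# Same share with @everyone no longer listed under 'invalid users'.
ISO_FIXED = dict(ISO_AS_POSTED, **{"invalid users": '"guest"'})

if __name__ == "__main__":
    for name, share in (("as posted", ISO_AS_POSTED), ("fixed", ISO_FIXED)):
        print(name, "-> isak:", share_access(share, "isak"))
```

With the posted lists isak is denied because his membership in everyone hits 'invalid users' first; once that entry is gone, the same @iso_ops membership (not his primary group) grants write access.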