samba & unix group permissions problems


samba & unix group permissions problems

by Mariano Absatz

Hi,

I'm having permissions problems connecting to a share when the gid of
the directory shared is not the primary group of the user connecting to it.

Maybe I faced it the wrong way, but I did read (and at least thought I
understood) the 'File, directory and share access controls' section of
the howto [0].

My users have one or the other of two 'primary groups' (the one set in
/etc/passwd or, in my case, the gidNumber attribute of the LDAP entry)...
this depends on whether the user had a previous account with the
gidNumber set (because it was their unix gid), or the user was created
with only a samba account and won't have unix access (actually
created using 'net rpc user add' from the samba server).

Since I need to give access to certain shares to smaller groups of
people, I created a few groups using:

net rpc group add accountants
net rpc group add interns

and the like.

Then added the users to these groups using:

net rpc group addmem accountants mary
net rpc group addmem accountants patricia
net rpc group addmem interns katherine
net rpc group addmem interns paul

User and group entries in LDAP look OK.

However, I have the directories to share with the following permissions:

drwxrwx--- Administrator accountants  /data/share/accounting
drwxrwx--- Administrator interns      /data/share/interns


And the entries in smb.conf look like these:

[accounting]
    comment = Accounting files
    path = /data/share/accounting
    #force group = +accountants
    browseable = yes
    read only = no
    guest ok = no

[interns]
    comment = Interns' files
    path = /data/share/interns
    #force group = +interns
    browseable = yes
    read only = no
    guest ok = no


However, I can't connect to either share from any account but
Administrator...

If I change the directory modes to 0777 I am able to connect from any
account, but this defeats the whole idea of the groups...

I see this in the server log:

[2009/10/29 12:24:25,  0] groupdb/mapping.c:pdb_create_builtin_alias(802)
  pdb_create_builtin_alias: Could not add group mapping entry for alias 544 (NT_STATUS_GROUP_EXISTS)
[2009/10/29 12:24:27,  0] groupdb/mapping.c:pdb_create_builtin_alias(802)
  pdb_create_builtin_alias: Could not add group mapping entry for alias 545 (NT_STATUS_GROUP_EXISTS)
[2009/10/29 12:24:27,  0] smbd/service.c:make_connection_snum(1077)
  '/data/share/interns' does not exist or permission denied when connecting to [pasantes] Error was Permission denied
[2009/10/29 12:24:50,  0] groupdb/mapping.c:pdb_create_builtin_alias(802)
  pdb_create_builtin_alias: Could not add group mapping entry for alias 544 (NT_STATUS_GROUP_EXISTS)
[2009/10/29 12:24:52,  0] groupdb/mapping.c:pdb_create_builtin_alias(802)
  pdb_create_builtin_alias: Could not add group mapping entry for alias 545 (NT_STATUS_GROUP_EXISTS)
[2009/10/29 12:24:57,  0] groupdb/mapping.c:pdb_create_builtin_alias(802)
  pdb_create_builtin_alias: Could not add group mapping entry for alias 544 (NT_STATUS_GROUP_EXISTS)
[2009/10/29 12:24:58,  0] groupdb/mapping.c:pdb_create_builtin_alias(802)
  pdb_create_builtin_alias: Could not add group mapping entry for alias 545 (NT_STATUS_GROUP_EXISTS)
[2009/10/29 12:25:00,  0] smbd/service.c:make_connection_snum(1077)
  '/data/share/interns' does not exist or permission denied when connecting to [pasantes] Error was Permission denied
[2009/10/29 12:25:03,  1] smbd/service.c:make_connection_snum(1115)
  cejil-d998e31c3 (10.14.172.194) connect to service netlogon initially as user mabsatz (uid=100000, gid=100000) (pid 26652)
[2009/10/29 12:25:08,  0] groupdb/mapping.c:pdb_create_builtin_alias(802)
  pdb_create_builtin_alias: Could not add group mapping entry for alias 544 (NT_STATUS_GROUP_EXISTS)
[2009/10/29 12:25:09,  0] groupdb/mapping.c:pdb_create_builtin_alias(802)
  pdb_create_builtin_alias: Could not add group mapping entry for alias 545 (NT_STATUS_GROUP_EXISTS)
[2009/10/29 12:25:11,  1] smbd/service.c:make_connection_snum(1115)
  cejil-d998e31c3 (10.14.172.194) connect to service h initially as user mabsatz (uid=100000, gid=100000) (pid 26652)
[2009/10/29 12:25:11,  0] smbd/service.c:set_current_service(191)
  chdir (/data/share/accounting) failed
[2009/10/29 12:25:11,  0] smbd/service.c:set_current_service(191)
  chdir (/data/share/accounting) failed
[2009/10/29 12:25:11,  0] smbd/service.c:set_current_service(191)
  chdir (/data/share/accounting) failed
[2009/10/29 12:25:11,  0] smbd/service.c:set_current_service(191)
  chdir (/data/share/accounting) failed
[2009/10/29 12:25:11,  0] smbd/service.c:set_current_service(191)
  chdir (/data/share/accounting) failed
[2009/10/29 12:25:11,  0] smbd/service.c:set_current_service(191)
  chdir (/data/share/accounting) failed
[2009/10/29 12:25:11,  0] smbd/service.c:set_current_service(191)
  chdir (/data/share/accounting) failed

----------------------

[0]
http://samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html

--
Mariano Absatz - "El Baby"
el.baby@...
www.clueless.com.ar


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- Theory is when you know something but it doesn't work.
- Practice is when something works but you don't know why.
- Usually we combine theory and practice:
        Nothing works and we don't know why.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
* TagZilla 0.066 * http://tagzilla.mozdev.org

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
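As an added example (not the poster's configuration, and not a fix the thread confirms), this is how the share-level controls described in the 'File, directory and share access controls' HOWTO section cited above would be applied to the [accounting] share, so that Samba enforces the group boundary itself rather than leaving it to the directory mode alone. The share name, path and group name are taken from the post; the mask values are assumptions:

```ini
[accounting]
    comment = Accounting files
    path = /data/share/accounting
    # Only members of accountants may connect at all; everyone else is
    # refused by smbd at connect time, before any Unix permission check.
    valid users = @accountants
    # Every user who is allowed in operates with accountants as primary
    # group, so the 0770 directory and the files created in it carry that
    # group regardless of the user's own gidNumber.
    force group = accountants
    # Keep new files and directories group-accessible but closed to others
    # (assumed values; adjust to the site's policy).
    create mask = 0660
    directory mask = 0770
    browseable = yes
    read only = no
    guest ok = no
```

Two caveats. 'force group = accountants' (no leading '+') changes the connecting user's primary group before file permissions are checked, so it does not depend on the user's own gidNumber; with '+accountants', as in the commented-out line in the post, the group is only applied to users Samba already resolves as members, which is the very lookup that appears not to be working here. 'valid users = @accountants' also relies on that membership resolution, so a user wrongly missing from the group is refused at connect time, which is an easier signal to read than the chdir failures in the log above. The [interns] share takes the same pattern with its own group.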

Re: samba & unix group permissions problems

by Mariano Absatz

Paul te Bokkel wrote on 04/11/09 06:47:
> Sounds like your nsswitch.conf to me, perhaps in combination with your
> ID backend. Check the output of:
> getent passwd <accountname>
>
> It should list any LDAP account, with the groups you have added them to..
>
Well...

"getent passwd mary" yields just the "passwd" entry, something like:

mary:*:100036:100000:Mary James:/home/DOMAIN/mary:/bin/bash

nothing beyond Mary's primary group (100000).

However "getent group accountants" does include mary:

accountants:*:97019:mary,patricia

My nsswitch.conf looks like this:

########### nsswitch.conf ###############
passwd:         files ldap [NOTFOUND=return] db
group:          files ldap [NOTFOUND=return] db
shadow:         files ldap

hosts:          files dns wins
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
########### nsswitch.conf ###############



and the ID backend parts of my smb.conf look like this:

################## smb.conf ##################
##################################################################################
# IDENTITY MAPPING between windows and unix (SID <==> UID/GID)
# WINBIND
##################################################################################
# http://samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
##################################################################################

idmap backend = ldap:ldap://ldap0.i.domain.org

# http://samba.org/samba/docs/man/manpages-3/smb.conf.5.html#IDMAPUID
idmap uid = 90000-99999
# http://samba.org/samba/docs/man/manpages-3/smb.conf.5.html#IDMAPGID
idmap gid = 90000-99999

# ALL relevant UID/GID are stored in LDAP
# http://samba.org/samba/docs/man/manpages-3/smb.conf.5.html#LDAPSAM:TRUSTED
ldapsam:trusted = yes
# Manage users directly on LDAP
# http://samba.org/samba/docs/man/manpages-3/smb.conf.5.html#LDAPSAM:EDITPOSIX
ldapsam:editposix = yes

# http://samba.org/samba/docs/man/manpages-3/smb.conf.5.html#IDMAPCONFIG
# http://samba.org/samba/docs/man/manpages-3/smb.conf.5.html#IDMAPBACKEND
idmap config DOMAIN:backend = ldap
idmap config DOMAIN:ldap_url = ldap://ldap0.i.domain.org
idmap config DOMAIN:ldap_user_dn = cn=admin,cn=config
idmap config DOMAIN:ldap_base_dn = ou=idmap,o=domain
idmap config DOMAIN:readonly = no
#idmap config DOMAIN:default = yes
#idmap config DOMAIN:range = 100000-500000
################## smb.conf ##################


I'm using samba 3.3.2 from the standard Ubuntu 9.04 packages
(3.3.2-1ubuntu3.2), except that I rebuilt the ubuntu winbind package
because the idmap ldap.so module is not included in it (see
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/397203).




--
Mariano Absatz - "El Baby"
el.baby@...
www.clueless.com.ar




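The getent output above shows the two halves of the Unix side separately (the passwd entry with the primary gid, and the group entry listing mary as a member). What decides access to a 0770 directory is whether the group's gid ends up in the user's Unix group list when smbd sets up the connection, and the classic way to see that list is 'id mary' on the server. The script below is an added example, not something from the thread: it models the kernel's owner/group/other rule over NSS-style data so you can see which class a user is matched in and why traversal fails. The passwd and group lines are constructed to match the ones quoted in the thread; the remaining uids, the interns gid and the extra users are assumptions. On a real host, replace the embedded data with the output of 'getent passwd', 'getent group' and 'stat -c "%n %u %g %a" <dir>'.

```sh
#!/bin/sh
# Added example (not from the thread): evaluate whether a user would pass the
# Unix permission check smbd hits when it chdir()s into a share path.

# Constructed NSS data; mary/accountants match the thread, the rest is assumed.
PASSWD_DATA='Administrator:*:100000:100000:Administrator:/home/DOMAIN/Administrator:/bin/bash
mary:*:100036:100000:Mary James:/home/DOMAIN/mary:/bin/bash
patricia:*:100037:100000:Patricia:/home/DOMAIN/patricia:/bin/bash
katherine:*:100038:100000:Katherine:/home/DOMAIN/katherine:/bin/bash'

GROUP_DATA='accountants:*:97019:mary,patricia
interns:*:97020:katherine,paul'

# Constructed directory metadata in the shape stat -c "%n %u %g %a" prints it:
# path owner-uid group-gid mode (Administrator is uid 100000 here, an assumption).
DIR_DATA='/data/share/accounting 100000 97019 770
/data/share/interns 100000 97020 770'

# uid_of USER -> numeric uid from the passwd data
uid_of() {
    printf '%s\n' "$PASSWD_DATA" | awk -F: -v u="$1" '$1 == u { print $3 }'
}

# gids_of USER -> primary gid, then every supplementary gid, one per line.
# This is the list "id USER" prints on the server from the same NSS sources.
gids_of() {
    printf '%s\n' "$PASSWD_DATA" | awk -F: -v u="$1" '$1 == u { print $4 }'
    printf '%s\n' "$GROUP_DATA" | awk -F: -v u="$1" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $3 }'
}

# can_traverse USER PATH -> returns 0 if USER has the x bit on PATH, 1 if not.
# Mirrors the kernel rule: owner bits if the uid matches, else group bits if
# any gid in the user's list matches, else "other" bits. Exactly one class is
# consulted, so a user matched as "other" gets nothing from a 0770 directory.
can_traverse() {
    user=$1; dir=$2
    uid=$(uid_of "$user")
    set -- $(printf '%s\n' "$DIR_DATA" | awk -v p="$dir" '$1 == p { print $2, $3, $4 }')
    owner=$1; group=$2; mode=$3
    [ -n "$mode" ] || { echo "unknown path: $dir" >&2; return 2; }
    mode=${mode#"${mode%???}"}              # keep the last three digits (drops setgid/sticky)
    ubits=$(printf '%s' "$mode" | cut -c1)
    gbits=$(printf '%s' "$mode" | cut -c2)
    obits=$(printf '%s' "$mode" | cut -c3)
    if [ "$uid" = "$owner" ]; then
        class=owner; bits=$ubits
    elif gids_of "$user" | grep -qx "$group"; then
        class=group; bits=$gbits
    else
        class=other; bits=$obits
    fi
    if [ $((bits & 1)) -eq 1 ]; then
        echo "$user -> $dir: allowed (matched as $class, bits=$bits)"
        return 0
    fi
    echo "$user -> $dir: DENIED (matched as $class, bits=$bits; gids: $(gids_of "$user" | tr '\n' ' '))"
    return 1
}

# Demonstration: mary reaches accounting only through her supplementary group;
# katherine is matched as "other" there and is denied.
can_traverse mary /data/share/accounting
can_traverse katherine /data/share/accounting || true   # expected: DENIED
```

If a user who is listed in the group's member line is still reported as 'other' on the real host, the gid is not reaching the group list that smbd builds for the session, and that is where to look (the NSS group source and the winbind/idmap configuration), rather than at the share definition or the directory mode.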

Re: samba & unix group permissions problems

by Mariano Absatz

Any hints, anyone?...

On Wed, Nov 4, 2009 at 08:47, Mariano Absatz <el.baby@...> wrote:

> [...]



--
Mariano Absatz - El Baby
www.clueless.com.ar

Re: samba & unix group permissions problems

by vishesh kumar

Dear Mariano,

   Why are you not using the 'force group' parameter? This will set the group owner of
newly created folders correctly.

Thanks


On Sat, Nov 7, 2009 at 3:33 AM, Mariano Absatz <el.baby@...> wrote:

> Any hints, anyone?...
>
> [...]



--
http://linuxinterviews.blogspot.com

Re: samba & unix group permissions problems

by Mariano Absatz

On Sat, Nov 7, 2009 at 07:32, vishesh kumar <linuxtovishesh@...> wrote:
> Dear Mariano,
>
>    Why are you not using the 'force group' parameter? This will set the group owner of
> newly created folders correctly.
That I tried to no avail... it didn't work either :-(

--
Mariano Absatz - El Baby
www.clueless.com.ar