From: Mariano Absatz on 4 Nov 2009 01:30

Hi,

I'm having permissions problems connecting to a share when the gid of the directory shared is not the primary group of the user connecting to it.

Maybe I faced it the wrong way, but I did read (and at least thought I understood) the 'File, directory and share access controls' section of the howto [0].

My users have either one or another 'primary group' (the one set in /etc/passwd or, in my case the gidNumber attribute of the LDAP entry)... this is based on whether the user had a previous account with the gidNumber set (because it was their unix gid), or the user was created with only a samba account and she won't have unix access (actually created using 'net rpc user add' from the samba server).

Since I need to give access to certain shares to smaller groups of people, I created a few groups using:

    net rpc group add accountants
    net rpc group add interns

and the like.

Then added the users to these groups using:

    net rpc group addmem accountants mary
    net rpc group addmem accountants patricia
    net rpc group addmem interns katherine
    net rpc group addmem interns paul

User and group entries in LDAP look OK.

However, I have the directories to share with the following permissions:

    drwxrwx--- Administrator accountants /data/share/accounting
    drwxrwx--- Administartor interns /data/share/interns

And the entries in smb.conf like these:

    [accounting]
        comment = Accounting files
        path = /data/share/accounting
        #force group = +accountants
        browseable = yes
        read only = no
        guest ok = no

    [interns]
        comment = Interns' files
        path = /data/share/interns
        #force group = +interns
        browseable = yes
        read only = no
        guest ok = no

However, I can't connect to either share from any account but Administrator...

If I change the directory modes to 0777 I am able to connect from any account, but this defeats the whole idea of the groups...

I see this in the server log:

    [2009/10/29 12:24:25, 0] groupdb/mapping.c:pdb_create_builtin_alias(802)
      pdb_create_builtin_alias: Could not add group mapping entry for alias 544 (NT_STATUS_GROUP_EXISTS)
    [2009/10/29 12:24:27, 0] groupdb/mapping.c:pdb_create_builtin_alias(802)
      pdb_create_builtin_alias: Could not add group mapping entry for alias 545 (NT_STATUS_GROUP_EXISTS)
    [2009/10/29 12:24:27, 0] smbd/service.c:make_connection_snum(1077)
      '/data/share/interns' does not exist or permission denied when connecting to [pasantes] Error was Permission denied
    [2009/10/29 12:24:50, 0] groupdb/mapping.c:pdb_create_builtin_alias(802)
      pdb_create_builtin_alias: Could not add group mapping entry for alias 544 (NT_STATUS_GROUP_EXISTS)
    [2009/10/29 12:24:52, 0] groupdb/mapping.c:pdb_create_builtin_alias(802)
      pdb_create_builtin_alias: Could not add group mapping entry for alias 545 (NT_STATUS_GROUP_EXISTS)
    [2009/10/29 12:24:57, 0] groupdb/mapping.c:pdb_create_builtin_alias(802)
      pdb_create_builtin_alias: Could not add group mapping entry for alias 544 (NT_STATUS_GROUP_EXISTS)
    [2009/10/29 12:24:58, 0] groupdb/mapping.c:pdb_create_builtin_alias(802)
      pdb_create_builtin_alias: Could not add group mapping entry for alias 545 (NT_STATUS_GROUP_EXISTS)
    [2009/10/29 12:25:00, 0] smbd/service.c:make_connection_snum(1077)
      '/data/share/interns' does not exist or permission denied when connecting to [pasantes] Error was Permission denied
    [2009/10/29 12:25:03, 1] smbd/service.c:make_connection_snum(1115)
      cejil-d998e31c3 (10.14.172.194) connect to service netlogon initially as user mabsatz (uid=100000, gid=100000) (pid 26652)
    [2009/10/29 12:25:08, 0] groupdb/mapping.c:pdb_create_builtin_alias(802)
      pdb_create_builtin_alias: Could not add group mapping entry for alias 544 (NT_STATUS_GROUP_EXISTS)
    [2009/10/29 12:25:09, 0] groupdb/mapping.c:pdb_create_builtin_alias(802)
      pdb_create_builtin_alias: Could not add group mapping entry for alias 545 (NT_STATUS_GROUP_EXISTS)
    [2009/10/29 12:25:11, 1] smbd/service.c:make_connection_snum(1115)
      cejil-d998e31c3 (10.14.172.194) connect to service h initially as user mabsatz (uid=100000, gid=100000) (pid 26652)
    [2009/10/29 12:25:11, 0] smbd/service.c:set_current_service(191)
      chdir (/data/share/accounting) failed
    [2009/10/29 12:25:11, 0] smbd/service.c:set_current_service(191)
      chdir (/data/share/accounting) failed
    [2009/10/29 12:25:11, 0] smbd/service.c:set_current_service(191)
      chdir (/data/share/accounting) failed
    [2009/10/29 12:25:11, 0] smbd/service.c:set_current_service(191)
      chdir (/data/share/accounting) failed
    [2009/10/29 12:25:11, 0] smbd/service.c:set_current_service(191)
      chdir (/data/share/accounting) failed
    [2009/10/29 12:25:11, 0] smbd/service.c:set_current_service(191)
      chdir (/data/share/accounting) failed
    [2009/10/29 12:25:11, 0] smbd/service.c:set_current_service(191)
      chdir (/data/share/accounting) failed

----------------------
[0] http://samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html

--
Mariano Absatz - "El Baby"
el.baby(a)gmail.com
www.clueless.com.ar
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- Theory is when you know something but it doesn't work.
- Practice is when something works but you don't know why.
- Usually we combine theory and practice: Nothing works and we don't know why.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
* TagZilla 0.066 * http://tagzilla.mozdev.org
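
An added example, not part of the original post: the POSIX owner/group/other check that decides whether a chdir like the one in the log above succeeds, applied to every component of the share path using the group list the server's OS resolves for the user. The owner uid 1000 and gid 20001 in the sample are constructed values, and POSIX ACLs are not considered.

```python
import os
import pwd
import stat

def class_access(uid, gids, st_uid, st_gid, mode, want=stat.S_IXUSR):
    """Pick the single permission class POSIX applies and test one bit.
    `want` is the owner-class bit; it is shifted for group and other."""
    if uid == 0:
        return "root", True          # root may search any directory
    if uid == st_uid:
        return "owner", bool(mode & want)
    if st_gid in gids:               # primary or supplementary group
        return "group", bool(mode & (want >> 3))
    return "other", bool(mode & (want >> 6))

def first_blocked(uid, gids, chain):
    """chain: (path, st_uid, st_gid, st_mode) from / down to the share.
    Returns (path, class) of the first unsearchable directory, else None."""
    for path, owner, group, mode in chain:
        cls, ok = class_access(uid, gids, owner, group, mode)
        if not ok:
            return path, cls
    return None

def stat_chain(path):
    """stat() every component of an absolute path, root first."""
    chain, cur = [], os.path.abspath(path)
    while True:
        st = os.stat(cur)
        chain.append((cur, st.st_uid, st.st_gid, st.st_mode))
        if os.path.dirname(cur) == cur:
            return chain[::-1]
        cur = os.path.dirname(cur)

def diagnose(user, path):
    """Run the check with the group list NSS returns on this host."""
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    return first_blocked(pw.pw_uid, gids, stat_chain(path))

# Constructed sample: uid/gid 100000 as in the log; 1000 and 20001 are made up.
SAMPLE = [("/", 0, 0, 0o040755), ("/data", 0, 0, 0o040755),
          ("/data/share", 0, 0, 0o040755),
          ("/data/share/accounting", 1000, 20001, 0o040770)]

if __name__ == "__main__":
    print(first_blocked(100000, {100000}, SAMPLE))         # group list lacks 20001
    print(first_blocked(100000, {100000, 20001}, SAMPLE))  # supplementary group present
```

On the server itself, `diagnose("mary", "/data/share/accounting")` runs the same check against the live filesystem and the groups NSS actually reports for that account.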