On Wed, 2012-02-29 at 11:24 -0500, Kelvin Edmison wrote: > Hi all, > > I am running into an issue where users cannot access a samba volume if > their only access is via a secondary group. For example, if testuser's > primary group is ipausers, and secondary groups include testgroup, and the > samba mount permissions are adminuser:testgroup:rwxrwx---, then testuser > cannot read or write to the samba mount. If the testuser is change so that > its primary group is testgroup, then testuser can access the volume. > > In this case, samba is running on a separate CentOS 5 server, configured to > access IPA via LDAP. It is a requirement that I support > userid/password-based access to the samba server, as I cannot roll all my > users onto kerberos right away. > > Doe anyone have any insight as to what is going on and how it can be fixed?
First step would be to make sure that the system is properly looking up the user's secondary groups. Try 'id testuser' and see if 'testgroup' is listed in the output. If it's not, I'll bet you have either a configuration issue or a bug in SSSD somewhere. Also, what version of SSSD are you running? FreeIPA pretty much needs 1.5.x or later nowadays for full feature support.
Description: This is a digitally signed message part
_______________________________________________ Freeipa-users mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-users