Re: [gpfsug-discuss] CIFS protocol access does not honor secondary groups

[Christof Schmitt]

The first guess here would be missing id mappings. The id mapping for
the user and the user's primary group is a hard requirement, without
them the user cannot even logon to the SMB server. Missing id mappings
for secondary groups are simply ignored.

 

A few things to check would be:

 

How are authentication and id mapping configured (mmuserauth)?

Which groups are affected? Is it possible to manually query id mappings for these?

If that does not point to the problem, i would suggest to recreate the
access problem while capturing a SMB and a winbind trace (through
mmprotocoltrace). Upload these traces together with a snap to a
support ticket and we use that as a starting point for debugging.

 

Regards,

 

Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ
christof.schm...@us.ibm.com  ||  +1-520-799-2469    (T/L: 321-2469)

 

 

----- Original message -----
From: David Johnson <david_john...@brown.edu>
Sent by: gpfsug-discuss-boun...@spectrumscale.org
To: gpfsug main discussion list <gpfsug-discuss@spectrumscale.org>
Cc:
Subject: [EXTERNAL] [gpfsug-discuss] CIFS protocol access does not honor secondary groups
Date: Wed, Oct 2, 2019 10:02 AM
 

After converting from clustered CIFS to CES protocols, we’ve noticed that SMB
users can’t access files owned by groups that they are members of, unless that
group happens to be their primary group.  Have read the smb.conf man page,
and don’t see anything obvious that would control this…  What might we be missing?

Thanks,
 — ddj
Dave Johnson
Brown University CCV/CIS
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss 
 

 

_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss