What about unix extensions? Enabled or disabled? Unix extensions seem to bypass force group statements...
On Fri, Apr 10, 2009 at 10:26 AM, Jeremy Allison <[email protected]> wrote:
> On Fri, Apr 10, 2009 at 11:46:53AM -0400, Goldschrafe, Jeffrey wrote:
>> Hi there!
>>
>> I'm having some strange permissions issues with one of my systems that's
>> on an Active Directory domain.
>>
>> Here's the basic background:
>>
>> - System is joined to AD domain. Users authenticate fine via Kerberos,
>> and are authorized via an AD user group. They can browse the share,
>> create files, etc. without incident. "valid users" lets them in.
>> - User information for the system (nsswitch) comes out of LDAP. The
>> LDAP is non-AD (a legacy OpenLDAP setup), but the usernames all line up
>> and Samba can resolve each user's UID/GID and secondary groups without a
>> problem.
>> - The share is semantically owned by a single Unix group.
>> - That security group is mapped in "net groupmap" to a Unix group. I'm
>> not entirely sure if this is actually necessary.
>> - Share has "force create mode = 0664" and "force directory mode =
>> 0775" to ensure that files are writable by the group by default.
>>
>> When a user connects to the share using a Windows client (XP or Vista),
>> they are unable to rename folders, and unable to rename or delete files.
>> They are able to delete folders, as long as the folders do not contain
>> any files. This means that when using Explorer to create a file or
>> folder, it can be created with the default name (e.g. "New Folder" or
>> "New Text Document.txt") but any attempt to assign a
>> semantically-meaningful name will fail with an "access denied" error.
>> This applies to renaming existing files as well, of course.
>>
>> When the same user connects from a Mac or Linux client, through Finder,
>> Dolphin or smbclient, the same exact operations work. The user can
>> rename and delete just fine as long as it isn't from Windows.
>
> We need to see level 10 logs of what is going on here before we
> can determine the problem. What version of Samba are you using?
>
> Jeremy.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
