details on groups command
To have the secondary groups, I have to enter "id -a" logged in as the user.
As root, it doesn't work. "id -a jdoe" just returns the primary group.

----- Original message ----
> From: Duncan Brannen <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Cc: [email protected]
> Sent: Tuesday, 19 August 2008, 14:02:38
> Subject: Re: [Samba] Samba 3.0.x access rights issue with secondary groups or Unix rights
>
> Hi,
> I have a similar problem, no ADS in my setup, just no
> supplementary groups showing
> up (samba 3.2.1 and groups ldap in nsswitch.conf as opposed to working
> with Samba 3.0.28 and groups nis in nsswitch.conf)
> Solaris 10 SPARC
>
> Everything looks ok, getent, groups etc when logged in as root,
> but if I su to the user
> not getting any groups and type
>
> >groups
>
> I don't see any groups there bar the primary one.
>
> Are you seeing the same thing? IE if you're logged in as root and type
>
> groups jdoe
>
> You see all of jdoe's groups
>
> but if you su to jdoe and type
>
> groups
>
> You only see the primary group?
>
> Just a long shot but might push you in the right direction?
>
> Cheers,
> Duncan
>
> [EMAIL PROTECTED] wrote:
> > Hi experts
> >
> > I have a trouble in access rights
> >
> > I am running Samba
> > 3.0.31 on Solaris 10 x86 64 bits as member server of an Active
> > Directory 2003 R2 domain (MYDOMAIN) using Identity Management for Unix
> > I set rights to access a sub folder of a Samba share. On Solaris the user
> > "toto" jdoe can write a new file. From Windows, the same user can't.
> > It looks like OK when the primary group (grp1) of the user is the group
> > that own the subtree but not when this owner group is a secondary group
> > (grp2).
> > It is OK If I set explicitly the user right from MS Windows
> > I can't change the access rights to the group from MS Windows
> >
> > I suspect Unix ownership or ACL to be the root cause but I can't exclude a Samba issue
> >
> > Thanks for help
> >
> > Here a long details on my config (sorry for the parts that take place and
> > no useful info, so just go to the valuable data)
> >
> > ************ An extract from my smb.conf ************
> >
> > [global]
> > ## part windows ##
> > host msdfs = no
> > netbios name = machines01
> > netbios aliases = 2store
> > server string = 2store
> > workgroup = MYDOMAIN
> > realm = MYDOMAIN.LOCAL
> > security = ADS
> > use kerberos keytab = yes
> > obey pam restrictions = Yes
> > use spnego = yes
> > client use spnego = yes
> > password server = machinew01.MYDOMAIN.local machinew07.MYDOMAIN.local
> > # unix extensions = no
> > machine password timeout = 0
> > # logon path = \\machines01\profiles\%U
> > template shell = /bin/bash
> > hosts allow = 127.0.0.1, 192.168.10.0/255.255.255.0, 192.168.11.0/255.255.255.0
> > ## part samba engine ##
> > max log size = 50000
> > log level = 10
> > syslog = 0
> > log file = /var/log/samba/%m
> > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> > ## part ldap et idmap ##
> > ldap admin dn = "cn=myadmin,cn=users,dc=MYDOMAIN,dc=local"
> > ldap idmap suffix = ou=idmap
> > ldap ssl = no
> > idmap backend = ldap:ldap://machinew01.MYDOMAIN.local ldap:ldap://machinew07.MYDOMAIN.local
> > #idmap backend =
> > 0-20000
> > #idmap backend = ad
> > idmap uid = 10000-20000
> > idmap gid = 10000-20000
> > #idmap config MYDOMAIN:schema_mode = rfc2307
> > ## part winbind ##
> > winbind nss info = rfc2307
> > winbind cache time = 5
> > winbind refresh tickets = Yes
> > winbind use default domain = Yes
> > winbind trusted domains only = Yes
> > winbind nested groups = Yes
> > winbind enum groups = Yes
> > winbind enum users = Yes
> >
> > [data]
> > comment = Samba data folder
> > path = /samba/data
> > read only = No
> > create mask = 0740
> > directory mask = 0750
> > guest ok = Yes
> >
> > ************ Check the Unix name resolution ************
> > getent passwd jdoe
> > jdoe:x:10037:10002:John DOE:/home/jdoe:/bin/sh
> >
> > getent group grp2
> > grp2::10004:myadmin,jdoe,demo1,demo2,demo3
> >
> > ************ I can check that Samba can resolve if the user is member of the group ************
> >
> > /usr/local/samba/bin/net ads user info jdoe
> > grp2
> > grp1
> >
> > /usr/local/samba/bin/wbinfo -G 10004
> > S-1-5-21-2269603188-533060101-51835291-1642
> >
> > /usr/local/samba/bin/wbinfo -Y S-1-5-21-2269603188-533060101-51835291-1642
> > 10004
> >
> > /usr/local/samba/bin/wbinfo -R 10004
> > winbind_lookup_rids failed
> > Could not lookup RIDs 10004
> >
> > ************ Review of the access rights ************
> >
> > ls -al /samba/data/level1/level2/level3/level4
> > drwxrwsr-x+ 19 myadmin grp2 512 Aug 15 11:18 .
> > drwxr-x--- 9 myadmin grp1 512 Aug 12 16:06 ..
> > drwxrws---+ 3 myadmin grp2 512 Jun 27 10:58 general
> > -rwxr-----+ 1 jdoe grp2 0 Aug 15 11:18 New Text Document from Windows.txt
> > -rwxrw---- 1 jdoe grp2 44 Aug 15 11:14 newdocfromunix.txt
> >
> > *** ACTION: I try on Unix to change the group owner of ".."
> > by grp2 but that remove all jdoe access from Windows
> >
> > ************ Test POSIX ACLs ************
> > getfacl -a /samba/data/level1/level2/level3/level4/
> >
> > # file: /samba/data/level1/level2/level3/level4/
> > # owner: myadmin
> > # group: grp2
> > user::rwx
> > group::rwx #effective:rwx
> > other:r-x
> >
> > getfacl -a /samba/data/level1/leve
> > vel3
> >
> > # file: /samba/data/level1/level2/level3
> > # owner: myadmin
> > # group: grp1
> > user::rwx
> > group::r-x #effective:r-x
> > mask:r-x
> > other:---
> >
> > getfacl -a /samba/data/level1/level2
> >
> > # file: /samba/data/level1/level2
> > # owner: myadmin
> > # group: grp1
> > user::rwx
> > group::r-x #effective:r-x
> > other:r-x
> >
> > getfacl -a /samba/data/level1
> >
> > # file: /samba/data/level1
> > # owner: root
> > # group: root
> > user::rwx
> > group::r-x #effective:r-x
> > mask:r-x
> > other:r-x
> >
> > getfacl -a /samba/data
> >
> > # file: /samba/data
> > # owner: myadmin
> > # group: grp1
> > user::rwx
> > user:user123:rwx #effective:rwx
> > group::r-x #effective:r-x
> > mask:rwx
> > other:r-x
> >
> > ************ From MS Windows side ************
> >
> > properties/security
> > The group is in the "group and user names" list
> > there is no check box in the Allow or deny column
> >
> > Advanced/permissions
> >
> > Type Name Permission Inherited from Apply to
> > Allow smb_ins (MYDOMAIN/smb_ins) This folder only
> >
> > ****** ACTION:
> > When I try to force the situation returns to the original state with no error
> > checking allow inheritable and/or Replace permissions has no effect on any combination
> >
> > When I add the user with access right, it is OK
> >
> > ************ Some extract the Samba log level 10 ************
> >
> > [2008/08/15 12:25:22, 10] smbd/statcache.c:stat_cache_lookup(248)
> >   stat_cache_lookup: lookup succeeded for name [jdoe] -> [jdoe]
> > [2008/08/15 12:25:22, 5] smbd/filename.c:unix_convert(246)
> >   unix_convert begin: name = jdoe/ntuser.man, dirpath = jdoe, start = ntuser.man
> > [2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled(276)
> >   is_mangled ntuser.man ?
> > [2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled_component(215)
> >   is_mangled_component ntuser.man (len 10) ?
> > [2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled(276)
> >   is_mangled ntuser.man ?
> > [2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled_component(215)
> >   is_mangled_component ntuser.man (len 10) ?
> > [2008/08/15 12:25:22, 10] smbd/mangle_hash2.c:is_mangled(276)
> >   is_mangled ntuser.man ?
> > [200
> > mangle_hash2.c:is_mangled_component(215)
> >   is_mangled_component ntuser.man (len 10) ?
> > [2008/08/15 12:25:22, 5] smbd/filename.c:unix_convert(440)
> >   New file ntuser.man
> > [2008/08/15 12:25:22, 3] smbd/dosmode.c:unix_mode(142)
> >   unix_mode(jdoe/ntuser.man) returning 0700
> > [2008/08/15 12:25:22, 10] smbd/open.c:open_file_ntcreate(1184)
> >   open_file_ntcreate: fname=jdoe/ntuser.man, dos_attrs=0x0
> >   access_mask=0x1 share_access=0x7 create_disposition = 0x1
> >   create_options=0x140 unix mode=0700 oplock_request=3
> > [2008/08/15 12:25:22, 5] smbd/open.c:open_file_ntcreate(1264)
> >   open_file_ntcreate: FILE_OPEN requested for file jdoe/ntuser.man and file doesn't exist.
> > [2008/08/15 12:25:22, 3] smbd/error.c:error_packet_set(106)
> >   error packet at smbd/nttrans.c(805) cmd=162 (SMBntcreateX) NT_STATUS_OBJECT_NAME_NOT_FOUND
> > [2008/08/15 12:25:22, 5] lib/util.c:show_msg(484)
> > [2008/08/15 12:25:22, 5] lib/util.c:show_msg(494)
> >   size=35
> >   smb_com=0xa2
> >   smb_rcls=52
> >   smb_reh=0
> >   smb_err=49152
> >   smb_flg=136
> >   smb_flg2=51201
> >   smb_tid=3
> >   smb_pid=588
> >   smb_uid=101
> >   smb_mid=1024
> >   smt_wct=0
> >   smb_bcc=0
> >
> > [2008/08/15 12:25:22, 10] smbd/open.c:open_file_ntcreate(1347)
> >   open_file_ntcreate: fname=jdoe/Application Data/Microsoft/SystemCertificates/My/CRLs, after mapping access_mask=0x1
> > [2008/08/15 12:25:22, 5] smbd/files.c:file_new(123)
> >   allocated file structure 1332, fnum = 5428 (5 used)
> > [2008/08/15 12:25:22, 4] smbd/open.c:open_file_ntcreate(1605)
> >   calling open_file with flags=0x0 flags2=0x0 mode=0700, access_mask = 0x1, open_access_mask = 0x1
> > [2008/08/15 12:25:22, 10] smbd/open.c:fd_open(67)
> >   fd_open: name jdoe/Application Data/Microsoft/SystemCertificates/My/CRLs, flags = 00 mode = 0700, fd = 32.
> > [2008/08/15 12:25:22, 10] locking/posix.c:get_windows_lock_ref_count(545)
> >   get_windows_lock_count for file = 0
> > [2008/08/15 12:25:22, 10] locking/posix.c:delete_windows_lock_ref_count(559)
> >   delete_windows_lock_ref_count for file
> > [2008/08/15 12:25:22, 5] smbd/files.c:file_free(454)
> >   freed files structure 5428 (4 used)
> > [2008/08/15 12:25:22, 3]
> > 6)
> >   error packet at smbd/nttrans.c(779) cmd=162 (SMBntcreateX) NT_STATUS_FILE_IS_A_DIRECTORY
> >
> > [2008/08/15 12:25:22, 10] smbd/open.c:open_file_ntcreate(1347)
> >   open_file_ntcreate: fname=jdoe/Application Data/Microsoft/SystemCertificates/My/CRLs, after mapping access_mask=0x1
> > [2008/08/15 12:25:22, 5] smbd/files.c:file_new(123)
> >   allocated file structure 1332, fnum = 5428 (5 used)
> > [2008/08/15 12:25:22, 4] smbd/open.c:open_file_ntcreate(1605)
> >   calling open_file with flags=0x0 flags2=0x0 mode=0700, access_mask = 0x1, open_access_mask = 0x1
> > [2008/08/15 12:25:22, 10] smbd/open.c:fd_open(67)
> >   fd_open: name jdoe/Application Data/Microsoft/SystemCertificates/My/CRLs, flags = 00 mode = 0700, fd = 32.
> > [2008/08/15 12:25:22, 10] locking/posix.c:get_windows_lock_ref_count(545)
> >   get_windows_lock_count for file = 0
> > [2008/08/15 12:25:22, 10] locking/posix.c:delete_windows_lock_ref_count(559)
> >   delete_windows_lock_ref_count for file
> > [2008/08/15 12:25:22, 5] smbd/files.c:file_free(454)
> >   freed files structure 5428 (4 used)
> > [2008/08/15 12:25:22, 3] smbd/error.c:error_packet_set(106)
> >   error packet at smbd/nttrans.c(779) cmd=162 (SMBntcreateX) NT_STATUS_FILE_IS_A_DIRECTORY
>
> --
> The University of St Andrews is a charity registered in Scotland : No SC013532
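Added example, not part of the original thread: the manual comparison described above (what the passwd and group databases say a user's groups are versus what `id -a` reports), written as a small script. The function names are hypothetical, the sample data is constructed from the values quoted in the message, and group names are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data is constructed from the
# values quoted in the message; group names are assumed to contain no spaces.

# expected_gids USER PASSWD_LINES GROUP_LINES
# Primary GID from passwd plus every group whose member list names USER.
expected_gids() {
    {
        printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $4 }'
        printf '%s\n' "$3" | awk -F: -v u="$1" '{
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) print $3
        }'
    } | sort -n -u | tr '\n' ' ' | sed 's/ $//'
}

# reported_gids ID_OUTPUT
# Numeric GIDs from the gid= and groups= fields of `id -a` output.
reported_gids() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i !~ /^(gid|groups)=/) continue
            tok = $i
            sub(/^[a-z]+=/, "", tok)
            n = split(tok, g, ",")
            for (j = 1; j <= n; j++) { sub(/\(.*/, "", g[j]); print g[j] }
        }
    }' | sort -n -u | tr '\n' ' ' | sed 's/ $//'
}

# missing_gids EXPECTED REPORTED
# GIDs the databases imply but `id` did not report.
missing_gids() {
    for gid in $1; do
        case " $2 " in *" $gid "*) ;; *) printf '%s ' "$gid" ;; esac
    done | sed 's/ $//'
}

# Constructed sample: the passwd and group entries quoted in the message, and
# an `id -a jdoe` result showing only the primary group, as reported.
passwd_db='jdoe:x:10037:10002:John DOE:/home/jdoe:/bin/sh'
group_db='grp2::10004:myadmin,jdoe,demo1,demo2,demo3'
id_out='uid=10037(jdoe) gid=10002(grp1)'

want=$(expected_gids jdoe "$passwd_db" "$group_db")
have=$(reported_gids "$id_out")
echo "expected: $want  reported: $have  missing: $(missing_gids "$want" "$have")"
# On a live host: expected_gids jdoe "$(getent passwd jdoe)" "$(getent group)"
# and reported_gids "$(id -a jdoe)".
```

A non-empty "missing" list means the group database lists the user as a member of groups that the lookup behind `id` does not return, which is the symptom both posters describe.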
