Bug 2805 - Linux group ownership changes are not reflected
Summary: Linux group ownership changes are not reflected
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Version: 3.0.7
Hardware: x86 Windows 2000
Importance: P1 normal
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-06-17 02:28 UTC by Tomas Polak (dead mail address)
Modified: 2006-01-13 11:36 UTC
Description Tomas Polak (dead mail address) 2005-06-17 02:28:05 UTC
I am experiencing unexpected behavior when changing group ownership on a Linux 
shared directory. For example, I create a directory with default (force group, 
directory mask) Linux rights. Next, as Linux root, I change the group ownership to 
another group, of which the user is not a member. From the Linux point of view, the 
user is not allowed to write to that directory, but via the Samba share from W2K he 
still can write there.
When I restart smbd, this ownership change is reflected. Unfortunately I 
cannot restart each time the group ownership changes.

For authentication I am using smbpasswd.

I am running 3.0.7 instead of 3.0.14a due to 
https://bugzilla.samba.org/show_bug.cgi?id=2751

But probably this is not a bug but regular behavior. If so, the question is 
how to force Samba to reflect those group ownership changes. I can imagine some 
kind of smbcontrol <message-type>...

If any other kind of information/simulation is needed, please let me know.
Tomas Polak

Here is smb.conf:
#======================= Global Settings =======================

[global]

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d

   unix charset = iso8859-2
   dos charset = CP852

netbios name = cartman
workgroup = JAGA
encrypt passwords = true
   passdb backend = smbpasswd guest

domain master = yes
local master = yes
preferred master = yes
os level = 255

security = user
domain logons = yes

logon path = \\%L\profiles\%u\%m
logon home = \\%L\%u\win_profile\%m

logon drive = J:

#disabled to test Accounting time change
time server = no

remote announce = wins2.jaga.sk
remote browse sync = wins2.jaga.sk

#domain admin group = root 

add user script = /usr/sbin/useradd -d /dev/null -g 50 -s /bin/false %u
add machine script = /usr/sbin/useradd -d /dev/null -s /bin/false %m\$

log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 10000

   syslog = 0
   log level = 0

   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

   obey pam restrictions = yes

#printers specific global settings
load printers = yes
printing = cups
printcap name = cups
printer admin = root, tomas, martinm    

#name resolving options
wins support = yes

#security options
#hosts allow = 10.0.0.0/24 EXCEPT 10.1.1.210/0 10.50.0.0/16 10.51.0.0/16 10.52.0.0/16
#hosts deny = ALL
unix password sync = yes
#passwd program = /usr/bin/passwd %u
#passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .

   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *success*
   passwd chat debug = true

min password length = 0

#======================= Share Definitions =======================

[netlogon]
 path=/usr/local/samba/netlogon
 writable = no
 browseable = no
 share modes = no
 guest ok = yes

[profiles]
  path = /home/samba-ntprof
  browseable = no
  writable = yes
  create mask = 0700
  directory mask = 0700

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   guest ok = no
   create mask = 0775
   directory mask = 0775
   force group = staff
   #this hide marks UNIX dot files with DOS hidden flag
   hide dot files = yes
   #this veto hiddes UNIX dot files, but leaves . as current directory
   veto files = /.?*/
   map archive = no

   recycle:keeptree = true
   recycle:touch = true
   recycle:versions = true
   recycle:exclude = *.tmp *.temp *.ldb ~$*
   vfs object = recycle

   delete readonly = yes

  
#automatically share all CUPS defined printers
[printers]
    comment = All printers
    path = /var/spool/samba
    browseable = no
    public = yes
    guest ok = yes
    writable = no
    printable = yes
    
#used for sharing printer drivers automatically used by clients when installing shared printer
[print$]
    comment = Printer Drivers Download Area
    path = /etc/samba/drivers
    browseable = yes
    guest ok = yes
    read only = yes
    write list = tomas,root
Comment 1 Carsten Menke 2005-06-29 18:18:57 UTC
use

force group = +somegroup

(See the " + " sign)
Comment 2 Tomas Polak (dead mail address) 2005-07-26 02:19:01 UTC
Hello Carsten,
thank you for the suggestion, but +staff makes our shared Access database 
read-only, even though the database file is owned by the staff group and of course 
has group write rights.
I will test this behavior more deeply to at least discover whether +staff will 
solve my "group membership changes" problem. But this must be done when users 
are not active, so I will need more time before I respond here.
Comment 3 Gerald (Jerry) Carter (dead mail address) 2005-09-29 08:01:26 UTC
The access check is only done on open. If the user has an 
open file, then he can continue to write to that file until 
the file descriptor is closed. This is POSIX semantics.
If I misunderstood your question, feel free to reopen.
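Comment 3's point about POSIX open-time access checks, shown as an added C example that is not part of this bug report or of Samba: the mode bits are consulted when open() creates the descriptor, not on each write(). The scratch path is an assumption; run it as a non-root user, since root bypasses mode bits and the denial cannot be observed.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write permission is evaluated once, when open() creates the descriptor.
 * Returns 1 if a write() through a descriptor opened *before* the file was
 * made read-only still succeeds, 0 otherwise. */
int write_after_chmod_succeeds(const char *path)
{
    unlink(path);                                   /* start from a clean slate */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return 0;
    if (fchmod(fd, 0444) != 0) { close(fd); return 0; }   /* drop every write bit */
    ssize_t n = write(fd, "still writable\n", 15);        /* mode is not re-checked */
    close(fd);
    unlink(path);
    return n == 15;
}

/* A *new* open() for writing is checked against the current mode and refused
 * with EACCES. Returns 1 if refused, -1 when running as root (root bypasses
 * mode bits, so the denial cannot be observed), 0 if unexpectedly allowed. */
int fresh_open_denied(const char *path)
{
    unlink(path);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0444);
    if (fd < 0) return 0;
    close(fd);
    int result = -1;
    if (geteuid() != 0) {
        fd = open(path, O_WRONLY);                  /* fresh access check happens here */
        result = (fd < 0 && errno == EACCES) ? 1 : 0;
        if (fd >= 0) close(fd);
    }
    unlink(path);
    return result;
}

int main(void)
{
    const char *p = "/tmp/bug2805_posix_open_demo.txt";   /* assumed scratch path */
    printf("write on already-open fd after chmod 0444: %s\n",
           write_after_chmod_succeeds(p) ? "succeeded" : "failed");
    int d = fresh_open_denied(p);
    printf("fresh O_WRONLY open of a 0444 file: %s\n",
           d == 1 ? "denied (EACCES)" : d == -1 ? "not observable as root" : "allowed");
    return 0;
}
```

The same principle is why an smbd that already holds a file open keeps writing after a chown; only a fresh open on a new connection is re-evaluated.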
Comment 4 Tomas Polak (dead mail address) 2005-09-29 08:34:38 UTC
Hello Jerry,
thank you for your comment. I understand these POSIX semantics, but I hope this 
is not my case. Users do not have files open from directories where I am 
changing group ownership. Maybe they may have such a directory open as a 
directory listing in Windows Explorer. I don't know if your explanation applies 
in such a case. Regardless of that, I still need to find a solution 
or workaround.
It must also be mentioned that due to https://bugzilla.samba.org/show_bug.cgi?id=2751 
we are locked on version 3.0.7.
Comment 5 Jeremy Allison 2005-09-29 10:03:21 UTC
What we need to see is a debug level 10 log of a user getting access when you
think he/she shouldn't. That will tell us what groups are in the user token.
Jeremy.
Comment 6 larss 2005-11-10 06:23:31 UTC
(In reply to comment #0)
> I am expecting unexpected behavior when changing group ownership on Linux 
> shared directory. 

In my case the problem is that the mapping of users into groups gets unsynchronized 
when a user is inserted into, removed from, etc. a group (i.e., /etc/group is 
modified) while samba is running: this way samba doesn't know that the group 
situation has changed and applies wrong access permissions. To get a practical 
example of what happens, see http://tinyurl.com/8ae27.
So, as Tomas asks, the question is "how to force Samba to reflect those group 
ownership changes?", or more widely, how to force Samba to reflect changes 
in /etc/group without restarting it?

TIA, larss
Comment 7 Gerald (Jerry) Carter (dead mail address) 2006-01-13 11:36:51 UTC
Closing. I was never convinced of a bug. If you still think 
one exists, please retest against 3.0.21a and reopen 
if necessary. Thanks.