I am experiencing unexpected behavior when changing group ownership on a Linux shared directory. For example, I create a directory with the default (force group, directory mask) Linux rights. Next, as Linux root, I change the group ownership to another group, of which the user is not a member. From the Linux point of view the user is not allowed to write to that directory, but via the Samba share from W2K he can still write there. When I restart smbd, the ownership change is reflected. Unfortunately I cannot restart each time the group ownership changes. For authentication I am using smbpasswd. I am running 3.0.7 instead of 3.0.14a due to https://bugzilla.samba.org/show_bug.cgi?id=2751

But probably this is not a bug, but regular behavior. If so, the question is, how to force Samba to reflect those group ownership changes? I can imagine some kind of smbcontrol <message-type>... If any other kind of information/simulation is needed, please let me know.

Tomas Polak

Here is smb.conf:

#======================= Global Settings =======================
[global]
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
unix charset = iso8859-2
dos charset = CP852
netbios name = cartman
workgroup = JAGA
encrypt passwords = true
passdb backend = smbpasswd guest
domain master = yes
local master = yes
preferred master = yes
os level = 255
security = user
domain logons = yes
logon path = \\%L\profiles\%u\%m
logon home = \\%L\%u\win_profile\%m
logon drive = J:
#disabled to test Accounting time change
time server = no
remote announce = wins2.jaga.sk
remote browse sync = wins2.jaga.sk
#domain admin group = root
add user script = /usr/sbin/useradd -d /dev/null -g 50 -s /bin/false %u
add machine script = /usr/sbin/useradd -d /dev/null -s /bin/false %m\$
log file = /var/log/samba/log.%m
# Put a capping on the size of the log files (in Kb).
max log size = 10000
syslog = 0
log level = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
obey pam restrictions = yes
#printers specific global settings
load printers = yes
printing = cups
printcap name = cups
printer admin = root, tomas, martinm
#name resolving options
wins support = yes
#security options
#hosts allow = 10.0.0.0/24 EXCEPT 10.1.1.210/0 10.50.0.0/16 10.51.0.0/16 10.52.0.0/16
#hosts deny = ALL
unix password sync = yes
#passwd program = /usr/bin/passwd %u
#passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *success*
passwd chat debug = true
min password length = 0

#======================= Share Definitions =======================
[netlogon]
path = /usr/local/samba/netlogon
writable = no
browseable = no
share modes = no
guest ok = yes

[profiles]
path = /home/samba-ntprof
browseable = no
writable = yes
create mask = 0700
directory mask = 0700

[homes]
comment = Home Directories
browseable = no
writable = yes
guest ok = no
create mask = 0775
directory mask = 0775
force group = staff
#this hide marks UNIX dot files with DOS hidden flag
hide dot files = yes
#this veto hides UNIX dot files, but leaves . as current directory
veto files = /.?*/
map archive = no
recycle:keeptree = true
recycle:touch = true
recycle:versions = true
recycle:exclude = *.tmp *.temp *.ldb ~$*
vfs object = recycle
delete readonly = yes

#automatically share all CUPS defined printers
[printers]
comment = All printers
path = /var/spool/samba
browseable = no
public = yes
guest ok = yes
writable = no
printable = yes

#used for sharing printer drivers automatically used by clients when installing shared printer
[print$]
comment = Printer Drivers Download Area
path = /etc/samba/drivers
browseable = yes
guest ok = yes
read only = yes
write list = tomas,root
use force group = +somegroup (See the " + " sign)
Hello Carsten, thank you for the suggestion, but +staff makes our shared Access database read-only, even though the database file is owned by the staff group and of course has group write rights. I will test this behavior more deeply to at least discover if +staff will solve my "group membership changes" problem. But this must be done when users are not active, so I will need more time before I respond here.
The access check is only done on open. If the user has an open file, then he can continue to write to that file until the file descriptor is closed. This is POSIX semantics. If I misunderstood your question, feel free to reopen.
Hello Jerry, thank you for your comment. I understand these POSIX semantics, but I hope this is not my case. Users do not have open files from the directories where I am changing group ownership. Maybe they have such a directory open as a directory listing in Windows Explorer; I don't know if your explanation applies in that case. Regardless of that, I still need to find a solution or workaround. It must also be mentioned that due to https://bugzilla.samba.org/show_bug.cgi?id=2751 we are locked on version 3.0.7
What we need to see is a debug level 10 log of a user getting access when you think he/she shouldn't. That will tell us what groups are in the user token. Jeremy.
(In reply to comment #0)
> I am expecting unexpected behavior when changing group ownership on Linux
> shared directory.

In my case the problem is that the mapping of users into groups gets unsynchronized when a user is added to, removed from, etc. a group (i.e., /etc/group is modified) while Samba is running: this way Samba doesn't know that the group situation has changed and applies the wrong access permissions. For a practical example of what happens, see http://tinyurl.com/8ae27. So, as Tomas asks, the question is "how to force Samba to reflect those group ownership changes?", or more widely, how to force Samba to reflect changes in /etc/group without restarting it?

TIA, larss
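The following is an added illustration, not Samba code and not something posted in this thread. It models the mechanism larss describes: the UNIX token (uid, primary gid, supplementary groups) that a running session keeps was resolved from /etc/group at session setup, whereas a fresh login would resolve it again, initgroups(3)-style, from the current file. The same POSIX write check is then run against both tokens. The /etc/group contents, the uid 1001 and primary gid 100 for "tomas", and the directory modes are all constructed for the example; the gids 50 (staff) and 60 follow the numbers used in the thread's smb.conf only by analogy.

```python
"""
Model of a stale group token in a long-running session (constructed data).

A session's token is built once, from the /etc/group of that moment; a new
session would be built from the current file.  The POSIX write check below
is applied to both so the divergence is visible.  Not Samba code.
"""
import stat
from dataclasses import dataclass

# Constructed /etc/group before and after the admin removes 'tomas' from
# 'staff' and adds him to 'accounting' while the session is still open.
GROUP_FILE_BEFORE = """\
root:x:0:
staff:x:50:tomas,martinm
accounting:x:60:martinm
"""
GROUP_FILE_AFTER = """\
root:x:0:
staff:x:50:martinm
accounting:x:60:martinm,tomas
"""


def parse_group_file(text):
    """Return {gid: set(member names)} from /etc/group-style text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _name, _pw, gid, members = line.split(":", 3)
        groups[int(gid)] = {m for m in members.split(",") if m}
    return groups


def supplementary_groups(user, group_text):
    """The gid set an initgroups(3)-style lookup would produce for `user`."""
    return frozenset(gid for gid, members in parse_group_file(group_text).items()
                     if user in members)


@dataclass(frozen=True)
class Token:
    uid: int
    gid: int            # primary group
    groups: frozenset   # supplementary groups captured when the token was built


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int


def may_write(token, inode):
    """POSIX discretionary write check: select exactly one class (owner,
    group, other) from the token and test only that class's write bit;
    a non-matching owner class does not fall through to the group bits."""
    if token.uid == 0:
        return True
    if token.uid == inode.uid:
        bit = stat.S_IWUSR
    elif inode.gid == token.gid or inode.gid in token.groups:
        bit = stat.S_IWGRP
    else:
        bit = stat.S_IWOTH
    return bool(inode.mode & bit)


def build_token(user, uid, primary_gid, group_text):
    """Resolve the user's groups from the given /etc/group snapshot."""
    return Token(uid, primary_gid, supplementary_groups(user, group_text))


def compare(user, uid, primary_gid, inode):
    """Return (cached_decision, fresh_decision) for writing into `inode`:
    cached = token built from the pre-edit file and kept by the open session,
    fresh = token a new session would get from the current file."""
    cached = build_token(user, uid, primary_gid, GROUP_FILE_BEFORE)
    fresh = build_token(user, uid, primary_gid, GROUP_FILE_AFTER)
    return may_write(cached, inode), may_write(fresh, inode)


if __name__ == "__main__":
    # Directories owned by root, group-writable: only group membership decides.
    dirs = {"staff dir (gid 50)": Inode(uid=0, gid=50, mode=0o775),
            "accounting dir (gid 60)": Inode(uid=0, gid=60, mode=0o775)}
    for name, d in dirs.items():
        cached, fresh = compare("tomas", 1001, 100, d)
        print(f"{name}: open session -> {'write' if cached else 'deny'}, "
              f"new session -> {'write' if fresh else 'deny'}")
```

Run stand-alone it prints that the open session still writes to the staff directory the user was removed from and is still denied on the accounting directory he was added to, while a new session gets the opposite in both cases. That is the whole of the effect: neither restarting smbd nor reloading smb.conf is what fixes it, rebuilding the token is.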
Closing. I was never convinced of a bug. If you think one still exists, please retest against 3.0.21a and reopen if necessary. Thanks.