Bug 5276 - samba winbind directory access denied
Status: RESOLVED INVALID
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control
Version: 3.0.25b
Hardware: x86 Linux
Importance: P3 normal
Assigned To: Samba Bugzilla Account
QA Contact: Samba QA Contact
Duplicates: 5259
Reported: 2008-02-22 01:40 UTC by RENOUF Lionel
Modified: 2008-02-25 15:15 UTC
Description RENOUF Lionel 2008-02-22 01:40:13 UTC
Redhat EL 5.1, samba 3.0.25b-0.el5.4 (security = domain), winbind 3.0.25b-0.el5.4
--------------------------------------------------------------------------------------
Two directories have exactly the same owner, the same group and the same mask (0770
drwxrwx---).
ls -al /user2/corp/domain-users/testlrn
drwxrwx--- 2 root fr-tmn-esiri 4096 Feb 21 08:54 . 
ls -al /user1/sf1rennes/t91/corp/lrn
drwxrwx--- 2 root fr-tmn-esiri 512 Feb 21 10:46 . 
The directories are shared by samba with winbind.
A Windows user who belongs to the domain group "fr-tmn-esiri" can access one
directory but not the other (access denied).
We don't understand why.
The difference is that one is on a local filesystem and the other is on an NFS
filesystem (the NFS server is Solaris 9).
Thanks for your help.
Comment 1 Volker Lendecke 2008-02-25 02:39:08 UTC
Is it possible that the user in question is in more than 16 groups? If yes, then there's no way around this problem: NFS, and in particular Solaris, don't allow that many groups per user.

I'm closing this bug assuming that it is the case. Please re-open if the user is definitely in less than 16 groups.

Volker
Comment 2 RENOUF Lionel 2008-02-25 02:45:45 UTC
I am not sure, because the problem is the same if the NFS server is AIX 5.3.
Comment 3 Volker Lendecke 2008-02-25 02:50:11 UTC
Again the question: In how many groups is the user?

Volker
Comment 4 RENOUF Lionel 2008-02-25 03:08:01 UTC
I do not know exactly because it is a large Windows domain with a lot of users and groups but certainly more than 16.
Comment 5 Volker Lendecke 2008-02-25 03:36:01 UTC
Well, then you're screwed. NFS does not allow that. And putting the files directly on Solaris won't help either, it does not allow it for NFS compatibility. Not sure about AIX, but I would doubt it allows as many groups as Linux does (65536 by default).

Volker
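The question asked in the comments above (how many groups is the user in, and is the directory's group one of them?) can be answered on the Samba host with a small check. This is an added example, not part of the original bug thread and not Samba code; the function names are hypothetical, the limit of 16 is the figure given in the comments, and an "over-limit" result marks a possible cause only, since which groups get dropped depends on the NFS client.

```shell
#!/bin/sh
# Added example: classify a user's group membership against the NFS
# group limit discussed in this thread. Function names are hypothetical.
NFS_GROUP_LIMIT=16   # figure quoted in the comments above

# classify_groups TARGET_GID GID...
# Prints "<verdict> count=<n>" where verdict is:
#   not-member   - the user is not in the directory's group at all
#                  (look at winbind/idmap configuration, not at NFS)
#   within-limit - member, and the group list fits in the NFS limit
#   over-limit   - member, but the group list exceeds the limit, so the
#                  directory's group may be missing on the NFS server side
classify_groups() {
    target=$1
    shift
    count=$#
    member=no
    for gid in "$@"; do
        if [ "$gid" = "$target" ]; then
            member=yes
        fi
    done
    if [ "$member" = no ]; then
        echo "not-member count=$count"
    elif [ "$count" -le "$NFS_GROUP_LIMIT" ]; then
        echo "within-limit count=$count"
    else
        echo "over-limit count=$count"
    fi
}

# check_user_dir USER DIR
# Resolves the user's numeric groups as the host sees them (winbind
# included, via nsswitch) and the directory's numeric group, then classifies.
check_user_dir() {
    user=$1
    dir=$2
    gids=$(id -G "$user") || return 2
    dir_gid=$(ls -ldn -- "$dir" | awk '{print $4}')
    [ -n "$dir_gid" ] || return 2
    # Word splitting of $gids is intended: one argument per gid.
    classify_groups "$dir_gid" $gids
}
```

For the case in this report it would be called as `check_user_dir 'DOMAIN\user' /user1/sf1rennes/t91/corp/lrn`, where `DOMAIN\user` is a placeholder for the affected account.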
Comment 6 RENOUF Lionel 2008-02-25 07:42:55 UTC
We have tested a new configuration:
a new Windows user, a new Windows group, the new user belongs only to one Windows group (the new Windows group).
Samba is running now on Solaris and the problem still exists:
Under a samba share, the Windows user can't access a directory if he is not the owner, even if the directory group is the group to which he belongs and the unix access on this directory is "rwx".
Comment 7 Volker Lendecke 2008-02-25 07:49:52 UTC
Ok. But this time I would consider this not a Samba bug, 99.9% it is some kind of configuration problem. If this type of access would not work, then I think we would sooo badly be killed everywhere.

You might want to carry this to samba@samba.org.

Volker
Comment 8 RENOUF Lionel 2008-02-25 08:08:56 UTC
Exactly the same configuration works on Linux Redhat EL5 and doesn't on Solaris, so it may be a Solaris bug, but Sun Microsystems doesn't support winbind, I understand why ...
Comment 9 Volker Lendecke 2008-02-25 15:15:16 UTC
*** Bug 5259 has been marked as a duplicate of this bug. ***