Bug 5276 - samba winbind directory access denied
Status: RESOLVED INVALID
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control
Version: 3.0.25b
Hardware: x86 Linux
Importance: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Duplicates: 5259
 
Reported: 2008-02-22 01:40 UTC by RENOUF Lionel (dead mail address)
Modified: 2008-02-25 15:15 UTC
Description RENOUF Lionel (dead mail address) 2008-02-22 01:40:13 UTC
Redhat EL 5.1, samba 3.0.25b-0.el5.4 (security = domain), winbind 3.0.25b-0.el5.4
--------------------------------------------------------------------------------------
Two directories have exactly the same owner, the same group, the same mask (0770
drwxrwx---).
ls -al /user2/corp/domain-users/testlrn
drwxrwx--- 2 root fr-tmn-esiri 4096 Feb 21 08:54 . 
ls -al /user1/sf1rennes/t91/corp/lrn
drwxrwx--- 2 root fr-tmn-esiri 512 Feb 21 10:46 . 
The directories are shared by samba with winbind.
A Windows user who belongs to the domain group "fr-tmn-esiri" can access one
directory but not the other (access denied).
We don't understand why.
The difference is that one is on a local filesystem and the other is on an NFS
filesystem (the NFS server is Solaris 9).
Thanks for your help.
Comment 1 Volker Lendecke 2008-02-25 02:39:08 UTC
Is it possible that the user in question is in more than 16 groups? If yes, then there's no way around this problem, NFS and in particular Solaris don't allow that many groups per user.

I'm closing this bug assuming that it is the case. Please re-open if the user is definitely in less than 16 groups.

Volker
Comment 2 RENOUF Lionel (dead mail address) 2008-02-25 02:45:45 UTC
I'm not sure, because the problem is the same if the NFS server is AIX 5.3
Comment 3 Volker Lendecke 2008-02-25 02:50:11 UTC
Again the question: In how many groups is the user?

Volker
Comment 4 RENOUF Lionel (dead mail address) 2008-02-25 03:08:01 UTC
I do not know exactly because it is a large Windows domain with a lot of users and groups but certainly more than 16.
Comment 5 Volker Lendecke 2008-02-25 03:36:01 UTC
Well, then you're screwed. NFS does not allow that. And putting the files directly on Solaris won't help either, it does not allow it for NFS compatibility. Not sure about AIX, but I would doubt it allows as many groups as Linux does. (65536 by default)

Volker
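
The limit discussed in comments 1 and 5, as an added example that is not part of the original bug thread: RFC 5531 defines the AUTH_SYS credential sent by NFS clients with a gids<16> field, so a server that checks that credential sees at most 16 supplementary groups. The machine name, UID and GIDs are constructed sample values, and keeping the first 16 entries when truncating is an assumption about client behaviour.

```python
import struct

AUTH_SYS_MAX_GIDS = 16  # RFC 5531 declares authsys_parms.gids as gids<16>

def xdr_string(data: bytes) -> bytes:
    """XDR string: 4-byte big-endian length, the bytes, zero padding to 4."""
    return struct.pack(">I", len(data)) + data + b"\x00" * (-len(data) % 4)

def build_authsys_body(stamp, machine, uid, gid, gids):
    """Encode authsys_parms; a list longer than 16 cannot go on the wire."""
    if len(gids) > AUTH_SYS_MAX_GIDS:
        raise ValueError("AUTH_SYS carries at most 16 supplementary gids")
    return (struct.pack(">I", stamp) + xdr_string(machine)
            + struct.pack(">III", uid, gid, len(gids))
            + b"".join(struct.pack(">I", g) for g in gids))

def parse_authsys_body(body):
    """Decode (uid, gid, gids) the way the receiving NFS server would."""
    (name_len,) = struct.unpack_from(">I", body, 4)
    offset = 8 + name_len + (-name_len % 4)
    uid, gid, count = struct.unpack_from(">III", body, offset)
    gids = list(struct.unpack_from(">%dI" % count, body, offset + 12))
    return uid, gid, gids

def server_view(uid, primary_gid, supplementary, dir_gid):
    """Compare local group membership with what the credential conveys."""
    # Assumption: the client keeps the first 16 entries and drops the rest.
    sent = supplementary[:AUTH_SYS_MAX_GIDS]
    # "sambahost" is a hypothetical client machine name.
    body = build_authsys_body(0, b"sambahost", uid, primary_gid, sent)
    _, gid, gids = parse_authsys_body(body)
    return {
        "member_locally": dir_gid == primary_gid or dir_gid in supplementary,
        "member_on_server": dir_gid == gid or dir_gid in gids,
        "gids_dropped": len(supplementary) - len(sent),
    }

# Constructed sample: a domain user mapped to 20 supplementary groups, with
# the directory's group last in the list.
SAMPLE_GIDS = list(range(10001, 10021))
DIR_GID = 10020

if __name__ == "__main__":
    print(server_view(10500, 10000, SAMPLE_GIDS, DIR_GID))  # 20 groups
    print(server_view(10500, 10000, [DIR_GID], DIR_GID))    # one group
```
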
Comment 6 RENOUF Lionel (dead mail address) 2008-02-25 07:42:55 UTC
We have tested a new configuration:
a new Windows user, a new Windows group, the new user belongs only to one Windows group (the new Windows group).
Samba is now running on Solaris and the problem still exists:
Under a samba share, the Windows user can't access a directory if he is not the owner, even if the directory group is the group to which he belongs and the unix access on this directory is "rwx".
Comment 7 Volker Lendecke 2008-02-25 07:49:52 UTC
Ok. But this time I would consider this not a Samba bug, 99.9% it is some kind of configuration problem. If this type of access would not work, then I think we would sooo badly be killed everywhere.

You might want to carry this to samba@samba.org.

Volker
Comment 8 RENOUF Lionel (dead mail address) 2008-02-25 08:08:56 UTC
Exactly the same configuration works on Linux Redhat EL5 and doesn't on Solaris, so it may be a Solaris bug, but Sun Microsystems doesn't support winbind, I understand why ...
Comment 9 Volker Lendecke 2008-02-25 15:15:16 UTC
*** Bug 5259 has been marked as a duplicate of this bug. ***