So this is a strange one, at least to me and my colleagues.

User jhannon cannot change group ownership of a file, mkdir or create files under directories owned by group 3Analysis. jhannon is a member of both the original and target group. If I do something similar with another user, the permissions work just fine. Any ideas?

----------------------------------------------------------------------
This is from a RHEL4 Desktop disti. (I have tried 5 different systems)
----------------------------------------------------------------------
[jhannon@elvis testdir]$ ls -l
total 0
-rwxrwx--- 1 jhannon jhannon 0 Mar 26 16:12 zdontestfile
[jhannon@elvis testdir]$ groups
jhannon bnac TIU administrative CRU MAU SDU DBMU bluesky AdminU SysAdmins TRM TwikiAuthors fMRI PML ProjCoords 3Analysis Genzyme doppler
[jhannon@elvis testdir]$ chgrp 3Analysis zdontestfile
chgrp: changing group of `zdontestfile': Operation not permitted
[jhannon@elvis testdir]$ ll
total 0
-rwxrwx--- 1 jhannon jhannon 0 Mar 26 16:12 zdontestfile
[jhannon@elvis testdir]$ chgrp TIU zdontestfile
[jhannon@elvis testdir]$ ll
total 0
-rwxrwx--- 1 jhannon TIU 0 Mar 26 16:12 zdontestfile
[jhannon@elvis testdir]$ chgrp 3Analysis zdontestfile
chgrp: changing group of `zdontestfile': Operation not permitted
[jhannon@elvis testdir]$
----------------------------------------------------------------------

----------------------------------------------------------------------
If I try to do this from a new RHEL5 Desktop, the chgrp works.
----------------------------------------------------------------------
[jhannon@trillian testdir]$ ll
total 0
-rwxrwx--- 1 jhannon TIU 0 Mar 26 16:12 zdontestfile
[jhannon@trillian testdir]$ groups
jhannon bnac TIU administrative CRU MAU SDU DBMU bluesky AdminU SysAdmins TRM TwikiAuthors fMRI PML ProjCoords 3Analysis Genzyme doppler
[jhannon@trillian testdir]$ chgrp 3Analysis zdontestfile
[jhannon@trillian testdir]$ ls -l
total 0
-rwxrwx--- 1 jhannon 3Analysis 0 Mar 26 16:12 zdontestfile
----------------------------------------------------------------------

Any help is appreciated....

you know this dose sound like it is a HOMEWORK Question .
check the groups that "jhannon" belongs to
or make a new user account for jhannon
or , temporally 777 the folder so jhannon can use it .

John VV, Thanks for the reply. If it sounds like a homework question, that's probably because I used to write quiz questions for my college. Apparantly some of that has spilled over into my professional life as well. heh.

As you can see, jhannon is in the necessary groups in order to make this work. That is the odd part. In particular the issues seems to be with the 3Analysis group (but only if used with jhannon on RHEL4 systems).

[jhannon@elvis testdir]$ groups
jhannon bnac TIU administrative CRU MAU SDU DBMU bluesky AdminU SysAdmins TRM TwikiAuthors fMRI PML ProjCoords 3Analysis Genzyme doppler

On further investigation, the groups Genzyme and doppler do the same thing with jhannon.

On your second point, how would creating a new user help when I need her primary account to be jhannon (permissions and audit purposes as this is a healthcare research lab).

As for the third, again, I cannot just 777 the directory as it needs to be locked down for permissions and audit purposes.


The strange part of this issue is that it only seems to affect 1 user in 3 of her 19 groups. I cannot get this issue to replicate with anyone else.

Unfortunately, this isn't as easy as throwing a few simple things at a wall and hoping one of them sticks. I've been through that for the past 2 days now.

Thanks again for the reply...

777 would NOT be a good idea for that .

as i recall rhel 4 dose not use SE but 5 does ( if you are using it )
if SE is set to enforcing that might be a place to look .Some of the "terminals" ( boxes) might be blocking things while other ones might not .

unfortunately this is a bit beyond my skills .
you might want to pm one of the community managers and ask if they can point you to someone with a bunch of experience in this area .

have you talked with your Red Hat tech rep .

I don' have experience with SELinux either but I believe if it is blocking something there should be an entry in the logs (or at least it can be configured to do so), so you might want to check there. Unless/until you can rule it out I would think that would be worth checking into. I certainly can't think of anything else (other than a bug) that could cause such strange behavior.

SELinux is available on RHEL 4 as the following link shows:

http://www.redhat.com/docs/manuals/e...selinux-guide/

Have you looked at possible acls?

getfacl <filename>

also check for default acl on dir

getfacl <dir>

the getfacl on the directory looks just like if I use ll, just in a different format. All of the permissions are correct as far as I can tell.

Does anyone know why I'd be able to do the work on RHEL5 but not RHEL4?


Thanks to all for replying..

Don

An update....

After many hours of searching the net and some accidental realizations, I have discovered that there is a 16 group id limit when using NFS and AUTH_SYS. Apparently there are some work arounds, and I'm investigating them now. Anybody else interested in this issue can check out what I have found at:

http://www.insectnation.org/articles...6-group-limit/
http://nfsworld.blogspot.com/2005/03...imitation.html

I am still trying to figure out why this worked on RHEL5 and not on RHEL4, but I'm sure it has something to do with the authentication modes used by each.

Much thanks to responses I did get. It at least let me know that I wasn't the only one lost with this issue.