LinuxQuestions.org
Old 05-21-2009, 09:44 AM   #1
krishnakant
LQ Newbie
 
Registered: May 2009
Location: Chennai
Distribution: CentOS, RHEL and fedora
Posts: 22

Rep: Reputation: 0
Secondary group member can't write on samba share if they have full permission


Hi All,

A few days ago I implemented a Samba-LDAP PDC and also a file server. The file server is joined to the PDC. Everything is working fine. I made two groups in the PDC and created some users.

On the file server I made a share folder. Then I set ACLs for both groups and gave rwx permission on the share folder. When I browse the share folder on a Windows client, only the primary group's users have rwx permission on it; secondary group users only get read (r--) permission, although they have full permission (rwx) on this share folder.

When I try to write to the share folder as a secondary group member I get the following error:

[root@flsrv ~]# smbclient //192.168.2.27/test -U jen
Password:
Domain=[PDCNOIDA] OS=[Unix] Server=[Samba 3.0.33-3.7.el5]
smb: \>
smb: \> dir
. D 0 Fri May 22 00:03:11 2009
.. D 0 Thu May 21 21:52:10 2009
sd D 0 Fri May 22 00:03:11 2009
smb: \> mkdir sdf
NT_STATUS_ACCESS_DENIED making remote directory \sdf


When I check the log I get the following error:

[root@flsrv ~]# tailf /var/log/samba/smbd.log
[2009/05/22 01:30:06, 0] printing/print_cups.c:cups_connect(69)
Unable to connect to CUPS server localhost:631 - Connection refused
[2009/05/22 01:30:08, 1] smbd/service.c:make_connection_snum(1033)
flsrv (192.168.2.27) connect to service test initially as user PDCNOIDA\jen (uid=10001, gid=10006) (pid 3136)
[2009/05/22 01:31:26, 1] smbd/service.c:close_cnum(1230)
flsrv (192.168.2.27) closed connection to service test
[2009/05/22 01:31:38, 1] smbd/service.c:make_connection_snum(1033)
flsrv (192.168.2.27) connect to service test initially as user PDCNOIDA\jen (uid=10001, gid=10006) (pid 3139)
[2009/05/22 01:33:07, 1] smbd/service.c:close_cnum(1230)
flsrv (192.168.2.27) closed connection to service test


And I also get an error on the Windows client:

Access is denied..(Unable to create folder)


Please help me to get rid of this problem.



Thanks,
Krishna Kant
 
Old 05-22-2009, 03:59 AM   #2
chitambira
Member
 
Registered: Oct 2008
Location: Fife
Distribution: RHEL, Centos
Posts: 373
Blog Entries: 1

Rep: Reputation: 49
How are you granting/restricting access to the share (direct ACL on the folder on the server, or via smb.conf)? Post your smb.conf.
Also bear in mind that ACLs are read (owner, group, others) and group means primary group. If you want to grant control permissions to other users/groups, you use extended ACLs or POSIX ACLs,
e.g. using setfacl:
Quote:
# file: sdf
# owner: admin
# group: prim_grp
user::rwx
group::rwx
group:secondary_grp:rwx
mask::rwx
other::r--

Last edited by chitambira; 05-22-2009 at 09:33 AM.
 
Old 05-22-2009, 08:35 AM   #3
krishnakant
LQ Newbie
 
Registered: May 2009
Location: Chennai
Distribution: CentOS, RHEL and fedora
Posts: 22

Original Poster
Rep: Reputation: 0
Secondary group member can't write on share folder

Hi Benny,

Thanks for your support. I am using ACLs for granting/restricting access to the share. My problem is still there.

Here is my smb.conf file:

[global]
workgroup = PDCN
netbios name = flsrv
server string = File Server
security = DOMAIN
password server = 192.168.2.28
pam password change = Yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
unix password sync = Yes
max log size = 100
keepalive = 30
socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536 IPTOS_LOWDELAY
os level = 32
preferred master = No
local master = No
domain master = No
dns proxy = No
wins server = 192.168.2.28
ldap passwd sync = Yes
remote announce = 192.168.2.255
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind cache time = 4000
winbind enum users = Yes
winbind enum groups = Yes
inherit acls = Yes

[test]
path = /test
admin users = PDCN\root
read only = No
store dos attributes = Yes
vfs objects = recycle
recycle:versions = yes
recycle:keeptree = yes
recycle:repository = .recycle


I made two groups:
1- stat
2- cad

I also created two users, jack & joe

smbldap-useradd -a -m -P -g stat jack
smbldap-useradd -a -m -P joe
smbldap-usermod -G cad joe

Jack's primary group is stat. He can do everything (rwx) on the share folder.
Joe's secondary group is cat. He has no permission on the share folder.

I have used these commands to set the ACL on the share folder:
setfacl -m g:PDCN\\stat:rwx -R /test
setfacl -d -m g:PDCN\\stat:rwx /test

setfacl -m g:PDCN\\cat:rwx -R /test
setfacl -d -m g:PDCN\\cad:rwx /test


Thanks,

Krishna Kant
 
Old 05-22-2009, 09:44 AM   #4
chitambira
Member
 
Registered: Oct 2008
Location: Fife
Distribution: RHEL, Centos
Posts: 373
Blog Entries: 1

Rep: Reputation: 49
control access using smb.conf

Quote:
[test]
path = /test
admin users = root
write list = @stat @cad # these 2 grps will have write perms to the test share
store dos attributes = Yes
vfs objects = recycle
recycle:versions = yes
recycle:keeptree = yes
recycle:repository = .recycle
 
Old 05-22-2009, 10:47 AM   #5
krishnakant
LQ Newbie
 
Registered: May 2009
Location: Chennai
Distribution: CentOS, RHEL and fedora
Posts: 22

Original Poster
Rep: Reputation: 0
Secondary group member can't write on share folder

Hi Benny,

I tried it, but it's not working.

Thanks,
Krishna Kant
 
Old 05-25-2009, 06:25 AM   #6
chitambira
Member
 
Registered: Oct 2008
Location: Fife
Distribution: RHEL, Centos
Posts: 373
Blog Entries: 1

Rep: Reputation: 49
# ls -al /test

Also, how does your [test] share section look now? (Post the config.)
What's the error message you are getting when you try to access the test share now?
 
Old 05-25-2009, 10:36 AM   #7
krishnakant
LQ Newbie
 
Registered: May 2009
Location: Chennai
Distribution: CentOS, RHEL and fedora
Posts: 22

Original Poster
Rep: Reputation: 0
secondary group member can't write on samba share if they have full permission

# smbclient //192.168.2.27/test -U jen
Password:
Domain=[PDCN] OS=[Unix] Server=[Samba 3.0.33-3.7.el5]
smb: \> ls
NT_STATUS_NETWORK_ACCESS_DENIED listing \*

0 blocks of size 0. 511 blocks available
smb: \> mkdir jk
NT_STATUS_NETWORK_ACCESS_DENIED making remote directory \jk
smb: \>


Thanks,
Krishna Kant

Last edited by krishnakant; 05-26-2009 at 04:28 AM.
 
Old 05-26-2009, 02:22 AM   #8
chitambira
Member
 
Registered: Oct 2008
Location: Fife
Distribution: RHEL, Centos
Posts: 373
Blog Entries: 1

Rep: Reputation: 49
You are mixing up things here:

Which server are you using?
Quote:
smb: \> ls
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
What's this?? Where are you doing this? My command and the command that you ran are very different, you failed to copy??
Quote:
smb: \>
This doesn't look like a Linux shell prompt, what are you doing really?? Where does the share reside?? My command was supposed to run on the Linux Samba server shell prompt, not in smbclient. I wanted to see the permissions of that share.
Who do you log on as on the Windows client?? Also, you have changed the users and groups from the original that you posted with, so I can no longer give correct references. Please maintain consistency in your test scenario. You now have Jen, who is jen? Please maintain groups stat, cad and users joe and jack, also maintain a share test, then we can easily follow what's going on.

Last edited by chitambira; 05-26-2009 at 06:51 AM.
 
Old 05-26-2009, 04:51 AM   #9
krishnakant
LQ Newbie
 
Registered: May 2009
Location: Chennai
Distribution: CentOS, RHEL and fedora
Posts: 22

Original Poster
Rep: Reputation: 0
Secondary group member can't write on samba share if they have full permission

Actually I have a PDC (openldap + samba) and a Samba file server. The file server is joined to the PDC. Users and groups exist on the PDC, not on the file server.

I have set group-based ACLs on the share folder (the share folder exists on the Samba file server). The share folder permission is 770 (rwxrwx---). I posted the Samba file server smb.conf above.


I am using the smbclient command to access the share folder on the Samba file server.


Thanks
 
Old 05-26-2009, 06:53 AM   #10
krishnakant
LQ Newbie
 
Registered: May 2009
Location: Chennai
Distribution: CentOS, RHEL and fedora
Posts: 22

Original Poster
Rep: Reputation: 0
Secondary group member can't write on samba share if they have full permission

Hi Benny,

My problem is resolved now. My problem was in the /etc/nsswitch.conf file.

Thanks for your support.

Thanks,
Krishna Kant
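
Added example (editorial, not code from any poster in this thread): the POSIX ACL access check from acl(5), run over the getfacl-style listing quoted in post #2. It shows how a user whose supplementary group is missing from the group list the file server resolves (compare `id -Gn <user>` on that host) falls through to `other::` and gets only r--. The user `joe`, the group `users` and both group sets are constructed for illustration.

```python
BITS = {"r": 4, "w": 2, "x": 1}
# getfacl-style listing quoted in post #2 of this thread.
SAMPLE_ACL = """\
# file: sdf
# owner: admin
# group: prim_grp
user::rwx
group::rwx
group:secondary_grp:rwx
mask::rwx
other::r--
"""

def perm_bits(text):
    return sum(BITS[c] for c in text if c in BITS)

def parse_getfacl(text):
    acl = {"owner": None, "group": None, "mask": None, "users": {}, "groups": {}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("# owner:", "# group:")):
            acl[line[2:7]] = line.split(":", 1)[1].strip()   # file owner / owning group
        elif line and not line.startswith(("#", "default:")):
            tag, name, perm = line.split("#")[0].split(":", 2)
            if tag in ("user", "group"):
                acl[tag + "s"][name] = perm_bits(perm)       # name "" = owner / owning group
            else:
                acl[tag] = perm_bits(perm)                   # mask, other
    return acl

def check_access(acl, user, groups, want):
    """acl(5) order: owner, named user, any matching group entry, then other."""
    need = perm_bits(want)
    mask = 7 if acl["mask"] is None else acl["mask"]         # no mask entry: nothing masked
    if user == acl["owner"]:
        return (acl["users"][""] & need) == need, "user::"
    if user in acl["users"]:
        return (acl["users"][user] & mask & need) == need, f"user:{user}:"
    matched = [(g, p) for g, p in acl["groups"].items() if (g or acl["group"]) in groups]
    for name, perm in matched:
        if (perm & mask & need) == need:
            return True, f"group:{name}:"
    if matched:                                              # in a listed group, none grants it
        return False, f"group:{matched[0][0]}:"
    return (acl.get("other", 0) & need) == need, "other::"

if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_ACL)
    for groups in ({"users", "secondary_grp"}, {"users"}):   # constructed group sets
        print(sorted(groups), check_access(acl, "joe", groups, "w"))
```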
 
Old 05-26-2009, 07:01 AM   #11
chitambira
Member
 
Registered: Oct 2008
Location: Fife
Distribution: RHEL, Centos
Posts: 373
Blog Entries: 1

Rep: Reputation: 49
Good to hear

Last edited by chitambira; 05-26-2009 at 07:02 AM.
 
Old 06-23-2009, 03:29 PM   #12
delima_lima
LQ Newbie
 
Registered: Jun 2009
Posts: 1

Rep: Reputation: 0
Hi

Can you post your file for us?

I have the same problem. Tks!!!
 
  

