Hi All,

Few days ago I have implemented Samba-LDAP PDC. and also a file server. File server join with PDC. Everything is working fine. I make two group in in PDC, and create some user .

In file server I make a share folder. Then I am setting acl for both groupsand give rwx permission on share folder. When I am browsing share folder on Windows client Only Primary groups user have rwx permission on this and secondary group users only get read(r--) permission, although they have full permission(rwx) on this share folder.

When try to wite on share folder as a secondary group member I get following error--

[root@flsrv ~]# smbclient //192.168.2.27/test -U jen
Password:
Domain=[PDCNOIDA] OS=[Unix] Server=[Samba 3.0.33-3.7.el5]
smb: \>
smb: \> dir
. D 0 Fri May 22 00:03:11 2009
.. D 0 Thu May 21 21:52:10 2009
sd D 0 Fri May 22 00:03:11 2009
smb: \> mkdir sdf
NT_STATUS_ACCESS_DENIED making remote directory \sdf


When I am checking log then I get following error--

[root@flsrv ~]# tailf /var/log/samba/smbd.log
[2009/05/22 01:30:06, 0] printing/print_cups.c:cups_connect(69)
Unable to connect to CUPS server localhost:631 - Connection refused
[2009/05/22 01:30:08, 1] smbd/service.c:make_connection_snum(1033)
flsrv (192.168.2.27) connect to service test initially as user PDCNOIDA\jen (uid=10001, gid=10006) (pid 3136)
[2009/05/22 01:31:26, 1] smbd/service.c:close_cnum(1230)
flsrv (192.168.2.27) closed connection to service test
[2009/05/22 01:31:38, 1] smbd/service.c:make_connection_snum(1033)
flsrv (192.168.2.27) connect to service test initially as user PDCNOIDA\jen (uid=10001, gid=10006) (pid 3139)
[2009/05/22 01:33:07, 1] smbd/service.c:close_cnum(1230)
flsrv (192.168.2.27) closed connection to service test


And also get error on Windows Client

Access is denied..(Unable to create folder)


Please help me to get rid of this Problem.



Thanks,
Krishna Kant

How are you granting/restricting access to a share ( direct acl on folder on server or via smb.com)? post your smb.conf
Also bear in mind that acl are read (owner,group,others) and group means primary group. If you want to grant control permissions to other user/groups, you use extended acls or posix acls;
eg; using setfacl:

Hi Benny,

Thanks for your support. I am using acl for granting/restricting access to share. My problem is still now.

Here is my Smb.conf file-

[global]
workgroup = PDCN
netbios name = flsrv
server string = File Server
security = DOMAIN
password server = 192.168.2.28
pam password change = Yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
unix password sync = Yes
max log size = 100
keepalive = 30
socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536 IPTOS_LOWDELAY
os level = 32
preferred master = No
local master = No
domain master = No
dns proxy = No
wins server = 192.168.2.28
ldap passwd sync = Yes
remote announce = 192.168.2.255
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind cache time = 4000
winbind enum users = Yes
winbind enum groups = Yes
inherit acls = Yes

[test]
path = /test
admin users = PDCN\root
read only = No
store dos attributes = Yes
vfs objects = recycle
recycle:versions = yes
recycle:keeptree = yes
recycle:repository = .recycle


I make a two group--
1- stat
2- cad

also create two user jack & joe

smbldap-useradd -a -m -P -g stat jack
smbldap-useradd -a -m -P joe
smbldap-usermod -G cad joe

Jack primary group is stat. He can do everything(rwx) on share folder.
Joe secondary group is cat. He have no permission on share folder .

I have use this command to set acl on share folder..
setfacl -m g:PDCN\\stat:rwx -R /test
setfacl -d -m g:PDCN\\stat:rwx /test

setfacl -m g:PDCN\\cat:rwx -R /test
setfacl -d -m g:PDCN\\cad:rwx /test


Thanks,

Krishna Kant

control access using smb.conf

Hi Benny,

I try it. but its not working.

Thanks,
Krishna Kant

# ls -al /test

also how does you [test] share section look like now? (post the config)
whats the error msg u are getting when u try to access test share now?

# smbclient //192.168.2.27/test -U jen
Password:
Domain=[PDCN] OS=[Unix] Server=[Samba 3.0.33-3.7.el5]
smb: \> ls
NT_STATUS_NETWORK_ACCESS_DENIED listing \*

0 blocks of size 0. 511 blocks available
smb: \> mkdir jk
NT_STATUS_NETWORK_ACCESS_DENIED making remote directory \jk
smb: \>


Thanks,
Krishna Kant

you are mixing up things here:

which server are you using?
whats this?? where are you doing this on? my commamnd and the command that you ran are very different, you failed to copy??
this doesnt look like a linux shell prompt, what are you doing really?? where does the share reside?? my command was supposed to run on the linux samba server shell prompt not in smbclient. I wanted tto see the permissions of that share.
who do you log on as on the windows client?? also you have changed the users and groups from the original that you posted with, so I can no longer give correct references. Please maintain consistence in your test scenario. you now have Jen, who is jen? please maintain groups stat, cad and users joe and jack, also maintain a share test, then we can easily follow whats going on.

Actually I have a PDC(openldap + samba) and a samba file server.
File server join with PDC. Users and groups are exist on PDC not
file server.

I have set group based acl on share folder(share folder is exist on samba file server).Share folder permission is 770(rwxrwx---). I mentioned samba
file server smb.conf above.


I am using smbclient command to access share folder on samba file server.


Thanks

Hi Benny,

My problem is resolve now. my problem in /etc/nsswitch.conf file.

Thanks for your support.

Thanks,
Krishna Kant

Good to hear

Can you post your file for us?

I have the same problem. Tks!!!