[Pkg-samba-maint] Bug#535910: Bug#535910: samba: Samba not checking /etc/group for secondary groups when determining filesystem access

Christian Perrier bubulle at debian.org
Wed Jul 22 21:31:37 UTC 2009


Quoting Trev Peterson (trev at advanced-reality.com):
> Package: samba
> Version: 2:3.2.5-4lenny6
> Severity: important
> 
> When upgrading from Etch samba stopped checking secondary groups in /etc/group for filesystem 
> permissions when determining filesystem access.  We use winbind and authentication is working 
> correctly.  If the group ownership is changed to the primary group (from /etc/passwd), 
> the file is owned by the user or everyone has rights access is granted as per the unix 
> permissions.  Group and User enumeration is shown to be working (turning up debug and checking 
> the logs shows it enumerated to the UID and GID for that user from /etc/passwd).  getent 
> groups shows the normal (full) group listing as it should.

I finally tried to reproduce what I understand from the bug report but
I may be understanding wrongly.

I used the following share:

[share]
directory mask=0700
browseable=yes
comment=Public
read only=no
create mask=0770
public=yes
path=/var/tmp/samba-test
valid users = @bob

The "bob" group contains two users: bubulle and spongebob
For both these users, this is a secondary group.

root at mykerinos:/var/tmp/samba-test# id spongebob
uid=1002(spongebob) gid=1002(spongebob) groupes=1002(spongebob),1001(bikinibottom),1007(bob)


The /var/tmp/samba-test directory contains the following file:

root at mykerinos:/var/tmp/samba-test# ls -l testfile
-rw-rw---- 1 bubulle bob 0 avr 23 23:40 testfile

If I connect to this share as spongebob, I can grab "testfile":
bubulle at mykerinos:~/tmp> smbclient //localhost/share -U spongebob
Enter spongebob's password:
Domain=[DRIS] OS=[Unix] Server=[Samba 3.4.0]
smb: \> get testfile
getting file \testfile of size 0 as testfile (0,0 KiloBytes/sec) (average 0,0 KiloBytes/sec)
smb: \> exit

I may be missing something, of course. Particularly, you mention that
users are authenticated by winbind, so that might influence things.

You mention that "getent groups shows the normal (full) group listing
as it should." However, what does "groups <foo>" output when user
"foo" is a domain user? Do you get all domain groups which foo is
member of?
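
The check asked for above, as an added example that is not part of the original message or of Samba: it compares the groups found by enumerating the group database (what getent lists) with the list the system actually resolves for a user (what id/groups prints). The function names and SAMPLE_GROUPS are assumptions made for this example; the sample is constructed from the ids shown in the message.

```python
import grp
import os
import pwd
import stat
import sys

# Constructed sample mirroring the message: (group name, gid, members).
SAMPLE_GROUPS = [
    ("spongebob", 1002, []),
    ("bikinibottom", 1001, ["spongebob"]),
    ("bob", 1007, ["bubulle", "spongebob"]),
]

def enumerated_gids(user, primary_gid, groups):
    """GIDs found by walking the group database, as `getent group` lists it."""
    return {primary_gid} | {gid for _, gid, members in groups if user in members}

def group_diff(user, primary_gid, groups, resolved_gids):
    """Return (enumerated but not resolved, resolved but not enumerated)."""
    enumerated = enumerated_gids(user, primary_gid, groups)
    resolved = set(resolved_gids)
    return sorted(enumerated - resolved), sorted(resolved - enumerated)

def group_bits_allow_read(mode, file_gid, gids):
    """True when the file's group read bit applies to one of the given GIDs.

    Only the group class is checked; the caller is assumed not to own the file.
    """
    return file_gid in gids and bool(mode & stat.S_IRGRP)

if __name__ == "__main__":
    # Live check: user name from argv, else the current user.
    user = sys.argv[1] if len(sys.argv) > 1 else pwd.getpwuid(os.getuid()).pw_name
    pw = pwd.getpwnam(user)
    groups = [(g.gr_name, g.gr_gid, g.gr_mem) for g in grp.getgrall()]
    resolved = os.getgrouplist(user, pw.pw_gid)  # same list `id` reports
    missing, extra = group_diff(user, pw.pw_gid, groups, resolved)
    print("resolved gids:", sorted(resolved))
    print("enumerated but not resolved:", missing)
    print("resolved but not enumerated:", extra)
```

A non-empty "enumerated but not resolved" list for a domain user means enumeration looks complete while the per-user lookup is not returning those secondary groups.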

