[Freeipa-users] IPA, samba, and secondary groups
Kelvin Edmison
kelvin at kindsight.net
Wed Feb 29 18:49:27 UTC 2012
On 12-02-29 1:40 PM, "Stephen Gallagher" <sgallagh at redhat.com> wrote:
> On Wed, 2012-02-29 at 11:24 -0500, Kelvin Edmison wrote:
>> Hi all,
>>
>> I am running into an issue where users cannot access a samba volume if
>> their only access is via a secondary group. For example, if testuser's
>> primary group is ipausers, and secondary groups include testgroup, and the
>> samba mount permissions are adminuser:testgroup:rwxrwx---, then testuser
>> cannot read or write to the samba mount. If the testuser is changed so that
>> its primary group is testgroup, then testuser can access the volume.
>>
>> In this case, samba is running on a separate CentOS 5 server, configured to
>> access IPA via LDAP. It is a requirement that I support
>> userid/password-based access to the samba server, as I cannot roll all my
>> users onto kerberos right away.
>>
>> Does anyone have any insight as to what is going on and how it can be fixed?
>
>
> First step would be to make sure that the system is properly looking up
> the user's secondary groups.
>
> Try 'id testuser' and see if 'testgroup' is listed in the output. If
> it's not, I'll bet you have either a configuration issue or a bug in
> SSSD somewhere.
>
> Also, what version of SSSD are you running? FreeIPA pretty much needs
> 1.5.x or later nowadays for full feature support.
'id testuser' returns gid=ipausers and groups=ipausers,testgroup.

SSSD RPM is sssd-1.5.1-37.el5

I'm no samba expert so it's quite possible I may have botched setup in that
arena.