[Freeipa-users] IPA, samba, and secondary groups

Stephen Gallagher sgallagh at redhat.com
Wed Feb 29 19:13:04 UTC 2012


On Wed, 2012-02-29 at 13:49 -0500, Kelvin Edmison wrote:
> 
> 
> On 12-02-29 1:40 PM, "Stephen Gallagher" <sgallagh at redhat.com> wrote:
> 
> > On Wed, 2012-02-29 at 11:24 -0500, Kelvin Edmison wrote:
> >> Hi all,
> >> 
> >>  I am running into an issue where users cannot access a samba volume if
> >> their only access is via a secondary group.  For example, if testuser's
> >> primary group is ipausers, and secondary groups include testgroup, and the
> >> samba mount permissions are adminuser:testgroup:rwxrwx---, then testuser
> >> cannot read or write to the samba mount.  If the testuser is changed so that
> >> its primary group is testgroup, then testuser can access the volume.
> >> 
> >> In this case, samba is running on a separate CentOS 5 server, configured to
> >> access IPA via LDAP.  It is a requirement that I support
> >> userid/password-based access to the samba server, as I cannot roll all my
> >> users onto kerberos right away.
> >> 
> >> Does anyone have any insight as to what is going on and how it can be fixed?
> > 
> > 
> > First step would be to make sure that the system is properly looking up
> > the user's secondary groups.
> > 
> > Try 'id testuser' and see if 'testgroup' is listed in the output. If
> > it's not, I'll bet you have either a configuration issue or a bug in
> > SSSD somewhere.
> > 
> > Also, what version of SSSD are you running? FreeIPA pretty much needs
> > 1.5.x or later nowadays for full feature support.
> 
> 'id testuser' returns gid=ipausers and groups=ipausers,testgroup.
> 
> SSSD RPM is sssd-1.5.1-37.el5
> 
> I'm no samba expert so it's quite possible I may have botched setup in that
> arena.


One more question: was the user added to "testgroup" after logging in?
Does logging out and logging back in resolve the problem? In Linux,
users are only assigned their groups at login time. They don't ever
change memberships until a new session.
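The point above, that a process carries a supplementary group list fixed at login while `id testuser` re-reads the group database, is modelled in the following script. It is an added example, not code from anyone in this thread: the user, group and share names come from the question, but the numeric ids, the in-memory "database" and the function names are constructed for illustration. It runs offline; the last function is the only one that touches the real system, and it is only meaningful when run as the user being checked.

```python
"""Model of why a login session can miss a newly added secondary group.

Added example (not from the thread). It simulates the classic Unix
owner/group/other permission check and shows that the check uses the
supplementary group list the process received at login (initgroups),
not the group database that `id testuser` reads through NSS/SSSD.
All ids and the in-memory database below are constructed.
"""
import grp
import os
import pwd

# Constructed stand-in for what NSS/SSSD returns.  passwd: name -> (uid, primary gid);
# groups: name -> (gid, [member names]).  Initially testuser is NOT in testgroup.
PASSWD = {"adminuser": (1000, 1000), "testuser": (1001, 1000)}
GROUPS = {"ipausers": (1000, []), "testgroup": (1002, [])}

# Share as described in the thread: adminuser:testgroup, mode rwxrwx--- (0770).
SHARE_UID, SHARE_GID, SHARE_MODE = 1000, 1002, 0o770
R_OK, W_OK, X_OK = 4, 2, 1


def groups_from_database(user, passwd=PASSWD, groups=GROUPS):
    """Groups as the database lists them right now (what `id testuser` prints):
    primary gid plus every group whose member list names the user."""
    uid, primary = passwd[user]
    gids = {primary}
    for gid, members in groups.values():
        if user in members:
            gids.add(gid)
    return uid, primary, frozenset(gids)


def login(user):
    """Snapshot the credentials at login time, like initgroups()/setgroups().
    The returned session never consults the database again."""
    uid, _primary, gids = groups_from_database(user)
    return {"uid": uid, "gids": gids}


def permission_check(uid, gids, st_uid, st_gid, mode, want):
    """Discretionary check for a non-root caller: exactly one class
    (owner, then group, then other) applies, and only its bits count."""
    if uid == st_uid:
        bits = (mode >> 6) & 7
    elif st_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want


def can_use_share(session):
    return permission_check(session["uid"], session["gids"],
                            SHARE_UID, SHARE_GID, SHARE_MODE, R_OK | W_OK)


def simulate_thread():
    """Reproduce the sequence from the thread with fresh copies of the database."""
    passwd, groups = dict(PASSWD), {k: (g, list(m)) for k, (g, m) in GROUPS.items()}
    stale = login("testuser")                           # logged in before the change
    groups["testgroup"][1].append("testuser")           # admin adds the secondary group
    _, _, db_now = groups_from_database("testuser", passwd, groups)
    fresh = login.__wrapped__("testuser", passwd, groups) if hasattr(login, "__wrapped__") \
        else {"uid": db_now and passwd["testuser"][0], "gids": db_now}
    return {
        "database_lists_testgroup": 1002 in db_now,      # what `id testuser` shows
        "old_session_has_access": can_use_share(stale),  # still running old credentials
        "new_session_has_access": can_use_share(fresh),  # after logging out and in
    }


def stale_groups_on_this_host():
    """Real-system check: groups the database grants the current user that the
    running process does not carry.  Non-empty means a re-login is needed."""
    me = pwd.getpwuid(os.getuid())
    db = {me.pw_gid} | {g.gr_gid for g in grp.getgrall() if me.pw_name in g.gr_mem}
    return sorted(db - set(os.getgroups()))


if __name__ == "__main__":
    print(simulate_thread())
    print("groups missing from this session:", stale_groups_on_this_host())
```

The simulation returns `database_lists_testgroup` true, `old_session_has_access` false and `new_session_has_access` true, which is exactly the symptom in the question: `id testuser` shows the group, yet a session opened before the membership change still fails the group branch of the permission check. On a real host, `stale_groups_on_this_host()` run as the affected user (via `sudo -u testuser python3 ...`, for instance) lists any gid the database grants that the session lacks; an empty list rules out stale credentials and points at the Samba side instead.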