[Freeipa-users] IPA, samba, and secondary groups

Kelvin Edmison kelvin at kindsight.net
Wed Feb 29 19:20:39 UTC 2012




On 12-02-29 2:13 PM, "Stephen Gallagher" <sgallagh at redhat.com> wrote:

> On Wed, 2012-02-29 at 13:49 -0500, Kelvin Edmison wrote:
>> 
>> 
>> On 12-02-29 1:40 PM, "Stephen Gallagher" <sgallagh at redhat.com> wrote:
>> 
>>> On Wed, 2012-02-29 at 11:24 -0500, Kelvin Edmison wrote:
>>>> Hi all,
>>>> 
>>>>  I am running into an issue where users cannot access a samba volume if
>>>> their only access is via a secondary group.  For example, if testuser's
>>>> primary group is ipausers, and secondary groups include testgroup, and the
>>>> samba mount permissions are adminuser:testgroup:rwxrwx---, then testuser
>>>> cannot read or write to the samba mount.  If the testuser is changed so that
>>>> its primary group is testgroup, then testuser can access the volume.
>>>> 
>>>> In this case, samba is running on a separate CentOS 5 server, configured to
>>>> access IPA via LDAP.  It is a requirement that I support
>>>> userid/password-based access to the samba server, as I cannot roll all my
>>>> users onto kerberos right away.
>>>> 
>>>> Does anyone have any insight as to what is going on and how it can be fixed?
>>> 
>>> 
>>> First step would be to make sure that the system is properly looking up
>>> the user's secondary groups.
>>> 
>>> Try 'id testuser' and see if 'testgroup' is listed in the output. If
>>> it's not, I'll bet you have either a configuration issue or a bug in
>>> SSSD somewhere.
>>> 
>>> Also, what version of SSSD are you running? FreeIPA pretty much needs
>>> 1.5.x or later nowadays for full feature support.
>> 
>> 'id testuser' returns gid=ipausers and groups=ipausers,testgroup.
>> 
>> SSSD RPM is sssd-1.5.1-37.el5
>> 
>> I'm no samba expert so it's quite possible I may have botched setup in that
>> arena.
> 
> 
> One more question: was the user added to "testgroup" after logging in?
> Does logging out and logging back in resolve the problem? In Linux,
> users are only assigned their groups at login time. They don't ever
> change memberships until a new session.

Unfortunately, it does not resolve the problem. I have even gone to the
extent of ensuring that testuser was logged out, and then shutting down
sssd, clearing its cache, and restarting it.

Should I expect that secondary groups would work in this samba/ipa
configuration?
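The two checks the thread turns on are (1) whether the share's group shows up in the user's `id` output at all and (2) whether a POSIX owner:group:mode like adminuser:testgroup:rwxrwx--- grants access when the user reaches the group only as a supplementary one. The script below is an added example, not part of the thread or of FreeIPA/SSSD/Samba; it works entirely on constructed `id` output (the two sample strings are made up to mirror the thread's setup, one for what the directory returns and one for a session opened before the group was added) and emulates the filesystem's owner/group/other decision so you can see which view grants access and which denies it.

```shell
#!/bin/sh
# Added example (not from the thread). Emulates the group checks offline on
# constructed 'id' output; nothing here queries a live IPA/SSSD/Samba host.

# Constructed: what 'id testuser' returned in the thread (gid=ipausers,
# groups=ipausers,testgroup), in the numeric(name) form id(1) prints.
DIR_ID='uid=1001(testuser) gid=1001(ipausers) groups=1001(ipausers),1002(testgroup)'
# Constructed: what 'id' would print inside a session opened *before* the
# user was added to testgroup. Supplementary groups are fixed at login, so
# the new group is absent until the user logs in again.
SESSION_ID='uid=1001(testuser) gid=1001(ipausers) groups=1001(ipausers)'

# id_groups ID_OUTPUT -> prints the group names from the groups= field, one per line
id_groups() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' \
        | sed 's/^[0-9]*(\(.*\))$/\1/'
}

# id_user ID_OUTPUT -> prints the user name from the uid= field
id_user() {
    printf '%s\n' "$1" | sed -n 's/^uid=[0-9]*(\([^)]*\)).*/\1/p'
}

# in_list NAME WORD... -> 0 if NAME equals one of the WORDs
in_list() {
    needle="$1"; shift
    for w in "$@"; do
        [ "$w" = "$needle" ] && return 0
    done
    return 1
}

# user_in_group GROUP ID_OUTPUT -> 0 if GROUP is the primary or a supplementary group
# (id lists the primary group in groups= as well, so one lookup covers both).
user_in_group() {
    in_list "$1" $(id_groups "$2")
}

# posix_access OWNER GROUP MODE WANT ID_OUTPUT
# Emulates the filesystem decision: the first class the user falls into
# (owner, then group, then other) decides, and group membership counts
# whether GROUP is the user's primary or a supplementary group.
# MODE is the nine-character ls -l form (e.g. rwxrwx---); WANT is r, w or x.
posix_access() {
    owner="$1"; grp="$2"; mode="$3"; want="$4"; idout="$5"
    if [ "$(id_user "$idout")" = "$owner" ]; then
        class=$(printf '%s' "$mode" | cut -c1-3)
    elif user_in_group "$grp" "$idout"; then
        class=$(printf '%s' "$mode" | cut -c4-6)
    else
        class=$(printf '%s' "$mode" | cut -c7-9)
    fi
    case "$class" in
        *"$want"*) return 0 ;;
        *)         return 1 ;;
    esac
}

# missing_groups DIR_ID SESSION_ID -> prints groups the directory grants but
# the running session lacks (the "log out and back in" symptom in the thread)
missing_groups() {
    for g in $(id_groups "$1"); do
        in_list "$g" $(id_groups "$2") || printf '%s\n' "$g"
    done
}

main() {
    share_owner=adminuser; share_group=testgroup; share_mode=rwxrwx---
    if posix_access "$share_owner" "$share_group" "$share_mode" w "$DIR_ID"; then
        echo "directory view: testuser may write via supplementary group $share_group"
    fi
    if ! posix_access "$share_owner" "$share_group" "$share_mode" r "$SESSION_ID"; then
        echo "stale session view: testuser denied; groups not yet picked up:"
        missing_groups "$DIR_ID" "$SESSION_ID"
    fi
}

main "$@"
```

On a real host, feed `posix_access` the output of `id testuser` (the directory view) and, from inside the user's own session, plain `id` (the session view); if the first grants access and the second denies it, the group lookup is fine and the session simply predates the membership change. If even the directory view lacks the group, the problem is upstream in the LDAP/SSSD lookup rather than in Samba.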



