Avatar of RegProctor
RegProctor
Flag for United States of America asked on

Samba alternative group share problem

Hello,

I have a user, "reg"  which is a member of "users" but also a member of the groups "svn", "web-dev" and a couple of other groups.

When logged on as this user on my server I can get to a directory called ".svn" but not when using the same user through a samba share.

Below are the details of my setup  and what happens when when I list from the samba share vs. on the server as the same user and the samba config files. Both the client and the server are Linux computers, OS = openSUSE 11.0 (client) & 11.2 (server). The uid of "reg" is the same on the server and client.

The share in question is "[data]" which you can see from the smb.conf file is a very simple config.

The share is mounted on the client with a normal cifs mount.

As you can see from line 48 below that from the client I get a "permission denied" which is not the case from the server (line 67).

Client cifs-mount version is 3.4.5
Server samba version is 3.4.2


Any help appreciated.


SAMBA CONFIG. FILES:

- SMB.CONF
[global]
        add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
        domain logons = No
        domain master = No
        passdb backend = smbpasswd
        security = user
        username map = /etc/samba/smbusers
        wins support = No
        workgroup = Multiverse
        create mask = 0774
        directory mask = 0774
        netbios name = Neutrino
        hide dot files = no
	encrypt passwords = yes

[netlogon]

[data]
        inherit acls = No
        path = /data
        read only = No

- SMBUSERS
root = administrator
;nobody = guest pcguest smbguest
reg = reg


FROM SAMBA SHARE AS USER reg:

reg@quark> l
total 36
drwxrwsr-x   6 reg   1001     0 2010-02-18 23:11 ./
drwxr-xr-x   9 reg users   4096 2010-02-18 18:22 ../
-rwxrwxr--   1 reg   1001   169 2010-02-18 23:11 .buildpath*
drwxrwsrwx   7 reg   1001     0 2010-02-19 16:49 files/
drwxrwsr-x 193 reg   1001     0 2010-02-18 23:08 modules/
-rwxrwxr--   1 reg   1001   506 2010-02-18 23:11 .project*
-rw-r-Sr--   1 reg   1001 10876 2010-02-18 22:53 settings.php
-rwxrwxr--   1 reg   1001  9453 2010-02-18 22:45 settings.php.prev*
drwxrws---   6 115 tomcat     0 2010-02-18 23:08 .svn/
drwxrwsr-x  59 reg   1001     0 2010-02-19 18:04 themes/

reg@quark>  l .svn
ls: cannot open directory .svn: Permission denied

reg@quark>

FROM THE SERVER AS reg:

reg@neutrino> l
total 56
drwxrwsr-x   6 reg web-dev  4096 2010-02-18 23:11 ./
drwxr-sr-x   8 reg web-dev  4096 2010-02-18 18:19 ../
-rwxrwxr--   1 reg web-dev   169 2010-02-18 23:11 .buildpath*
drwxrwsrwx   7 reg web-dev  4096 2010-02-19 16:49 files/
drwxrwsr-x 193 reg web-dev  4096 2010-02-18 23:08 modules/
-rwxrwxr--   1 reg web-dev   506 2010-02-18 23:11 .project*
-rw-r-Sr--   1 reg web-dev 10876 2010-02-18 22:53 settings.php
-rwxrwxr--   1 reg web-dev  9453 2010-02-18 22:45 settings.php.prev*
drwxrws---   6 svn svn      4096 2010-02-18 23:08 .svn/
drwxrwsr-x  59 reg web-dev  4096 2010-02-19 18:04 themes/

reg@neutrino> l .svn
total 32
drwxrws--- 6 svn svn     4096 2010-02-18 23:08 ./
drwxrwsr-x 6 reg web-dev 4096 2010-02-18 23:11 ../
-rwxrwx--- 1 svn svn      296 2010-02-18 23:08 all-wcprops*
-rwxrwx--- 1 svn svn      572 2010-02-18 23:08 entries*
drwxrws--- 2 svn svn     4096 2010-02-18 22:45 prop-base/
drwxrws--- 2 svn svn     4096 2010-02-18 22:45 props/
drwxrws--- 2 svn svn     4096 2010-02-18 23:08 text-base/
drwxrws--- 5 svn svn     4096 2010-02-18 23:08 tmp/

reg@neutrino>

Open in new window

File Sharing SoftwareLinux NetworkingServer Hardware

Avatar of undefined
Last Comment
RegProctor

8/22/2022 - Mon
RegProctor

ASKER
If I change the group of .svn. to "web-dev" I still can't list it however if I change the group to "users", the main group for "reg" I can list the .svn directory. clearly it is just ignoring the additional groups and adding "force group = svn" in "global" and/or "data" seems to not help at all.
RegProctor

ASKER
I added the group "svn" to the client with and gave it the same gid as the server's svn group -- I didn't think it would make any difference but figured it was worth a shot, no change though.
Pieter Jordaan


Why are you using samba between two linux machines ?

If you create an nfs share on the server /etc/exports
and mount it from the client, unix permissions will apply.

mount -t nfs server:/share
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
Pieter Jordaan

Daniel McAllister

Not to argue the point that NFS would be a better sharing solution, the issue will be the same, whether via NFS or Samba.... that, and the questioner asked how to fix what he has, not how to do what he wants better.

The issue is actually rather simple -- a classic case of user/group spaces NOT being shared or synchronized

When you login as reg on BOX1 and view the permissions of .svn, you see them as:
  drwxrws---   6 svn svn      4096 2010-02-18 23:08 .svn/

Which is to say, that the owner is UID 115 (which on that system's passwd file, belongs to the user svn), and the group is similarly svn (GID unknown from the information provided, but quite likely GID 115).

Now, you connect from BOX2 and view the permissions of .svn and you see them as:
  drwxrws---   6 115 tomcat     0 2010-02-18 23:08 .svn/

This is to say, that from the PERSPECTIVE OF THIS SYSTEM, svn is owned by UID 115 (which has no /etc/passwd entry at all), and has GID (potentially 115) that matches the group tomcat in the local /etc/group.


To see it more succinctly, try running the ls -ln command on .svn and see what you see... on EACH you should see the same:
  drwxrws---   6 115 115    0 2010-02-18 23:08 .svn/

(Granted, I've assumed here that the group svn on BOX1 has GID 115 -- but I think that a reasonable assumption!)

================

To put it simply, if you want the permissions to apply on BOX2, then the username/groupnames need to be the same (or at least the same for the users & groups desired) on BOX2.

So, to have .svn  appear on BOX2 to have the same permissions as on BOX1, you need to CREATE the user svn (with UID 115) in /etc/passwd, and CHANGE the group named tomcat to be the group named svn on BOX2 (if you need a group called tomcat, create one with a different GID - preferably the same as the one on BOX1).

In addition, if user reg is supposed to belong to "users", "svn", "web-dev" and a couple of other groups, he'll need to belong to those groups on BOTH systems....

Good Luck!

Dan
IT4SOHO
ASKER CERTIFIED SOLUTION
Daniel McAllister

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
GET A PERSONALIZED SOLUTION
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
RegProctor

ASKER
Dan, this was terrific, thanks! ...there is always something new to learn on Linux. I'll try this all out tonight or at the latest tomorrow and get back to you (I would do it now if I didn't have a deadline to deal with).

Thanks again.
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
RegProctor

ASKER
BTW, I do share this with a Windows computer as well at times, hence samba.  I didn't mention it because I didn't think it was pertinent to the problem so you were spot on with your original statement.
RegProctor

ASKER
Worked like a charm.