Linux File permissions problem

I need some assistance understanding and fixing some Linux permissions on files and folders.  I don't have the onsite expert available that I once did.  I have an Ubuntu box that hosts our Intranet, and it's integrated with our Active Directory.  The documentation my former network admin left me indicated the "intranetadmins" group is assigned the permissions to log in and manage the files, but when I add a new user to that AD group, they can only log in, they can't change anything.  I have a specific share set up using Samba that allows them to get directly to the site files.

When I list files in the directory using "ls -l", I see something like the following:

drwxrwxr-x 2 Domain\AdminUser Domain\intranetadmins  4096 2011-02-04 06:02 videos
-rwxrwxr-x 1 Domain\AdminUser Domain\intranetadmins   260 2009-04-27 16:23 videos.css

I tried changing the permissions directly on these files and folders setting Domain\AdminUser as the user and Domain\intranetadmins (the group mentioned above) as the group.  These files and folders have permissions set to 775, but the users in the intranetadmin group can't make changes.

Now, I thought this was set up using Likewise Open, at least that was the discussion the network admin and I had at the time.  But I can't find any files that I'd expect related to any Likewise installation (like lsassd.conf), yet I can and do log in with my AD account all the time.  What should I be looking at to determine where my problem is?

Environment: Ubuntu 8.1.0
arnold Commented:
A Samba folder, check /var/log/messages for SELinux alerts when the users try to make changes.
You need to make sure that the UMASK set within the samba share is 002.
Double check that guest is not what the users accessing the share are seen as.
paulqna Commented:
Only the owner of the file or directory can change permissions.
And of course the superuser can do that (root).
Based on the permissions, members of the Domain\intranetadmins can edit/modify the files.
Run id Domain\\user and see whether it is seen as a member of the specified group.
kbirecki (Author) Commented:
Thanks for the responses.  My account has sudo user permissions and I log in with a domain account.  I can chown and chmod to my heart's content, but as I understand it (obviously missing something), with the permissions for the group specified on these files and folders (Domain\intranetadmins), I would have thought anyone in the group could also add, delete & modify these files and folders.

When I run "id Domain\\MyUserAccount" I see all the AD groups my domain account is a member of.
When I run "id Domain\\UserThatShouldHaveAccess" I see that they are a member of the group "Domain\intranetadmins" and the other AD groups they are in.  So it is puzzling that the group "Domain\intranetadmins" is assigned to the files and folders, yet they can't do anything in these folders.

Any suggestions of what I need to change to allow members of the group Domain\intranetadmins access to the files and folders?  Do I understand this correctly when I assign 775 (user-group-other) that 7 in positions 1 and 2 means the user and group should have full read-write access?
arnold Commented:
The modify and add I think is right, but the delete might not be the case.
The other issue you have to check is the path to get to the underlying location.
The issue might be that the reason the user cannot do a thing in these folders is because they do not have the rights to get there.
Try changing directory one at a time as one of those users.
sudo su - domain\\user

cd /
cd /<next directory in the path to those files>
until you get a deny error or until you get to the destination.

Yes, 7 in the owner and group positions grants the owner and group full writes.
The other issue deals with the user who makes changes, i.e. their umask, which may change the mode when they create a file.
It might require using the Group SetUID on the directory:
chmod 2775 directory to set the GroupSetuid
The umask of the user must be 002 to create files with owner and group full access and other read and execute.
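
The path walk and umask checks from the reply above, as an added example that is not part of the original thread: it reads mode bits instead of switching user, flags the first directory a group member cannot enter, and shows the mode a new file gets under a given umask. The function names, the constructed demo tree and the "not-" group name are assumptions made for illustration.

```bash
# Added example, not from the thread. Assumes GNU stat, no ACLs, and a user who
# is not the owner of the directories checked. All paths here are constructed.

# Print the rwx digit that applies to a member of group $2 on path $1: the
# group digit if the path's group is $2, otherwise the "other" digit.
applicable_digit() {
    local perm grp
    perm=$(( 0$(stat -c '%a' "$1") ))        # octal mode, e.g. 02775
    grp=$(stat -c '%G' "$1")
    if [ "$grp" = "$2" ]; then echo $(( (perm >> 3) & 7 )); else echo $(( perm & 7 )); fi
}

# Walk from directory $1 down to $2 and print the first directory a member of
# group $3 cannot enter (no search/x bit). Returns 0 if the whole path is open.
first_blocked() {
    local cur rest dir
    cur=${1%/}; rest=${2#"$cur"}; rest=${rest#/}
    while :; do
        dir=${cur:-/}
        if [ $(( $(applicable_digit "$dir" "$3") & 1 )) -eq 0 ]; then
            echo "$dir"; return 1
        fi
        if [ -z "$rest" ]; then return 0; fi
        cur=$cur/${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
    done
}

# Create a file in directory $2 under umask $1 and print the mode it ends up with.
mode_with_umask() {
    ( umask "$1"; f=$2/probe.$$; : > "$f"; stat -c '%a' "$f"; rm -f "$f" )
}

# Demo: the share is 2775, but its parent is 750 and blocks other groups.
demo=$(mktemp -d); mkdir -p "$demo/site/share"
chmod 755 "$demo"; chmod 750 "$demo/site"; chmod 2775 "$demo/site/share"
grp=$(stat -c '%G' "$demo/site")
echo "blocked for another group: $(first_blocked "$demo" "$demo/site/share" "not-$grp")"
echo "blocked for $grp: $(first_blocked "$demo" "$demo/site/share" "$grp")"
echo "umask 022 -> $(mode_with_umask 022 "$demo/site/share"), umask 002 -> $(mode_with_umask 002 "$demo/site/share")"
rm -rf "$demo"
```

On a real server the walk would start at / and end at the shared folder, with the group name exactly as `ls -l` prints it.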
kbirecki (Author) Commented:
arnold, regarding the path, do the users have to have permissions all the way down the path if they are only getting into a particular subfolder via a Samba share?  This is how I have the users accessing the folder I want them to be able to add, modify and delete files in.  They have no access to anything else, including the parent folders of the folder (and subfolders) in question.  

If they do need access to the parent folders, how do I give them sufficient access while not screwing up permissions on other folders?  I want to limit them to the specific subfolder I've designated.

And regarding umask, it looks like this applies to the currently logged in user, is that correct?  How should I use that to apply read-write permissions to other users?
kbirecki (Author) Commented:
Sorry that I dropped the ball on this question.  After reading through all this, I think my issue is with the PAM module configuration because it seems to be a problem with user accounts.  I thought from some documentation we had that Likewise was in use on the Linux box, but it is not.  I'm still learning Linux.  I'm going to assign points and close this question until I can better figure out what my next step is.....and maybe a more appropriate question to the problem I'm having.
kbirecki (Author) Commented:
The problems snowballed as I got into this more.  Samba and the file permissions seem not to be directly the problem.  It seems there's a number of things on this server that are not standard, and since I didn't put the server together, I think I'm going to rebuild another from scratch trying to follow "best practices" and easier solutions.  Thanks for your help!