[Pkg-samba-maint] DO NOT REPLY [Bug 6230] 'force group' still broken in 3.3.2

samba-bugs at samba.org samba-bugs at samba.org
Sun Aug 30 10:50:05 UTC 2009


https://bugzilla.samba.org/show_bug.cgi?id=6230





------- Comment #34 from korn-bugzilla.samba.org at elan.rulez.org  2009-08-30 05:50 CST -------
(In reply to comment #33)
> (In reply to comment #31)
> > (In reply to comment #28)
> > 
> > I'm either missing something or disagreeing with you, I don't know which. :) To
> > me, the intuitive behaviour would be for Samba to join all Unix groups the
> > connecting user is a member of, regardless of whether they have
> > sambaGroupMappings; as I understood it so far, sambaGroupMappings are only
> > there for the benefit of Windows. If a group has no mapping, then Windows can't
> > see it (meaning that Samba doesn't advertise it in any way).
> > 
> > Why is it necessary for all groups, even the ones only used on the Unix side,
> > to have sambaGroupMappings? If a group that has no such mapping owns a file,
> > that ownership needn't be reported to Windows at all (as it's not necessary
> > that a file be owned by a user as well as a group in Winland). It can be
> > omitted from ACLs reported to Windows too. I can't currently think of a
> > scenario that would make it necessary to insist on all Unix groups to have
> > sambaGroupMappings.
> > 
> > In any case, I'd consider the misleading error message to be a bug; at least a
> > warning to the effect of "Group 'foo' doesn't have a sambaGroupMapping,
> > ignoring it" should, I think, be logged.
> > 
> > Andras
> > 
> 
> UNIX groups that have no members who are both UNIX and Samba/Windows users do
> not need to be mapped to Windows groups.  However, all UNIX groups of which
> Windows users are members require a Windows group mapping.

I understand that this is how things are, but not why, given the above. Windows
just needn't know about the groups that have no Windows mappings; they could
still be used on the Unix side.

> Given that there are usually not many UNIX groups, why not map all of them so
> that you will not get caught out at a later time?  Volker's advice is good
> advice.

I can certainly map all of them, which works around this limitation. That this
is necessary surprises me though, for the reasons outlined above.

Also, I think it might actually be useful to hide some Unix groups from
Windows.

For example, suppose I have a Unix directory, a subdirectory of a share, owned
by group "foo", with POSIX ACLs like d:g:foo:rwx,g:foo:rwx. Also suppose some
of my users (the Unix users their Windows accounts are mapped to) are members
of group foo. If Samba worked the way I had assumed it did, then group foo
wouldn't be visible to any Windows-based access control manipulation tools;
thus, the ability of group foo to read and write this directory couldn't be
removed by Windows users even by accident, resulting in a sort of mandatory
access control. There may be other means to this end, but this is
straightforward in the sense that no magic at all is involved on the Unix side
and no fancy Samba configuration is needed.

Andras
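
The rule quoted in this message (every Unix group that has Windows users as members needs a group mapping) can be checked before it causes a failure. The following is an added example, not part of the original message or of Samba: it compares group-file text with `net groupmap list` style output and reports unmapped groups that contain Samba users. The sample data, the SIDs and the `SAMBA_USERS` set are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in /etc/group layout: name:passwd:gid:member,member
SAMPLE_GROUP_FILE = """\
users:x:100:alice,bob
foo:x:1001:alice
ops:x:1002:carol
backup:x:34:
"""

# Constructed sample in the "NT name (SID) -> unix group" layout that
# `net groupmap list` prints; the SIDs are made up.
SAMPLE_GROUPMAP = """\
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users
"""

# Assumption: the Unix accounts that Windows users are mapped to.
SAMBA_USERS = {"alice", "bob"}

GROUPMAP_LINE = re.compile(r"^(?P<nt>.+) \((?P<sid>S-[0-9-]+)\) -> (?P<unix>.+)$")

def parse_group_file(text):
    """Return {group name: set of supplementary members}."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4 or line.startswith("#"):
            continue  # skip blank, comment and malformed lines
        groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups

def parse_groupmap(text):
    """Return the set of Unix group names that already have a mapping."""
    matches = (GROUPMAP_LINE.match(line.strip()) for line in text.splitlines())
    return {m.group("unix") for m in matches if m}

def unmapped_groups(group_text, groupmap_text, samba_users):
    """Return {unmapped group: sorted Samba users in it}."""
    # Only supplementary membership from the group file is checked; primary
    # groups (the gid field of passwd entries) are not covered here.
    mapped = parse_groupmap(groupmap_text)
    return {name: sorted(members & samba_users)
            for name, members in parse_group_file(group_text).items()
            if name not in mapped and members & samba_users}

if __name__ == "__main__":
    found = unmapped_groups(SAMPLE_GROUP_FILE, SAMPLE_GROUPMAP, SAMBA_USERS)
    for name, members in found.items():
        print(f"{name}: no group mapping, Samba users: {', '.join(members)}")
```
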

