[Pkg-samba-maint] Bug#520309: 'force group' still broken in 3.3.2
Andras Korn
korn-debbugs at elan.rulez.org
Wed Mar 18 18:40:47 UTC 2009
Package: samba
Version: 2:3.3.2-1
Severity: normal
Hi,
I have a samba pdc that uses an ldapsam backend. Everything seems to work,
with the exception of the following share:
[store]
    path = /store
    hide unreadable = yes
    csc policy = disable
    force group = +Power Users
    inherit acls = true
    volume = STORE
    create mask = 0666
    directory mask = 0777
When I connect to this share from either smbclient or Windows on a domain
workstation, the connection is denied and samba logs "make_connection:
connection to store denied due to security descriptor." If I comment out
"force group", connections succeed.
The users I tested with were members of "power users", but I also tested
with just "force group = username" (the name of the actual user), which
should have had no effect for that user as his primary gid was already his
own usergroup. But the connection was denied even so.
The [global] section of my smb.conf reads as follows:
[global]
    dos charset = CP852
    display charset = UTF-8
    workgroup = KORN
    netbios name = PDC
    server string = PDC
    auth methods = guest sam
    update encrypted = Yes
    obey pam restrictions = Yes
    passdb backend = ldapsam:ldap://192.168.0.99/
    pam password change = Yes
    passwd chat debug = Yes
    log level = 1
    debug class = yes
    debug prefix timestamp = yes
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    min protocol = LANMAN1
    announce version = 9.9
    name resolve order = lmhosts host wins bcast
    time server = Yes
    deadtime = 1440
    max smbd processes = 30
    socket options = SO_KEEPALIVE IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
    hostname lookups = Yes
    add machine script = /usr/local/sbin/add-machine "%u"
    logon script = %u.cmd
    logon path =
    logon drive = N:
    logon home = \\%L\%u\profile
    domain logons = Yes
    os level = 255
    preferred master = Yes
    domain master = Yes
    ldap admin dn = cn=admin,dc=intra
    ldap group suffix = ou=Group
    ldap idmap suffix = ou=idmap
    ldap machine suffix = ou=Computers
    ldap passwd sync = Yes
    ldap user suffix = ou=People
    ldap suffix = dc=intra,dc=guy
    ldap ssl = no
    panic action = /usr/share/samba/panic-action %d
    ldapsam:trusted = yes
    ldapsam:editposix = yes
    admin users = root, Administrator
    hosts allow = 192.168.0.0/24, 127.0.0.0/8
    profile acls = Yes
    use sendfile = Yes
    hide dot files = No
    map archive = No
    algorithmic rid base = 100000
    unix password sync = yes
    client ntlmv2 auth = yes
    acl group control = yes
    force unknown acl user = yes
    smb ports = 445 139
    min receivefile size = 32k
    disable netbios = no
    reset on zero vc = yes
    ea support = yes
    map acl inherit = yes
    server signing = auto
    printcap name = cups
    printing = cups
    cups options = "raw"
    mangle prefix = 3
    hide special files = yes
    map read only = permissions
    wins support = yes
    preload = guy
    utmp = yes
    delete readonly = yes
    dos filemode = yes
Andras
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.28.5-vs2.3.0.36.7
Locale: LANG=C, LC_CTYPE=hu_HU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
--
Andras Korn <korn at chardonnay.math.bme.hu>
<http://chardonnay.math.bme.hu/~korn/> QOTD:
He who laughs, lasts.