[gpfsug-discuss] CIFS protocol access does not honor secondary groups

Simon Thompson S.J.Thompson at bham.ac.uk
Thu Oct 3 10:17:15 BST 2019


This works for us, so it's something that should work. It's probably related to the way your authentication is set up. We used to use custom from before IBM supporting AD+LDAP, and we had to add entries for the group SID in the LDAP server also, but since moving to the "supported" way of doing this, we don't think we need this anymore. You might want to do some digging with the wbinfo command and see if groups/SIDs resolve both ways, but I'd suggest opening a PMR on this.

You could also check what file-permissions look like with mmgetacl. In the past we've seen some funkiness where creator/owner isn't on/inherited, so if the user owns the file/directory but the permission is to the group rather than directly the user, they can create new files but then not read them afterwards (though other users in the group can). I forget the exact details as we worked a standard inheritable ACL that works for us.

Simon

On 02/10/2019, 18:02, "gpfsug-discuss-bounces at spectrumscale.org on behalf of David Johnson" <gpfsug-discuss-bounces at spectrumscale.org on behalf of david_johnson at brown.edu> wrote:

    After converting from clustered CIFS to CES protocols, we’ve noticed that SMB
    users can’t access files owned by groups that they are members of, unless that 
    group happens to be their primary group.  Have read the smb.conf man page,
    and don’t see anything obvious that would control this…  What might we be missing?
    
    Thanks,
     — ddj
    Dave Johnson 
    Brown University CCV/CIS
    _______________________________________________
    gpfsug-discuss mailing list
    gpfsug-discuss at spectrumscale.org
    http://gpfsug.org/mailman/listinfo/gpfsug-discuss
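
One way to run the "resolve both ways" check suggested in the reply above, as an added example that is not part of the original thread. It assumes wbinfo is on PATH (set WBINFO to its full path otherwise); the script, function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): round-trip check of GID <-> SID mappings.
# Assumption: wbinfo is on PATH; set WBINFO to its full path if it is not.
WBINFO="${WBINFO:-wbinfo}"

# check_gid GID
# Prints one status line and returns 0 only when GID -> SID -> GID lands back
# on the same GID, i.e. the mapping resolves both ways.
check_gid() {
    cg_gid="$1"
    cg_sid=$("$WBINFO" --gid-to-sid "$cg_gid" 2>/dev/null) || {
        printf '%s\n' "FAIL gid=$cg_gid: no SID"; return 1; }
    cg_back=$("$WBINFO" --sid-to-gid "$cg_sid" 2>/dev/null) || {
        printf '%s\n' "FAIL gid=$cg_gid sid=$cg_sid: SID does not map to a GID"; return 1; }
    if [ "$cg_back" != "$cg_gid" ]; then
        printf '%s\n' "FAIL gid=$cg_gid sid=$cg_sid: maps back to gid=$cg_back"; return 1
    fi
    # Name lookup is informational; a missing name does not fail the check.
    cg_name=$("$WBINFO" --sid-to-name "$cg_sid" 2>/dev/null) || cg_name="(no name)"
    printf '%s\n' "OK   gid=$cg_gid sid=$cg_sid name=$cg_name"
}

# check_gids GID...
# Checks every GID and returns the number of failures (0 = all resolve).
check_gids() {
    cg_failed=0
    for cg_g in "$@"; do
        check_gid "$cg_g" || cg_failed=$((cg_failed + 1))
    done
    return "$cg_failed"
}

# Usage: sh check_groups.sh USER
# id -G lists the primary GID first, then the secondary groups.
if [ "$#" -ge 1 ]; then
    check_gids $(id -G "$1")
    printf '%s\n' "unresolved groups: $?"
fi
```

Run it on a protocol node for an affected user; any FAIL line for a secondary group is worth including when opening the PMR.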
    


