[gpfsug-discuss] CIFS protocol access does not honor secondary groups
Simon Thompson
S.J.Thompson at bham.ac.uk
Thu Oct 3 10:17:15 BST 2019
This works for us, so it's something that should work. It's probably related to the way your authentication is set up; we used to use custom from before IBM supporting AD+LDAP and we had to add entries for the group SID in the LDAP server also, but since moving to the "supported" way of doing this, we don't think we need this anymore. You might want to do some digging with the wbinfo command and see if groups/SIDs resolve both ways, but I'd suggest opening a PMR on this.
You could also check what file permissions look like with mmgetacl. In the past we've seen some funkiness where creator/owner isn't on/inherited, so if the user owns the file/directory but the permission is to the group rather than directly the user, they can create new files but then not read them afterwards (though other users in the group can). I forget the exact details as we worked a standard inheritable ACL that works for us.
Simon
On 02/10/2019, 18:02, "gpfsug-discuss-bounces at spectrumscale.org on behalf of David Johnson" <gpfsug-discuss-bounces at spectrumscale.org on behalf of david_johnson at brown.edu> wrote:
After converting from clustered CIFS to CES protocols, we’ve noticed that SMB
users can’t access files owned by groups that they are members of, unless that
group happens to be their primary group. Have read the smb.conf man page,
and don’t see anything obvious that would control this… What might we be missing?
Thanks,
— ddj
Dave Johnson
Brown University CCV/CIS
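
The wbinfo check suggested in the reply above (do groups and SIDs resolve both ways), written out as an added example that is not part of the thread. The function name `check_group_mapping` is hypothetical, and the script assumes `wbinfo` and `id` are on PATH on the protocol node and that the OS view from `id -G` is the reference list of groups.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes wbinfo (Samba winbind client)
# and id are on PATH on the node serving SMB.

# check_group_mapping USER
# For every GID the OS reports for USER, check that winbind also lists it
# and that the GID -> SID -> GID mapping round-trips. Prints one line per
# group and returns 1 if any group fails, 0 otherwise.
check_group_mapping() {
    local user=$1 rc=0 gid sid back wb_gids
    # wbinfo -r prints the GIDs winbind resolves for the user, one per line.
    wb_gids=$(wbinfo -r "$user" 2>/dev/null) || {
        echo "FAIL winbind cannot list groups for $user"
        return 1
    }
    for gid in $(id -G "$user"); do
        # A secondary group missing here is not seen by the SMB server.
        if ! printf '%s\n' "$wb_gids" | grep -qx "$gid"; then
            echo "FAIL gid=$gid known to OS but not in winbind group list"
            rc=1; continue
        fi
        # Forward mapping: GID to SID.
        if ! sid=$(wbinfo -G "$gid" 2>/dev/null); then
            echo "FAIL gid=$gid has no SID"
            rc=1; continue
        fi
        # Reverse mapping: the SID must come back to the same GID.
        back=$(wbinfo -Y "$sid" 2>/dev/null) || back=
        if [ "$back" = "$gid" ]; then
            echo "OK   gid=$gid sid=$sid"
        else
            echo "FAIL gid=$gid sid=$sid maps back to '${back:-nothing}'"
            rc=1
        fi
    done
    return $rc
}

# Run the check when a user name is given on the command line.
if [ $# -eq 1 ]; then
    check_group_mapping "$1"
fi
```

Any FAIL line for a secondary group is worth attaching to the support case, together with the mmgetacl output for an affected file.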