Red Hat Bugzilla – Bug 128683
Samba 3.0.4-6.3E breaks "Valid users" share definition access control method
Last modified: 2007-11-30 17:07:03 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7)
Description of problem:
The recently released samba errata packages (3.0.4-6.3E) seem to break
group based share definition access control.
We have a share that is configured as follows:
comment = Unix/Windows Transfer
path = /mnt/misfiles/linux/transfer
public = yes
writeable = yes
guest ok = no
nt acl support = yes
oplocks = no
level2 oplocks = no
force create mode = 0775
force directory mode = 2775
force group = +transfer
valid users = @transfer
The "transfer" group is a standard unix group that has as members
several standard NIS users and several winbind mapped users. With the
samba-3.0.2-6.3E packages this has the effect of allowing access to
the share only to those who are members of the group.
After upgrading to samba-3.0.4-6.3E no users are allowed access this
share, even local unix users that are members of the group (so this is
not a winbind problem). We do have other "open" shares on the server
that continue to work fine allowing both local and winbind users access.
Based on available documentation I believe that the 3.0.2-6.3E
behaviour was correct (I'm pretty confident it behaved this way in the
previous samba 3.0.0-14 as well, we have used this config for quite a
while now). For now we have reverted to the previous version.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create a share using a group in the "Valid Users=" option for
access control to a share
2. Attempt access the share with a user account who is a member of the
Actual Results: Access is denied. No password combination that we
have found will allow access to the share.
Expected Results: Access to the share should be allowed for users who
are members of the group.
I've checked this against the stock Samba distribution and it appears
to be a change in bahaviour between 3.0.2 and 3.0.3. Since I can
reproduce it with stock code I will probably file a bug with the
Samba team as well.
One noted difference in the log files, most of the users in the
"transfer" group are winbind mapped users and we use the "winbind use
default domain" option. With 3.0.2 it would check their name against
the group as "testuser" but with 3.0.3+ it checks it as
"DOMAIN\testuser" which is certainly a major behaviour change,
however, adding the users to the group with this combined name still
doesn't solve the problem however.
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet that criteria, it is now being closed.
For more information of the RHEL errata support policy, please visit:
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.