Unsolved
This post is more than 5 years old
15 Posts
0
640
February 23rd, 2010 05:00
multiprotocol aix group access problem
We are working in a multiprotocol environement AIX/AD2003. As we don't have a commun LDAP because UNIX is still working in NIS mode we have choosen to work with the ETC/passwd and etc/group file of the box to map aix and windows user.
We have create a unix mode filesystem and set an NFS export and CIFS export on the same directory.
Everything is doing fine in AIX but we have problem with CIFS access.
On that directory, the aix access in done with a group membership that is not the primary GID group. The windows user which is mapped with UID of the user doesn't get access via CIFS. It is working if we put AIX permissions with the primary users group. It is like the group file that we have set is not functionnal.
Any ideas. Thanks for help
Rainer_EMC
4 Operator
•
8.6K Posts
0
February 23rd, 2010 10:00
I assume you know that you can also use cifs.extacl=2 to show and change Unix perms from a Windows client
if you turn it on then you will see additional additional "fake" ACL's for the Unix u-g-o perms in Windows Explorer properties
Rainer
Rainer_EMC
4 Operator
•
8.6K Posts
0
February 23rd, 2010 10:00
Hi,
have you tried to set this param to 1 so that new files created through CIFS get the GID that you specified in your passwd file ?
cifs acl.useUnixGid
0 or 1 Default: 0
Sets the group identifier (GID) mapping for file system objects
created on a Windows client.
0 = Assign the GID of the Windows primary domain group to
which the user belongs.
1 = Assign the Windows user’s GID (as found in the GID field of
the .etc/passwd file, NIS database entry, or Active Directory)
or this one (if the Unix user that your Windows account is mapped to is a member of a Unix group that allows access):
cifs acl.extendExtraGid 0 or 1
Default: 0
Controls whether CIFS user credentials and NFS NT credentials
include information about the UNIX groups to which the user
belongs. This applies in a multiprotocol environment only.
0 = Base the user credential only on the Windows Security IDs
(SIDs) for the user and the Windows groups to which the user
belongs.
1 = Include in the user credential the SIDs that correspond to the
UNIX groups to which the user belongs.
multi-protocol access can be a bit tricky - esp. the distinction between user mapping and access
IMHO the best way is to get familiar with the (awkward IMHO) server_cifssupport syntax - it can tell you exactly how a user and its groups gets mapped, what access it should have from which protocol on which file
Rainer
P.S.: I assume you are using security mode NT and not Unix or Share
DARIUX
15 Posts
0
February 24th, 2010 04:00
Thank's for your help the option is on value 1.
I find my error in file etc/group is bat format of file.
regard's