# Group membership question



## jwdevel (Aug 7, 2013)

I'm not sure if this is a general UNIX permissions question or a Samba question, but figured I'd ask:

I have a Samba print share set up, with a "print command" specified that just cats the file to /dev/ulpt0. This share is accessed by the guest Samba account, which I have set to be the 'smbguest' username.

I can manually run the print command as root, and the file prints. I can manually run the print command as 'smbguest' (through sudo) and the file prints. However, when run the command through Smba itself (by printing over the network from another machine), I get:

```
cannot create /dev/ulpt0: Permission denied
```
This is the same message I would get if I don't have write permissions to the device.

The device itself has the following permissions:

```
$ ls -l /dev/ulpt*
crw-rw----  1 root  print    0, 142 Aug  5 22:31 /dev/ulpt0
```

The 'smbguest' account is in the 'print' group, as evidenced below:


```
$ groups smbguest
smbguest smbguestgroup print
```

so it should be able to write to ulpt0. In fact, it can, when the command is run through `sudo -u smbguest ...`.

However, when the Samba 'print command' itself is run, the group membership *only* includes the 'smbguest' group. I altered the print command to write a log message including the output of `groups`, and it writes merely 'smbguest', rather than the above three groups.

Is there a general explanation for this, or is this just some weird Samba idiosyncrasy? I would expect, since Samba is running the command as the user 'smbguest', that it would have full group membership, but all my evidence points to that not being the case.

Or maybe there is something more fundamental I'm missing?

(Note: I have seen this post, but so far have not been able to get things working through similar means: http://askubuntu.com/questions/251536/samba-guest-account-not-in-group)

Any help would be appreciated, thanks.
-John


----------



## ta0kira (Aug 7, 2013)

Group membership is a userland concept, and not all userland programs respect it. A root process can arbitrarily set its UID, GID, and groups, but the standard user-authentication programs (e.g. login, sshd, su, and sudo) consult with the user and group infrastructures to determine what groups go along with a particular UID. Samba has always had problems with the Unix user/group system. In your config you should be able to set additional groups.

It's also possible that Samba didn't see a regular file named /dev/ulpt0 and tried to create it rather than opening it. Do you have Samba set to hide device files? (It's been a while since I used Samba, but I'm pretty sure that's something it can do.)

Kevin Barry


----------



## jwdevel (Aug 10, 2013)

ta0kira said:
			
		

> ... In your config you should be able to set additional groups.



I'm not quite sure what you're referring to, here. I know about the 'force group' setting (which doesn't seem to do anything for me), I guess I should read the docs some more...



			
				ta0kira said:
			
		

> It's also possible that Samba didn't see a regular file named /dev/ulpt0 and tried to create it rather than opening it. Do you have Samba set to hide device files? (It's been a while since I used Samba, but I'm pretty sure that's something it can do.)



If I change the device permissions to be either "all-writable", or change the group owner to be "smbguest", then the print works as expected. So the device does seem visible to Samba, there's just some permissions issue. Maybe a bug?

Thanks for your feedback.
-John


----------

