<div dir="ltr">Hey Peter, Thanks for your response. <blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"> Adam, Betty, Charlie, might be easier to read, or even user1, user2, group1, group2. </blockquote> You know, I was actually going to do this (my A and B were Alice and Bill) but then I somehow talked myself out of it. Never again! <blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"> Set group id when reading the directory? What does the plus mean? ACL is involved? "man chmod" for as start, but I don't think it will tell you enough. "man attr" might help. </blockquote> It looks like ACLs are enabled, but they don't seem to be doing much. Here's the output from getfacl: <div style="margin-left:40px">$ getfacl /directory getfacl: Removing leading '/' from absolute path names # file: directory # owner: root # group: groupname # flags: -s- user::rwx group::rwx group:groupname:rwx mask::rwx other::--- </div><div style="margin-left:40px"></div> <blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"> There is a Gnome application called "Eiciel" for manipulating ACL's and extended user attributes, but I have not used it. </blockquote> Thanks for the tip, but I'm pretty happy using the command line tools. The server is hosted remotely and I find RDP and the like to be a little clunky. Cheers, Itamar </div><div class="gmail_extra"> <div class="gmail_quote">On Sat, Jul 18, 2015 at 3:41 AM, blind Pete <<a href="mailto:0123peter@gmail.com" target="_blank">0123peter@gmail.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Itamar Gal wrote: > Hey Ubuntu users, > > Some quick background about me. I'm a junior sysadmin in a firm whose IT > department has no senior sysadmins, and I'm relatively new to the job. > I've inherited an environment from a previous administrator who was much > better at his job than I am, but who didn't leave much in the way of > documentation. > > Recently we've been experiencing a seemingly bizarre issue where it seems > that there is a user (on an Ubuntu 12.04.4 server) who is unable to access > a shared directory, even though that user belongs to the group which owns > the directory. Here is an example session: > > $ whoami > username Adam, Betty, Charlie, might be easier to read, or even user1, user2, group1, group2. > $ cd /shared_directory > bash: cd: /shared_directory: Permission denied > > ls /directory > ls: cannot open directory /shared_directory: Permission denied > > $ ls -ld /shared_directory > drwxrws---+ 116 root groupname 4096 Jun 11 11:35 /shared_directory Set group id when reading the directory? What does the plus mean? ACL is involved? "man chmod" for as start, but I don't think it will tell you enough. "man attr" might help. There is a Gnome application called "Eiciel" for manipulating ACL's and extended user attributes, but I have not used it. > $ getent group groupname > groupname:*:username:otheruser > > sudo adduser username groupname > The user `username' is already a member of `groupname' > > I posted this question on ServerFault here: > > <a href="http://serverfault.com/questions/705988/group-permissions-on-directory-being-ignored-for-user" rel="noreferrer" target="_blank">http://serverfault.com/questions/705988/group-permissions-on-directory-being-ignored-for-user</a> > <div class="HOEnZb"><div class="h5">> but I haven't gotten any responses. > > A few remarks are probably in order. We are using LDAP-based > authentication which inherits from a global LDAP server run outside of our > department. We have a script which imports user data from the global LDAP > server to our own LDAP server. > > This permissions issue has happened a handful of times so far. Each time I > was able to fix the problem by manually removing the user account form our > LDAP server and then reimporting the account from the global server > (although I have no idea why this had any effect, as I couldn't see any > differences in the relevant LDAP entries). But now I've run into a case > where doing this didn't resolve the problem, so I probably have to figure > what's actually going on. > > If anyone can shed any light on this I would be forever indebted to you, > as I am completely baffled by this. > > Cheers, > Itamar </div></div>-- blind Pete Sig goes here... -- ubuntu-users mailing list <a href="mailto:ubuntu-users@lists.ubuntu.com">ubuntu-users@lists.ubuntu.com</a> Modify settings or unsubscribe at: <a href="https://lists.ubuntu.com/mailman/listinfo/ubuntu-users" rel="noreferrer" target="_blank">https://lists.ubuntu.com/mailman/listinfo/ubuntu-users</a> </blockquote></div> </div>