[Samba] Understanding NT Groups and UNIX Permissions with Samba Shares

Garringer, Mark MGarringer at APACMail.com
Tue Dec 23 16:44:29 GMT 2003

Hello, I am having some problems understanding a few concepts in Samba while
trying to use samba-common-3.0.0-14.3E, samba-client-3.0.0-14.3E and
samba-3.0.0-14.3E on RHE 3.0. 

Basically, I have security = domain. My system is running winbind, I've
added the winbind calls to nsswitch.conf. I can get my wbinfo -u and wbinfo
-g commands to show me what I want. That all seems happy.

I have a test share as follows:
  path = /var
  read only = yes
  valid users = "APAC+GL Tech Services"
  admin users = "APAC+Domain Admins"

and a second share:

  path = /var/SECRET
  read only = no
  valid users = "APAC+Pants"

The permissions on /var/SECRET are as follows:
[root@rhcr0005 var]# ls -ld SECRET/
drwxr-x---    2 root     Pants        4096 Dec 18 17:28 SECRET/

I am, of course, a member of both groups GL Tech Services and Pants. When I
browse to the /var share, I can descend into the SECRET folder. When I
browse to the /hidden share, I get Network access is denied. In the samba
log for my machine, I get errors like:

[2003/12/23 10:40:38, 0] smbd/service.c:set_current_service(56)
  chdir (/var/SECRET) failed
[2003/12/23 10:40:38, 0] smbd/service.c:set_current_service(56)
  chdir (/var/SECRET) failed

I guess, from the best of my understanding, that when I connect to nmbd it
doesn't know about all my group memberships? If I chmod the /var/SECRET
directory back to 755 however, everything works fine.

I know my way around UNIX level permissions and groups just fine, but I
guess I am missing something here.


Mark Garringer
Manager, Systems Administration
"Whatever it takes."
APAC Customer Services
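
Added example, not part of the original post: a Python sketch of the owner/group/other check that decides whether a chdir into a directory such as the root:Pants one above succeeds, so the group list the Samba host resolves for an account can be compared against the directory's mode. It assumes smbd performs the chdir under the connecting user's UNIX identity and ignores POSIX ACLs; the uid/gid numbers are constructed and the helper names are hypothetical.

```python
import os
import pwd
import stat


def can_traverse(mode, owner_uid, owner_gid, uid, gids):
    """Classic UNIX search (x) check on a directory; POSIX ACLs are ignored."""
    if uid == 0:
        return True                       # root bypasses the mode bits
    if uid == owner_uid:
        return bool(mode & stat.S_IXUSR)  # owner class is used exclusively
    if owner_gid in gids:
        return bool(mode & stat.S_IXGRP)  # group class is used exclusively
    return bool(mode & stat.S_IXOTH)      # everyone else


def check_path(path, username):
    """Apply the check using what this host's NSS (e.g. winbind) resolves."""
    st = os.stat(path)
    pw = pwd.getpwnam(username)
    gids = set(os.getgrouplist(username, pw.pw_gid))
    ok = can_traverse(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids)
    return ok, sorted(gids)


# Constructed numeric ids standing in for the winbind-mapped account and groups.
USER_UID, TECH_GID, PANTS_GID = 10001, 10000, 10005


def demo():
    """Directory owned by uid 0 and the Pants group, as in the ls -ld output."""
    full = {TECH_GID, PANTS_GID}   # both memberships resolved
    partial = {TECH_GID}           # Pants membership not resolved
    return {
        "0750, Pants resolved": can_traverse(0o750, 0, PANTS_GID, USER_UID, full),
        "0750, Pants missing": can_traverse(0o750, 0, PANTS_GID, USER_UID, partial),
        "0755, Pants missing": can_traverse(0o755, 0, PANTS_GID, USER_UID, partial),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: chdir {'allowed' if ok else 'denied'}")
```

Run on the Samba host, `check_path` with the share path and the account name exactly as NSS lists it returns the verdict plus the gids that were resolved, which can be compared with the gid of the directory's group.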
