[Samba] Understanding NT Groups and UNIX Permissions with Samba Shares

John H Terpstra jht at samba.org
Tue Dec 23 16:58:41 GMT 2003


Mark,

Did you edit /etc/nsswitch.conf so that you have the following:

Original:

passwd: compat
shadow: compat
group: compat


Edited:

passwd: compat winbind
shadow: compat winbind
group:  compat winbind


If you have, then try:

	getent passwd
	getent group

If all is working correctly you should see a listing of your Domain users
and groups.

- John T.


On Tue, 23 Dec 2003, Garringer, Mark wrote:

> Hello, I am having some problems understanding a few concepts in Samba while
> trying to use samba-common-3.0.0-14.3E, samba-client-3.0.0-14.3E and
> samba-3.0.0-14.3E on RHE 3.0.
>
> Basically, I have security = domain. My system is running winbind, I've
> added the winbind calls to nsswitch.conf. I can get my wbinfo -u and wbinfo
> -g commands to show me what I want. That all seems happy.
>
> I have a test share as follows:
> [var]
>   path = /var
>   read only = yes
>   valid users = "APAC+GL Tech Services"
>   admin users = "APAC+Domain Admins"
>
> and a second share:
>
> [hidden]
>   path = /var/SECRET
>   read only = no
>   valid users = "APAC+Pants"
>
> The permissions on /var/SECRET are as follows:
> [root@rhcr0005 var]# ls -ld SECRET/
> drwxr-x---    2 root     Pants        4096 Dec 18 17:28 SECRET/
>
> I am, of course, a member of both groups GL Tech Services and Pants. When I
> browse to the /var share, I can descend into the SECRET folder. When I
> browse to the /hidden share, I get Network access is denied. In the samba
> log for my machine, I get errors like:
>
> [2003/12/23 10:40:38, 0] smbd/service.c:set_current_service(56)
>   chdir (/var/SECRET) failed
> [2003/12/23 10:40:38, 0] smbd/service.c:set_current_service(56)
>   chdir (/var/SECRET) failed
>
> I guess, from the best of my understanding, that when I connect to nmbd it
> doesn't know about all my group memberships? If I chmod the /var/SECRET
> directory back to 755 however, everything works fine.
>
> I know my way around UNIX level permissions and groups just fine, but I
> guess I am missing something here.
>
> Thanks!
>
> Mark Garringer
> Manager, Systems Administration
> "Whatever it takes."
> APAC Customer Services
> (319)896-2289
>

-- 
John H Terpstra
Email: jht at samba.org
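
One way to script the check described in the reply above, as an added example that is not part of the original thread: it parses an nsswitch.conf-style file for winbind on the passwd and group lines and tests a getent-format group line for a member. The function names, the temporary sample file, and the sample members and gid (APAC+alice, APAC+bob, 10001) are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the nsswitch.conf edit and a group lookup result.

# Print the plain source names configured for database $2 in nsswitch file $1.
nss_sources() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                          # drop comments
        {
            c = index($0, ":"); if (c == 0) next
            name = substr($0, 1, c - 1); gsub(/[ \t]/, "", name)
            if (name != db) next
            n = split(substr($0, c + 1), src, /[ \t]+/)
            for (i = 1; i <= n; i++)                # skip [STATUS=action] items
                if (src[i] ~ /^[A-Za-z0-9_]+$/) print src[i]
        }' "$1"
}

# Return 0 only if both passwd and group list winbind; report each database.
check_nss() {
    rc=0
    for db in passwd group; do
        if nss_sources "$1" "$db" | grep -qx winbind; then
            echo "$db: winbind listed"
        else
            echo "$db: winbind NOT listed"; rc=1
        fi
    done
    return $rc
}

# Return 0 if user $2 is in the member field of a getent-style group line $1.
group_has_member() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Constructed sample data (not taken from the poster's system).
sample=$(mktemp)
printf 'passwd: compat winbind\nshadow: compat\ngroup:  compat   # winbind\n' > "$sample"
check_nss "$sample" || echo "fix $sample before testing the share"
group_has_member 'APAC+Pants:x:10001:APAC+alice,APAC+bob' 'APAC+bob' && echo "member found"
rm -f "$sample"
```

On a live system, pass /etc/nsswitch.conf to check_nss and feed group_has_member the line returned by getent group for the group in question.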

