[Samba] Group authentication

Marcos Martins da Silva marcosm at netviaradio.com
Mon Oct 20 20:10:33 GMT 2003 

I have installed samba 3.0.0 on a RedHat 9.0 box. I have used the rpm binary i got from Canada mirror. The server is a dual Pentium II 400 IBM NetFinity 5000. Installation was easy. Testparm outputs:

[root at seth root]# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[desenv]"
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

# Global parameters
[global]
        workgroup = HUCFF
        server string = Servidor Samba
        security = DOMAIN
        password server = ROMULO
        log file = /var/log/samba/log.%m
        max log size = 50
        name resolve order = wins lmhosts bcast
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        dns proxy = No
        wins server = 10.12.10.15
        idmap uid = 20000-30000
        idmap gid = 20000-30000
        template shell = /bin/bash
        winbind separator = +
        winbind cache time = 10
        winbind use default domain = Yes
        hosts allow = 10., 127.

[desenv]
        comment = diretório de desenvolvimento
        path = /compart/desenv
        valid users = @Desenv
        write list = @Desenv
        read only = No
wbinfo -u and wbinfo -g gets users and groups from a Win2K domain controller (ROMULO) with no problem.

The "desenv" share is configured to permit access from group "Desenv", as we can see from testparm output. 
The /compart/desenv path is configured like this:
[root at seth compart]# ls -lia
total 12
  16403 drwxr-xr-x    3 root     root         4096 Out 17 18:57 .
      2 drwxr-xr-x   20 root     root         4096 Out 20 17:03 ..
  16404 drwxrwsr-x   23 marcosm  Desenv       4096 Out 18 14:34 desenv
"Desenv" is a global group from my win2K domain (HUCFF) and marcosm is a "Desenv" member. Since I could use chown to set Linux permissions to this group and this user, I assume winbind is working fine.
Samba can see marcosm is member of desenv and also that Desenv (ID:20035) is among marcosm's groups:
[root at seth compart]# getent group Desenv
Desenv:x:20035:santanna,marcosm,velasco,analucia,anabraga,anarangel,trindade,bet
h,evandro,gloria,gustavom,jcarlos,bortnyk,luzimar,mgsoares,cida,osmario,mbfranca
,leonardo,gmps
[root at seth compart]# wbinfo -r marcosm
20010
20035
20037
But I can not access the share from win2k neither from linux:
[root at seth compart]# smbclient //seth/desenv -U marcosm
Password:
tree connect failed: NT_STATUS_ACCESS_DENIED
But If I put the user "marcosm" in write list and valid users lines, like this
[desenv]
        comment = diretório de desenvolvimento
        path = /compart/desenv
        valid users = marcosm @Desenv
        write list = marcosm @Desenv
        read only = No
Everything works just fine as we can see:
[root at seth compart]# smbclient //seth/desenv -U marcosm
Password:
smb: \> ls
  .                                   D        0  Sat Oct 18 14:34:05 2003
  ..                                  D        0  Fri Oct 17 18:57:17 2003
  Diretoria                           D        0  Sat Oct 18 14:18:51 2003
  Evandro                             D        0  Sat Oct 18 14:21:46 2003
  Gloria                              D        0  Sat Oct 18 14:22:50 2003
  Gustavo                             D        0  Sat Oct 18 14:22:51 2003
  JCarlos                             D        0  Sat Oct 18 14:22:54 2003

                33001 blocks of size 1048576. 26191 blocks available

The problem looks like samba is not expanding @Desenv as an user list that contains marcosm.
Any clues? Thanks in advance.

More information about the samba mailing list