[Samba] Active directory groups and shares.

Gavin Davenport gavdav at gavdav.demon.co.uk
Sun Oct 12 09:01:12 GMT 2003

Hi there

I don't think I completely understand how to configure the shares to honour
and use domain groups - I don't think it is at the moment.

I don't know how to get samba to show me the domain information being used
to work out share permissions. In this case, my userid is in the Domain
Admins group and I want write access to the software share.

smbstatus appears to be showing me login credentials that look like the unix
id/group on the host. I also have a local (unix) machine account (&
group) using the same login name, which it appears to be using:
[root at potato /root]# smbstatus
Processing section "[homes]"
Processing section "[Software]"

Samba version 3.0.1pre1
PID     Username      Group         Machine
 2136   gavdav        gavdav    (

Service      pid     machine       Connected at
gavdav        2136     Sun Oct 12 09:45:41 2003
Locked files:
Pid    DenyMode   Access      R/W        Oplock           Name
2136   DENY_WRITE 0x2019f     RDWR       EXCLUSIVE+BATCH
/home/gavdav/pstfile.pst   Sun Oct 12 09:46:30 2003

smbstatus is listing (I think) my unix account. Why doesn't it say my
primary group is 'Domain Admins' ??

What have I forgotten ?

Also, how does samba decide whether to write logfiles as
$logdir/log.ip.add.re.ss or as $logdir/log.hostname ?

Gavin Davenport

My smb.conf
# Global parameters
[global]
        workgroup = MYDOMAIN
        realm = MYNETWORK.ISP.CO.UK
        server string = Linux Samba Server
        security = ADS
        password server = bashful
        log level = 3
        log file = /var/log/samba/log.%m
        max log size = 100
        smb ports = 445
        announce as = NT Workstation
        name resolve order = host bcast
        wins server =
        client signing = Yes
        server signing = Yes
        client use spnego = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        load printers = No
        os level = 10
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template shell = /bin/bash
#       winbind separator = +
        winbind cache time = 2
#       winbind use default domain = Yes
        comment = Redhat 7.1 Samba
        hosts allow = 127., 10.0.0.

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[Software]
        comment = Software Library
        path = /mnt/largeprimary/software
        valid users = @MYNETWORK.ISP.CO.UK\"Domain Users"
        Admin users = @MYNETWORK.ISP.CO.UK\"Domain Admins"

I was working from these hints :)

In order to make it work, I had to take out the lines "winbind use default
domain = yes" and "winbind separator = +", and then fully specify the domain
group in my share definition as such:

path = /svr/shared
valid users = @TESTSYS\shared   (or @TESTSYS\"Domain Users" if there are
spaces in the group)
writeable = yes
browseable = yes
force group = TESTSYS\shared

I think this could be a bug that it does not accept just "valid users =
shared" while "winbind use default domain = yes".  It appears that samba is
not correctly matching the group to the domain controller's group.

The + is not a good separator because, if you read about the "valid users"
directive, it uses a + to specify a unix group.

Hope this helps someone!
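As an added illustration (not Samba's own code and not part of the original post), a small Python model of how a share's "valid users" / "admin users" list is matched against the groups winbind resolves for a user. The tokenising and matching rules are simplified assumptions: '@', '+' and '&' are all treated as plain group prefixes (Samba's NIS netgroup handling is ignored), and winbind is assumed to present names as DOMAIN<separator>name.

```python
# Added model, not Samba's implementation: how a "valid users" / "admin users"
# list might be matched against a user's resolved group membership.
# Assumptions: entries are separated by spaces or commas, double quotes
# protect a name containing spaces, a leading '@', '+' or '&' means
# "members of this group", anything else is a user name.

def split_list(value):
    """Tokenise a Samba user list; quotes may appear anywhere in a token."""
    tokens, cur, quoted = [], "", False
    for ch in value:
        if ch == '"':
            quoted = not quoted          # drop the quote, keep its contents
        elif ch in " ,\t" and not quoted:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens

def matches(entry, user, groups):
    """True if one list entry admits `user` given its resolved `groups`."""
    if entry[0] in "@+&":
        return entry[1:] in groups       # group entry
    return entry == user                 # plain user entry

def access(user, groups, valid_users, admin_users=""):
    """Return 'admin', 'user' or 'denied' for one share definition."""
    if any(matches(e, user, groups) for e in split_list(admin_users)):
        return "admin"
    if any(matches(e, user, groups) for e in split_list(valid_users)):
        return "user"
    return "denied"

# Constructed sample: the poster's account as winbind would present it with
# the default '\' separator and "winbind use default domain" left off.
USER = r"MYNETWORK.ISP.CO.UK\gavdav"
GROUPS = {r"MYNETWORK.ISP.CO.UK\Domain Users",
          r"MYNETWORK.ISP.CO.UK\Domain Admins"}
VALID = r'@MYNETWORK.ISP.CO.UK\"Domain Users"'
ADMIN = r'@MYNETWORK.ISP.CO.UK\"Domain Admins"'

if __name__ == "__main__":
    print(access(USER, GROUPS, VALID, ADMIN))
    # The same groups handed back without the domain prefix (as they would be
    # with "winbind use default domain = yes") no longer match these entries:
    print(access("gavdav", {"Domain Users", "Domain Admins"}, VALID, ADMIN))
```

The second call shows why the hint above needed the domain written out in full: the share entry and the resolved group name must agree on whether the DOMAIN prefix is present.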
