[Samba] problem with secondary groups and OpenLDAP or Multiple ou's

[Jeff Hafer]

I am trying to implement the following structure in OpenLDAP
for a backend to Samba 3:

                                    / ou=People
                  /ou=Internal-----<- ou=Groups
dc=btd,dc=com ---<                  \ ou=Computers
                  \ou=External

I have been able to authenticate users but they are only able to
access shares based on their primary group. I am wondering if Samba
is having trouble with the multiple ou's necessary to reach Groups
and People with secondary groups???

Here's my smb.conf file: (Only included a single share)

[global]
    add group script = /usr/sbin/groupadd '%g'
    add machine script = /usr/sbin/useradd -g machines -c "Samba 
Machine" -d  /dev/null -s /bin/false '%u'
    add share command = /usr/local/bin/addshare
    add user script = /usr/sbin/useradd -g samba -c "Samba User" -d 
/home/users/'%u' -m -s /bin/false '%u' -g allusers
    add user to group script = /usr/sbin/usermod -G `/usr/bin/id -G '%u' 
|/bin/sed 's/ /,/g'`,'%g' '%u'
    addprinter command = /usr/bin/addprinterf
    admin users = root, Administrator, domadm
    auth methods = winbind, guest, sam
    client lanman auth = no
    client ntlmv2 auth = yes    
    client plaintext auth = no
    dns proxy = no
    domain logons = yes
    domain master = yes
    encrypt passwords = yes
    idmap gid = 10000-20000
    idmap uid = 10000-20000    
    ldap admin dn = cn=Manager,dc=btd,dc=com
    ldap filter = (&(uid=%u)(objectClass=sambaSamAccount))
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap passwd sync = yes    
    ldap ssl = no
    ldap suffix = dc=btd,dc=com    
    ldap user suffix = ou=People
    load printers = yes    
    log file = /var/lib/samba/%m.log    
    log level = 10
    logon drive = u:    
    logon home = \\N%\home\users\%U
    logon path = \\N%\home\users\%U\profile
    logon script = everyone.bat        
    max log size = 50    
    netbios name = btdvfile1    
    nt acl support = yes
    ntlm auth = yes    
    obey pam restrictions = yes
    os level = 40
    passdb backend = ldapsam:ldap://btdvinfr1
    passwd chat = *new*password* %n\n *new*password* %n\n *successfully*
    path = /var/spool/samba
    preferred master = yes
        printcap name = cups    
    printer = purchlaser    
    printing = cups    
    profile acls = yes    
    security = user
    server string = Linux Samba Server btdvfile1
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192    
    template homedir = /home/users/%D/%U
    time server = yes
    unix charset =
    unix password sync = no
    username level = 5
    username map = /etc/samba/smbusers
    wins partners = 10.100.100.2
    wins support = no
    wins proxy = no
    wins server = 10.100.100.2
    workgroup = BTD    
    writeable = yes
        create mask = 0777
        directory mask = 6777
    force create mode = 0777
    force directory mode = 6777
    inherit permissions = yes
    
[home]
    comment = Home Folders
    path = /home
    read only = No

[homes]
    comment = Home Folders
    path = /home
    read only = No

[netlogon]
    comment = Net Logon Share
    path = /usr/local/samba/netlogon
    browsable = Yes
    admin users = @admins
    read list = @allusers
    write list = @admins
    
############################################################
###   Shared Folders                                     ###
############################################################
[accountingfiles]
    comment = Accounting Department
    path = /home/depts/accountingfiles
    browseable = yes
          recycle:repository = recycle
    recycle:keeptree = yes
    vfs objects = vscan-sophos recycle
    vscan-sophos: config-file = /etc/samba/vscan-sophos.conf
    admin users = @admins @accounting
    valid users = @admins @accounting
    write list = @admins @accounting