[Samba] smb+winbind+Acl problem

PIGNOL, Christian christian_pignol at merck.com
Mon Jan 12 15:37:24 GMT 2004

Hello everyone,

I have a strange problem with my samba server ...

First, the situation :

I'm running a Samba 2.2.7a-8.9.0 (the latest from redhat 9.0) compiled from
an "src.rpm" with modifications in the SPECS file (--with-winbind &
--with-acl-support) on a linux redhat 9.0 (Kernel 2.4.20-20.9.1 with Acl
patches ...). I have added my linux box into the windows domain (smbpasswd
-j DomainName ...) without any problem. The "wbinfo -u" command gives me a
complete account list from the domain and from all the trusted domains ...

Well !

The problem :

I have defined a samba share named "france" based on the following path
"/www/france" and I have applied an ACL on this directory to restrict write
access to a specific Windows Domain Global Group named FRANCE. This group
only contains 4 accounts : PIGNOL PIGNOLTST USERA USERB

Please find below the ACL :
# file: france
# owner: france
# group: intranet

From a windows workstation, I'm able to connect this Samba Share with a "NET
USE F: \\fruxts06\france" command without any problem.

It works fine for all accounts I use (In Read Only mode of course ...).

BUT, I'm only able to create / update / delete files on this share from
windows using the  "MyDomain\PIGNOL" account ! When I use another account
(member or not of the "MyDomain\FRANCE" group) I obtain an error window :
Unable to create the file 'mydocument.txt'
Access is denied.

BUT ... Locally on the linux system I have a "PIGNOL" account ... Ambiguous
situation !

So ... I have tried to rename my local linux account from PIGNOL to
PIGNOLADM (Stop Smb/Winbind - clear the "/var/cache/samba" directory - Start
Winbind/Smb) and to create a file from windows using the MyDomain\PIGNOL
account ... And ... It already works fine !

Gloups Gloups !

Please help.

Thanks a lot and regards

Christian PIGNOL 

My "smb.conf" -----------------------------------------------
# Global parameters
[global]
	workgroup = MyDomain
	netbios name = FRUXTS06
	netbios aliases = fruxts06
	server string = fruxts06 / RH 9 / Proto Intranet
	security = DOMAIN
	encrypt passwords = Yes
	obey pam restrictions = Yes
	password server = *
	pam password change = Yes
	passwd program = /usr/bin/passwd %u
	passwd chat = *New*password* %n\n *Retyp ... Etc ...
	unix password sync = Yes
	log file = /var/log/samba/%m.log
	max log size = 100
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	add user script = /usr/sbin/useradd %u -g smbusers
	delete user script = /usr/sbin/userdel %u
	os level = 33
	preferred master = No
	local master = No
	domain master = No
	dns proxy = No
	wins server =
	winbind uid = 10000-20000
	winbind gid = 10000-20000
	template shell = /bin/bash
	printing = lprng

[france]
	comment = fruxts06 - france
	path = /www/france
	read only = No
	inherit permissions = Yes
	inherit acls = Yes
	case sensitive = Yes
	dos filemode = Yes
	dos filetimes = Yes
	dos filetime resolution = Yes
	fake directory create times = Yes

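
The post reports different behaviour while a local PIGNOL account coexisted with MyDomain\PIGNOL. As an added example (not part of the original post), the script below lists local account names that also appear in saved `wbinfo -u` output, and local UIDs that fall inside the `winbind uid` range; the function names, file names and sample passwd entries are assumptions of the example.

```bash
#!/bin/sh
# Added example, not from the original post.

# Print "<local name>\t<wbinfo entry>" for each local account whose name
# matches a domain account name, ignoring case as Windows does.
#   $1 = passwd-format file, $2 = saved output of `wbinfo -u`
find_name_collisions() {
    awk -F: '
        NR == FNR { if ($1 != "") seen[tolower($1)] = $1; next }
        {
            entry = $0; sub(/\r$/, "", entry)
            user = entry
            sub(/^.*[\\+\/]/, "", user)   # drop DOMAIN and its separator
            if (tolower(user) in seen) print seen[tolower(user)] "\t" entry
        }
    ' "$1" "$2" | sort -u
}

# Print "<name>\t<uid>" for local accounts whose UID lies inside the range
# reserved for winbind (winbind uid = 10000-20000 in the posted smb.conf).
#   $1 = passwd-format file, $2 = low UID, $3 = high UID
local_uids_in_range() {
    awk -F: -v lo="$2" -v hi="$3" \
        '$3 ~ /^[0-9]+$/ && $3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1 "\t" $3 }' "$1"
}

# Constructed sample data: account names follow the post, UIDs are made up.
sample_dir=$(mktemp -d)
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
france:x:500:500::/www/france:/bin/bash
PIGNOL:x:501:501::/home/PIGNOL:/bin/bash
svcbackup:x:10050:100::/home/svcbackup:/bin/bash
EOF
cat > "$sample_dir/wbinfo_u.txt" <<'EOF'
MyDomain\PIGNOL
MyDomain\PIGNOLTST
MyDomain\USERA
MyDomain\USERB
EOF

echo "Local names that are also domain account names:"
find_name_collisions "$sample_dir/passwd" "$sample_dir/wbinfo_u.txt"
echo "Local UIDs inside the winbind uid range:"
local_uids_in_range "$sample_dir/passwd" 10000 20000
```

On a real host the inputs would be `/etc/passwd` and the output of `wbinfo -u` saved to a file.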
