[Samba] Inconsistant AD group authentication

Ziller, James James.Ziller at qg.com
Thu Sep 16 13:14:13 GMT 2004

Greetings friends:

So heres the problem I've been fighting for the last month to no avail.
My samba server is joined to a mixed mode AD domain.  I want to set
permissions on shares based on AD groups, however only _some_ of the
group's members are allowed to access the share when I add their group
to "valid users".  As far as I can tell there are no differences between
the AD accounts of group members who can access the share and the
members who are denied access. If I add their usernames explicitly to
"valid users" then they can access the share. "getent group" returns my
group and shows all of my users as members.  I have ample uid's and
gid's reserved for winbind, (10,000-90,000) with only about 30,000 users
and under 1000 groups. I have tried using local,global and universal
groups - but it makes no difference.

Configurations tried that exhibit this problem.

Samba 3.0.4 - 3.0.7
Kerberos 1.2.7 - 1.3.5
Redhat 9

What I'm really looking for is for someone to point me in the right
direction or give me some kinda of clues to look for.  I do not have
much access to my company's AD domain so if the problem is suspected to
be on the windows side I will need to have specific things in mind to
ask one of our AD admins to check.  I have already posted all my
config's to this list previously, but if theres any information you want
please let me know.  I would really like to get a functioning samba
server out there so we can dump our windows file servers but right now
this is impossible! Any help is greatly appreciated!  


James Ziller
Systems Administrator

Quad/Graphics - Q/DS
West Allis, Wisconsin
james.ziller at qg.com

More information about the samba mailing list