[Samba] AD auth + local unix groups: access denied?

Albrecht Dreß albrecht.dress at lios-tech.com
Tue Apr 5 09:47:34 GMT 2005


I have an access problem related to local unix groups on a FC2 box 
running the samba-3.0.10-1.fc2 rpms.

The goal is to have a read-only share with sub-folders accessible only 
by one user. All users lised in a local unix group "admin" shall have 
access to all folders. The samba box uses an external active directory 
machine for authentication. Winbind is running on the machine.

The sub-folders in the share are owned by the respective AD users, and 
the group is fixed (using the setgid bit) to the local "admin" group. 
The "admin" group is listed in the local /etc/group file, and respective 
AD users are listed there. The listing of the archive folder looks like

[root at machine root]# ls -l /opt/share/Archiv/
total 0
dr-xr-s---  2 DOMAIN_user1 admin 128 Apr  4 14:08 User1
dr-xr-s---  2 DOMAIN_user2 admin 154 Apr  1 16:14 User2

(The archive is filled by a virtual cups printer based upon the user 
name of the request, so having everything ro is wanted here).

The situation is now as follows:

- clicking in the win explorer on any subfolder which should be accessed 
via the "admin" group access rights returns a "permission denied" error. 
Right-clicking on the folders and showing the security settings in Win 
correctly shows the ownership and unix group name;
- log in on the FC2 box via ssh, using the AD user name provided via 
winbind (e.g. "DOMAIN_user1"): users listed in the "admin" group can 
access all subfolders with unix commands like "ls" as expected;
- "getent group admin" correctly lists the valid admin users;
- running "groups" as user in the "admin" group lists inter alia "admin".

The relevant (?) winbind and share setup in smb.conf looks as follows 
(note: all users are member in the AD "DOMAIN_USERS" group):

winbind separator = _
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes

     comment = Read-Only document archive
     path = /opt/share/Archiv
     browsable = yes
     guest ok = no
     writable = no
     valid users = @DOMAIN_USER
     admin users =

Any idea what causes the "permission denied" error and how I can fix it? 
How could I get more debug information about the cause?

Thanks in advance,

LIOS Technology GmbH
Dr. Albrecht Dreß
Project Engineering / Software Design
Schanzenstrasse 6 - 20
D-51063 Köln

Phone +49 221 676 2742
Fax   +49 221 676 2069

More information about the samba mailing list