RESOLVED? [Samba] Shares Problem

Eric Hines eehines at
Sat Dec 3 18:20:12 GMT 2005


>I'm running SUSE Pro 9.3 with Samba 3.0.13, and I have a LAN with 2 
>subnets.  The problem (or the symptom; I may actually have two problems) 
>is that I can't get into some of the shares from my Win2k box (one subnet) 
>or from my XP laptop (other subnet).  The directory structure is
>         /data
>         /data/accounts
>         /data/finsvcs
>and the shares are accounts and finsvcs.  /data is owned by root:root, 
>while the share directories are owned by mfwic:accounts and mfwic:finsvcs.
>Each user can get into his own /home/directory just fine, and I've 
>confirmed that the users are correctly entered in the passwd and smbpasswd 
>files (as also implied by being able to get into the /home 
>directories).  User access to the shares is granted via "valid 
>user=%G."  From the windows devices, it's possible to browse over to (or 
>to go via Network Neighborhood), and see, the shares, but entering is 
>denied--the Windows devices invite me to log in and then reject the 
>login.  Winbindd is running, and the windows devices are pointed to the 
>samba box for the WINS service.
>I've run the checklist from TOSHARG2, and the only items that _don't_ work are
>         smbclient //lserver0/accounts -U<user> (including mfwic).  That 
> gets me a tree connect failed: NT_STATUS_ACCESS_DENIED error.  However, 
> if I run smbclient //lserver0/accounts -Uroot with the root password, I 
> get into the shares.
>         I cannot ping by name the machines (PC and laptop) from lserver0, 
> the samba box, or lserver0 from the windows machine.  I can ping in both 
> directions by IP address.
>         nmblookup -B xxx '*' works when xxx=IP address, fails when 
> xxx=machine name.
>         net use x: \\lserver0\accounts fails with a bad password error 
> from my Win2k PC, and with a multiple connections not allowed error from 
> my XP laptop.
>Any advice would be greatly appreciated.
>Eric Hines

I got this to work, but I don't understand why, or what the implications 
are of the change I made.  Any advice would be greatly appreciated.

The change I made was to change valid users for the shares accounts and 
finsvcs to %U from %G.

The documentation says that %G is the _primary_ group of the user in 
question; the primary group of these users, from the way they were first 
entered into the system, is 'users'; they were only after that _added_ to 
the groups owning the shares' directories.  Could this be part of the problem, 
or is that a non-distinction?  Also, what am I doing to security by 
allowing the session user in and not mandating that that person be a member 
of the share-owning group?


Eric Hines

There is no nonsense so errant that it cannot be made the creed of the vast 
majority by adequate governmental action.
         --Bertrand Russell
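
An added illustration, not part of the original post and not taken from the poster's actual smb.conf: a constructed fragment for the two shares that sets the two settings discussed above beside a group-restricted form. Per the smb.conf manual, %G expands to the primary group name of %U, and a "valid users" entry is matched as a user name unless it carries a group prefix such as @ or +; the share paths and group names come from the post, everything else is assumed.

```ini
# Constructed smb.conf fragment (example only). Paths and group names are
# from the post; no other share options are shown because the post gives none.

[accounts]
    path = /data/accounts

    # As first posted. %G expands to the PRIMARY group name of the session
    # user, which for these users is "users". With no @ or + prefix the
    # expanded value is compared as a user name, so the line reads
    # "valid users = users" and only an account literally named "users"
    # matches. That is consistent with root getting in: root's primary
    # group is normally also named "root".
;   valid users = %G

    # The workaround. %U expands to the session user name, so the line
    # reads "valid users = <whoever connected>" and every authenticated
    # user matches. The share-level restriction is effectively gone and
    # access is decided only by the Unix permissions on the directory.
;   valid users = %U

    # Group-restricted form. The @ prefix makes Samba treat the name as a
    # group and check the user's membership, which includes supplementary
    # groups added after the account was created.
    valid users = @accounts

[finsvcs]
    path = /data/finsvcs
    valid users = @finsvcs
```

Running testparm -s after editing confirms the file parses and prints the effective "valid users" value for each share.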
