[Samba] Domain Users Group Effective Permissions on Workstation files after upgrade from 3.0.4 to 3.0.11

Roger Crom crom at ccccorp.com
Tue Feb 15 23:00:28 GMT 2005


I have had a running 3.0.4 server running for quite some time with no 
problem.

I built a new server with Fedora core 3 & ending up with SAMBA 3.0.11 
running.

Workstation running windows xp pro with sp2 applied

Things are generally ok, but I am finding that group permissions at the 
workstation are not being carried to the user, specifically for Domain 
Users.  Domain Admins appear to be progating properly

users/group authentication is through NIS with local smbpasswd file

Group is the primary group for user

NO LDAP involved

file permissions on the samba server appear to be working just fine

The only problem is effective permissions at the directory level on the 
local workstation

Example:

directory has permssions assigned of full control to "Domain Users"
A user tammy is in unix group CCC which is mapped to "Domain Users"
net groupmap list :

System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-892218768-3045639999-384985677-512) -> systems
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Print Operators (S-1-5-21-892218768-3045639999-384985677-550) -> CCC
Domain Users (S-1-5-21-892218768-3045639999-384985677-513) -> CCC
Account Operators (S-1-5-32-548) -> -1
Domain Guests (S-1-5-21-892218768-3045639999-384985677-514) -> nobody
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> CCC


when we check effective permissions at the xp workstation user is not 
being assigned the permissions associated with "Domain Users"

smb.conf file follows:
print from testparm -s
[global]
         workgroup = CCCDISTRICT
         server string = Freelog
         interfaces = 172.16.1.16/24
         update encrypted = Yes
         null passwords = Yes
         passwd program = /usr/bin/passwd %u
         passwd chat = *password* %n\n *password* %n\n *
         unix password sync = Yes
         log level = 9
         log file = /var/log/samba/log.%m
         max log size = 500
         name resolve order = host wins bcast
         socket options = TCP_NODELAY SO_RCVBUF=8192 IPTOS_LOWDELAY 
SO_RCVBUF=8192 SO_SNDBUF=8192
         logon script = scripts\%U.bat
         logon path =
         logon drive = g:
         logon home = \\%L\%U
         domain logons = Yes
         os level = 255
         preferred master = Yes
         domain master = Yes
         wins proxy = Yes
         wins support = Yes
         ldap ssl = no
         invalid users = bin, daemon, adm, sync, shutdown, halt, mail, news
         admin users = crom
         hosts allow = 172.16.1.0/24, 127.0.0.1[homes]
         comment = Home Directory
         path = /shares/users/%u
         force group = users
         read only = No
         create mask = 0700
         directory mask = 0700
         default case = upper
         browseable = No
         hosts deny = all
         profile acls = Yes
         preserve case = No
         short preserve case = No

[Software]
         comment = Software
         path = /shares/software
         valid users = @CCC
         write list = @CCC
         force group = CCC
         read only = No
         create mask = 0770
         directory mask = 0770
         default case = upper

[netlogon]
         comment = Network Logon Service
         path = /shares/netlogon
         browseable = No
         locking = No
         share modes = No

[profile]
         path = /shares/profile
         read only = No
         create mask = 0600
         directory mask = 0700
         csc policy = disable

[accounting]
         comment = Printer in Steve White's Office
         path = /tmp
         printer admin = @CCC
         printable = Yes

More printer shares below



Any questions help would be greatly appreciated





-- 
Roger A. Crom
Director of Systems
Custom Computing Corporation
(402) 341-2197


More information about the samba mailing list