[Samba] share access only for users with primary group
Roman Hudelist
Roman.Hudelist at sphinx-ms.at
Mon Feb 21 11:22:22 GMT 2005
Hi!
I am having some serious problems getting winbind to recognize secondary
group memberships. I have a samba server version samba-3.0.10-1 running
on SUSE 8.2. This is running on a 2x Xeon 2.4 GHz Siemens-Fujitsu server
with 2G RAM.
cat /proc/version: Linux version 2.4.20-64GB-SMP (root at SMP_X86.suse.de)
(gcc version 3.3 20030226 (prerelease) (SuSE Linux)) #1 SMP
I have joined the domain with: net join -U administrator
I successfully joined the domain. passdb backend = smbpasswd. wbinfo -u
and getent passwd shows all the domain users and wbinfo -g and getent
group shows all the domain groups. ls -l shows the correct domain
user/group ownerships.
We allow group-based access to the shares. Users of Group X may access a
share because Group X is mentioned in the "read list" or the "write
list" Tag in smb.conf.
Users can access shares owned by them or their PRIMARY domain group.
This works fine. But when they try to access a share owned by a
secondary group that they belong to, it is access denied. The only way
I can get a secondary group to access the share is by adding the user as
owner to the ACLs of all the files in the share. Winbind then reports that
permission is denied for the user.
smb.conf:

    [global]
        workgroup = DOMAIN
        realm = DOMAIN.LOCAL
        server string = Samba 3.0.10
        security = DOMAIN
        username map = /etc/samba/smbusers
        log level = 1
        dos charset = CP1252
        unix charset = ISO8859-15
        logon path=\\%L\Profiles\%U
        encrypt passwords = yes
        guest ok = No
        browsable = yes

The shares are configured like this:

    [TESTSHARE]
        path = /Shares/Testshare
        write list = @"DOMAIN\Domain-Admins"
        read list = @"DOMAIN\Domain-Users"
        create mask = 6775
        directory mask = 6775

Is there a known workaround? Any help/suggestions would be greatly
appreciated. thx in advance!
-rom
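
Added example, not part of the original message: a check for the symptom described above, comparing the groups that list a user as a member in `getent group` output with the gids that `id -G` returns for that user. The function name, user, group names and gids are constructed for illustration; a mismatch only shows where the two lookups disagree, not why.

```shell
#!/bin/sh
# missing_secondary_gids USER "GIDS"
#   stdin: lines in `getent group` format (name:passwd:gid:member,member,...)
#   GIDS : space-separated numeric gids, as printed by `id -G USER`
# Prints "gid name" for each group that lists USER as a member but whose
# gid is absent from GIDS.
missing_secondary_gids() {
    # Pass values through the environment: awk -v would interpret the
    # backslash in names such as DOMAIN\user as an escape sequence.
    WANT_USER="$1" HAVE_GIDS="$2" awk -F: '
        BEGIN {
            n = split(ENVIRON["HAVE_GIDS"], g, " ")
            for (i = 1; i <= n; i++) have[g[i]] = 1
        }
        {
            m = split($4, members, ",")
            for (i = 1; i <= m; i++)
                if (members[i] == ENVIRON["WANT_USER"] && !($3 in have))
                    print $3, $1
        }'
}

# Constructed sample data (hypothetical user, groups and gids).
sample_groups() {
    cat <<'EOF'
root:x:0:
DOMAIN\Domain-Users:x:10000:DOMAIN\roman,DOMAIN\anna
DOMAIN\Domain-Admins:x:10001:DOMAIN\anna
DOMAIN\Projects:x:10002:DOMAIN\roman
EOF
}

# Live use on the server (commented out so the block runs offline):
#   getent group | missing_secondary_gids 'DOMAIN\roman' "$(id -G 'DOMAIN\roman')"

# Constructed case: the id-style lookup returned only the primary gid 10000.
sample_groups | missing_secondary_gids 'DOMAIN\roman' "10000"
```

Any line printed is a group whose membership is visible when groups are enumerated but missing from the gid list built for the user, which is the list that file-permission checks on the share path rely on.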