[SAMBA] Only primary group being used for AD user?

Wayne Rasmussen wayne at mail.gomonarch.com
Thu Jan 6 22:57:24 GMT 2005

In my test AD adtest.com we have a user wjr who is a member of two groups:
Domain Users, xyzusers

We have two shares defined in the smb.conf file as follows:
	workgroup = adtestnetbios
	realm = adtest.com
	security = ADS
	encrypt passwords = yes
	log level = 10
	idmap uid = 10000-35000
	idmap gid = 10000-35000
	winbind enum users = yes
	winbind enum groups = yes
	template homedir = /u/%U
	template shell = /bin/csh
	winbind use default domain = yes
  comment = User's sharing documents here.
  public = no
  path = /u/public
  read only = No
  create mask = 0660
  directory mask = 0770
  browseable = Yes
  comment =  main work area
  path = /u
  public = no
  create mask = 0660
  read only = No
  directory mask = 0770
  browseable = Yes

The permissions on the two directories in the path are as follows:
drwxr-xr-x  14 root     root         512 Dec 12 15:17 u/
drwxrws---   2 stock    xyzusers     512 Dec  6 14:48 public/

A getent passwd for the user results in the following:
getent passwd |grep wjr
wjr:x:10023:10000:wayne j rasmussen:/u/wjr:/bin/csh

A getent group for the appropriate groups results in the following:
Domain Users:x:10000:

log.smbd shows that xyzusers is not being seen/used by samba.
[2005/01/06 14:01:22, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 10023
  Primary group is 10000 and contains 1 supplementary groups
  Group[  0]: 10000

The user wjr on a Windows XP Pro box can browse to the server, access the /u
share, but gets a \\servername\public not accessible message.  Is this a bug?
It seems that samba can only use a single group for a given userid...

BTW, we are running Samba 3.0.9 on Solaris 9.
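
An added example, not part of the original post: it parses the debug_unix_user_token dump quoted above and evaluates the two directory modes from the ls output against that token, which reproduces the reported symptom (/u reachable, /u/public not). The uid for "stock" and the gid for "xyzusers" are constructed, since the post does not show them.

```python
import re

# Token dump exactly as quoted in the post (smbd log level 5 or higher).
SAMPLE_LOG = """\
[2005/01/06 14:01:22, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 10023
  Primary group is 10000 and contains 1 supplementary groups
  Group[  0]: 10000
"""
# Constructed values: the post does not give these ids.
STOCK_UID = 10001      # assumed uid of the owner "stock"
XYZUSERS_GID = 10005   # assumed gid winbind mapped for "xyzusers"

def parse_unix_tokens(log_text):
    """Return one {'uid', 'gid', 'groups'} dict per token dump in the log."""
    tokens, cur = [], None
    for line in log_text.splitlines():
        if m := re.match(r"\s*UNIX token of user (\d+)", line):
            cur = {"uid": int(m.group(1)), "gid": None, "groups": []}
            tokens.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"\s*Primary group is (\d+)", line):
            cur["gid"] = int(m.group(1))
        elif m := re.match(r"\s*Group\[\s*\d+\]:\s*(\d+)", line):
            cur["groups"].append(int(m.group(1)))
    return tokens

def access_class(token, owner_uid, group_gid):
    """Pick the permission triplet that applies: owner, group or other."""
    if token["uid"] == owner_uid:
        return "owner"
    if group_gid == token["gid"] or group_gid in token["groups"]:
        return "group"
    return "other"

def can_enter(token, mode, owner_uid, group_gid):
    """True if the token has read and search rights on a directory (ls -l mode)."""
    cls = access_class(token, owner_uid, group_gid)
    r, _, x = {"owner": mode[1:4], "group": mode[4:7], "other": mode[7:10]}[cls]
    return r == "r" and x in ("x", "s", "t")

if __name__ == "__main__":
    tok = parse_unix_tokens(SAMPLE_LOG)[0]
    print("/u       :", can_enter(tok, "drwxr-xr-x", 0, 0))
    print("/u/public:", can_enter(tok, "drwxrws---", STOCK_UID, XYZUSERS_GID))
```

Comparing the parsed group list with the gid that getent group reports for xyzusers shows whether the membership reached the token at all.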
