[Samba] Trouble with Winbind and domain group membership

Michael Davidson mdavidson at mountwashington.org
Wed Aug 16 19:13:46 GMT 2006


Summary of problem: members of Active Directory groups cannot access Samba
shares that their group membership should allow.

I recently joined our Linux servers to our Windows 2003 domain using
Samba/Winbind.  The research and implementation were time-consuming, but the
results made it all worthwhile.  Unfortunately I am running into a problem
relating to group membership on the domain as it relates to share access.
I'll give a pared-down example of a share definition from smb.conf:

[graphics]
        comment = Graphic design files
        path = /srv/samba/graphics
        valid users = @%D+Graphics
        public = no
        force group = %D+Graphics

(The winbind separator is +)

The idea is to allow only members of the domain group "Graphics" access to
the share and to force group ownership on files that are created through the
share to be "Graphics".  

Here is some command output (The domain name is MWO):

wbinfo -g | grep Graphics
MWO+Graphics

getent group | grep Graphics
MWO+Graphics:x:10029:MWO+mdavidson

wbinfo -G 10029
S-1-5-21-1830939736-2914305965-1243072980-1232

The first command tells me that Winbind knows the group is there.  The second
tells me that I'm a member of the group.  The third tells me that the Unix
GID translates to an NT ID properly.

The problem happens when I attempt to connect to the share.  It says "Access
is Denied".  If I comment out the valid users parameter in smb.conf, I get
"The specified group does not exist" when connecting to the share.  If I
comment out both the valid users and force group parameters, I can connect,
however this does not make good security.

To complicate matters, testparm says "'winbind separator = +' might cause
problems with group membership."  In your experience, is this truly the
problem?  I am hesitant to make a change to the [global] section unless I am
confident it will solve my problem.

Thank you, 
Michael Davidson
Mount Washington Observatory
www.mountwashington.org
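As an added illustration that is not part of the post above, the following is a simplified model of how a "valid users" entry such as @%D+Graphics is expanded and matched against NSS group membership, plus a check for the separator/prefix clash that the testparm warning refers to. The prefix meanings follow smb.conf(5); the group table, user names and the DOM placeholder are constructed sample data, and NIS netgroups are not modelled.

```python
# Added example, not from the original post: a simplified model of smb.conf
# "valid users" evaluation against NSS group membership. Prefix meanings per
# smb.conf(5): '@' tries the NIS netgroup then the UNIX group, '+' is a UNIX
# group only, '&' is a NIS netgroup only, and no prefix is a user name.
# Group data below is constructed to match the poster's 'getent group' line.

PREFIXES = "@+&"

def expand_macros(value, domain):
    """Substitute the %D (primary domain name) macro as Samba does."""
    return value.replace("%D", domain)

def parse_valid_users(value, domain):
    """Split a 'valid users' value into (kind, name) pairs after %D expansion."""
    entries = []
    for tok in expand_macros(value, domain).replace(",", " ").split():
        if tok[0] in PREFIXES:
            entries.append((tok[0], tok[1:]))
        else:
            entries.append(("user", tok))
    return entries

def user_allowed(user, valid_users, domain, nss_groups):
    """True if 'user' matches any entry; nss_groups maps group name -> members.
    NIS netgroups are not modelled here, so '&' entries never match."""
    for kind, name in parse_valid_users(valid_users, domain):
        if kind == "user" and name == user:
            return True
        if kind in "@+" and user in nss_groups.get(name, ()):
            return True
    return False

def separator_conflicts(valid_users, domain, separator):
    """Return group entries whose expanded name contains the winbind separator
    when that separator is also a valid-users prefix character, which is the
    situation testparm warns about for 'winbind separator = +'."""
    if separator not in PREFIXES:
        return []
    return [name for kind, name in parse_valid_users(valid_users, domain)
            if kind != "user" and separator in name]

# Constructed sample of the NSS group table (from 'getent group' in the post).
NSS_GROUPS = {"MWO+Graphics": {"MWO+mdavidson"}}

if __name__ == "__main__":
    print(user_allowed("MWO+mdavidson", "@%D+Graphics", "MWO", NSS_GROUPS))
    print(separator_conflicts("@%D+Graphics", "MWO", "+"))
```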