[Samba] Trouble with Winbind and domain group membership
mdavidson at mountwashington.org
Wed Aug 16 19:13:46 GMT 2006
Summary of problem: members of Active Directory groups cannot access Samba
shares that their group membership should allow.
I recently joined our Linux servers to our Windows 2003 domain using
Samba/Winbind. The research and implementation were time-consuming, but the
results made it all worthwhile. Unfortunately I am running into a problem
relating to group membership on the domain as it relates to share access.

I'll give a pared-down example of a share definition from smb.conf:

    comment = Graphic design files
    path = /srv/samba/graphics
    valid users = @%D+Graphics
    public = no
    force group = %D+Graphics

(The winbind separator is +)

The idea is to allow only members of the domain group "Graphics" access to
the share and to force group ownership on files that are created through the
share to be "Graphics".

Here is some command output (The domain name is MWO):

    wbinfo -g | grep Graphics
    getent group | grep Graphics
    wbinfo -G 10029

The first command tells me that Winbind knows the group is there. The second
tells me that I'm a member of the group. The third tells me that the Unix
GID translates to an NT ID properly.
The problem happens when I attempt to connect to the share. It says "Access
is Denied". If I comment out the valid users parameter in smb.conf, I get
"The specified group does not exist" when connecting to the share. If I
comment out both the valid users and force group parameters, I can connect;
however, this does not make good security.
To complicate matters, testparm says "'winbind separator = +' might cause
problems with group membership." In your experience, is this truly the
problem? I am hesitant to make a change to the [global] section unless I am
confident it will solve my problem.
Mount Washington Observatory
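
Added example, not part of the original message and not Samba project code: a Python check that expands `%D` in each share's `valid users` and `force group` values and reports group names that are absent from the NSS group list, alongside the separator setting testparm warns about. The `[graphics]` section name, the `[global]` block, the function name `audit_groups` and the NSS group sets are assumptions constructed for illustration.

```python
import configparser
import re

PREFIXES = "@+&"  # smb.conf lookup-order prefixes that mark a group name

# Constructed input: the share from the post; the [graphics] section name
# and the [global] block are assumptions, as the post shows neither.
SAMPLE_CONF = """
[global]
winbind separator = +

[graphics]
comment = Graphic design files
path = /srv/samba/graphics
valid users = @%D+Graphics
public = no
force group = %D+Graphics
"""

def audit_groups(conf_text, domain, nss_groups):
    """Return (share, parameter, expanded name, issue) tuples."""
    cp = configparser.RawConfigParser(strict=False)  # Raw: '%D' is not interpolated
    cp.read_string(conf_text)
    findings = []
    if cp.get("global", "winbind separator", fallback="\\") == "+":
        findings.append(("global", "winbind separator", "+", "testparm warning applies"))
    for share in cp.sections():
        if share.lower() == "global":
            continue
        for param in ("valid users", "force group"):
            raw = cp.get(share, param, fallback="")
            # force group holds one name; valid users is a space/comma list
            # in which names containing spaces are double-quoted.
            tokens = [raw] if param == "force group" else re.findall(r'"[^"]*"|[^\s,]+', raw)
            for token in filter(None, tokens):
                expanded = token.strip('"').replace("%D", domain)
                if param == "valid users" and not expanded.startswith(tuple(PREFIXES)):
                    continue  # plain user name, not a group reference
                name = expanded.lstrip(PREFIXES)
                if name not in nss_groups:
                    findings.append((share, param, name, "not in NSS group list"))
    return findings

if __name__ == "__main__":
    # Constructed NSS view in which the group appears without the domain prefix.
    for finding in audit_groups(SAMPLE_CONF, "MWO", {"Graphics"}):
        print(finding)
```

On a server, the group set can be built from the first field of each line of `getent group` output.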