[Samba] Permission Problem --Windows or UNIX?

Stephen Carville stephen at totalflood.com
Wed Aug 23 14:32:49 GMT 2006


Gerald (Jerry) Carter wrote:
> Stephen Carville wrote:
> 
> 
>>I am using Samba 3.0.20a with winbindd on FC3 and all 
>>the shares except one are working.  I keep getting a
>>permission denied error for non-local users in certain
>>directories.
> 
> ...
> 
>>And I have mapping between Windows and UNIX groups (list trimmed):
>>
>># net groupmap list
>>Guests (S-1-5-32-546) -> nobody
>>Domain Guests (S-1-5-21-2679732778-2536521927-3344223750-1199) -> nobody
> 
> ....
> 
>>testparm shows:
>>
>>Server role: ROLE_DOMAIN_MEMBER
>>Press enter to see a dump of your service definitions
>>
>>[global]
>>        unix charset = LOCALE
>>        workgroup = TOTALFLOOD
>>        netbios name = FILE-CABINET
>>        server string = Main File Server
>>        security = DOMAIN
>>        wins server = 192.168.124.10
>>        idmap uid = 10000-100000000
>>        idmap gid = 10000-100000000
> 
> 
> Why are you using 'net groupmap' and winbindd ?

As far as I could tell from the documentation on samba.org, that is the 
correct way to use both local and windows accounts.  Give ownership of 
the directories to local accounts and groups. Use net groupmap to map 
the Windows group names to UNIX groupnames.  Winbind provides the glue 
to hold it together.

Home directories are owned by the UNIX account if it's local and by the 
Win account as mapped by winbindd(?) otherwise

This seems to work for all but this one share.

> In any case, I think we have the 'valid users' and
> tokens stuff straightened out for systems with an smbpasswd
> file.  I'll be posting a patch shortly to bring 3.0.23b
> up to what is proposed to be the 3.0.23c code tree.
> You might want to look at that.

I don't use smbpasswd.  I have an smbusers file that maps local accounts 
to the equivalent Win account.  For example my UNIX username is 
"stephen" but my Win name is "scarville" so I have the entry:

stephen = TOTALFLOOD\scarville

I have similar entries for each local account that will also use the 
samba services.  Based on RT'ing the FM this looked like the right 
thing to do.

If I'm doing it wrong, then I'll happily switch to doing it right if 
someone can point me in that direction.

> 
> 
> cheers, jerry
> 


-- 
Stephen Carville <stephen at totalflood.com>
Unix and Network Admin
Nationwide Totalflood
6033 W. Century Blvd
Los Angeles, CA 90045
310-342-3602
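
The smbusers entry described in the message above, as an added example (not part of the original post and not Samba's code): a small Python model of how a file in the smb.conf `username map` format is read top to bottom, so a client name can be checked against it offline. The sample file, the function names, the case-insensitive comparison and the omission of `@group` entries are assumptions; only the `stephen = TOTALFLOOD\scarville` line comes from the post.

```python
import shlex

# Constructed sample map; only the "stephen" line comes from the post.
SAMPLE_MAP = r'''
# unix name = client name(s)
stephen = TOTALFLOOD\scarville
!backup = "TOTALFLOOD\Backup Operator"
guest = *
'''

def parse_username_map(text):
    """Return a list of (unix_name, [client_names], stop_if_matched)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank lines and comments
            continue
        stop = line.startswith("!")           # '!': stop once this line matches
        if stop:
            line = line[1:].lstrip()
        unix, sep, rhs = line.partition("=")
        if not sep or not unix.strip():
            continue                          # not a mapping line
        # posix=False keeps the backslash in DOMAIN\user literal and
        # keeps quoted names with spaces together (quotes stripped below).
        clients = [c.strip('"') for c in shlex.split(rhs, posix=False)]
        entries.append((unix.strip(), clients, stop))
    return entries

def map_client_name(entries, client):
    """Apply every line in order; a later match overrides an earlier one."""
    name, mapped = client, False
    for unix, clients, stop in entries:
        # Assumption: names are compared case-insensitively; "*" matches any name.
        if any(c == "*" or c.lower() == name.lower() for c in clients):
            name, mapped = unix, True
            if stop:
                break
    return name, mapped

if __name__ == "__main__":
    entries = parse_username_map(SAMPLE_MAP)
    for who in (r"TOTALFLOOD\scarville", r"TOTALFLOOD\Backup Operator"):
        print(who, "->", map_client_name(entries, who))
```

In this constructed map the `stephen` line has no leading `!`, so processing continues and the trailing `guest = *` line remaps the same client to `guest`; the `!backup` line stops at its own match.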