[Samba] Samba does not work with new AD groups

Don Meyer dlmeyer at uiuc.edu
Thu Feb 16 15:36:50 GMT 2006


At 08:25 AM 2/15/2006, Parker, Michael wrote:
>I've configured a system to authenticate with an AD 2k3 domain (all
>domain controllers have SP1) using winbind.  I have joined the server to
>the domain as well. I created some shares to work with AD groups.
>Here's a quick snippet of a share from my smb.conf file:
>
>
>[test]
>         comment = test share for winbind testing
>         path = /u01/test
>         write list = @ll_main/rhmps
>
>
>The problem I have is if I tell the write list command to use an
>existing AD group which I am already a member of, I can write to the
>share.  If on the other hand, I create a new AD group, add my user
>account to the group, then tell the write list to use the new group, I
>cannot write to the share.  I have rebooted my test workstations, tried
>writing to the share from multiple XP (SP2), workstations logged out/in,
>and rebooted my smb server.  Nothing seems to help and I'm not seeing
>anything in any logs to explain the problem.
>
>My samba server is a redhat 3.0 box with update 5.  The samba version is
>samba-3.0.9-1.3E.5

A couple of things to check:

1) Is your new group "available" for use on your RHEL3 box?  That is, 
can you find it in your group listings:  "wbinfo -g" or "getent group"?

2) Look at the group's entry in the output from the command "getent 
group" -- are the group members what you expect from your AD?

3) Does your [test] resource have a "valid users =" line?   (Without, 
default is anyone can connect...)   If so, does the membership 
specified on this line include the users in your "write list =" 
line?    (Doesn't have to specify the same group as your "write 
list=" line, but users specified here should also have access granted 
via inclusion in the set specified on your "valid users=" line.)

E.g.
         valid users = "@Domain Users"
         write list = "@Subset_of_users"




Don Meyer                                           <dlmeyer at uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

   "They that can give up essential liberty to obtain a little temporary safety,
         deserve neither liberty or safety."     -- Benjamin Franklin, 1759 
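
The three checks from the reply above (group visible to NSS, user listed in the group, user also covered by "valid users"), as an added shell example that is not part of the original message. The function names, the GROUP_DUMP override and the sample users are assumptions made for illustration; the default data source is the real "getent group" command.

```shell
#!/bin/sh
# Added example, not from the original thread.
# GROUP_DUMP is the command that lists groups; the default is the real
# "getent group". Set GROUP_DUMP=sample_groups to run offline.
GROUP_DUMP=${GROUP_DUMP:-getent group}

# Constructed sample in "getent group" format (users are made up).
sample_groups() {
    cat <<'EOF'
ll_main/domain users:x:10000:ll_main/mparker,ll_main/dmeyer
ll_main/rhmps:x:10001:ll_main/mparker
ll_main/newgroup:x:10002:
ll_main/staff:x:10003:ll_main/dmeyer
EOF
}

# Print the member field of group $1; return 1 if NSS cannot see it.
group_members() {
    $GROUP_DUMP | G="$1" awk -F: '
        $1 == ENVIRON["G"] { print $4; found = 1 }
        END { exit !found }'
}

# Return 0 when user $2 is listed as a member of group $1.
is_member() {
    members=$(group_members "$1") || return 1
    case ",$members," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_share USER WRITE_GROUP [VALID_GROUP]
# 0 = ok, 1 = write group not visible, 2 = user not in write group,
# 3 = user not in the "valid users" group.
check_share() {
    group_members "$2" >/dev/null || { echo "group '$2' not visible"; return 1; }
    is_member "$2" "$1" || { echo "'$1' not in '$2'"; return 2; }
    if [ -n "${3:-}" ]; then
        is_member "$3" "$1" || { echo "'$1' not in '$3'"; return 3; }
    fi
    echo "ok"
}
```

On a live winbind host, leave GROUP_DUMP unset and pass the names exactly as "getent group" prints them, including the domain prefix and separator.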


