[Samba] Samba does not work with new AD groups

Parker, Michael Michael.Parker at AcuityBrands.com
Thu Feb 16 15:48:35 GMT 2006

Thank you for your suggestions.  I did all below and no luck, but I
found the answer.  My mapping files are located in /var/cache/samba.  I
discovered if I deleted the dir and created an empty dir of the same
name, it all worked.


-----Original Message-----
From: samba-bounces+michael.parker=lithonia.com at lists.samba.org
[mailto:samba-bounces+michael.parker=lithonia.com at lists.samba.org] On
Behalf Of Don Meyer
Sent: Thursday, February 16, 2006 10:37 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Samba does not work with new AD groups

At 08:25 AM 2/15/2006, Parker, Michael wrote:
>I've configured a system to authenticate with an AD 2k3 domain (all
>domain controllers have SP1) using winbind.  I have joined the server
>the domain as well. I created some shares to work with AD groups.
>Here's a quick snippet of a share from my smb.conf file:
>         comment = test share for winbind testing
>         path = /u01/test
>         write list = @ll_main/rhmps
>The problem I have is if I tell the write list command to use an
>existing AD group which I am already a member of, I can write to the
>share.  If on the other hand, I create a new AD group, add my user
>account to the group, then tell the write list to use the new group, I
>cannot write to the share.  I have rebooted my test workstations, tried
>writing to the share from multiple XP (SP2), workstations logged
>and rebooted my smb server.  Nothing seems to help and I'm not seeing
>anything in any logs to explain the problem.
>My samba server is a redat 3.0 box with update 5.  The samba version is

A couple of things to check:

1) Is your new group "available" for use on your RHEL3 box?  That is, 
can you find it in your group listings:  "wbinfo -g" or "getent group"?

2) Look at the group's entry in the output from the command "getent 
group" -- are the group members what you expect from your AD?

3) Does your [test] resource have a "valid users =" line?   (Without, 
default is anyone can connect...)   If so, does the membership 
specified on this line include the users in your "write list =" 
line?    (Doesn't have to specify the same group as your "write 
list=" line, but users specified here should also have access granted 
via inclusion in the set specified on your "valid users=" line.)

         valid users = "@Domain Users"
         write list = "@Subset_of_users"

Don Meyer                                           <dlmeyer at uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

   "They that can give up essential liberty to obtain a little 
temporary safety,
         deserve neither liberty or safety."     -- Benjamin Franklin,

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list