[Samba] Group Permission issue via winbindd?

Doug Sampson dougs at dawnsign.com
Fri Jul 14 23:26:00 GMT 2006


Users are having trouble accessing Samba shares via winbindd in a NT domain.
If the 'valid users' parameter for a share contained the user name for
example as follows:

   valid users = DSP-John 

Then John who is a member of the DSP domain can access the share. If John is
a member of a domain group called DSP-production, and the 'valid users'
parameter is as follows:

   valid users = DSP-production

He cannot access the share. I have tried this parameter with and without the
'@' sign to no avail.

This occurred after upgrading to 3.0.23 from 3.0.22 on a FreeBSD 6.1 server.
This also occurs on another FreeBSD 5.4 server. Both are role server members
bouncing user authentications off WinNT PDC/BDCs.

I fixed the old nss_winbind.so library issue which got rid of some errors
but I still am faced with the issue of group authentication. 'wbinfo -u' and
'wbinfo -g' reports information correctly. 'id DSP-John' appears to provide
domain user information for that user including group membership.

/var/log/messages reports the following error:
Jul 14 15:57:00 aries winbindd[2705]: [2006/07/14 15:57:00, 0]
rpc_client/cli_pipe.c:cli_rpc_pipe_open_ntlmssp_internal(2356)
Jul 14 15:57:00 aries winbindd[2705]:   cli_rpc_pipe_open_ntlmssp_internal:
cli_rpc_pipe_bind failed with error NT_STATUS_NETWORK_ACCESS_DENIED

There is some information related to handling groups in the Release Notes
for Samba 3.0.23. Am I being affected by that?

~Doug


More information about the samba mailing list