[Samba] Permission denied errors when accessing shares on second DC after upgrade to 3.0.23c

Marc Muehlfeld Marc.Muehlfeld at medizinische-genetik.de
Wed Nov 15 21:28:37 GMT 2006 

Hello,

since updating Samba from 3.0.22 to 3.0.23c I have trouble accessing
shares on my first DC from computers out of my second domain.

I have two DomainControllers (MUC, PASING). On both DC I have a
domaingroup "zyto" (mapped name is "Zytogenetik") with gid=202 and a user
muehlfeld with uid=1061. Passdb are different ldap subtrees. The SIDs of
the group and the user differs, because of the different Domain-SID. Both
domains trust each other.

I have a share "MetaSetup" on my DC of domain MUC. From any workstation on
MUC I can access it like before I updated to 3.0.23c, but from
workstations out of domain PASING, I get a "Permission denied" error.

The logfile now shows me at debug level 10:
chdir (/shares/MetaSystems/MetaSetup) failed

But im able to enter this directory, because my user is in group zyto:

# la -d /shares/MetaSystems/MetaSetup
drwxrws---  25 zytogenetik zyto 736 Nov  7 13:05
/shares/MetaSystems/MetaSetup

This is the section for this share:

[MetaSetup]
        path = /shares/MetaSystems/MetaSetup
        browseable = yes
        force create mode = 0660
        force directory mode = 2770
        guest ok = no
        #valid users = +"MUC\Zytogenetik" +"PASING\Zytogenetik"
        #invalid users =

When I enable "in/valid users", like it was before, i don`t get the
permission denied error, I get a request window for username and password.
If I logon there with PASING\muehlfeld, I can enter the share. But I need
the automatic mapping again, because the share is mapped in logonscript.

Yesterday I tried out some different settings (set sambaGroupType from 2
to 4) and changed valid users to "+Zytogenetik", and it worked after a
reload. Then I did a restart without changing anything else, and it quit
working again. I tried to reproduce this, and got the same after many
retries again. But happens very sporadically.


Best regards Marc


PS: I think winbind could be a better way to do, but I tried and was only
able to get users and groups from the other domain, not from the own, when
I run it on my DC. Is this planed for future releases?



-- 
Marc Muehlfeld
Zentrum fuer Humangenetik und Laboratoriumsmedizin Dr. Klein und Dr. Rost
Lochhamer Str. 29 - D-82152 Martinsried
Telefon: +49(0)89/895578-0 - Fax: +49(0)89/895578-78
http://www.medizinische-genetik.de

More information about the samba mailing list