[Samba] Problem With Groups in Samba 3.0.23 ?

Michael Casale mcasale at knoa.com
Fri Nov 17 18:05:08 GMT 2006

Hi all,




I just upgraded a test copy of my samba server from version 3.0.10E to
the latest, 3.0.23D - the RPM available for Red Hat AS4 on the samba.org
site. There was no samba-common, just samba, samba-client and
samba-winbind RPMs. I installed all three successfully. I backed up my
configs before hand and replaces / adapted them afterwards. I
successfully added this server to the domain after upgrade with the net
ads join command.




The problem: Group emulation is not working. I can access shares where
my account is specifically listed in the  "valid users" settings in the
smb.conf file for the share (NYC-14\mcasale), but not if my group is
listed (NYC-14\Staff or NYC-14\Domain Admins).




Wbinfo -g shows all the groups, and wbinfo -u shows all users. But for
some reason on this test server, and on the live server, these commands
show the group or user names but the domain is never appended to the
beginning. The live, un-updated server always has had this output yet
works fine, though. Just thought I should mention this.




Klist shows tickets fine. I re-added this server to the domain after I
upgraded it.




Getent passwd and getent group works fine.




So, when I navigate to the server in Windows XP in network Neighborhood,
I can see all the shares. When I click on a share where I am
specifically listed under "valid users" it opens fine. When I click on a
share where my group is specifically listed in "valid users" it prompts
me for a username and password, which it never accepts, no matter how I
put it in.




I checked the log under /var/log/samba/mymachinename.log and it logs no
errors. I'm suprised.




Here is my smb.conf file:








# workgroup = NT-Domain-Name or Workgroup-Name


   workgroup = NYC-14


   netbios name = MAN


# MC Below 3 lines added to test Win2003 AD connection as per Red Hat
Docs Recommendations.


client schannel = no


client use spnego = yes 


server signing = auto


# server string is the equivalent of the NT Description field


   server string = TEST SAMBA SERVER 


   printcap name = /etc/printcap


   load printers = no




cups options = raw




log file = /var/log/samba/%m.log


   max log size = 50




# Security mode. Most people will want user level security. See


# security_level.txt for details.


   security = ads


   realm = nyc-14.knoa.com


# Use password server option only with security = server


   password server = 




# Most people will find that this option gives better performance.


# See speed.txt and the manual pages for details


   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192




# WINS Server - Tells the NMBD components of Samba to be a WINS Client


#     Note: Samba can be either a WINS Server, or a WINS Client, but NOT



   wins server =




# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names


# via DNS nslookups. The built-in default for versions 1.9.17 is yes,


# this has been changed in version 1.9.18 to no.


   dns proxy = no 




# Case Preservation can be handy - system default is _no_


# NOTE: These can be set on a per share basis


;  preserve case = no


;  short preserve case = no


# Default case is normally upper case for all DOS files


;  default case = lower


# Be very careful with case sensitivity - it can break things!


;  case sensitive = no




   idmap uid = 10000-20000


   idmap gid = 10000-20000


   winbind separator = \


   winbind enum users = yes


   winbind enum groups = yes


   template shell = /bin/false


   winbind use default domain = yes




#============================ Share Definitions


# backup depository




  comment = Backup Repository


  force create mode = 0777


  force directory mode = 6777


  path = /share1


  browseable = no


  writable = yes


  valid users = NYC-14\mcasale, NYC-14\administrator, NYC-14\sys_bak,
NYC-14\PDS$, NYC-14\RDS$, NYC-14\MXS$, "NYC-14\Domain Admins"






# bulk data storage for Development




  browsable = no


  force create mode = 0777


  force directory mode = 6777


#  path = /mnt/data/bulk


  path = /share2


  writable = yes


  guest ok = yes




# clients data




  browsable = yes


  comment = Clients of Knoa Software


  inherit permissions = yes


#  path = /mnt/data/clients


  path = /share3


  valid users = NYC-14\Staff, NYC-14\Extranet, NYC-14\administrator,
"NYC-14\Domain Admins"


  writable = yes




# Engineering signing keys




  browseable = no


  # access to this share is controled via valid users list 


  force create mode = 0777


  force directory mode = 6777


#  path = /mnt/data/cspdid


  path = /share4


  valid users = NYC-14\Administrator, "NYC-14\Domain Admins"


  writable = yes




# file share for all company departments




   comment = Departamental File Share


   browseable = yes


   inherit permissions = yes


#   force create mode = 0777


#   force directory mode = 6777


#   path = /mnt/data/company


   path = /share5


   valid users = NYC-14\mcasale, NYC-14\Staff, NYC-14\tester,
NYC-14\Administrator, "NYC-14\Domain Admins"


   writable = yes


   inherit permissions = yes




# image depository




   comment = Disk Image Repository


 #  path = /mnt/data/image


   path = /share6


   browseable = yes 


   write list = NYC-14\mcasale, NYC-14\Administrator, "NYC-14\Domain




# intranet site files for access by the Intranet server VMC




#  path = "/mnt/data/company/Web Development/Intranet"


  path = /share7 


  browsable = no


  guest ok = yes


#  valid users = NYC-14\sys_web, NYC-14\vmc$




# server root - for backup only




#   path = /mnt/data


   path = /share8


   valid users = NYC-14\Services, root, NYC-14\Administrator,
"NYC-14\Domain Admins" NYC-14\mcasale


   browseable = no




# software library




  comment = Software Library


#  path = /mnt/data/software


  path = /share9


  valid users = NYC-14\Staff, NYC-14\Administrator


  write list = NYC-14\Administrator, "NYC-14\Domain Admins",






  comment = Operations Share 


#  path = /mnt/data/operations


  path = /share10


  valid users = NYC-14\Operations, NYC-14\Administrator


  write list = NYC-14\Operations, NYC-14\Administrator, "NYC-14\Domain
Admins", NYC-14\mcasale






  browseable = no


  comment = Visual Source Safe


  create mask = 0666


  directory mask = 0777


#  path = /mnt/data/vss


  path = /share11


  valid users = NYC-14\Staff, NYC-14\tester, NYC-14\Administrator,
"NYC-14\Domain Admins"


  writable = yes




# Users - public files of staff members




   comment = Personal File Repositories


#   create mask = 0666


#   directory mask = 0777


#   path = /mnt/data/profiles/public


   path = /share12


   valid users = NYC-14\Staff, NYC-14\administrator, "NYC-14\Domain


   writable = yes


   browseable = yes


#   inherit permissions = yes




# user profiles




 #  path = /mnt/data/profiles/%U


   path = /share13/%U


   create mask = 0666


   directory mask = 0777


   valid users = NYC-14\%U, "NYC-14\Domain Admins"


   writable = yes


   browseable = no


   inherit permissions = yes



Michael Casale

Systems Administrator / IT Manager

Knoa Software

mcasale at knoa.com <mailto:mcasale at knoa.com> 

Ph.  (212) 807-9608 ext. 6000

Fax  (212) 675-6121


More information about the samba mailing list