[Samba] Problem With Groups in Samba 3.0.23 ?

Michael Casale mcasale at knoa.com
Fri Nov 17 18:05:08 GMT 2006


Hi all,

 

 

 

I just upgraded a test copy of my samba server from version 3.0.10E to
the latest, 3.0.23D - the RPM available for Red Hat AS4 on the samba.org
site. There was no samba-common, just samba, samba-client and
samba-winbind RPMs. I installed all three successfully. I backed up my
configs beforehand and replaced / adapted them afterwards. I
successfully added this server to the domain after upgrade with the net
ads join command.

 

 

 

The problem: Group emulation is not working. I can access shares where
my account is specifically listed in the  "valid users" settings in the
smb.conf file for the share (NYC-14\mcasale), but not if my group is
listed (NYC-14\Staff or NYC-14\Domain Admins).

 

 

 

Wbinfo -g shows all the groups, and wbinfo -u shows all users. But for
some reason on this test server, and on the live server, these commands
show the group or user names but the domain is never appended to the
beginning. The live, un-updated server has always had this output yet
works fine, though. Just thought I should mention this.

 

 

 

Klist shows tickets fine. I re-added this server to the domain after I
upgraded it.

 

 

 

getent passwd and getent group both work fine.

 

 

 

So, when I navigate to the server in Windows XP in Network Neighborhood,
I can see all the shares. When I click on a share where I am
specifically listed under "valid users" it opens fine. When I click on a
share where my group is specifically listed in "valid users" it prompts
me for a username and password, which it never accepts, no matter how I
put it in.

 

 

 

I checked the log under /var/log/samba/mymachinename.log and it logs no
errors. I'm surprised.

 

 

 

Here is my smb.conf file:

 

 

 

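[global]

# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = NYC-14
   netbios name = MAN

# MC Below 3 lines added to test Win2003 AD connection as per Red Hat Docs Recommendations.
# NOTE(review): "client schannel = no" stops this host from offering the
# netlogon secure channel to the domain controllers, and "server signing = auto"
# offers SMB signing without requiring it. Once the AD join works, confirm
# whether "client schannel = auto" (the default) and "server signing = mandatory"
# can be used instead.
   client schannel = no
   client use spnego = yes
   server signing = auto

# server string is the equivalent of the NT Description field
   server string = TEST SAMBA SERVER
   printcap name = /etc/printcap
   load printers = no
   cups options = raw

# One log file per connecting client machine (%m); max log size is in kilobytes.
   log file = /var/log/samba/%m.log
   max log size = 50

# Security mode. Most people will want user level security. See
# security_level.txt for details.
   security = ads
   realm = nyc-14.knoa.com

# Use password server option only with security = server
# NOTE(review): the line above comes from the stock template; here the option
# is combined with security = ads, where it lists the domain controllers to
# contact.
   password server = 192.168.14.240 192.168.14.243

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#     Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
   wins server = 192.168.14.239

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
   dns proxy = no

# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
;  preserve case = no
;  short preserve case = no
# Default case is normally upper case for all DOS files
;  default case = lower
# Be very careful with case sensitivity - it can break things!
;  case sensitive = no

# Range of local uids/gids that winbind may allocate to domain users and groups.
   idmap uid = 10000-20000
   idmap gid = 10000-20000

# NOTE(review): smb.conf treats a trailing backslash as a line continuation, so
# keep the blank line that follows this entry. The backslash is also the
# built-in default separator, so the entry may be redundant - verify with
# testparm.
   winbind separator = \

   winbind enum users = yes
   winbind enum groups = yes
   template shell = /bin/false
# With this enabled, winbind presents accounts of its own domain without the
# domain prefix (presumably why wbinfo -u / -g print bare names - confirm).
   winbind use default domain = yes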

 

 

 

#============================ Share Definitions ==============================

 

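# backup depository
[backup]
  comment = Backup Repository
  path = /share1
# browseable = no only hides the share from listings; it is not access control.
  browseable = no
  writable = yes
# NOTE(review): 0777 forces every new file to be readable, writable and
# executable by all accounts on the server, and 6777 additionally sets the
# setuid and setgid bits on new directories. Confirm backups need this; a
# tighter mode keeps local accounts outside valid users away from the data.
  force create mode = 0777
  force directory mode = 6777
# NOTE(review): Domain Admins is a group; smb.conf(5) documents the @ / +
# prefixes for group entries in this list - confirm an unprefixed name still
# matches on 3.0.23.
  valid users = NYC-14\mcasale, NYC-14\administrator, NYC-14\sys_bak, NYC-14\PDS$, NYC-14\RDS$, NYC-14\MXS$, "NYC-14\Domain Admins"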

 

 

 

 

 

# bulk data storage for Development
[bulk]
#  path = /mnt/data/bulk
  path = /share2
  browsable = no
# NOTE(review): guest ok = yes lets clients connect without a password, the
# share is writable, and the forced modes make everything created here
# world-accessible (6777 also sets setuid/setgid on new directories).
# browsable = no only hides the share name. Confirm anonymous write access
# is intended.
  guest ok = yes
  writable = yes
  force create mode = 0777
  force directory mode = 6777

 

 

 

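# clients data
[Clients]
  comment = Clients of Knoa Software
#  path = /mnt/data/clients
  path = /share3
  browsable = yes
  writable = yes
# New files and directories take their permission bits from the parent
# directory.
  inherit permissions = yes
# NOTE(review): Staff and Domain Admins are groups; smb.conf(5) documents the
# @ / + prefixes for group entries in this list - confirm unprefixed names
# still match on 3.0.23.
  valid users = NYC-14\Staff, NYC-14\Extranet, NYC-14\administrator, "NYC-14\Domain Admins"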

 

 

 

# Engineering signing keys
[CSPDID]
#  path = /mnt/data/cspdid
  path = /share4
# Hidden from share listings; access to this share is controlled via the
# valid users list.
  browseable = no
  valid users = NYC-14\Administrator, "NYC-14\Domain Admins"
  writable = yes
# NOTE(review): for key material these forced modes are very permissive:
# 0777 makes every new file readable and writable by all accounts on the
# server, and 6777 adds setuid/setgid to new directories. The valid users
# list only governs SMB connections, not the on-disk permissions.
  force create mode = 0777
  force directory mode = 6777

 

 

 

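# file share for all company departments
[Company]
   comment = Departamental File Share
#   path = /mnt/data/company
   path = /share5
   browseable = yes
   writable = yes
# Listed once; the original repeated this entry at the end of the section.
   inherit permissions = yes
#   force create mode = 0777
#   force directory mode = 6777
# NOTE(review): Staff and Domain Admins are groups; smb.conf(5) documents the
# @ / + prefixes for group entries in this list - confirm unprefixed names
# still match on 3.0.23.
   valid users = NYC-14\mcasale, NYC-14\Staff, NYC-14\tester, NYC-14\Administrator, "NYC-14\Domain Admins"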

 

 

 

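# image depository
[image]
   comment = Disk Image Repository
#  path = /mnt/data/image
   path = /share6
   browseable = yes
# No writable / read only entry and no valid users list: the share keeps
# Samba's read-only default, connections are not restricted to named
# accounts, and only the write list entries get write access.
   write list = NYC-14\mcasale, NYC-14\Administrator, "NYC-14\Domain Admins"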

 

 

 

# intranet site files for access by the Intranet server VMC
[intranet]
#  path = "/mnt/data/company/Web Development/Intranet"
  path = /share7
# NOTE(review): guest ok = yes lets clients connect without a password, and
# browsable = no only hides the share from listings. The commented-out
# valid users line below would limit the share to the two listed accounts.
  guest ok = yes
  browsable = no
#  valid users = NYC-14\sys_web, NYC-14\vmc$

 

 

 

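# server root - for backup only
[home]
#   path = /mnt/data
   path = /share8
   browseable = no
# No writable / read only entry, so the share keeps Samba's read-only default.
# NOTE(review): the list includes the local root account; confirm that SMB
# logons as root are really required for the backup job.
   valid users = NYC-14\Services, root, NYC-14\Administrator, "NYC-14\Domain Admins", NYC-14\mcasale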

 

 

 

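# software library
[Software]
  comment = Software Library
#  path = /mnt/data/software
  path = /share9
# NOTE(review): Staff is a group; smb.conf(5) documents the @ / + prefixes for
# group entries in this list - confirm an unprefixed name still matches on
# 3.0.23.
  valid users = NYC-14\Staff, NYC-14\Administrator
# valid users decides who may connect at all; Domain Admins and mcasale are
# in the write list only, so they need to be covered by valid users (for
# example through Staff membership) to reach the share.
  write list = NYC-14\Administrator, "NYC-14\Domain Admins", NYC-14\mcasale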

 

 

 

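[Operations]
  comment = Operations Share
#  path = /mnt/data/operations
  path = /share10
  valid users = NYC-14\Operations, NYC-14\Administrator
# valid users decides who may connect at all; Domain Admins and mcasale are
# in the write list only, so they need to be covered by valid users to reach
# the share.
  write list = NYC-14\Operations, NYC-14\Administrator, "NYC-14\Domain Admins", NYC-14\mcasale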

 

 

 

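[VSS]
  comment = Visual Source Safe
#  path = /mnt/data/vss
  path = /share11
  browseable = no
  writable = yes
# NOTE(review): these masks permit world read/write bits on new files (0666)
# and world rwx on new directories (0777); confirm the source repository
# needs to be open to every account on the server.
  create mask = 0666
  directory mask = 0777
# NOTE(review): Staff and Domain Admins are groups; smb.conf(5) documents the
# @ / + prefixes for group entries in this list - confirm unprefixed names
# still match on 3.0.23.
  valid users = NYC-14\Staff, NYC-14\tester, NYC-14\Administrator, "NYC-14\Domain Admins"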

 

 

 

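# Users - public files of staff members
[Users]
   comment = Personal File Repositories
#   path = /mnt/data/profiles/public
   path = /share12
   browseable = yes
   writable = yes
#   create mask = 0666
#   directory mask = 0777
#   inherit permissions = yes
# NOTE(review): Staff and Domain Admins are groups; smb.conf(5) documents the
# @ / + prefixes for group entries in this list - confirm unprefixed names
# still match on 3.0.23.
   valid users = NYC-14\Staff, NYC-14\administrator, "NYC-14\Domain Admins"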

 

 

 

# user profiles
# NOTE(review): confirm that Samba substitutes %U inside a section name; the
# [homes] section is the documented way to publish one share per user.
[%U]
#  path = /mnt/data/profiles/%U
   path = /share13/%U
   browseable = no
   writable = yes
# Each user's own account plus Domain Admins.
   valid users = NYC-14\%U, "NYC-14\Domain Admins"
# NOTE(review): the masks permit world read/write bits on profile data, and
# per smb.conf(5) inherit permissions takes precedence over them - confirm
# which of the two is meant to apply.
   inherit permissions = yes
   create mask = 0666
   directory mask = 0777

 

 

Michael Casale

Systems Administrator / IT Manager

Knoa Software

mcasale at knoa.com <mailto:mcasale at knoa.com> 

Ph.  (212) 807-9608 ext. 6000

Fax  (212) 675-6121

 


