Nathan VanHoudnos vanhoudn at uiuc.edu
Wed Dec 12 20:21:43 GMT 2007


I'm running Samba Version 3.0.25c on Solaris 10 8/07 on X86 hardware.
It's successfully joined to AD. 

But, and there always is a but, if :
 * A user is a member of SomeGroup
 * and the share alllows SomeGroup to access it
 * and SomeGroup is NOT what the user has set as their Primary Group in
Active Directory 
 * Samba will recognize that the user can access the share
 * but, vfs_ChDir will fail  

Consider a user, "vanhoudn", whose primary group is "WSG Staff". 
If the share config is set to:
   path = "/export/arrakis"
   comment = "Arraken Test share"
   writeable = yes     
   valid users = @"UIUC+domain users"
   vfs objects = zfsacl
   nfs4: mode = special

The logs will spit out: 
[2007/12/12 10:09:17, 10] smbd/share_access.c:(232)
  user_ok_token: share arrakis is ok for unix user UIUC+vanhoudn
[2007/12/12 10:09:17, 10] smbd/share_access.c:(274)
  is_share_read_only_for_user: share arrakis is read-write for unix user

Which is good. And, we can see that samba is correctly finding all of
the groups that this user is a member of... 

[2007/12/12 10:09:17, 5] auth/auth_util.c:(474)
  UNIX token of user 10000
  Primary group is 10031 and contains 58 supplementary groups
  Group[  0]: 10007
  Group[  1]: 10008

But, the access to the share will fail. The logs throw out this:

[2007/12/12 10:09:17, 5] smbd/uid.c:(273)
  change_to_user uid=(0,10000) gid=(0,10031)
[2007/12/12 10:09:17, 4] smbd/vfs.c:(665)
  vfs_ChDir to /export/arrakis
[2007/12/12 10:09:17, 4] smbd/vfs.c:(665)
  vfs_ChDir to /export/arrakis
[2007/12/12 10:09:17, 0] smbd/service.c:(184)
  chdir (/export/arrakis) failed
[2007/12/12 10:09:17, 3] smbd/error.c:(106)
  error packet at smbd/process.c(991) cmd=50 (SMBtrans2)

And I don't think it's because of filesystem permissions. ls gives: 
  drwxrwx---   2 root     UIUC+domain users       8 Dec  4 14:12 arrakis

The last log entry remains the same if the "vfs objects = zfsacl" and
"nfs4: mode = special" lines are there or not. 

Any help would be greatly appreciated. 


Nathan VanHoudnos

