[Samba] samba3.0.23d group permissions problem

Vladimir Orlic vorlic at ucsd.edu
Wed Jan 3 19:57:21 GMT 2007

I have installed samba 3.0.23d on FreeBSD 6.1. It is running with
"security = ads". The plan is to replace the current server running
Samba 3.0.14a on FreeBSD 5.3 in the Windows 2003 domain.

I have successfully joined the domain and can list users and groups (I
did notice that when I review Computer Properties under the Operating
System tab it does not list Samba and the corresponding version like
before (Windows DC box, Active Directory Users and Computers)).

The problem is that for some groups, permissions are not honored when
accessing a share from Windows XP clients. If I ssh to the server,
permissions work as expected and I can access those files. For example:

id testuser
uid=11111(testuser) gid=11195(systems) groups=11195(systems), 0(wheel),
10512(domain admins), 10513(domain users), 11137(cpo), 11191(physical),
11194(records), 11205(vpn users), 11666(fao), 12023(webpages), 10000,

pw group show wheel

pw group show records

drwsrwx---    4 root  avc         512 Nov 23  2004 AVC
drwsrwx---  155 root  analysis   5120 Dec 14 11:49 Analysis
drwsrwx---   45 root  capital    2048 Dec 27 13:59 Capital
drwxrwx---    5 root  community   512 Dec 27 13:59 Community
drwxrwx---   14 root  wheel       512 Jun  8  2006 Financial
drwxrwx---   35 root  physical   1024 Dec 27 13:59 Physical
drwsrwx---   10 root  cpo        1024 Dec 27 13:59 Planning
drwxrwx---   24 root  records    1024 Dec 27 13:59 Records
drwxrwx---   11 root  systems     512 Dec 29 10:45 Systems

If I try accessing the Planning or Systems folder I have no problems. If
I try accessing the Records or Financial folders I get a "...Records is
not accessible. Access is denied" error even though I am a member of
both the wheel and records groups. The Advanced Security Settings tab on
the Windows client displays the proper access privileges.

I can cd to both folders when I ssh in to the server as testuser.

If I use the Windows DC to change testuser's primary group to records, I
can get into the Records folder.

id testuser
uid=11111(testuser) gid=11194(records) groups=11194(records), 0(wheel),
10512(domain admins), 10513(domain users), 11137(cpo), 11191(physical),
11195(systems), 11205(vpn users), 11666(fao), 12023(webpages), 10000,

I've tried creating a new account with membership only in the records
group, but access fails unless I set the primary group to records.

I've seen the post by Cameron Murdoch on Dec 06, so this might be a
FreeBSD-related issue. Any help would be greatly appreciated.

My smb.conf is as follows:
	workgroup = XXX
	realm = XXX.YYY.ZZZ
	security = ads
	encrypt passwords = yes
	log file = /var/log/samba/log.%m
	max log size = 50
	load printers = no

	socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384

	allow trusted domains = no
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	winbind enum users = yes
	winbind enum groups = yes
	template shell = /usr/local/bin/bash
	winbind cache time = 3600
	winbind nested groups = yes
	winbind use default domain = yes

	syslog only = yes

#===Share Definitions ==============================
	browseable = yes
	writable = yes
	path = /usr/smbmnt/Files
	printable = no


Vladimir Orlic
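The behaviour described in the post can be checked against the plain Unix mode bits with this small access simulator, added here as an example and not part of the original post: it parses the `id testuser` and `ls -l` lines quoted above (re-typed inline as constructed sample data) and reports which directories the user may enter. The `max_groups` parameter is an assumption of mine, there to model a server-side process that holds fewer supplementary groups than `id` reports.

```python
import re

# Constructed from the `id testuser` output in the post (trailing entry elided there).
ID_OUTPUT = ("uid=11111(testuser) gid=11195(systems) groups=11195(systems), 0(wheel), "
             "10512(domain admins), 10513(domain users), 11137(cpo), 11191(physical), "
             "11194(records), 11205(vpn users), 11666(fao), 12023(webpages), 10000,")

# Constructed from the directory listing in the post (subset of the rows).
LS_OUTPUT = """\
drwsrwx---    4 root  avc         512 Nov 23  2004 AVC
drwxrwx---   14 root  wheel       512 Jun  8  2006 Financial
drwsrwx---   10 root  cpo        1024 Dec 27 13:59 Planning
drwxrwx---   24 root  records    1024 Dec 27 13:59 Records
drwxrwx---   11 root  systems     512 Dec 29 10:45 Systems
"""

def parse_id(text):
    """Return (user, primary_group, [named supplementary groups]) from `id` output."""
    user = re.search(r"uid=\d+\(([^)]+)\)", text).group(1)
    primary = re.search(r"gid=\d+\(([^)]+)\)", text).group(1)
    groups = re.findall(r"\d+\(([^)]+)\)", text.split("groups=", 1)[1])
    return user, primary, groups

def parse_ls(text):
    """Return {name: (mode_string, owner, group)} from `ls -l` lines."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 8)
        if len(parts) == 9:
            entries[parts[8]] = (parts[0], parts[2], parts[3])
    return entries

def can_enter(mode, owner, group, user, groups):
    """Classic Unix check: owner class, else group class if user is in the
    directory's group, else other; entering a directory needs r and x (s = x+setgid)."""
    if user == owner:
        bits = mode[1:4]
    elif group in groups:
        bits = mode[4:7]
    else:
        bits = mode[7:10]
    return bits[0] == "r" and bits[2] in "xs"

def accessible_dirs(id_text, ls_text, max_groups=None):
    """Sorted names of directories the user may enter. max_groups (an assumed
    knob, not a Samba or FreeBSD setting) truncates the supplementary list."""
    user, primary, groups = parse_id(id_text)
    if max_groups is not None:
        groups = groups[:max_groups]
    effective = {primary, *groups}
    return sorted(name for name, (mode, owner, grp) in parse_ls(ls_text).items()
                  if can_enter(mode, owner, grp, user, effective))
```

With the full group list the simulator admits Financial, Planning, Records and Systems, matching the ssh result in the post, while a primary-group-only view (`max_groups=0`) admits only Systems; the Samba-side denial of Records and Financial is therefore not explained by the mode bits alone.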