[Samba] Can't access dirs with subgroups of a samba share

Matt Ingram mingram at cbnco.com
Wed Jan 9 18:52:38 GMT 2008

Hi all!

Here's the problem we have since patching Monday night.  Tuesday morning 
Samba wasn't running, but started fine, and everything seemed to be working.

Were currently running samba3.0.24-2.23 and I believe before the patch 
we were running samba3.0.22-13.30.

We have some samba shares where we have subgroups that only a select 
group of people of the parent group are allowed to access.  For example:

The parent folder will be accessible to groupa with 770 permissions.

In the folder we will have a subfolder accessible to groupb only, also 
with 770.  (members of groupb belong to groupa)

The smb.conf for the giving share looks like this

        path = /usr/local/share/groups/share
        valid users = @groupa
        admin users = @smbadmin
       force group = groupa
        create mask = 0770
        directory mask = 0770

And these settings always worked fine.  Groupb users would be able to 
access their subfolder with no problems.  Since the night the patch was 
installed, this no longer happens.  In windows the user is getting the 
error message "M:\subfolder is not accessible. Access is Denied".

I've been double and triple checking all the permission and group 
memberships (all handled locally on the server), etc and everything 
looks fine.  I've also been looking in the samba logs and not seeing 
relating to the error.

I would appreciate any help/advice!

Here's what the smb.conf GLOBAL looks like:

        workgroup = WORKGROUP
        netbios name = SERVER
        server string = SERVER
        encrypt passwords = Yes
        map to guest = Bad User
        passwd program = /usr/bin/passwd
        name resolve order = wins lmhosts host bcast
        log level = 2
        log file = /var/log/log.smbd
        time server = Yes
        deadtime = 10
        load printers = Yes
        os level = 34
        preferred master = Yes
        domain master = No
        local master = Yes
        wins support = No
        wins server =
        remote browse sync =
        kernel oplocks = No
        read only = No
        browseable = Yes
        printing = lprng
        use client driver = Yes
        create mask = 0660
        directory mask = 0770
        unix extensions = no
        follow symlinks = yes
        smb ports = 139

Matt Ingram
Intermediate Unix Administrator, IS
Canadian Bank Note Company, Limited

