[Samba] Domain Member Groups

Robert Steinmetz rob at steinmetznet.com
Thu Jul 17 02:50:29 GMT 2008


We have two servers, one PDC and one Domain Member Server. I have been 
having problems with the Domain Member Server since a recent upgrade to 
Samba 3.0.28a on Ubuntu. Every time samba is restarted users lose access 
to the shares on the Member Server.

It appears to be related to group mapping. Users on the Domain Member 
(Louise) seem to be GID "users", not GID "samba" as expected and desired.

All of the shares are set to group samba and the PDC reports these mappings:

root at thelma:/home/rob# net groupmap list
System Operators (S-1-5-32-549) -> operator
Replicators (S-1-5-32-552) -> staff
Guests (S-1-5-32-546) -> nogroup
Domain Admins (S-1-5-21-4166445610-3302986456-3838465043-512) -> staff
Domain Guests (S-1-5-21-4166445610-3302986456-3838465043-514) -> nogroup
Power Users (S-1-5-32-547) -> atlanta
Print Operators (S-1-5-32-550) -> print
Administrators (S-1-5-32-544) -> staff
Account Operators (S-1-5-32-548) -> account
Domain Users (S-1-5-21-4166445610-3302986456-3838465043-513) -> samba
Backup Operators (S-1-5-32-551) -> backup
Users (S-1-5-32-545) -> samba

The PDC reports the correct users in the groups:

root at thelma:/home/rob# net rpc group members "Domain Users"
Password:
ATLANTA\arris
ATLANTA\administrator
ATLANTA\irving
ATLANTA\root
ATLANTA\rob
ATLANTA\debbie
ATLANTA\maria
ATLANTA\katie

The Member server can see the groups.

root at louise:/home/rob# wbinfo -g
BUILTIN\administrators
BUILTIN\users
ATLANTA\domain admins
ATLANTA\domain guests
ATLANTA\domain users

Most of the shares are in directory /files/Lucretia on the Member Server 
Louise.

root at louise:/home/rob# ls -ld /files/Lucretia/*
drwxrwsr-x  72 rob samba 16088 2008-03-28 16:25 Office
drwxrwsr-x  67 rob samba 14456 1969-12-31 19:00 Office.orig
drwxrwsr-x  50 rob samba  3992 2008-07-16 17:01 Projects
drwxrwsr-x   6 rob samba   304 2008-06-23 11:33 Sigma
drwxrwsr-x 308 rob samba 19712 2008-07-16 22:09 Windows

This used to work and I'd like to figure out what is going on and fix it.

Here are the globals for the PDC, which seem to be working fine. Users 
can access everything there without a problem.

[global]
        workgroup = ATLANTA
        server string = %h mail passwd server (Samba, Ubuntu)
        passdb backend = tdbsam
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        time server = Yes
        hostname lookups = Yes
        logon path = \\THELMA\%U\.profiles
        logon drive = U:
        logon home = \\THELMA\%U
        domain logons = Yes
        domain master = Yes
        preferred master = Yes
        security = user
        wins support = Yes
        panic action = /usr/share/samba/panic-action %d
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        hide dot files = No

Here is the Globals section for the Member Server:

[global]
        workgroup = ATLANTA
        server string = %h file server (Samba, Ubuntu)
        security = domain
        password server = *
        log level = 1
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        wins proxy = yes
        wins server = 192.168.1.24
        panic action = /usr/share/samba/panic-action %d
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template shell = /bin/bash
        name resolve order = wins bcast hosts
        hosts allow = 192.168.1.0/255.255.255.0

Here is a typical share definition:

[Projects]
        path = /files/Lucretia/Projects
        username = Project Specific Data
        force group = samba
        read only = No
        create mask = 0764
        directory mask = 0775

[Office]
        comment = General Office Data
        path = /files/Lucretia/Office
        force group = samba
        read only = No
        create mask = 0764
        directory mask = 0775

If I comment out the "force group" then users can access the files at 
the Unix "other" permissions, which do not have write privileges.


-- 
Robert Steinmetz, AIA
Principal
Steinmetz & Associates
