[Samba] Domain Member Groups
Robert Steinmetz
rob at steinmetznet.com
Thu Jul 17 02:50:29 GMT 2008
We have two servers, one PDC and one Domain Member Server. I have been
having problems with the Domain Member Server since a recent upgrade to
Samba 3.0.28a on Ubuntu. Every time samba is restarted users lose access
to the shares on the Member Server.
It appears to be related to group mapping. Users on the Domain Member
(Louise) seem to be GID "users", not GID "samba" as expected and desired.
All of the shares are set to group samba and the PDC reports these mappings:
root at thelma:/home/rob# net groupmap list
System Operators (S-1-5-32-549) -> operator
Replicators (S-1-5-32-552) -> staff
Guests (S-1-5-32-546) -> nogroup
Domain Admins (S-1-5-21-4166445610-3302986456-3838465043-512) -> staff
Domain Guests (S-1-5-21-4166445610-3302986456-3838465043-514) -> nogroup
Power Users (S-1-5-32-547) -> atlanta
Print Operators (S-1-5-32-550) -> print
Administrators (S-1-5-32-544) -> staff
Account Operators (S-1-5-32-548) -> account
Domain Users (S-1-5-21-4166445610-3302986456-3838465043-513) -> samba
Backup Operators (S-1-5-32-551) -> backup
Users (S-1-5-32-545) -> samba
The PDC reports the correct users in the groups:
root at thelma:/home/rob# net rpc group members "Domain Users"
Password:
ATLANTA\arris
ATLANTA\administrator
ATLANTA\irving
ATLANTA\root
ATLANTA\rob
ATLANTA\debbie
ATLANTA\maria
ATLANTA\katie
The Member server can see the groups.
root at louise:/home/rob# wbinfo -g
BUILTIN\administrators
BUILTIN\users
ATLANTA\domain admins
ATLANTA\domain guests
ATLANTA\domain users
Most of the shares are in directory /files/Lucretia on the Member Server
Louise.
root at louise:/home/rob# ls -ld /files/Lucretia/*
drwxrwsr-x 72 rob samba 16088 2008-03-28 16:25 Office
drwxrwsr-x 67 rob samba 14456 1969-12-31 19:00 Office.orig
drwxrwsr-x 50 rob samba 3992 2008-07-16 17:01 Projects
drwxrwsr-x 6 rob samba 304 2008-06-23 11:33 Sigma
drwxrwsr-x 308 rob samba 19712 2008-07-16 22:09 Windows
This used to work and I'd like to figure out what is going on and fix it.
Here are the globals for the PDC, which seem to be working fine. Users
can access everything there without a problem:
[global]
   workgroup = ATLANTA
   server string = %h mail passwd server (Samba, Ubuntu)
   passdb backend = tdbsam
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
   syslog = 0
   log file = /var/log/samba/log.%m
   max log size = 1000
   time server = Yes
   hostname lookups = Yes
   logon path = \\THELMA\%U\.profiles
   logon drive = U:
   logon home = \\THELMA\%U
   domain logons = Yes
   domain master = Yes
   preferred master = Yes
   security = user
   wins support = Yes
   panic action = /usr/share/samba/panic-action %d
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   hide dot files = No
Here is the Globals section for the Member Server:
[global]
   workgroup = ATLANTA
   server string = %h file server (Samba, Ubuntu)
   security = domain
   password server = *
   log level = 1
   syslog = 0
   log file = /var/log/samba/log.%m
   max log size = 1000
   wins proxy = yes
   wins server = 192.168.1.24
   panic action = /usr/share/samba/panic-action %d
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/bash
   name resolve order = wins bcast hosts
   hosts allow = 192.168.1.0/255.255.255.0
Here is a typical share definition:
[Projects]
   comment = Project Specific Data
   path = /files/Lucretia/Projects
   force group = samba
   read only = No
   create mask = 0764
   directory mask = 0775
[Office]
   comment = General Office Data
   path = /files/Lucretia/Office
   force group = samba
   read only = No
   create mask = 0764
   directory mask = 0775
If I comment out the "force group" then users can access the files at
the Unix "other" permissions, which do not have write privileges.
--
Robert Steinmetz, AIA
Principal
Steinmetz & Associates
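A consistency check for shares that rely on "force group", added here as an example (it is not code from the post above or from the Samba project). It parses an smb.conf fragment, an /etc/group file and an `ls -ld` listing, all constructed samples modelled on the post with assumed share names, paths and GIDs, and reports per share whether the forced group exists in the member server's group database and whether the share directory actually carries that group with the group-write and setgid bits set. A share whose forced group cannot be resolved on the member server, or whose directory belongs to a different group, is exactly the situation in which domain users drop to "other" permissions.

```python
"""Cross-check Samba 'force group' settings against the group database
and the on-disk ownership of each share path (added example, sample data)."""
import re

# Constructed smb.conf fragment; the third share is deliberately broken.
SMB_CONF = """\
[global]
   workgroup = ATLANTA
   security = domain

[Projects]
   comment = Project Specific Data
   path = /files/Lucretia/Projects
   force group = samba
   read only = No

[Office]
   comment = General Office Data
   path = /files/Lucretia/Office
   force group = samba

[Scratch]
   path = /files/Lucretia/Scratch
   force group = nosuchgroup
"""

# Constructed /etc/group of the member server (assumed sample GIDs).
ETC_GROUP = """\
root:x:0:
users:x:100:
samba:x:1001:rob,debbie
"""

# Constructed `ls -ld` output for the share directories (sample).
LS_OUTPUT = """\
drwxrwsr-x 50 rob samba 3992 2008-07-16 17:01 /files/Lucretia/Projects
drwxrwsr-x 72 rob users 16088 2008-03-28 16:25 /files/Lucretia/Office
drwxrwxr-x  6 rob samba   304 2008-06-23 11:33 /files/Lucretia/Scratch
"""


def normalise(key):
    """Samba matches parameter names ignoring case and whitespace."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Return {section: {normalised_param: value}} for an smb.conf fragment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][normalise(key)] = value.strip()
    return sections


def parse_group_db(text):
    """Return {group_name: gid} from /etc/group formatted text."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, gid, _members = line.split(":", 3)
            groups[name] = int(gid)
    return groups


def parse_ls(text):
    """Return {path: (mode_string, owner, group)} from `ls -ld` lines."""
    dirs = {}
    for line in text.splitlines():
        if line.strip():
            # mode links owner group size date time path; maxsplit keeps spaces in path
            fields = line.split(None, 7)
            dirs[fields[7]] = (fields[0], fields[2], fields[3])
    return dirs


def check_shares(sections, groups, dirs):
    """For each share with a force group, list what would stop domain users
    from writing through that group. An empty list means the share looks fine."""
    report = {}
    for name, params in sections.items():
        if name.lower() in ("global", "homes", "printers"):
            continue
        forced = params.get("forcegroup")
        if forced is None:
            continue
        problems = []
        if forced not in groups:
            problems.append(f"force group '{forced}' is not in the group database")
        entry = dirs.get(params.get("path", ""))
        if entry is None:
            problems.append(f"path {params.get('path')!r} not found in listing")
        else:
            mode, _owner, group = entry
            if group != forced:
                problems.append(f"directory is owned by group '{group}', not '{forced}'")
            if mode[5] != "w":            # group write bit
                problems.append("group write bit is not set on the directory")
            if mode[6] not in "sS":       # setgid shows as 's' or 'S' in the group exec slot
                problems.append("setgid bit is not set, new files will not inherit the group")
        report[name] = problems
    return report


def run_check():
    return check_shares(parse_smb_conf(SMB_CONF), parse_group_db(ETC_GROUP), parse_ls(LS_OUTPUT))


if __name__ == "__main__":
    for share, problems in run_check().items():
        print(f"[{share}] {'OK' if not problems else '; '.join(problems)}")
```

On a real member server the three constructed inputs would come from the live smb.conf, from `getent group` (so that groups supplied by winbind are included, not only /etc/group) and from `ls -ld` over the share paths; the parsers are written against those exact formats.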