[Samba] Samba and file system permissions (secondary/auxiliary/non-primary groups)

Tue Sep 2 20:59:14 GMT 2008

I have a problem with samba integrated with Active Directory (2003).
I wish to have one share containing different folders, and I wish access to
these folders to be controlled at the file-system level, so that if a
connecting user is in the group(s) specified on the file system he or
she is permitted access to that folder according to the folder's permissions.

I'm running Ubuntu 8.04.1, Likewise-open and Samba 3.0.28a.
I have successfully gotten to the point where samba recognises the
groups at the share level (valid users / write list) but not at the folder
level, unless the user's primary group is set to the folder's group -- i.e.
the user's secondary (supplementary) group membership is not being honoured
by the file-system permission check.

Can anyone shed any light as to why this is so?
I really need to be able to set permissions per folder by group in order
to directly replace a Windows file server.

Below are sanitised versions of my config files.

Thanks in advance for any help


   # Domain-member (AD) mode: smbd authenticates users against the domain
   # controllers of MYDOMAIN rather than a local password database.
   security = ads
   workgroup = MYDOMAIN

   # SID <-> uid/gid mapping is delegated to Likewise Open (lwopen).
   # NOTE(review): both ranges start at 50, which is inside the range Ubuntu
   # reserves for local system accounts (ids below 1000). Should a domain
   # SID ever be mapped onto an id that a local system account already uses,
   # that domain user becomes indistinguishable from the local account at the
   # file-system level. The usual recommendation is a range that cannot
   # overlap any local uid/gid -- confirm what lwopen actually hands out here.
   # NOTE(review): relevant to the secondary-group problem: directory-level
   # checks are made with the Unix token smbd builds for the user (uid,
   # primary gid and the supplementary gids returned for that user). If
   # `id MYDOMAIN\user` on this host lists only the primary group, only that
   # group can match a folder's group bits -- which matches the symptom
   # described above. Check `id` / `getent group MYDOMAIN\group` before
   # changing share options.
   idmap backend = lwopen
   idmap uid = 50 - 999999999
   idmap gid = 50 - 999999999

   server string = %h server (Samba, Ubuntu)
   # Name resolution via the domain's WINS server; no DNS fallback for
   # NetBIOS lookups.
   wins server = server1.mydomain.local
   dns proxy = no
   # Listen only on eth0, not on every interface the host has.
   interfaces = eth0
   bind interfaces only = true

   # One log per connecting client, rotated at 1000 KB, nothing to syslog.
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   # Script run when smbd/nmbd crash (%d = pid of the crashed daemon).
   panic action = /usr/share/samba/panic-action %d

   # Local account database (machine account / any local SMB users); domain
   # users are still authenticated via ADS above.
   passdb backend = tdbsam
   encrypt passwords = yes
   # Honour PAM account/session restrictions for SMB logins.
   obey pam restrictions = yes
   # root is never allowed to connect over SMB, even with valid credentials.
   invalid users = root
   # SMB password changes are not propagated to the Unix password store.
   unix password sync = no
   socket options = TCP_NODELAY
   # This host never competes to become domain master browser.
   domain master = no

   # Keep the DOS "inherit" flag on directories so Windows ACL inheritance
   # semantics survive a round trip through this server.
   map acl inherit = yes

   # Hide macOS metadata files (.DS_Store, ._* resource forks) from clients.
   veto files = /.DS_Store/._*/

   # Users must be referred to as MYDOMAIN\user; bare names stay local, which
   # avoids a domain account silently shadowing a local Unix account.
   winbind use default domain = no

#======================= Share Definitions =======================

# NOTE(review): the [sharename] header for this section appears to have been
# lost in sanitising; as pasted these keys would attach to whatever section
# precedes them.
# The share exports the whole of /srv/, so every directory below it is
# reachable by anyone in MYDOMAIN\group; any per-folder restriction has to
# come from the file-system modes/ACLs, which is the behaviour asked about.
path = /srv/
comment = DEV
# Not listed in browse lists; clients must know the share name.
browseable = no

# Only members of MYDOMAIN\group may connect, and the same group may write.
valid users = @MYDOMAIN\group
write list = @MYDOMAIN\group
writable = yes
# Defaults for newly created files/directories: owner+group rw, others read.
# NOTE(review): with `inherit permissions = yes` below, new entries mostly
# take their mode from the parent directory instead, so a world-readable
# parent yields world-readable children regardless of these masks -- confirm
# the top-level folder modes under /srv/ are what you intend.
create mask = 0775
directory mask = 0775

# No anonymous access.
guest ok = no
inherit permissions = yes
# Expose/accept Windows ACLs mapped onto the POSIX permissions.
nt acl support = yes

    # Second (presumably Likewise-generated) smb.conf for the same domain
    # member; the global options duplicate the first file where they overlap.
    workgroup = MYDOMAIN
    security = ads
    passdb backend = tdbsam
    # SMB over TCP/445 only; no NetBIOS name service. (The other file's
    # `wins server` setting is moot if this one is the active config.)
    disable netbios = yes

    # All SIDs are mapped by Likewise (lwopen); Samba may read but never
    # create mappings there.
    idmap domains = default
    idmap config default:default = yes
    idmap config default:backend = lwopen
    idmap config default:readonly = yes
    # Fallback allocator for ids lwopen cannot supply, kept in a local tdb.
    # NOTE(review): 9000-9999 sits inside the ordinary local-user id range on
    # Ubuntu (adduser defaults to 1000-29999), so a future local account could
    # collide with an id allocated here -- worth moving to a range no local
    # account can ever receive.
    idmap alloc backend = tdb
    idmap alloc config:range = 9000 - 9999
    # Cache lifetimes in seconds for positive/negative id lookups and winbind
    # queries. Group-membership changes made in AD may take up to `winbind
    # cache time` to become visible to folder permission checks.
    idmap cache time = 3600
    idmap negative cache time = 300
    winbind cache time = 900
    # Allow logons from cached credentials when no DC is reachable.
    # NOTE(review): this keeps credential material in winbind's cache tdb
    # under Samba's private directory; presumably that directory is root-only
    # -- verify.
    winbind offline logon = yes
    # Renew the user's Kerberos tickets before they expire.
    winbind refresh tickets = yes
    # Spaces and other characters not valid in Unix names are replaced by '^'.
    winbind replacement character = ^
    winbind normalize names = yes
    # Nested AD group membership is expanded up to 10 levels deep.
    # NOTE(review): if the folder group is reached only through nesting,
    # this is the setting that decides whether it shows up in the user's
    # supplementary groups -- TODO confirm via `id MYDOMAIN\user`.
    winbind expand groups = 10
    # Allow `getent passwd`/`getent group` to list the whole domain.
    # Only needed if something actually enumerates; it is expensive on large
    # domains and is not required for per-user/per-group lookups.
    winbind enum users = Yes
    winbind enum groups = Yes
    # Defaults used when AD provides no Unix attributes for an account.
    # NOTE(review): every domain user gets an interactive shell here; if this
    # host is meant to be a file server only, /bin/false (or a PAM access
    # restriction) would keep SMB access from implying shell access.
    template shell = /bin/bash
    template homedir = /home/%D/%U
    # Machine account password rotated every 30 days (2592000 s).
    machine password timeout = 2592000
    realm = MYDOMAIN.LOCAL
    # Use the system keytab for the machine credentials; presumably
    # /etc/krb5.keytab, which must stay readable by root only.
    use kerberos keytab = yes

    nt acl support = yes
    map acl inherit = yes
    veto files = /.DS_Store/._*/
    # uid/gid/shell/home are read from the SFU (msSFU30*) attributes in AD.
    # NOTE(review): with this setting, a user or group that has no SFU
    # attributes in AD gets no Unix identity at all; a folder group lacking
    # a gidNumber therefore cannot appear in anyone's supplementary groups.
    # Check the folder group's SFU attributes as part of diagnosing the
    # secondary-group problem.
    winbind nss info = sfu

