[Samba] Users cannot rename, delete files on AD-member Samba server

[Jeremy Allison]

On Fri, Apr 10, 2009 at 11:46:53AM -0400, Goldschrafe, Jeffrey wrote:
> Hi there!
> 
> I'm having some strange permissions issues with one of my systems that's
> on an Active Directory domain.
> 
> Here's the basic background:
> 
>  - System is joined to AD domain. Users authenticate fine via Kerberos,
> and are authorized via an AD user group. They can browse the share,
> create files, etc. without incident. "valid users" lets them in.
>  - User information for the system (nsswitch) comes out of LDAP. The
> LDAP is non-AD (a legacy OpenLDAP setup), but the usernames all line up
> and Samba can resolve each user's UID/GID and secondary groups without a
> problem.
>  - The share is semantically owned by a single Unix group.
>  - That security group is mapped in "net groupmap" to a Unix group. I'm
> not entirely sure if this is actually necessary.
>  - Share has "force create mode = 0664" and "force directory mode =
> 0775" to ensure that files are writable by the group by default.
> 
> When a user connects to the share using a Windows client (XP or Vista),
> they are unable to rename folders, and unable to rename or delete files.
> They are able to delete folders, as long as the folders do not contain
> any files. This means that when using Explorer to create a file or
> folder, it can be created with the default name (e.g. "New Folder" or
> "New Text Document.txt") but any attempt to assign a
> semantically-meaningful name will fail with an "access denied" error.
> This applies to renaming existing files as well, of course.
> 
> When the same user connects from a Mac or Linux client, through Finder,
> Dolphin or smbclient, the same exact operations work. The user can
> rename and delete just fine as long as it isn't from Windows.

We need to see level 10 logs of what is going on here before we
can determine the problem. What version of Samba are you using ?

Jeremy.