[Samba] Adding additional groups to a file.
Wojciech Giel
wojtekgiel at gmail.com
Tue Mar 31 20:23:57 GMT 2009
Hi,
I have installed and configured Samba as a PDC, with Heimdal Kerberos and
OpenLDAP as the backend for both, on Debian lenny. But I am stuck on groups.
I have created a file in my home directory, which is mapped to My Documents.
I can change the rwx permissions from both Linux and Windows and that works
perfectly, but the file's group is my default group. The file should also be
readable by users in the accounting and managers groups, but when I try to add
an additional group in the Security tab I get "access denied". What should I
do to be able to add additional groups?
thanx,
Wojciech
my
smb.conf
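# Global settings for a Samba domain controller (PDC) that keeps its accounts
# in LDAP. The [global] header was not shown in the post; it is added here so
# the section is explicit. Three parameters that the mail client had wrapped
# onto a second line (ldap admin dn, socket options, delete user from group
# script) are rejoined, because a wrapped value is not read as part of the
# parameter above it.
[global]
workgroup = EXAMPLE
netbios name = cannibal
server string = Linux PDC/KDC (Samba %v)
realm = EXAMPLE.COM
use kerberos keytab = yes
use spnego = yes
# One log file per client machine name (%m).
log file = /var/log/samba/%m.log
max log size = 1000
syslog = 1
# Debug-level verbosity; presumably raised while troubleshooting - lower it
# again afterwards.
log level = 4
utmp = Yes
guest account = nobody
# Failed logins are rejected instead of being mapped to the guest account.
map to guest = Never
# NOTE(review): every account listed here performs all file operations on
# every share as root, so Unix permission checks do not apply to them.
# 'enable privileges = yes' below allows individual rights to be granted to
# "Domain Admins" instead (net rpc rights grant), which is a narrower grant.
admin users = root addmachine vin @"Domain Admins"
enable privileges = yes
security = user
encrypt passwords = true
os level = 255
local master = yes
domain master = yes
preferred master = yes
domain logons = yes
keepalive = 30
time server = yes
preserve case = yes
short preserve case = yes
case sensitive = no
null passwords = no
logon script = %U.bat
logon path = \\cannibal\profiles$\%U\%a
logon drive = G:
logon home = \\cannibal\%U
# Listen only on eth0 and loopback, and accept clients only from 10.10.10.*
# and 127.*.
bind interfaces only = yes
interfaces = eth0, lo
hosts allow = 10.10.10. 127.
wins support = yes
dns proxy = yes
# Account database in LDAP, reached over ldaps://.
passdb backend = ldapsam:ldaps://cannibal.example.com/
# Samba binds to the directory as this DN. The bind password is kept in
# secrets.tdb (set with smbpasswd -w), so that file must stay readable by
# root only.
# NOTE(review): " at " is most likely the list archive's rewrite of "@";
# restore it before using this value - confirm against the real DN.
ldap admin dn = cn=ldapmaster/admin at EXAMPLE.COM,ou=KerberosPrincipals,dc=example,dc=com
# NOTE(review): this suffix differs from the dc=example,dc=com used in
# 'ldap admin dn' above; presumably the post was only partly anonymised.
# On the real system the two must refer to the same tree.
ldap suffix = dc=hogwarth,dc=edu
ldap group suffix = ou=groups
ldap user suffix = ou=KerberosPrincipals
ldap machine suffix = ou=computers
ldap idmap suffix = sambaDomainName=EXAMPLE
# LDAP traffic carries password hashes, so it is sent over TLS. Whether the
# server certificate is actually verified depends on the LDAP client
# library's own configuration - confirm.
ldap ssl = On
ldap delete dn = Yes
idmap backend = ldap:ldaps://cannibal.example.com/
idmap uid = 10000-25000
idmap gid = 10000-25000
Pam password change = yes
ldap passwd sync = yes
# NOTE(review): with 'unix password sync = no' the passwd program and passwd
# chat below are presumably not invoked - confirm.
unix password sync = no
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *New*password* %n *Retype*new*password* %n
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# Account-management hooks. "%u" and "%g" are quoted so that each name
# reaches the smbldap tool as a single argument.
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m -a "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
dos charset = cp852
unix charset = iso8859-2
display charset = LOCALE
# NOTE(review): 0 leaves anonymous (null-session) listing of users, groups
# and shares enabled. 1 or 2 tighten this; test against the domain's clients
# before changing it.
restrict anonymous = 0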
# Per-user home directory shares.
[homes]
comment = Home Directories
# %S is the share name, so only the user a home share is named after may
# connect to it.
valid users = %S
browseable = no
writable = yes
# NOTE(review): 'admin users' makes the listed user perform every file
# operation on the share as root. With %u that applies to each user inside
# their own home share, so Unix permission checks are bypassed there.
# Consider removing this line; it is not needed for a user to manage files
# they own.
admin users = %u
# NOTE(review): write list and read list name the same user, and the share
# is already writable - presumably both are redundant; confirm.
write list = %u
read list = %u
# Permission bits allowed on newly created files (0644) and directories
# (0755): group and others get read access at most, never write.
create mask = 0644
directory mask = 0755
# Logon-script share used for domain logons; read-only and hidden from
# browse lists.
[netlogon]
path = /samba/netlogon
writable = no
browseable = no
share modes = no
# NOTE(review): members of "Domain Admins" act as root on this share,
# presumably so they can maintain the logon scripts. A 'write list' entry
# would grant write access without running as root - confirm which is
# intended.
admin users = @"Domain Admins"
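# Roaming-profile share; 'logon path' in the global settings points clients
# at it.
[profiles]
path = /samba/profiles
# The post had typographic quotes with the @ inside them, which does not
# name a group. Written here the same way as in the other sections:
# @"Domain Admins".
valid users = %U, @"Domain Admins"
writeable = yes
# NOTE(review): with 'inherit permissions = yes' new files and directories
# take their mode from the parent directory, so the two masks below
# presumably have little effect. Profiles hold per-user registry data and
# documents; make sure each profile directory is not readable by other
# accounts.
inherit permissions = yes
create mask = 0644
directory mask = 0755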