[Samba] problem with force group parameter

Thu Nov 5 07:28:54 MST 2009

Hello!

I tryed to configure Debian Linux file server as Windows 2003 domain 
member using samba with security = ADS mode and stucked with such problem:

File server (fs) succesfully joined my domain with correct user and 
group mapping (i'm using idmap rid). Users from domain have their unix 
accounts with <DOMAIN_NAME>\ prefix, i.e for domain user "andrey" i have 
local unix user: 'DOMAIN\andrey':

fs:~# id DOMAIN\\andrey
uid=11118(DOMAIN\andrey) gid=10513(DOMAIN\пользователи домена) 
группы=10513(DOMAIN\пользователи домена),10512(DOMAIN\администраторы 
домена),11395(DOMAIN\сотрудники),10001(BUILTIN\users),10000(BUILTIN\administrators)

as you can see, user have uid=11118, primary group 
gid=10513('DOMAIN\пользователи домена' - 'DOMAIN\domain users' in 
english) and few supplementary groups.
Now i want to make a share restricted to use by users from one of 
supplementary groups, i.e. 11395(DOMAIN\сотрудники).
I created a directory:

fs:~# ls -l /home/sambashare/ | grep officepub
drwxrwx---   2 DOMAIN\admin    DOMAIN\сотрудники             4096 Окт 26 
20:28 officepub

and checked that i can access it localy via ssh:

fs:~# su DOMAIN\\andrey
DOMAIN\andrey at fs:/root$ cd /home/sambashare/officepub/
DOMAIN\andrey at fs:/home/sambashare/officepub$ touch file
DOMAIN\andrey at fs:/home/sambashare/officepub$ rm file

Next i added share definition in smb.conf with my group in 'force group' 
parameter:
...
[officepub]
        comment = Office Public Share
        path = /home/sambashare/officepub
        force group = +DOMAIN\сотрудники
        read only = No
        browseable = No

restarted samba, tried to access it via smbclient and got following error:

fs:~# smbclient '\\fs\officepub' -U DOMAIN\\andrey
Enter DOMAIN\andrey's password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.2.5]
smb: \> ls
NT_STATUS_NETWORK_ACCESS_DENIED listing \*

                0 blocks of size 0. 61680 blocks available
smb: \>

But in the same time i have similar working share with restriction by 
_primary_ group:

fs:~# id DOMAIN\\andrey
uid=11118(DOMAIN\andrey) gid=10513(DOMAIN\пользователи домена) 
группы=10513(DOMAIN\пользователи домена),10512(DOMAIN\администраторы 
домена),11395(DOMAIN\сотрудники),10001(BUILTIN\users),10000(BUILTIN\administrators)
fs:~# ls -l /home/sambashare/ | grep pub
drwxrwx---   2 DOMAIN\admin    DOMAIN\пользователи домена    4096 Ноя  4 
00:00 pub
fs:~# su DOMAIN\\andrey
DOMAIN\andrey at fs:/root$ cd /home/sambashare/pub/
DOMAIN\andrey at fs:/home/sambashare/pub$ touch file
DOMAIN\andrey at fs:/home/sambashare/pub$ exit
exit
fs:~# smbclient '\\fs\pub' -U DOMAIN\\andrey
Enter DOMAIN\andrey's password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.2.5]
smb: \> ls
  .                                   D        0  Thu Nov  5 17:02:01 2009
  ..                                  D        0  Wed Jun  3 18:22:47 2009
  file                                         0  Thu Nov  5 17:02:01 2009

                64000 blocks of size 8192. 28337 blocks available
smb: \>

So i've decided that problem is in the not working (or 
misundertandeted?) 'force group' parameter.

What did i do wrong and how to fix this?

Some technical information:

Distro used: Debian Lenny, kernel  2.6.26-2-amd64
Samba version: 3.2.5-4lenny6
Domain Controller: Windows Server 2003 R2 Enterprise Edition
smb.conf: http://pastebin.ca/1658364
Log file: http://pastebin.ca/1658368

P.S. Sorry for my english :-)

-- 
Andrey Zykov

e-mail: andrey at dce.ifmo.ru
jabber: zblk at jabber.org.