[Samba] Version 3.0.33-3.29.el5_5 + Winbind: UNIX group as valid users

Alberto Zigoni alberto.zigoni at gmail.com
Sat Sep 11 06:29:00 MDT 2010


I have set up a CentOS 5.5 VMware guest with Samba and Winbind for Active Directory integration, using GUI tools.

Authentication works flawlessly, with automatic home directory creation.

What I want to achieve now is using local UNIX groups to control access to shared folders.

smb.conf global section:

workgroup = COGITANS
password server = domainserver.hq.cogitans.it
realm = HQ.COGITANS.IT
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
; template homedir = /home/%D/%U
winbind use default domain = true
winbind offline logon = true


The share:

[finance]
comment = Storage condiviso per gruppo finance
path = /repositories/shared/finance
public = no
writable = yes
browseable = yes
valid users = +finance
;valid users = COGITANS\alberto
;force group = finance

'finance' is a local UNIX group where I added user 'COGITANS\alberto' (I also tried with 'alberto') as a secondary group (primary group is 'domain users' and it cannot be changed).
If I specify user COGITANS\alberto in valid users it works, i.e. only that user can access the share, the others get an NT_STATUS_ACCESS_DENIED error.

But if I use +finance, access is denied:

[2010/09/11 14:12:37, 10] smbd/share_access.c:user_ok_token(211)
User COGITANS\alberto not in 'valid users'
[2010/09/11 14:12:37, 2] smbd/service.c:make_connection_snum(617)
user 'COGITANS\alberto' (from session setup) not permitted to access this share (finance)
[2010/09/11 14:12:37, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
[2010/09/11 14:12:37, 5] lib/util.c:show_msg(506)
[2010/09/11 14:12:37, 5] lib/util.c:show_msg(516)

getent group:

finance:x:501:COGITANS\alberto

It seems like winbind cannot recognize finance as a local group. For the same reason, I guess, 'force group = finance' does not work either (files are created with 'domain users' group ownership).

My /etc/nsswitch.conf:

passwd: files winbind
shadow: files winbind
group: files winbind

Grants and ownership on the '/repositories/shared/finance' folder are

root:domain users with permissions 775

Any hints would be greatly appreciated.

Thanks in advance

Alberto
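
The smbd debug log in the message above, parsed into one record per refused share connection. This is an added example, not code from the poster or the Samba project. It assumes the two-line entry layout shown in the excerpt (header line, then message), and the function names are this example's own.

```python
import re

# Samba 3.x debug entries are a header line followed by message line(s):
#   [timestamp, level] source.c:function(line)
HEADER = re.compile(r"^\[([\d/]+ [\d:]+),\s*(\d+)\]\s+\S+:(\w+)\(\d+\)")
NOT_VALID = re.compile(r"User (.+?) not in 'valid users'")
DENIED = re.compile(r"user '([^']+)' \(from session setup\) not permitted "
                    r"to access this share \(([^)]+)\)")
STATUS = re.compile(r"\bNT_STATUS_\w+")

# Log excerpt from the post above (raw string: the account name has a backslash).
SAMPLE_LOG = r"""
[2010/09/11 14:12:37, 10] smbd/share_access.c:user_ok_token(211)
User COGITANS\alberto not in 'valid users'
[2010/09/11 14:12:37, 2] smbd/service.c:make_connection_snum(617)
user 'COGITANS\alberto' (from session setup) not permitted to access this share (finance)
[2010/09/11 14:12:37, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
[2010/09/11 14:12:37, 5] lib/util.c:show_msg(506)
"""

def parse_entries(text):
    """Attach each message line to the header line that precedes it."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            entries.append({"ts": m[1], "level": int(m[2]), "func": m[3], "msg": ""})
        elif line and entries:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def share_denials(text):
    """One record per refused share connection, with the failed check and status."""
    denials, failed_check = [], {}
    for e in parse_entries(text):
        if m := NOT_VALID.search(e["msg"]):
            failed_check[m[1]] = "valid users"      # remembered per user
        elif m := DENIED.search(e["msg"]):
            denials.append({"ts": e["ts"], "user": m[1], "share": m[2],
                            "check": failed_check.pop(m[1], None), "status": None})
        elif (m := STATUS.search(e["msg"])) and denials and denials[-1]["status"] is None:
            denials[-1]["status"] = m[0]
    return denials

if __name__ == "__main__":
    for d in share_denials(SAMPLE_LOG):
        print(d)
```

The "check" field is only filled when the log level is high enough to include the user_ok_token line (level 10 in the excerpt); at lower levels only the level 2 refusal and the status remain.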
