[Samba] AD and samba secondary group problems
Arif Ali
arifali1 at gmail.com
Wed Apr 27 12:32:43 MDT 2011
Hi list,
I have gone through several mailing list archives, googled, and tested
several options, but we cannot figure out how to fix our problem.
NIS provides the uid and gid in Linux
AD provides the passwords
Storage is provided by GPFS via Samba to Windows users
OS: RedHat 5.5 x86_64
Samba: 3.4.2 and/or 3.5.2
We are able to mount the home directories without any problems, and we can
read/write/rename/delete. The uid and the gid have no problems writing
to their respective areas, as per the permissions in Linux.
The problem we have is that any permissions that users have with respect to
secondary groups are not being carried forward to the Windows machines,
and are not recognised. We have tried to test this with a user whose primary
group allows access to sambatest, as defined below, but if another user
has the same group but as a secondary group, this person cannot
read/write/mount the share.
My smb.conf is below (with sensitive information replaced/<snipped>).
regards,
Arif
workgroup = DOMAIN
password server = <snip> <snip>
realm = domain.co.uk
security = ads
template shell = /bin/bash
winbind use default domain = yes
winbind offline logon = false
winbind seperator = +
#--authconfig--end-line--
netbios name = csfs
idmap backend = tdb2
encrypt passwords = true
username map = /etc/samba/smbusers
smb passwd file = /etc/samba/smbpasswd
clustering = yes
interfaces = <snip>/22
dns proxy = no
log file = /var/log/samba/log.%m
socket options = TCP_NODELAY IPTOS_LOWDELAY
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
winbind enum groups = Yes
winbind refresh tickets = true
winbind nested groups = yes
winbind nss info = template rfc2307
; passdb backend = tdbsam
idmap uid = 1000000-5000000
idmap gid = 1000000-5000000
idmap config DOMAIN:default = yes
idmap config DOMAIN:range = 500-100000
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
include = /etc/samba/loglevel.%m
writeable = yes
msdfs root = yes
[homes]
comment = Staff Home Directories
path = /users/%u
valid users = %S
create mask = 0750
vfs objects = gpfs fileid
fileid:mapping = fsname
gpfs:sharemodes = No
# nfs4: mode = special
# nfs4: chown = yes
# nfs4: acedup = merge
[support]
read only = no
comment = Support area
path = /<snip>/support
valid users = <snip> <snip> <snip> <snip> <snip>
create mode = 0664
vfs objects = gpfs fileid
fileid:mapping = fsname
gpfs:sharemodes = No
[sambatest]
read only = no
writeable = yes
comment = Testing Samba
path = /<snip>/sambatest
create mask = 0750
vfs objects = gpfs fileid
fileid:mapping = fsname
gpfs:sharemodes = No