[Samba] AD and samba secondary group problems

Arif Ali arifali1 at gmail.com
Wed Apr 27 12:32:43 MDT 2011

Hi list,

I have gone through several mailing list archives, googled and tested 
several options, but we cannot figure out how to fix our problem.

NIS provides the uid and gid in Linux
AD provides the passwords
Storage is provided by GPFS, exported via Samba to Windows users

OS: RedHat 5.5 x86_64
Samba: 3.4.2 and/or 3.5.2

We are able to mount the home directories without any problems; we can 
read/write/rename/delete. The uid and the gid have no problems writing 
to their respective areas, as per the permissions in Linux.

The problem we have is that any permissions that users have with respect to 
secondary groups are not being carried forward to the Windows machines, 
and are not recognised. We have tried to test this with a user whose primary 
group allows access to sambatest, as defined below, but if another user 
has the same group as a secondary group, this person cannot 
read/write/mount the share.

My smb.conf is below (with sensitive information replaced or <snipped>):


    # Section headers were lost when the post was archived. [homes] follows
    # from "valid users = %S" / "path = /users/%u", [sambatest] is the share
    # named in the text, and [support] is inferred from the path.
    [global]
        workgroup = DOMAIN
        password server = <snip> <snip>
        realm = domain.co.uk
        security = ads
        template shell = /bin/bash
        winbind use default domain = yes
        winbind offline logon = false
        # posted as "winbind seperator"; Samba logs and ignores an unknown
        # parameter, so the misspelled line had no effect
        winbind separator = +

        netbios name = csfs
        idmap backend = tdb2
        encrypt passwords = true
        username map = /etc/samba/smbusers
        smb passwd file = /etc/samba/smbpasswd
        clustering = yes
        interfaces = <snip>/22
        dns proxy = no
        log file = /var/log/samba/log.%m
        socket options = TCP_NODELAY IPTOS_LOWDELAY
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
        winbind enum groups = Yes
        winbind refresh tickets = true
        winbind nested groups = yes
        winbind nss info = template rfc2307
    ;   passdb backend = tdbsam
        idmap uid = 1000000-5000000
        idmap gid = 1000000-5000000
        idmap config DOMAIN:default = yes
        idmap config DOMAIN:range = 500-100000
        idmap config DOMAIN:backend = ad
        idmap config DOMAIN:schema_mode = rfc2307
        include = /etc/samba/loglevel.%m
        writeable = yes
        msdfs root = yes

    [homes]
        comment = Staff Home Directories
        path = /users/%u
        valid users = %S
        create mask = 0750
        vfs objects = gpfs fileid
        fileid:mapping = fsname
        gpfs:sharemodes = No
    #   nfs4: mode = special
    #   nfs4: chown = yes
    #   nfs4: acedup = merge

    [support]
        read only = no
        comment = Support area
        path = /<snip>/support
        valid users = <snip> <snip> <snip> <snip> <snip>
        create mode = 0664
        vfs objects = gpfs fileid
        fileid:mapping = fsname
        gpfs:sharemodes = No

    [sambatest]
        read only = no
        writeable = yes
        comment = Testing Samba
        path = /<snip>/sambatest
        create mask = 0750
        vfs objects = gpfs fileid
        fileid:mapping = fsname
        gpfs:sharemodes = No
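
The following diagnostic is an added example for the symptom described in this post; it is not part of the original message or of the Samba project, and the script name and function names are made up for illustration. Samba builds a user's NT token from SIDs, so a supplementary Unix gid that winbind cannot map to a SID never reaches the token, and a Windows client gets none of the access that group grants on the filesystem. The script walks every supplementary gid NSS reports for a user and asks winbind (`wbinfo --gid-to-sid`) whether a SID exists for it:

```bash
#!/bin/bash
# Hypothetical diagnostic (not from the Samba project): for every
# supplementary Unix gid a user has, ask winbind whether that gid maps to a
# SID. A gid with no SID cannot be placed in the user's NT token, so any
# access it grants on the filesystem is invisible to a Windows client.
set -u

# Command used to query winbind; overridable so the logic can be exercised
# offline against a stub function.
WBINFO=${WBINFO:-wbinfo}

# gid_status GID -> prints "GID SID" when winbind has a mapping,
# "GID UNMAPPED" otherwise.
gid_status() {
    local gid=$1 sid
    if sid=$("$WBINFO" --gid-to-sid="$gid" 2>/dev/null) && [ -n "$sid" ]; then
        printf '%s %s\n' "$gid" "$sid"
    else
        printf '%s UNMAPPED\n' "$gid"
    fi
}

# check_gids PRIMARY_GID GID... -> one line per supplementary gid.
# Returns 0 when every supplementary gid has a SID, 1 when at least one
# is unmapped.
check_gids() {
    local primary=$1 gid line rc=0
    shift
    for gid in "$@"; do
        # the primary gid is not a secondary group; skip it
        [ "$gid" = "$primary" ] && continue
        line=$(gid_status "$gid")
        case $line in *' UNMAPPED') rc=1 ;; esac
        printf '%s\n' "$line"
    done
    return "$rc"
}

# check_user USER -> runs check_gids on the groups NSS (NIS in this setup)
# reports for the account.
check_user() {
    local user=$1 primary groups
    primary=$(id -g "$user") || return 2
    groups=$(id -G "$user") || return 2
    # word-splitting of $groups is intended: one argument per gid
    # shellcheck disable=SC2086
    check_gids "$primary" $groups
}

# Run directly as: ./check_groups.sh USER
if [ $# -gt 0 ]; then
    check_user "$1"
fi
```

Run it on one of the cluster nodes for the user whose secondary group should grant access to sambatest. With the posted `idmap config DOMAIN:backend = ad` and `schema_mode = rfc2307`, winbind resolves a gid to a SID by looking for an AD group whose gidNumber attribute equals that gid, so a line ending in `UNMAPPED` means no AD group carries that NIS gid and the group cannot appear in the token that Samba evaluates against the share.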
