[Samba] samba authenticates only against the primary group of a user?

Athanasios Silis athanasios.silis at gmail.com
Tue Feb 15 05:02:43 MST 2011

Hello everyone!

I seem to be have a bit of a problem setting up a few network folders for a
my office on a Qnap storage device running Samba -v3.5.2. So I ask:

when the 'write list' of a share contains ONLY groups, and a user tries to
log on to that share, then samba authenticates against the primary group
only of that user only??

Here is the example that fails:

-the user is 'isak'

-the group of interest is 'iso_ops'. This user belongs these groups:
everyone, engineers, iso_ops (this is the order I get when I run the command
'groups' from a shell)

-The shared folder in question is 'iso'. this folder has the following
permissions: no individual user permissions have been set (every tickbox is
blank). group 'everyone' is denied access. group 'iso_ops' has read/write

the relevant smb.conf part is this:

comment = ISO files
path = /share/MD0_DATA/iso
browsable = yes
oplocks = yes
ftp write only = no
public = yes
invalid users = "guest",@"everyone"
read list =
write list = @"iso_ops",@"administrators"
valid users = "root",@"iso_ops",@"administrators"
inherit permissions = yes

So normally, I would expect that user 'isak', is allowed read/write access
to 'iso' folder, because he is member of the 'iso_ops' group.
However, now I try to log on to the share as 'isak' but I never get past the
login prompt..

If I move @everyone to the 'valid users' then I can log on AND I can write
to the network share, since @iso_ops can write to the share (even though
@everyone can't).. So - correct me if I'm wrong - but it seems that users
are authenticated only against their primary group!

This is most upsetting since on the machine I am running samba on, I don't
have the command usermod is order to change the primary groups of my user
(in fact even though I have ssh access, the system is optimised to be setup
from its web interface - and I can't set the primary group from there

But that doesn't seem like a rational behaviour of samba altogether -
usermod would merely tackle some of the problems that can arise. Let me

-there are a few engineering related shared folders that the @engineers
group can authenticate against
-there is this one 'iso' folder that @iso_ops can authenticate against.
-Dearest user isak is an engineer (thus in the engineers group), but is also
responsible for keeping the ISO9001 files for the office -imagine how much
of an important person!
-by authenticating against only the primary group, isak can only access the
engineering folders, or the iso folder depending of which one is his primary
group - BUT NOT BOTH!

this is a non welcoming behaviour that can only be tackled by allowing
@everyone to have read access to the shares - unwelcomed too.

So finally is there a way to make samba try and authenticate a user against
ALL of his groups (and not just the primary one)?

Thank you very much for your help
Thanassis Silis

More information about the samba mailing list