[Samba] samba authenticates only against the primary group of a user?

Andrew Masterson Andrew.Masterson at nuvistaenergy.com
Fri Feb 18 09:41:58 MST 2011

Or it means that samba is correctly applying restrictive security -
"invalid users" supersedes "valid users".


-----Original Message-----
From: samba-bounces at lists.samba.org
[mailto:samba-bounces at lists.samba.org] On Behalf Of Athanasios Silis
Sent: Tuesday, February 15, 2011 5:03 AM
To: samba at lists.samba.org
Subject: [Samba] samba authenticates only against the primary group of

Hello everyone!

I seem to be having a bit of a problem setting up a few network folders
for a
my office on a Qnap storage device running Samba -v3.5.2. So I ask:

when the 'write list' of a share contains ONLY groups, and a user tries
log on to that share, then samba authenticates against the primary group
only of that user only??

Here is the example that fails:

-the user is 'isak'

-the group of interest is 'iso_ops'. This user belongs to these groups:
everyone, engineers, iso_ops (this is the order I get when I run the
'groups' from a shell)

-The shared folder in question is 'iso'. this folder has the following
permissions: no individual user permissions have been set (every tickbox
blank). group 'everyone' is denied access. group 'iso_ops' has

the relevant smb.conf part is this:

comment = ISO files
path = /share/MD0_DATA/iso
browsable = yes
oplocks = yes
ftp write only = no
public = yes
invalid users = "guest",@"everyone"
read list =
write list = @"iso_ops",@"administrators"
valid users = "root",@"iso_ops",@"administrators"
inherit permissions = yes

So normally, I would expect that user 'isak', is allowed read/write
to 'iso' folder, because he is member of the 'iso_ops' group.
However, now I try to log on to the share as 'isak' but I never get past
login prompt..

If I move @everyone to the 'valid users' then I can log on AND I can
to the network share, since @iso_ops can write to the share (even though
@everyone can't).. So - correct me if I'm wrong - but it seems that
are authenticated only against their primary group!

This is most upsetting since on the machine I am running samba on, I
have the command usermod in order to change the primary groups of my
(in fact even though I have ssh access, the system is optimised to be
from its web interface - and I can't set the primary group from there

But that doesn't seem like a rational behaviour of samba altogether -
usermod would merely tackle some of the problems that can arise. Let me

-there are a few engineering related shared folders that the @engineers
group can authenticate against
-there is this one 'iso' folder that @iso_ops can authenticate against.
-Dearest user isak is an engineer (thus in the engineers group), but is
responsible for keeping the ISO9001 files for the office -imagine how
of an important person!
-by authenticating against only the primary group, isak can only access
engineering folders, or the iso folder depending on which one is his
group - BUT NOT BOTH!

this is a non welcoming behaviour that can only be tackled by allowing
@everyone to have read access to the shares - unwelcomed too.

So finally is there a way to make samba try and authenticate a user
ALL of his groups (and not just the primary one)?

Thank you very much for your help
Thanassis Silis
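
The precedence rule from the reply ("invalid users" supersedes "valid users"), as an added example that is not part of the thread and is not Samba's own code: a simplified Python model that evaluates the posted share lists against all of isak's groups. The function names, the read/write outcome labels and the user 'bob' are assumptions made for illustration.

```python
# Simplified model of smb.conf(5) list precedence; not Samba source code.
# The share values and isak's groups are copied from the post above.
ISO_SHARE = {
    "invalid users": '"guest",@"everyone"',
    "valid users": '"root",@"iso_ops",@"administrators"',
    "write list": '@"iso_ops",@"administrators"',
}
ISAK_GROUPS = ["everyone", "engineers", "iso_ops"]

def parse_list(value):
    """Split a user list into (users, groups); an '@' prefix marks a group."""
    users, groups = set(), set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        name = item.lstrip("@").strip('"')
        (groups if item.startswith("@") else users).add(name)
    return users, groups

def matches(user, user_groups, value):
    """True if the user, or ANY of the user's groups, appears in the list."""
    users, groups = parse_list(value)
    return user in users or bool(groups & set(user_groups))

def share_access(user, user_groups, share):
    """Return (decision, reason); decision is 'deny', 'read' or 'write'.
    Assumption: a share where only the write list grants write access."""
    if matches(user, user_groups, share.get("invalid users", "")):
        return "deny", "matched invalid users"   # checked first, always wins
    valid = share.get("valid users", "")
    if valid.strip() and not matches(user, user_groups, valid):
        return "deny", "not in valid users"
    if matches(user, user_groups, share.get("write list", "")):
        return "write", "matched write list"
    return "read", "valid user"

if __name__ == "__main__":
    print(share_access("isak", ISAK_GROUPS, ISO_SHARE))
    # Hypothetical variant: @"everyone" dropped from invalid users.
    variant = dict(ISO_SHARE, **{"invalid users": '"guest"'})
    print(share_access("isak", ISAK_GROUPS, variant))
```

In this model the order of isak's groups does not change the result: membership in 'everyone' alone triggers the deny, and with that entry gone the supplementary group 'iso_ops' is enough for write access while users outside "valid users" stay locked out.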