[Samba] Debugging a groups permission problem

Jeremy Allison jra at samba.org
Tue Mar 22 12:18:40 MDT 2011

On Tue, Mar 22, 2011 at 08:27:05AM -0400, John Mulligan wrote:
> Hello samba list,
> [Apologies if you've seen this message before. I'm not sure if the original 
> got eaten by a filter somewhere along the line.]
> I've run into a rather strange problem at one of our deployments, and
> after trying a few ideas myself are turning to you to see if you have
> any suggestions for my next step.
> The problem: We're currently running samba 3.5.6 as a file server joined
> to an active directory. We set up acls that say group "foo" has r/w access
> to a directory. A user "userA" attempts to access that folder and fails
> even though the active directory server shows he is in that group.
> I've gone through the samba system checking the output of wbinfo
> and the getent, groups and id command; they all show that "userA" is
> in the supplementary "foo" group. I also turned up the logging and
> verified that the results of the "supplementary groups" in the log
> show the GID of the "foo" group when "userA" connects.
> Can you suggest to me what else I should be looking at? We've re-run this
> test by stripping out all acls (nt and posix) and just using permissions.
> Unless this particular user is the owner or the primary group the
> user can not access this directory.
> It feels as if the supplementary group is being "ignored" for this case,
> but I don't know why and I have run out of ideas. Searching google does not
> seem to turn up anything relevant at this point, either. I would greatly
> appreciate any help investigating what is going on with this system.

Set debug level 10 using smbcontrol for the smbd connected to
the specific client - then search the log for ACCESS_DENIED


More information about the samba mailing list