[Samba] Problems with group assignments

Daniel Müller mueller at tropenklinik.de
Mon May 23 00:51:30 MDT 2011

What about your ADS? Are you authenticating against your ADS?!
Why don't you use winbind?

Good Luck

EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On
Behalf Of F. David del Campo Hill
Sent: Friday, 20 May 2011 14:44
To: samba at lists.samba.org
Subject: [Samba] Problems with group assignments

Dear All,

	We are trying to transfer a SaMBa installation from an old server to
a newer more up-to-date one. The original server was sharing files to
Windows XP systems in Active Directory (Windows Server 2003 R2 version), but
as we move to Windows 7 and Active Directory (Windows Server 2008 R2
version) we need to upgrade the service.

	The old server was part of a NIS domain, with the "valid users",
"write list", etc. entries in its smb.conf referring to the NIS groups using
the "@" sign (which the documentation says means "is interpreted as an
NIS netgroup first (if your system supports NIS), and then as a UNIX group
if the name was not found in the NIS netgroup database"; see
http://samba.org/samba/docs/man/manpages-3/smb.conf.5.html#INVALIDUSERS). It
all worked fine as it picked users' group membership from NIS.

	The new server is a Solaris 10 box running SaMBa 3.5.5, and we are
having problems with it picking up the group memberships. The old server's
smb.conf was transplanted to the new server (with a few path changes), and
the new server was successfully added to our Active Directory domain. As the
new server is NOT a member of NIS, we made a copy of all the
smb.conf-relevant groups to its local /etc/group and added all the users to
the /etc/passwd file. With these changes we can access the shares using the
AD usernames and passwords as long as they are not access-limited by "valid
users", so the integration of the server into AD is working. But if we add a
"valid users = @group" line to the share in smb.conf, it will completely
refuse access to all users, even the ones belonging to the group. Leaving
the share accessible to all, but adding a "write list = @group" line to
smb.conf, will allow access, but no one will be able to write to it, even
the members of the group. If we change
the "write list" and "valid users" lines to list the usernames directly
instead of through a group membership, it works. To avoid even attempting to
talk to NIS, we changed the "@" signs for "+", but it still kept refusing to
recognize group memberships (NIS or local UNIX ones). So it seems our new
SaMBa is having problems recognizing group memberships.

	What am I doing wrong? Have SUN/Oracle done something to stop SaMBa
accessing its local UNIX groups?

	Thank you for your help.


		David del Campo
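
A diagnostic for the symptom described in the message above, added here as an example and not code from the thread or from the Samba project: it lists every `@group` / `+group` reference in the share access lists of an smb.conf and reports whether the name resolves as a UNIX group and whether a given user is listed in it. The function names, the sample smb.conf and the sample group file are constructed assumptions.

```python
import grp
ACL_KEYS = ("valid users", "invalid users", "write list", "read list")
def nss_group_members(name):
    """Members the local NSS lists for a UNIX group; None if the name does not resolve."""
    try:
        return set(grp.getgrnam(name).gr_mem)
    except KeyError:
        return None

def group_file_lookup(group_text):
    """Lookup over /etc/group-format text, used here for the constructed sample."""
    table = {}
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4:
            table[fields[0]] = set(filter(None, fields[3].split(",")))
    return table.get

def audit_group_acls(smb_conf_text, user, lookup=nss_group_members):
    """Per share ACL entry naming a group: does it resolve, and is `user` listed?"""
    findings, share = [], None
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            share = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        key = " ".join(key.lower().split())
        if not sep or key not in ACL_KEYS:
            continue
        for entry in value.replace(",", " ").split():
            if entry[0] not in "@+":
                continue  # plain user name, no group lookup involved
            members = lookup(entry.lstrip("@+"))
            if members is None:
                status = "group does not resolve"
            else:  # gr_mem omits users who have the group only as primary GID
                status = "member" if user in members else "not listed as member"
            findings.append((share, key, entry, status))
    return findings

# Constructed sample data (assumptions, not taken from the original post)
SAMPLE_SMB_CONF = ("[projects]\nvalid users = @research\nwrite list = +research, alice\n"
                   "[archive]\nvalid users = @oldnis\n")
SAMPLE_GROUP = "research::200:bob,carol\nstaff::10:\n"
if __name__ == "__main__":
    for row in audit_group_acls(SAMPLE_SMB_CONF, "alice", group_file_lookup(SAMPLE_GROUP)):
        print(row)
```

Called without the third argument, `audit_group_acls` queries the server's own NSS through `grp.getgrnam` instead of the sample group file.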
