[Samba] Non primary group permissions not working
Colin Fowler
cfowler at scss.tcd.ie
Fri Nov 4 08:58:25 MDT 2011
Hi, I'm having a major problem here. We are running Samba 3.5.11 on
Debian Squeeze. Authentication is via ADS.
When I create a directory with group rwx access I cannot access that
directory through Windows or smbclient unless that group is my primary
group. If I'm a member of the group (but it's not my primary), I can't
access it.
If I ssh to the server it works AOK.
Here's me and my groups on the samba server:
cfowler at staffpgstore:~$ id -Gn
staff sss scssadmin scssunixadmin BUILTIN\users
Here's my testcase.
$ ls -ld testcase/
drwxrwx--- 2 wwwowner scssadmin 4096 Nov 4 09:28 testcase/
I can easily access this directory as a user on the server. This makes
sense as I'm in the scssadmin group.
Here's what happens when I try to get in via smbclient from a Linux
workstation:
$ smbclient //staffpgstore/cfowler -U itserv/cfowler
Enter itserv/cfowler's password:
Domain=[ITSERV] OS=[Unix] Server=[Samba 3.5.11]
smb: \> cd testcase
smb: \testcase\> dir
NT_STATUS_ACCESS_DENIED listing \testcase\*
64507 blocks of size 33553920. 50979 blocks available
Attempting to access the directory in Windows gives me "Windows cannot
access....." "You do not have permission...."
Here's my smb.conf:
[global]
workgroup = ITSERV
realm = ITSERV.SCSS.TCD.IE
security = ADS
password server = zeus.itserv.scss.tcd.ie
log level = 3 passdb:10 auth:10 winbind:10 vfs:10 idmap:10 acls:10
log file = /var/log/samba/samba.log.%m
unix extensions = No
idmap uid = 900 - 999
idmap gid = 900 - 999
winbind cache time = 5
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = Yes
idmap alloc config: range = 1000-4000000000
idmap config ITSERV: range = 1000-4000000000
idmap config ITSERV: schema_mode = rfc2307
idmap config ITSERV: backend = ad
admin users = administrator
wide links = Yes
[homes]
comment = Home directories (%h)
read only = No
create mask = 0700
inherit acls = Yes
browseable = No
ANY help at all would be much appreciated. I'm pulling my hair out here!