[Samba] Non primary group permissions not working

Colin Fowler cfowler at scss.tcd.ie
Fri Nov 4 08:58:25 MDT 2011

Hi, I'm having a major problem here. We are running Samba 3.5.11 on 
Debian Squeeze. Authentication is via ADS.

When I create a directory with group rwx access I cannot access that 
directory through Windows or smbclient unless that group is my primary 
group. If I'm a member of the group (but it's not my primary), I can't 
access it.

If I ssh to the server it works AOK

Here's me and my groups on the samba server

cfowler@staffpgstore:~$ id -Gn
staff sss scssadmin scssunixadmin BUILTIN\users

Here's my testcase.

$ ls -ld testcase/
drwxrwx--- 2 wwwowner scssadmin 4096 Nov  4 09:28 testcase/

I can easily access this directory as a user on the server. This makes 
sense as I'm in the scssadmin group.

Here's what happens when I try to get in via smbclient from a Linux 

$ smbclient //staffpgstore/cfowler -U itserv/cfowler
Enter itserv/cfowler's password:
Domain=[ITSERV] OS=[Unix] Server=[Samba 3.5.11]
smb: \> cd testcase
smb: \testcase\> dir
NT_STATUS_ACCESS_DENIED listing \testcase\*

         64507 blocks of size 33553920. 50979 blocks available

Attempting to access the directory in Windows gives me "Windows cannot 
access....." "You do not have permission...."

Here's my smb.conf

     workgroup = ITSERV
     realm = ITSERV.SCSS.TCD.IE
     security = ADS
     password server = zeus.itserv.scss.tcd.ie
     log level = 3 passdb:10 auth:10 winbind:10 vfs:10 idmap:10 acls:10
     log file = /var/log/samba/samba.log.%m
     unix extensions = No
     idmap uid = 900 - 999
     idmap gid = 900 - 999
     winbind cache time = 5
     winbind enum users = Yes
     winbind enum groups = Yes
     winbind use default domain = Yes
     winbind nss info = rfc2307
     winbind refresh tickets = Yes
     winbind offline logon = Yes
     idmap alloc config: range = 1000-4000000000
     idmap config ITSERV: range = 1000-4000000000
     idmap config ITSERV: schema_mode = rfc2307
     idmap config ITSERV: backend = ad
     admin users = administrator
     wide links = Yes

     comment = Home directories (%h)
     read only = No
     create mask = 0700
     inherit acls = Yes
     browseable = No

ANY help at all would be much appreciated. I'm pulling my hair out here!
