[Samba] S3 - Valid users option and AD/Ldap primary group

Olivier BILHAUT o.bilhaut at fondation-misericorde.fr
Tue Nov 20 03:05:51 MST 2012

Hi All,

We wonder about the possibility to use the primary group of a user as 
argument in the "valid users" option, in the share section of the 

Let me explain:

In an AD schema, your primary group could be, for example, 530 (Domain 
Users), you're not "memberof" the "Domain users" group in the LDAP schema.

So winbind and/or NSS seem to have problems retrieving the membership 
of a user when he belongs to the primary group.

We use samba 3.5.6 joined to a samba 4 rc5 AD, and we would like to use 
the primary group of the users as argument for the option "valid users". 
But the level 10 log gives us:

Nov 19 12:37:06 localhost smbd[23716]: [2012/11/19 12:37:06.964523, 2] 
Nov 19 12:37:06 localhost smbd[23716]:  user 'DOMAIN/User' (from session 
setup) not permitted to access this share (TEST)
Nov 19 12:37:06 localhost smbd[23716]:  User DOMAIN/User not in 'valid 

For info :
When we use wbinfo -r User, it returns primary group AND other group 
When we use "getent group", the primary group is shown but is empty.

Is it simply possible?


***	OB
***	Service Informatique
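
The situation described in the post, where `getent group` shows the primary group with an empty member list, as an added example that is not part of the original message: it resolves group membership from `getent`-style records twice, once from the member lists alone and once including the primary GID from the passwd record. All names, IDs and records are constructed, and the function names are hypothetical.

```python
# All records below are constructed samples in getent passwd/group format.
PASSWD = """\
DOMAIN\\user:*:10001:10513:User:/home/DOMAIN/user:/bin/false
DOMAIN\\admin:*:10002:10513:Admin:/home/DOMAIN/admin:/bin/false
"""
GROUP = """\
DOMAIN\\domain users:x:10513:
DOMAIN\\staff:x:10600:DOMAIN\\user
DOMAIN\\it:x:10601:DOMAIN\\admin
"""


def parse_passwd(text):
    """Map user name -> primary GID (4th field of a passwd record)."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4:
            users[fields[0]] = int(fields[3])
    return users


def parse_group(text):
    """Map group name -> (GID, set of explicitly listed members)."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4:
            members = {m for m in fields[3].split(",") if m}
            groups[fields[0]] = (int(fields[2]), members)
    return groups


def listed_groups(user, groups):
    """Groups whose member list names the user (what `getent group` shows)."""
    return {name for name, (_, members) in groups.items() if user in members}


def effective_groups(user, users, groups):
    """Listed groups plus the group matching the user's primary GID."""
    primary = {name for name, (gid, _) in groups.items() if gid == users[user]}
    return listed_groups(user, groups) | primary


if __name__ == "__main__":
    users, groups = parse_passwd(PASSWD), parse_group(GROUP)
    for user in sorted(users):
        missed = effective_groups(user, users, groups) - listed_groups(user, groups)
        print(f"{user}: only via primary GID -> {sorted(missed)}")
```

Any access review that relies on group member lists alone will miss users who hold a group only as their primary group, which is the gap the two functions make visible.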

