[Samba] member server and groups

Neil Price nprice at gibb.co.za
Thu Apr 4 07:42:06 MDT 2013

I have a Samba 3 member server joined to a Samba PDC using LDAP. The join is OK.
The version is from Debian wheezy: 3.6.6

With servers that are BDCs I have no problems with authentication; with
the member server I cannot get group file permissions to work.
User file permissions work fine.
Samba share user and group permissions work fine.
getent group shows the expected groups with the correct GIDs, which is an
improvement on the 3.5.4 that I tried before.
The only interesting thing the logs show is access denied.
BUT if I change the dir/file permission to the domain users group THEN it
So I think Samba is only looking up the primary group. I know there was a
bug like this somewhere around 3.6.0.

Is "net idmap secret alloc" no longer needed? It responds with "The only 
currently supported backend is LDAP". smbpasswd -w seemed to do all I 

Critical parts of my smb.conf follow.
I'm using the nss_ldap method with nss-ldapd.

    security = domain
    workgroup = DOMAIN
    ldap admin dn = cn=System Administrator,ou=people,dc=domain,dc=com
    ldap suffix = dc=domain,dc=com
    ldap user suffix = ou=people
    ldap group suffix = ou=groups
    ldap idmap suffix = ou=idmap
    ldap machine suffix = ou=winstations,ou=systems
    ldap ssl = Off
    idmap config DOMAIN : backend  = ldap
    idmap config DOMAIN : range    = 80000-99000
    idmap config DOMAIN : ldap_url = ldap://my.ldap.serverl/
    winbind use default domain = yes

    path = /home/shares/comp
    inherit permissions = yes
    public = no
    browsable = yes
    writeable = yes
    valid users = @computer

Directory perms
drwxrwx--- 19 root computer 4096 Jan 18 15:25 comp

nsswitch.conf

    passwd:         compat ldap
    group:          compat ldap
    shadow:         compat ldap

    hosts:          files dns wins
    networks:       files

nslcd.conf

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://my.ldap.server/

# The search base that will be used for all queries.
base dc=domain,dc=com

# The LDAP protocol version to use.
#ldap_version 3

# SSL options
#ssl off
#tls_reqcert never

# The search scope.
#scope sub

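The post's three configuration fragments (smb.conf, nsswitch.conf via nslcd, and the `getent group` view of the groups) have to agree with each other before group-based file permissions on a member server can work, and the mismatches are easier to spot with a script than by eye. The checker below is an added example written for this page; it is not code from the post or from the Samba project. It parses constructed copies of the fragments (a share name `[comp]`, the user names `alice` and `bob`, and the group GIDs are assumptions; the smb.conf `ldap_url` is copied from the post, where its hostname differs from the nslcd `uri` by one character) and flags three things: an idmap `ldap_url` that does not match the nslcd `uri`, NSS group GIDs that lie outside the configured idmap range (a domain SID can only be mapped by that backend to an id inside the range, so such a group can never match the gid Samba derives from its SID), and a user who is not an NSS member of the group named in the share's `valid users`.

```python
"""Consistency checks for a Samba 3 domain member that resolves users and
groups through nslcd.  Added example for this page; not from the post or
from Samba.  All inputs below are constructed, not captured from a host."""
import re

# Constructed smb.conf: options from the post plus an assumed share name.
SMB_CONF = """
[global]
    security = domain
    workgroup = DOMAIN
    ldap admin dn = cn=System Administrator,ou=people,dc=domain,dc=com
    idmap config DOMAIN : backend  = ldap
    idmap config DOMAIN : range    = 80000-99000
    idmap config DOMAIN : ldap_url = ldap://my.ldap.serverl/
    winbind use default domain = yes

[comp]
    path = /home/shares/comp
    valid users = @computer
"""

# Constructed nslcd.conf (the post's uri).
NSLCD_CONF = """
uid nslcd
gid nslcd
uri ldap://my.ldap.server/
base dc=domain,dc=com
"""

# Constructed `getent group` output; gids are assumptions.
GETENT_GROUP = """
domain users:*:513:alice,bob
computer:*:1005:alice
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}.  Keys are lowercased with whitespace
    collapsed, so 'idmap config DOMAIN : range' -> 'idmap config domain:range'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", ":", " ".join(key.split()).lower())
            sections[current][key] = value.strip()
    return sections


def parse_nslcd_conf(text):
    """nslcd.conf is 'keyword value' per line; keep the first value per keyword."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            if len(parts) == 2:
                conf.setdefault(parts[0], parts[1])
    return conf


def parse_getent_group(text):
    """'name:passwd:gid:members' lines -> {name: (gid, set_of_members)}."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def check(smb, nslcd, groups, share, user):
    """Return a list of findings (empty means nothing was flagged)."""
    findings = []
    g = smb["global"]
    domain = g["workgroup"].lower()
    # 1. The idmap backend and nslcd should talk to the same directory.
    idmap_url = g.get(f"idmap config {domain}:ldap_url", "")
    nss_url = nslcd.get("uri", "")
    if idmap_url.rstrip("/") != nss_url.rstrip("/"):
        findings.append(f"idmap ldap_url {idmap_url!r} differs from nslcd uri {nss_url!r}")
    # 2. NSS gids outside the idmap range can never equal the id the backend maps a SID to.
    lo, hi = (int(x) for x in g[f"idmap config {domain}:range"].split("-"))
    for name, (gid, _members) in groups.items():
        if not lo <= gid <= hi:
            findings.append(f"group {name!r} has NSS gid {gid} outside idmap range {lo}-{hi}")
    # 3. 'valid users = @group' requires the user to be a member of that group.
    for token in (t.strip() for t in smb[share].get("valid users", "").split(",")):
        if token[:1] in "@+&":
            grp = token.lstrip("@+&")
            if user not in groups.get(grp, (None, set()))[1]:
                findings.append(f"{user!r} is not an NSS member of {grp!r} required by valid users")
    return findings


def run_checks(user, share="comp"):
    return check(parse_smb_conf(SMB_CONF), parse_nslcd_conf(NSLCD_CONF),
                 parse_getent_group(GETENT_GROUP), share, user)


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(f"--- {user}")
        for finding in run_checks(user) or ["no findings"]:
            print(" ", finding)
```

On a real host the three constants would be replaced by the contents of /etc/samba/smb.conf, /etc/nslcd.conf and the output of `getent group`; the checks themselves do not depend on the constructed values.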