[Samba] My samba can't see its own groups! (4.0.9 as solo AD DC)
Trent W. Buck
trentbuck at gmail.com
Fri Nov 8 18:16:58 MST 2013
My samba thinks its own groups don't exist.
Background: I had a samba3 server operating as a NAS with some desktops
joined to the domain. I'm migrating it to samba 4.0.9 as an AD domain.
Users can log in and browse their home share -- but the other shares
aren't working. They're per-project shares set up to allow that
project's group access, and to forcibly make all files uploaded
accessible to that group:
comment = Project Fnord
path = /srv/share/fnord
create mask = 0664
force create mode = 0664
directory mask = 0775
force directory mode = 0775
read only = no
force group = fnord
valid users = @fnord
With those settings, and "cyber" in the fnord group,
$ smbclient -U cyber //gumbo/fnord
tree connect failed: NT_STATUS_ACCESS_DENIED
If I comment out the last two lines, it works.
If I comment out the last line, I get
tree connect failed: NT_STATUS_NO_SUCH_GROUP
If I comment out the "force group" line, and change the last line to
"valid users = cyber", it also works.
I'm using nss_winbind to make users and groups visible to gumbo's
unix-land, but it seems that samba-talking-to-unix-talking-to-samba
doesn't see the groups, though unix-talking-to-samba does.
# getent group fnord
# getent passwd cyber
# id cyber
uid=3000177(PI\cyber) gid=100(users) groups=100(users),3000008(PI\Domain Admins),3000021(PI\fnord),[...]
What should I do about this?
Should I be using those fancy NT recursive ACLs instead of doing this
in the share config?
Are those options simply not supported under samba4?
Plan B, which I really hate, is to simply remove "valid users" and
"force group" and write an hourly cron job that will run chgrp -R and
chmod -R across each project share.
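An added diagnostic (not code from this post or from the Samba project) for the nss_winbind question above: the `id cyber` output lists groups as `PI\fnord`, i.e. NetBIOS domain, winbind separator and name, so this script tries both the bare name and the prefixed form through NSS and reports which one actually resolves, and it can parse an `id` line to compare against. The domain `PI` and the separator `\` are assumptions read off that output; the in-script group table is a constructed sample so the module also runs offline.

```python
"""Check how a winbind-provided group name resolves through NSS.

Added diagnostic, not code from the original post. The `id` output in the
post shows groups as 'PI\\fnord' (NetBIOS domain + winbind separator + name),
so this tool tries the bare name and the prefixed form and reports which one
NSS knows. Domain 'PI' and separator '\\' are assumptions about this setup.
"""
import grp
import os
import pwd
import re
import sys
from collections import namedtuple

# Minimal stand-in for the struct that grp.getgrnam returns; used by the
# constructed offline sample below so the module runs without a joined domain.
GroupEntry = namedtuple("GroupEntry", "gr_name gr_gid gr_mem")

# Constructed sample NSS group table modelled on the post's `id` output.
SAMPLE_NSS_GROUPS = {
    "users": GroupEntry("users", 100, []),
    "PI\\Domain Admins": GroupEntry("PI\\Domain Admins", 3000008, ["PI\\cyber"]),
    "PI\\fnord": GroupEntry("PI\\fnord", 3000021, ["PI\\cyber"]),
}

# Copy of the `id cyber` line quoted in the post ('[...]' kept as written).
SAMPLE_ID_LINE = (r"uid=3000177(PI\cyber) gid=100(users) "
                  r"groups=100(users),3000008(PI\Domain Admins),3000021(PI\fnord),[...]")


def sample_lookup(name):
    """getgrnam-like lookup against the constructed table (raises KeyError)."""
    return SAMPLE_NSS_GROUPS[name]


def parse_id_groups(line):
    """Return [(name, gid), ...] from the groups= part of an `id` output line."""
    _, _, groups = line.partition("groups=")
    return [(name, int(gid)) for gid, name in re.findall(r"(\d+)\(([^)]*)\)", groups)]


def group_candidates(name, domain="PI", separator="\\"):
    """Name forms to try: the bare name first, then DOMAIN<sep>name.
    A name that already carries the separator is tried only as given."""
    if separator in name:
        return [name]
    return [name, f"{domain}{separator}{name}"]


def resolve_group(name, domain="PI", separator="\\", lookup=grp.getgrnam):
    """Try each candidate through NSS; return (name_that_resolved, gid) or None."""
    for candidate in group_candidates(name, domain, separator):
        try:
            entry = lookup(candidate)
        except KeyError:
            continue
        return candidate, entry.gr_gid
    return None


def user_group_names(user):
    """Group names the live NSS reports for a user (what `id` prints)."""
    pw = pwd.getpwnam(user)
    names = []
    for gid in os.getgrouplist(pw.pw_name, pw.pw_gid):
        try:
            names.append(grp.getgrgid(gid).gr_name)
        except KeyError:
            names.append(str(gid))  # gid known to the kernel but not to NSS
    return names


def main(argv):
    """usage: check_groups.py GROUP [GROUP ...]   (queries the live NSS)"""
    if len(argv) < 2:
        print(main.__doc__)
        return 2
    rc = 0
    for name in argv[1:]:
        hit = resolve_group(name)
        if hit is None:
            print(f"{name}: none of {group_candidates(name)} resolve via NSS")
            rc = 1
        else:
            print(f"{name}: resolves as {hit[0]!r} (gid {hit[1]})")
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the DC as `python3 check_groups.py fnord` to see whether the bare name or only the `PI\fnord` form is known to NSS; whatever form resolves is the one smbd's own name lookups for `force group` and `valid users = @...` go through.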