[Samba] My samba can't see its own groups! (4.0.9 as solo AD DC)

Trent W. Buck trentbuck at gmail.com
Fri Nov 8 18:16:58 MST 2013


My samba thinks its own groups don't exist.


Background: I had a samba3 server operating as a NAS with some desktops
joined to the domain.  I'm migrating it to samba 4.0.9 as an AD domain.

Users can log in and browse their home share -- but the other shares
aren't working.  They're per-project shares set up to allow that
project's group access, and to forcibly make all files uploaded
accessible to that group:

    [fnord]
    comment                 = Project Fnord
    path                    = /srv/share/fnord
    create mask             = 0664
    force create mode       = 0664
    directory mask          = 0775
    force directory mode    = 0775
    read only               = no
    force group             = fnord
    valid users             = @fnord

With those settings, and "cyber" in the fnord group,

    $ smbclient -U cyber //gumbo/fnord
    tree connect failed: NT_STATUS_ACCESS_DENIED

If I comment out the last two lines, it works.

If I comment out the last line, I get

    tree connect failed: NT_STATUS_NO_SUCH_GROUP

If I comment out the "force group" line, and change the last line to
"valid users = cyber", it also works.

I'm using nss_winbind to make users and groups visible to gumbo's
unix-land, but it seems that samba-talking-to-unix-talking-to-samba
doesn't see the groups, though unix-talking-to-samba does.

    # getent group fnord
    PI\fnord:*:3000021:

    # getent passwd cyber
    PI\cyber:*:3000177:100:Cybersource tech:/home/PI/cyber:/bin/false

    # id cyber
    uid=3000177(PI\cyber) gid=100(users) groups=100(users),3000008(PI\Domain Admins),3000021(PI\fnord),[...]


What should I do about this?

Should I be using those fancy NT recursive ACLs instead of doing this
in the share config?

Are those options simply not supported under samba4?

Plan B, which I really hate, is to simply remove "valid users" and
"force group" and write an hourly cron job that will run chgrp -R and
chmod -R across each project share.
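
Added example, not part of the original post or of Samba: a small Python audit that lists every group a share definition depends on (`force group`, and `@`/`+` entries in `valid users`) and shows the canonical name NSS returns for it, the same lookup `getent group fnord` performs above. The function names are hypothetical, and the sample config is constructed from the `[fnord]` share in the post.

```python
import grp
import re

# Constructed sample: the [fnord] share from the post, trimmed.
SAMPLE_CONF = """
[fnord]
    path        = /srv/share/fnord
    force group = fnord
    valid users = @fnord
"""

def parse_shares(text):
    """Minimal smb.conf reader: {share: {normalised key: value}}."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = shares.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return shares

def group_refs(params):
    """Group names a share depends on, via force group and @/+ entries."""
    refs = []
    if "force group" in params:
        refs.append(params["force group"].lstrip("+"))
    for token in re.split(r"[,\s]+", params.get("valid users", "")):
        if token[:1] in ("@", "+"):
            refs.append(token.lstrip("@+"))
    return list(dict.fromkeys(refs))  # de-duplicate, keep order

def nss_group(name):
    """Canonical group name from NSS, or None if it does not resolve."""
    try:
        return grp.getgrnam(name).gr_name
    except KeyError:
        return None

def audit(text, lookup=nss_group):
    """Return (share, requested, canonical) for every group reference."""
    return [(share, ref, lookup(ref))
            for share, params in parse_shares(text).items()
            for ref in group_refs(params)]
```

A `None` in the third field means the name does not resolve through NSS at all; a domain-qualified result such as `PI\fnord` shows the form winbind reports for the short name written in the share.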


