[Samba] My samba can't see its own groups! (4.0.9 as solo AD DC)

Rowland Penny rowlandpenny at googlemail.com
Sat Nov 9 01:41:27 MST 2013


On 09/11/13 01:16, Trent W. Buck wrote:
> My samba thinks its own groups don't exist.
>
>
> Background: I had a samba3 server operating as a NAS with some desktops
> joined to the domain.  I'm migrating it to samba 4.0.9 as an AD domain.
Some desktops? Linux?
>
> Users can log in and browse their home share -- but the other shares
> aren't working.  They're per-project shares set up to allow that
> project's group access, and to forcibly make all files uploaded
> accessible to that group:
>
>      [fnord]
>      comment                 = Project Fnord
>      path                    = /srv/share/fnord
>      create mask             = 0664
>      force create mode       = 0664
>      directory mask          = 0775
>      force directory mode    = 0775
>      read only               = no
>      force group             = fnord
>      valid users             = @fnord
>
> With those settings, and "cyber" in the fnord group,
>
>      $ smbclient -U cyber //gumbo/fnord
>      tree connect failed: NT_STATUS_ACCESS_DENIED
>
> If I comment out the last two lines, it works.
>
> If I comment out the last line, I get
>
>      tree connect failed: NT_STATUS_NO_SUCH_GROUP
>
> If I comment out the "force group" line, and change the last line to
> "valid users = cyber", it also works.
>
> I'm using nss_winbind to make users and groups visible to gumbo's
> unix-land, but it seems that samba-talking-to-unix-talking-to-samba
> doesn't see the groups, though unix-talking-to-samba does.
>
>      # getent group fnord
>      PI\fnord:*:3000021:
>
>      # getent passwd cyber
>      PI\cyber:*:3000177:100:Cybersource tech:/home/PI/cyber:/bin/false
>
>      # id cyber
>      uid=3000177(PI\cyber) gid=100(users) groups=100(users),3000008(PI\Domain Admins),3000021(PI\fnord),[...]
>
>
> What should I do about this?
>
> Should I be using those fancy NT recursive ACLs instead of doing this
> in the share config?
>
> Are those options simply not supported under samba4?
>
> Plan B, which I really hate, is to simply remove "valid users" and
> "force group" and write an hourly cron job that will run chgrp -R and
> chmod -R across each project share.
>
If your clients are Linux running samba3, I think that you are running 
into the 'samba3 winbind != samba4 winbind' problem; you need to use 
RFC2307 attributes to get your users to have the same uid & gid on the 
server as on the client.

Rowland
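An added diagnostic, not from the thread, that checks a share stanza the way the two tree connect errors above suggest: it parses the [fnord] share, collects the groups named by "force group" and "valid users", looks each up as written and then as PI\name (the form getent group returned), and reports whether cyber is a member. The NSS lookups are modelled from the quoted getent/id output; the workgroup name PI and the backslash winbind separator are assumptions.

```python
# Constructed input: the force group / valid users lines of the [fnord] stanza.
SMB_CONF = "[fnord]\nforce group = fnord\nvalid users = @fnord\n"
# NSS view from the thread's getent/id output, embedded so this runs offline;
# winbind here exposes groups as DOMAIN\name (winbind use default domain = no).
NSS_GROUPS = {"PI\\fnord": 3000021, "PI\\Domain Admins": 3000008, "users": 100}
USER_GROUPS = {"cyber": {100, 3000008, 3000021}}  # gids from `id cyber`
DOMAIN, SEP = "PI", "\\"  # assumed workgroup name and winbind separator

def parse_share(conf, share):
    # Options of one [share] stanza as a lowercase-key dict.
    opts, current = {}, None
    for line in (l.strip() for l in conf.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
        elif current == share and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            opts[key.lower()] = val
    return opts

def referenced_groups(opts):
    # (option, group) pairs the share depends on: force group and @/+/& entries.
    groups = []
    if "force group" in opts:
        groups.append(("force group", opts["force group"].lstrip("+&")))
    for tok in opts.get("valid users", "").replace(",", " ").split():
        if tok[0] in "@+&":
            groups.append(("valid users", tok.lstrip("@+&")))
    return groups

def resolve_group(name):
    # Look the group up as written, then domain-qualified: (gid, form) or None.
    for form in (name, f"{DOMAIN}{SEP}{name}"):
        if form in NSS_GROUPS:
            return NSS_GROUPS[form], form
    return None

def check_share(conf, share, user):
    # Per referenced group: does it resolve, and is the user a member of it?
    report = {}
    for option, name in referenced_groups(parse_share(conf, share)):
        hit = resolve_group(name)
        if hit is None:
            report[(option, name)] = "no such group"
            continue
        gid, form = hit
        how = "as written" if form == name else f"only as {form}"
        member = "is" if gid in USER_GROUPS.get(user, set()) else "is NOT"
        report[(option, name)] = f"resolves {how}; {user} {member} a member"
    return report
```

Run check_share(SMB_CONF, "fnord", "cyber") to get one verdict per referenced group; on a live box the two tables would be replaced by real getent/id lookups.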

