[Samba] My samba can't see its own groups! (4.0.9 as solo AD DC)

David Keegel djk at cyber.com.au
Sun Nov 10 02:09:01 MST 2013

> On 09/11/13 01:16, Trent W. Buck wrote:
> > My samba thinks its own groups don't exist.
> >
> >
> > Background: I had a samba3 server operating as a NAS with some desktops
> > joined to the domain.  I'm migrating it to samba 4.0.9 as an AD domain.
> Some desktops? Linux?
> >
> > Users can log in and browse their home share -- but the other shares
> > aren't working.  They're per-project shares set up to allow that
> > project's group access, and to forcibly make all files uploaded
> > accessible to that group:
> >
> >      [fnord]
> >      comment                 = Project Fnord
> >      path                    = /srv/share/fnord
> >      create mask             = 0664
> >      force create mode       = 0664
> >      directory mask          = 0775
> >      force directory mode    = 0775
> >      read only               = no
> >      force group             = fnord
> >      valid users             = @fnord
> >
> > I'm using nss_winbind to make users and groups visible to gumbo's
> > unix-land, but it seems that samba-talking-to-unix-talking-to-samba
> > doesn't see the groups, though unix-talking-to-samba does.
> >

Rowland Penny <rowlandpenny <at> googlemail.com> writes:
> If your clients are linux running samba3, I think that you are running 
> into the 'samba3 winbind != samba4 winbind' problem, you need to use 
> RFC2307 attributes to get your users to have the same uid & gid on the 
> server as on the client.
> Rowland

The clients (desktops) are all Windows, so I don't think that is the issue.

Random brainstorming: Would it make a difference if the samba config was
written with PI\fnord (where PI is the name of the AD domain) instead of
fnord for force group and valid users?

PS: I work with Trent. In case anyone was wondering, gumbo is the name of
the new Samba4 server (on Debian) which is replacing the old Samba3 server
(on Ubuntu) with OpenLDAP, so we can use AD features (which makes the
Windows IT guy happy when he can use MMC, group policy, etc).  

We had a daily script on the Samba4 server which uses rsync from the old
server and does some post-rsync cleanup (e.g. changing uid/gid numbers) to map
from the old Samba3 server to the new Samba4 server. The new server is not
using UPG, so we don't get a clash between group names that are the same as
user names, and the old "pi" group has been renamed because we had trouble
with a group named the same thing as the AD domain.

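As an added check that is not part of this thread: the symptom above ("unix-talking-to-samba sees the group, samba-talking-to-unix does not") comes down to whether the exact spelling used in `force group` and `valid users` resolves through NSS, because that is the lookup smbd performs when it evaluates those options. The script below pulls every group name a share section depends on out of smb.conf and runs each one through `getent group`, which on a Samba AD DC goes via nss_winbind. The helper names are mine, the smb.conf fragment is constructed (modelled on the [fnord] share quoted above, plus a second share using the `PI\group` spelling asked about), and it assumes the default `winbind separator` of `\`.

```shell
#!/bin/sh
# Added example, not code from the thread: find the group names a share
# depends on and check each one through NSS (getent), the same resolution
# path smbd uses for "valid users" and "force group" on the AD DC.
# Helper names are hypothetical; the sample smb.conf below is constructed.

# share_groups <smb.conf> <share>: print the group names the share needs,
# one per line, de-duplicated. Takes "force group = X" and every "@X" or
# "+X" token of "valid users"; plain user names are skipped.
share_groups() {
    conf=$1
    share=$2
    awk -v want="$share" '
        /^[ \t]*\[/ {                       # section header: [name]
            sec = $0
            sub(/^[ \t]*\[/, "", sec)
            sub(/\][ \t]*$/, "", sec)
            insec = (sec == want)
            next
        }
        insec && /^[ \t]*force group[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")        # keep only the value
            sub(/[ \t]+$/, "")
            print
            next
        }
        insec && /^[ \t]*valid users[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            n = split($0, tok, /[ \t,]+/)   # comma/space separated list
            for (i = 1; i <= n; i++) {
                if (tok[i] ~ /^[@+]/) {     # @group / +group are groups
                    g = tok[i]
                    sub(/^[@+]+/, "", g)
                    print g
                }
            }
        }
    ' "$conf" | sort -u
}

# nss_group <name>: print "name:gid" if NSS knows the group, otherwise
# print nothing and return 1 (also returns 1 if getent is unavailable).
nss_group() {
    ent=$(getent group "$1" 2>/dev/null) || return 1
    printf '%s\n' "$ent" | awk -F: '{ print $1 ":" $3 }'
}

# check_share <smb.conf> <share>: report each required group as ok or
# MISSING; the return value is the number of groups NSS could not see.
check_share() {
    missing=0
    for g in $(share_groups "$1" "$2"); do
        if ent=$(nss_group "$g"); then
            echo "ok       $g -> $ent"
        else
            echo "MISSING  $g  (getent group '$g' returned nothing)"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# sample_conf: write a constructed smb.conf fragment to a temp file and
# print its path. [fnord] mirrors the share from the thread; [reports]
# uses the DOMAIN\group spelling winbind presents when
# "winbind use default domain" is not set.
sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[fnord]
    comment      = Project Fnord
    path         = /srv/share/fnord
    force group  = fnord
    valid users  = @fnord, trent

[reports]
    path         = /srv/share/reports
    valid users  = @PI\fnord, +PI\staff
EOF
    echo "$f"
}

# Live use on the DC:  sh check_share_groups.sh /etc/samba/smb.conf fnord
if [ "$#" -eq 2 ]; then
    check_share "$1" "$2"
fi
```

Run it on the DC against the real smb.conf. If a name comes back MISSING, compare `wbinfo --group-info fnord` and `wbinfo --group-info 'PI\fnord'` with `getent group` for the same spellings: winbind answering while getent does not points at the NSS side (nsswitch.conf lacking `winbind` on the `group:` line, or libnss_winbind not installed), whereas both failing for the bare name but succeeding for `PI\fnord` means the share config needs the domain-qualified spelling, or `winbind use default domain = yes`.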