[Samba] My samba can't see its own groups! (4.0.9 as solo AD DC)

Petros Petros.Listig at fdrive.com.au
Sun Nov 10 18:05:24 MST 2013

Hi Trent,

Quoting  "Trent W. Buck" <trentbuck at gmail.com>

> My samba thinks its own groups don't exist.

I am in a similar situation, using samba-4.0.8 under FreeBSD 9 (and  
want to migrate from an older samba 3.6 fileserver). However,  
everything seems to work for me, including force group etc.

(BTW: I am using s3fs (the same as under Linux) - not ntvfs)

> Background: I had a samba3 server operating as a NAS with some desktops
> joined to the domain.  I'm migrating it to samba 4.0.9 as an AD domain.
> Users can log in and browse their home share -- but the other shares
> aren't working.  They're per-project shares set up to allow that
> project's group access, and to forcibly make all files uploaded
> accessible to that group:
>     [fnord]
>     comment                 = Project Fnord
>     path                    = /srv/share/fnord
>     create mask             = 0664
>     force create mode       = 0664
>     directory mask          = 0775
>     force directory mode    = 0775
>     read only               = no
>     force group             = fnord
>     valid users             = @fnord
> With those settings, and "cyber" in the fnord group,
>     $ smbclient -U cyber //gumbo/fnord
>     tree connect failed: NT_STATUS_ACCESS_DENIED
> If I comment out the last two lines, it works.

Here my attempt:

 From the smb4.cfg

         workgroup = DOMAIN
         realm = DOMAIN.FDA
         netbios name = SAMBA4
         server role = active directory domain controller
         dns forwarder =

         # From the services - at the end only nbt removed

         server services = rpc, wrepl, ldap, cldap, kdc, drepl,  
winbind, ntp_signd,kcc, dnsupdate, dns, smb
         dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,  
netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser,  
eventlog6, backupkey, dnsserver, winreg, srvsvc

         vfs objects = zfsacl
         nsupdate command = /usr/local/bin/samba-nsupdate -g

         # Test according to
         # http://forums.freebsd.org/showthread.php?p=226901
         interfaces = bce0
         bind interfaces only = yes
         # hosts allow does not seem to work
         #   it blocks socket communications from Winbind?

         # According to https://glsan.com/community/samba4/zfs-share-setup/

         ea support = yes
         csc policy = disable
         store dos attributes = yes

         path = /shares/petertestet
         read only = no
         browseable = yes
         guest ok = no
         delete readonly = yes
         valid users = @petertestet
         force group = petertestet
         create mask = 0770
         directory mask = 2770

I have a domain user petertest in a domain group petertestet:

# id petertest
uid=3000007(DOMAIN\petertest) gid=20(staff)  

At the moment, I have a Windows 7 and a XP VM joined to the domain,  
and could connect (map network drive) and create a document with  
expected permissions:

# ls -lisa /shares/petertestet
total 4
17037 2 drwxrws---  2 DOMAIN\petertest  DOMAIN\petertestet  3 Nov 11 11:40 .
16817 2 drwxr-xr-x  4 root              wheel               4 Nov 11 11:32 ..
17046 1 -rw-rw----  1 DOMAIN\petertest  DOMAIN\petertestet  6 Nov 11  
11:40 dada.txt

I changed /etc/nsswitch.conf:

group: files winbind
passwd: files winbind

So it looks as "my samba" is happy with winbind domain groups and can  
deal with "force group" etc.


More information about the samba mailing list