[Samba] NT_STATUS_NETWORK_ACCESS_DENIED for a single user

Lorenzo Milesi maxxer at ufficyo.com
Thu Sep 12 08:45:20 MDT 2013

I've a "special" user (it has nothing special, just this exception) in a group that cannot access a share.
I check share access using UNIX permissions.

This is the share definition:
        comment = progettazione
        path = /dati/progettazione
        writeable = yes
        browseable = Yes
        directory mask = 0770
        create mask = 0775
        security mask = 0777
        force security mode = 0
        directory security mask = 0777
        force directory security mode = 0
        hide unreadable = Yes
        force create mode = 0775
        force directory mode = 6775
        vfs object = recycle
        recycle: config-files = /etc/samba/samba-recycle.conf

this is the directory permission
# ls -la /dati/progettazione/ | head
drwxrws--- 55 lorenzo       progettazione     4096 2013-09-12 10:10 .
drwxr-xr-x 20 root          root              4096 2013-07-22 08:29 ..

all the user in "progettazione" group can access the share EXCEPT this one:
# groups bosco
bosco : dipendenti disegni progettazione

I'm not using acl, anyway I tried remounting the partition without acl and nothing changes.
This user and group comes from ldap. If I 
# su - bosco
I can chdir to /dati/progettazione without issues.
The only strange thing I experience is that whether ls and all unix commands decode users and group correctly when I sudo as the "bosco" user the prompt cannot decode user and groups.

# su - bosco
groups: impossibile trovare il nome del gruppo con id 10001
groups: impossibile trovare il nome del gruppo con id 10003
groups: impossibile trovare il nome del gruppo con id 10010
Manca il nome at file-server:~$ id
uid=10010 gid=10001 gruppi=10001,10003,10010   

10010 is gid of group "progettazione".

Adding o+rwx permissions to the directory allows the user to chdir. It seems like 

I really don't know what else to look for.
Any help is welcome.
Lorenzo Milesi - lorenzo.milesi at yetopen.it

YetOpen S.r.l. - http://www.yetopen.it/

More information about the samba mailing list