[Samba] Clients can't write to group-writable files - plea for help

[Rowland Penny]

On Fri, 18 Nov 2016 10:11:54 -0500
Josh Malone via samba <samba at lists.samba.org> wrote:

> On 11/18/16 9:53 AM, Rowland Penny via samba wrote:
> >
> > OK, can I suggest you stop using either a usermap or a userscript.
> > Try setting up your domain member correctly see here:
> 
> With no usermap file or script, the behavior is the same: can't write
> to files you should be able to based on group membership.
> 
> >
> > https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
> >
> > and here:
> >
> > https://wiki.samba.org/index.php/Idmap_config_ad
> 
> I thought my setup was almost that, with the exception of getting
> unix users from NIS instead of winbindd. Would that not work?
> 
> 
> > As you have Mac clients, it might be a good idea to use vfs_fruit,
> > try reading 'man vfs_fruit'
> 
> I'm not sure this will get us anything, particularly since Mac users 
> have to share files with Linux users in almost all of our workflows.
> 
> 
> > Setup correctly, you wont have windows, Mac and Unix users, you will
> > just have AD users.
> 
> Well - that might just be my complication then: We have separate 
> directories for Windows and Unix. They both contain the same users
> and have the same uid/gid numbers, but there are two directories.
> 
> >
> > Rowland
> >
> 
> Thanks again,
> 
> -Josh
> 

OK, you have Windows users stored in AD, these use SID-RIDs, but by
adding uidNumber attributes to the windows users, they become Unix
users as well, there is no need to have two directories. You would end
up with one user with one password being available on windows and Unix.

At the moment, you seem to have users stored in multiple places, with,
I take it, the same (or possibly even worse, different) password(s)
stored in multiple places.

what goes for users also goes for groups, groups and group members
stored in AD and used everywhere.

Rowland