[Samba] problems accessing shares with force group

Rowland penny rpenny at samba.org
Tue Feb 2 16:15:29 UTC 2021


On 02/02/2021 15:16, Piviul via samba wrote:
> On 02/02/21 11:26, Rowland penny via samba wrote:
>> [...]
>> What, apart from still using Samba 4.5.16 ?
>
> debian; I have the same strange behaviour in stretch (oldstable) and 
> in bullseye (testing), I don't know about buster (stable) but I can try. 
> oldoldstable seems to work correctly
>
>
>> I do not know, if you are going to post a part of the smb.conf, post 
>> the entire smb.conf
> # Global parameters
> [global]
>     lock directory = /var/cache/samba/
>     log file = /var/log/samba/log.%m
>     logging = file
>     map to guest = Bad User
>     max log size = 1000
>     obey pam restrictions = Yes
>     pam password change = Yes
>     panic action = /usr/share/samba/panic-action %d
>     realm = AD.CSARICERCHE.COM
>     security = ADS
>     server string = %h server (Samba, Ubuntu)
>     template shell = /bin/bash
>     usershare allow guests = Yes
>     winbind offline logon = Yes
>     winbind refresh tickets = Yes
>     wins server = 192.168.64.2
>     workgroup = DOMINIOCSA
>     idmap config dominiocsa : range = 10000-24999
>     idmap config dominiocsa : backend = rid
>     idmap config * : range = 3000-9999
>     idmap config * : backend = tdb
>
>
> [test]
>     browseable = No
>     comment = test force group directive
>     force group = "@DOMINIOCSA\Domain Users"
>     path = /home/test_share
>     write list = "@DOMINIOCSA\Domain Users"

There doesn't seem to be anything wrong with that smb.conf except for 
the 'wins server' line; you don't use wins with Samba AD.
>
>
> Furthermore, I don't know if it's normal, but getent group or wbinfo 
> --group-info doesn't show member users; but if I set winbind expand 
> groups to 1, getent group and wbinfo --group-info correctly show 
> the member users.


You need to fix that, 'getent passwd username' & 'getent group 
groupname' must produce output.

Also, as 'Domain Users' is the default primary group for domain users, 
you don't really need the 'force group' line.

Rowland




