Hi list,

I have gone through several mailing list archives, googled, and tested several options, but we cannot figure out how to fix our problem.

NIS provides the uid and gid in Linux
AD provides the passwords
storage is provided by GPFS via samba to windows users

OS: RedHat 5.5 x86_64
Samba: 3.4.2 and/or 3.5.2

We are able to mount the home directories without any problems, we can read/write/rename/delete. The uid, and the gid have no problems writing to their respective areas, as per the permissions in Linux.

The problem we have is that any permissions that users have through secondary groups are not being carried forward to the Windows machines and are not recognised. We have tested this with a user whose primary group allows access to sambatest, as defined below, but if another user has the same group as a secondary group rather than as the primary group, this person cannot read/write/mount the share.

My smb.conf is below (with sensitive information replaced/<snipped>).

regards,
Arif

    # Server-wide settings. No "[global]" header line is visible in the post as
    # quoted -- NOTE(review): confirm the real file has one above this line.
    #
    # AD member-server setup: "security = ads" makes smbd authenticate users
    # against the Active Directory realm below (the post says AD holds the passwords).
    workgroup = DOMAIN
    password server = <snip> <snip>
    realm = domain.co.uk
    security = ads
    template shell = /bin/bash
    # Unqualified user names are treated as members of this server's own domain.
    winbind use default domain = yes
    winbind offline logon = false
    # NOTE(review): the documented parameter name is "winbind separator"; check
    # "testparm -s" output to see whether this spelling is accepted or silently ignored.
    winbind seperator = +

#--authconfig--end-line--
    netbios name = csfs
    # Default ID-mapping store; tdb2 is the cluster-aware variant, matching "clustering = yes" below.
    idmap backend = tdb2
    encrypt passwords = true
    # Maps client-supplied user names to Unix account names. Whoever can edit this
    # file decides which Unix account a session runs as, so keep it root-owned and
    # not group/world-writable.
    username map = /etc/samba/smbusers
    # NOTE(review): presumably unused with "security = ads" and the passdb backend
    # line below commented out -- confirm before relying on it.
    smb passwd file = /etc/samba/smbpasswd
    clustering = yes
        interfaces = <snip>/22
    dns proxy = no
    # %m expands to the client's NetBIOS name, so this gives one log file per client machine.
    log file = /var/log/samba/log.%m
    socket options = TCP_NODELAY IPTOS_LOWDELAY
    # Printing is switched off: no printers loaded, empty printcap, spoolss disabled.
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
    winbind enum groups = Yes
    winbind refresh tickets = true
    winbind nested groups = yes
    winbind nss info = template rfc2307
;    passdb backend = tdbsam
    # Allocation range used by the default idmap backend.
    idmap uid = 1000000-5000000
    idmap gid = 1000000-5000000
    # For DOMAIN, uid/gid values are read from RFC2307 attributes stored in AD and
    # only IDs inside 500-100000 are accepted.
    # NOTE(review): the post says NIS supplies uid/gid on Linux; the AD attributes
    # and group memberships must agree with NIS for group-based access to match --
    # verify, since this is where the two identity sources can diverge.
        idmap config DOMAIN:default = yes
        idmap config DOMAIN:range = 500-100000
        idmap config DOMAIN:backend = ad
        idmap config DOMAIN:schema_mode = rfc2307
    # Per-client include: the file name is built from %m, a name the client supplies.
    # Keep /etc/samba writable by root only so no one else can place a file there.
    include = /etc/samba/loglevel.%m
    # Set here, this makes every share read-write by default ("writeable" is the
    # inverse of "read only"); access then rests on "valid users" and on the Unix
    # permissions of each share path.
    writeable = yes
    # Set here, this becomes the default for every share.
        msdfs root = yes

# Per-user home shares, served from /users/<unix user name>.
[homes]
    comment = Staff Home Directories
        path = /users/%u
    # %S is the share name, which for [homes] is the user name requested, so only
    # that user may connect to their own home share.
        valid users = %S
    # New files get at most rwxr-x---: nothing for "other".
    create mask = 0750
    # gpfs: GPFS integration module; fileid with "mapping = fsname" derives file IDs
    # from the file system name, as needed when several cluster nodes export the
    # same file system.
    vfs objects = gpfs fileid
    fileid:mapping = fsname
    # Cross-node share-mode handling in GPFS is turned off.
    gpfs:sharemodes = No
#    nfs4: mode = special
#    nfs4: chown = yes
#    nfs4: acedup = merge

# Writable share restricted to an explicit list of accounts (names snipped in the post).
[support]
    read only = no
    comment = Support area
    path = /<snip>/support
    valid users = <snip> <snip> <snip> <snip> <snip>
    # "create mode" is a synonym for "create mask". 0664 lets new files be
    # group-writable and world-readable, unlike the 0750 used on the other shares.
    create mode = 0664
    vfs objects = gpfs fileid
    fileid:mapping = fsname
    gpfs:sharemodes = No

# Test share used in the post to reproduce the secondary-group problem.
# There is no "valid users" line, so Samba itself does not limit who may connect;
# access is decided by the Unix owner/group/mode of the share path.
# NOTE(review): the reported denial therefore presumably comes from the group list
# the server builds for the session -- compare "id <user>" on the server with the
# groups logged by smbd at a raised log level; confirm.
[sambatest]
    # These two lines set the same option ("writeable" is the inverse of "read only").
    read only = no
    writeable = yes
    comment = Testing Samba
    path = /<snip>/sambatest
    # New files get at most rwxr-x---, so group members can read them but not modify them.
    create mask = 0750
    vfs objects = gpfs fileid
    fileid:mapping = fsname
    gpfs:sharemodes = No
