Eric,
Try changing your smb.conf file to:
[accounts]
valid users = @accounts
force group = accounts
(along with the other usual stuff)
[finsvcs]
valid users = @finsvcs
force group = finsvcs
(along with the other usual stuff)
This will limit access to members of the appropriate group. It will
also force all files created in those shares to be owned by the group,
so other group members should have no problem using them.
HTH,
Michael
Eric Hines told me on 12/7/2005 21:36:> I'm at my wit's end on this, and I hope someone can help.
>
> I'm running SUSE Pro 9.3 with Samba 3.0.13, and I can't get
connected to
> my shares properly. Valid users (e.g., for [accounts]) is set to %G,
> and I've confirmed that the users are members of the owning groups for
> the shares and that they are in the passwd and smbpasswd files with the
> same passwords as on the Win2k PC from which they're trying to gain
> access. Network Neighborhood browsing shows up the shares, but access
> is denied.
>
> The directory structure is:
> /data (owned by root:root)
> /data/accounts (owned by owner:group)
>
> When I try to gain access to [accounts] as ehines (one of the users),
> all I get is a dialog box saying "incorrect password or unknown user
> name," and I'm invited to log in--which is then rejected, also.
There
> is a [homes] share to which I gain access easily and correctly. I can
> gain access to [accounts] by logging in from the Win2k PC as root (yes,
> the UNIX root) and using the UNIX root password. However, once I've
> done that, no one else can ever gain access again--including to the
> [homes] share--until I reboot the PC.
>
> I know I'm dong something basic and brain dead wrong, but I can't
find
> it. I've been through the TOSHARG2 and the Samba-3 documentation, but
> I'm not finding my error.
>
> I set system log to level 2, and following are the relevant parts of the
> smbd and winbindd logs:
>
> from log.smbd:
>
> [2005/12/07 20:53:47, 2] auth/auth.c:check_ntlm_password(305)
> check_ntlm_password: authentication for user [EHines] -> [EHines]
->
> [ehines] succeeded
> [2005/12/07 20:53:49, 2] smbd/service.c:make_connection_snum(321)
> user 'ehines' (from session setup) not permitted to access this
share
> (accounts)
> [2005/12/07 20:53:49, 2] smbd/service.c:make_connection_snum(321)
> user 'ehines' (from session setup) not permitted to access this
share
> (accounts)
> [2005/12/07 20:53:49, 2] smbd/service.c:make_connection_snum(321)
> user 'ehines' (from session setup) not permitted to access this
share
> (accounts)
> [2005/12/07 20:53:49, 2] smbd/service.c:make_connection_snum(321)
> user 'ehines' (from session setup) not permitted to access this
share
> (accounts)
> [2005/12/07 20:53:49, 2] smbd/service.c:make_connection_snum(321)
> user 'ehines' (from session setup) not permitted to access this
share
> (accounts)
> [2005/12/07 20:53:49, 2] smbd/service.c:make_connection_snum(321)
> user 'ehines' (from session setup) not permitted to access this
share
> (accounts)
>
>
> from log.winbindd:
>
> [2005/12/07 20:48:07, 0] nsswitch/winbindd_util.c:winbindd_param_init(555)
> winbindd: idmap uid range missing or invalid
> [2005/12/07 20:48:07, 0] nsswitch/winbindd_util.c:winbindd_param_init(556)
> winbindd: cannot continue, exiting.
> [2005/12/07 20:48:07, 1] nsswitch/winbindd.c:main(897)
> Could not init idmap -- netlogon proxy only
>
> Thanks for your help.
>
> Eric Hines
>
> There is no nonsense so errant that it cannot be made the creed of the
> vast majority by adequate governmental action.
> --Bertrand Russell