Michael Davidson
2006-Aug-16 19:20 UTC
[Samba] Trouble with Winbind and domain group membership
Summary of problem: members of Active Directory groups cannot access Samba shares that their group membership should allow.

I recently joined our Linux servers to our Windows 2003 domain using Samba/Winbind. The research and implementation were time-consuming, but the results made it all worthwhile. Unfortunately I am running into a problem relating to group membership on the domain as it relates to share access.

I'll give a pared-down example of a share definition from smb.conf:

    [graphics]
        comment = Graphic design files
        path = /srv/samba/graphics
        valid users = @%D+Graphics
        public = no
        force group = %D+Graphics

(The winbind separator is +)

The idea is to allow only members of the domain group "Graphics" access to the share and to force group ownership on files that are created through the share to be "Graphics".

Here is some command output (the domain name is MWO):

    wbinfo -g | grep Graphics
    MWO+Graphics

    getent group | grep Graphics
    MWO+Graphics:x:10029:MWO+mdavidson

    wbinfo -G 10029
    S-1-5-21-1830939736-2914305965-1243072980-1232

The first command tells me that Winbind knows the group is there. The second tells me that I'm a member of the group. The third tells me that the Unix GID translates to an NT ID properly.

The problem happens when I attempt to connect to the share. It says "Access is Denied". If I comment out the valid users parameter in smb.conf, I get "The specified group does not exist" when connecting to the share. If I comment out both the valid users and force group parameters, I can connect; however, this does not make good security.

To complicate matters, testparm says "'winbind separator = +' might cause problems with group membership." In your experience, is this truly the problem? I am hesitant to make a change to the [global] section unless I am confident it will solve my problem.

Thank you,
Michael Davidson
Mount Washington Observatory
www.mountwashington.org
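As an added example (not code from the original post or from Samba), the script below walks the `valid users` and `force group` checks from the share definition above against constructed `getent group` / `getent passwd` output, so the config strings can be compared on paper with what NSS actually returns for a given winbind separator. It follows the prefix rules documented in smb.conf(5) for `valid users` (`@` = NIS netgroup then Unix group, `+` = Unix group only, `&` = netgroup only, no prefix = a user name) and substitutes `%D` with the connecting user's domain; netgroup lookups are treated as misses because no NIS is assumed. The domain name MWO, the group Graphics, its GID 10029 and the member MWO+mdavidson are taken from the post; the "Domain Users" group, the user's UID and the local user "alice" are constructed. Real Samba evaluates share access from the session's SID token rather than by re-reading NSS, so this is a reasoning aid, not a reproduction of Samba's code path. One relevant caveat that is documented in smb.conf(5) under `winbind separator`: setting it to `+` causes problems with group membership at least on glibc systems, because `+` is a special character for NIS in /etc/group, which is what the testparm warning refers to.

```python
"""Emulate Samba `valid users` / `force group` resolution against NSS data.

Added example, not Samba's code. Domain MWO, group Graphics, GID 10029 and
member MWO+mdavidson follow the mailing-list post; everything else below
(Domain Users GID, UIDs, user alice) is constructed sample data.
"""


def parse_group(text):
    """Parse `getent group` style lines into {name: {gid, members}}."""
    groups = {}
    for line in text.splitlines():
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = {
            "gid": int(gid),
            "members": {m for m in members.split(",") if m},
        }
    return groups


def parse_passwd(text):
    """Parse `getent passwd` style lines into {name: {uid, gid}}."""
    users = {}
    for line in text.splitlines():
        name, _pw, uid, gid, *_rest = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid)}
    return users


def make_nss(sep):
    """Constructed NSS data as winbind would present it for separator `sep`."""
    d = "MWO" + sep
    group_text = "\n".join([
        f"{d}Domain Users:x:10000:",          # constructed GID
        f"{d}Graphics:x:10029:{d}mdavidson",  # from the post
        "staff:x:50:",                        # local group, no listed members
    ])
    passwd_text = "\n".join([
        f"{d}mdavidson:*:10001:10000:Michael Davidson:/home/MWO/mdavidson:/bin/false",
        "alice:x:1000:50:Alice:/home/alice:/bin/bash",
    ])
    return parse_group(group_text), parse_passwd(passwd_text)


def substitute(value, domain):
    """Apply the %D substitution (domain of the connecting user)."""
    return value.replace("%D", domain)


def in_unix_group(user, group, groups, passwd):
    """None if the group is unknown; otherwise whether `user` is a member,
    either listed in the group entry or via the primary GID in passwd."""
    g = groups.get(group)
    if g is None:
        return None
    if user in g["members"]:
        return True
    u = passwd.get(user)
    return u is not None and u["gid"] == g["gid"]


def valid_users_allows(user, domain, valid_users, groups, passwd):
    """Evaluate a `valid users` value with the smb.conf(5) prefix rules."""
    for raw in valid_users.split():
        entry = substitute(raw, domain)
        if entry[:1] == "&":          # netgroup only: no NIS here, treat as miss
            continue
        if entry[:1] in ("@", "+"):   # '@' falls through to the Unix group
            if in_unix_group(user, entry[1:], groups, passwd):
                return True
        elif entry == user:           # plain user name
            return True
    return False


def force_group_gid(force_group, domain, groups):
    """GID that `force group` would apply, or None when the name does not
    resolve (the "specified group does not exist" outcome)."""
    g = groups.get(substitute(force_group, domain))
    return None if g is None else g["gid"]


def check(sep, user="mdavidson"):
    """Run both checks from the post's share definition for separator `sep`."""
    groups, passwd = make_nss(sep)
    full_user = "MWO" + sep + user
    allowed = valid_users_allows(full_user, "MWO", f"@%D{sep}Graphics", groups, passwd)
    gid = force_group_gid(f"%D{sep}Graphics", "MWO", groups)
    return allowed, gid


if __name__ == "__main__":
    for sep in ("+", "\\"):
        print(f"separator {sep!r}: (allowed, forced gid) = {check(sep)}")
```

On paper both separators resolve the same way, which is the point of the exercise: if `getent group` shows the user in `MWO+Graphics` but the connection is still denied, the mismatch is somewhere other than the name strings, and the testparm warning about `+` is the next thing to rule out by changing the separator in [global] and re-running `getent group` and `wbinfo -g`.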