Michael Davidson
2006-Aug-16 19:20 UTC
[Samba] Trouble with Winbind and domain group membership
Summary of problem: members of Active Directory groups cannot access Samba
shares that their group membership should allow.
I recently joined our Linux servers to our Windows 2003 domain using
Samba/Winbind. The research and implementation were time-consuming, but the
results made it all worthwhile. Unfortunately I am running into a problem
relating to group membership on the domain as it relates to share access.
I'll give a pared-down example of a share definition from smb.conf:
[graphics]
comment = Graphic design files
path = /srv/samba/graphics
valid users = @%D+Graphics
public = no
force group = %D+Graphics
(The winbind separator is +)
The idea is to allow only members of the domain group "Graphics"
access to
the share and to force group ownership on files that are created through the
share to be "Graphics".
Here is some command output (The domain name is MWO):
wbinfo -g | grep Graphics
MWO+Graphics
getent group | grep Graphics
MWO+Graphics:x:10029:MWO+mdavidson
wbinfo -G 10029
S-1-5-21-1830939736-2914305965-1243072980-1232
The first command tells me that Winbind know the group is there. The second
tells me that I'm a member of the group. The third tells me that the Unix
GID translates to an NT ID properly.
The problem happens when I attempt to connect to the share. It says
"Access
is Denied". If I comment out the valid users parameter in smb.conf, I get
"The specified group does not exist" when connecting to the share. If
I
comment out both the valid users and force group parameters, I can connect,
however this does not make good security.
To complicate matters, testparm says "'winbind separator = +' might
cause
problems with group membership." In your experience, is this truly the
problem? I am hesitant to make a change to the [global] section unless I am
confident it will solve my problem.
Thank you,
Michael Davidson
Mount Washington Observatory
www.mountwashington.org
Seemingly Similar Threads
Wisdom of the Ancients
