Michael Casale
2006-Nov-17 05:21 UTC
[Samba] Groups not emulating in Samba3.0.23d-SerNet-RedHat
Hi all,

I just upgraded a test copy of my samba server from version 3.0.10E to the latest, 3.0.23D - the RPM available for Red Hat AS4 on the samba.org site. There was no samba-common, just samba, samba-client and samba-winbind RPMs. I installed all three successfully. I backed up my configs beforehand and replaced / adapted them afterwards. I successfully added this server to the domain after upgrade with the net ads join command.

The problem: Group emulation is not working. I can access shares where my account is specifically listed in the "valid users" settings in the smb.conf file for the share (NYC-14\mcasale), but not if my group is listed (NYC-14\Staff or NYC-14\Domain Admins).

Wbinfo -g shows all the groups, and wbinfo -u shows all users. But for some reason on this test server, and on the live server, these commands show the group or user names but the domain is never appended to the beginning. The live, un-updated server always has had this output yet works fine, though. Just thought I should mention this.

Klist shows tickets fine. I re-added this server to the domain after I upgraded it. Getent passwd and getent group work fine.

So, when I navigate to the server in Windows XP in Network Neighborhood, I can see all the shares. When I click on a share where I am specifically listed under "valid users" it opens fine. When I click on a share where my group is specifically listed in "valid users" it prompts me for a username and password, which it never accepts, no matter how I put it in.

I checked the log under /var/log/samba/mymachinename.log and it logs no errors. I'm surprised.

Here is my smb.conf file:

    [global]
    # workgroup = NT-Domain-Name or Workgroup-Name
       workgroup = NYC-14
       netbios name = MAN
    # MC Below 3 lines added to test Win2003 AD connection as per Red Hat Docs Recommendations.
       client schannel = no
       client use spnego = yes
       server signing = auto
    # server string is the equivalent of the NT Description field
       server string = TEST SAMBA SERVER
       printcap name = /etc/printcap
       load printers = no
       cups options = raw
       log file = /var/log/samba/%m.log
       max log size = 50
    # Security mode. Most people will want user level security. See
    # security_level.txt for details.
       security = ads
       realm = nyc-14.knoa.com
    # Use password server option only with security = server
       password server = 192.168.14.240 192.168.14.243
    # Most people will find that this option gives better performance.
    # See speed.txt and the manual pages for details
       socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    # WINS Server - Tells the NMBD components of Samba to be a WINS Client
    # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
       wins server = 192.168.14.239
    # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
    # via DNS nslookups. The built-in default for versions 1.9.17 is yes,
    # this has been changed in version 1.9.18 to no.
       dns proxy = no
    # Case Preservation can be handy - system default is _no_
    # NOTE: These can be set on a per share basis
    ;  preserve case = no
    ;  short preserve case = no
    # Default case is normally upper case for all DOS files
    ;  default case = lower
    # Be very careful with case sensitivity - it can break things!
    ;  case sensitive = no
       idmap uid = 10000-20000
       idmap gid = 10000-20000
       winbind separator = \
       winbind enum users = yes
       winbind enum groups = yes
       template shell = /bin/false
       winbind use default domain = yes

    #============================ Share Definitions =============================

    # backup depository
    [backup]
       comment = Backup Repository
       force create mode = 0777
       force directory mode = 6777
       path = /share1
       browseable = no
       writable = yes
       valid users = NYC-14\mcasale, NYC-14\administrator, NYC-14\sys_bak, NYC-14\PDS$, NYC-14\RDS$, NYC-14\MXS$, "NYC-14\Domain Admins"

    # bulk data storage for Development
    [bulk]
       browsable = no
       force create mode = 0777
       force directory mode = 6777
    #  path = /mnt/data/bulk
       path = /share2
       writable = yes
       guest ok = yes

    # clients data
    [Clients]
       browsable = yes
       comment = Clients of Knoa Software
       inherit permissions = yes
    #  path = /mnt/data/clients
       path = /share3
       valid users = NYC-14\Staff, NYC-14\Extranet, NYC-14\administrator, "NYC-14\Domain Admins"
       writable = yes

    # Engineering signing keys
    [CSPDID]
       browseable = no
    # access to this share is controled via valid users list
       force create mode = 0777
       force directory mode = 6777
    #  path = /mnt/data/cspdid
       path = /share4
       valid users = NYC-14\Administrator, "NYC-14\Domain Admins"
       writable = yes

    # file share for all company departments
    [Company]
       comment = Departamental File Share
       browseable = yes
       inherit permissions = yes
    #  force create mode = 0777
    #  force directory mode = 6777
    #  path = /mnt/data/company
       path = /share5
       valid users = NYC-14\mcasale, NYC-14\Staff, NYC-14\tester, NYC-14\Administrator, "NYC-14\Domain Admins"
       writable = yes
       inherit permissions = yes

    # image depository
    [image]
       comment = Disk Image Repository
    #  path = /mnt/data/image
       path = /share6
       browseable = yes
       write list = NYC-14\mcasale, NYC-14\Administrator, "NYC-14\Domain Admins"

    # intranet site files for access by the Intranet server VMC
    [intranet]
    #  path = "/mnt/data/company/Web Development/Intranet"
       path = /share7
       browsable = no
       guest ok = yes
    #  valid users = NYC-14\sys_web, NYC-14\vmc$

    # server root - for backup only
    [home]
    #  path = /mnt/data
       path = /share8
       valid users = NYC-14\Services, root, NYC-14\Administrator, "NYC-14\Domain Admins" NYC-14\mcasale
       browseable = no

    # software library
    [Software]
       comment = Software Library
    #  path = /mnt/data/software
       path = /share9
       valid users = NYC-14\Staff, NYC-14\Administrator
       write list = NYC-14\Administrator, "NYC-14\Domain Admins", NYC-14\mcasale

    [Operations]
       comment = Operations Share
    #  path = /mnt/data/operations
       path = /share10
       valid users = NYC-14\Operations, NYC-14\Administrator
       write list = NYC-14\Operations, NYC-14\Administrator, "NYC-14\Domain Admins", NYC-14\mcasale

    [VSS]
       browseable = no
       comment = Visual Source Safe
       create mask = 0666
       directory mask = 0777
    #  path = /mnt/data/vss
       path = /share11
       valid users = NYC-14\Staff, NYC-14\tester, NYC-14\Administrator, "NYC-14\Domain Admins"
       writable = yes

    # Users - public files of staff members
    [Users]
       comment = Personal File Repositories
    #  create mask = 0666
    #  directory mask = 0777
    #  path = /mnt/data/profiles/public
       path = /share12
       valid users = NYC-14\Staff, NYC-14\administrator, "NYC-14\Domain Admins"
       writable = yes
       browseable = yes
    #  inherit permissions = yes

    # user profiles
    [%U]
    #  path = /mnt/data/profiles/%U
       path = /share13/%U
       create mask = 0666
       directory mask = 0777
       valid users = NYC-14\%U, "NYC-14\Domain Admins"
       writable = yes
       browseable = no
       inherit permissions = yes

Michael Casale
Systems Administrator / IT Manager
Knoa Software
mcasale@knoa.com
Ph. (212) 807-9608 ext. 6000
Fax (212) 675-6121

Rex Dieter
2006-Nov-17 13:47 UTC
[Samba] Re: Groups not emulating in Samba3.0.23d-SerNet-RedHat
Michael Casale wrote:

> The problem: Group emulation is not working. I can access shares where
> my account is specifically listed in the "valid users" settings in the
> smb.conf file for the share (NYC-14\mcasale), but not if my group is
> listed (NYC-14\Staff or NYC-14\Domain Admins).

WORKSFORME, but groups must have a @ prefix, so try (for example):

    valid users = @NYC-14\Staff

instead.

-- Rex
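
The check suggested in the reply above, as an added example that is not code from either poster or from the Samba project: it scans the user-list parameters of an smb.conf and reports entries that name a known group without the @, + or & group prefix. The function names are hypothetical, and the config excerpt and group list (standing in for `wbinfo -g` output) are constructed from the shares quoted in the thread.

```python
import re

# smb.conf parameters whose value is a list of user and group names.
LIST_PARAMS = {"valid users", "invalid users", "read list", "write list", "admin users"}
GROUP_PREFIXES = "@+&"  # prefixes that make smbd treat a list entry as a group
NAME_RE = re.compile(r'[@+&]*"[^"]+"|[^\s,"]+')  # quoted names may contain spaces


def split_names(value):
    """Split a list value on commas/whitespace, keeping quoted names whole."""
    return [tok.replace('"', "") for tok in NAME_RE.findall(value)]


def unprefixed_groups(conf_text, groups, separator="\\"):
    """Return (share, parameter, entry) for entries naming a known group without a prefix."""
    known = {g.lower() for g in groups}
    share, findings = None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            share = line[1:-1]
            continue
        key, eq, value = line.partition("=")
        param = " ".join(key.lower().split())
        if not eq or param not in LIST_PARAMS:
            continue
        for name in split_names(value):
            # Compare the part after the winbind separator, case-insensitively.
            short = name.rsplit(separator, 1)[-1].lower()
            if name[0] not in GROUP_PREFIXES and short in known:
                findings.append((share, param, name))
    return findings


# Constructed sample: two shares adapted from the config quoted in the thread.
SAMPLE_CONF = r"""
[Clients]
   path = /share3
   valid users = NYC-14\Staff, NYC-14\administrator, "NYC-14\Domain Admins"
[Software]
   path = /share9
   valid users = @NYC-14\Staff, NYC-14\Administrator
   write list = NYC-14\Administrator, "NYC-14\Domain Admins", NYC-14\mcasale
"""
SAMPLE_GROUPS = ["Staff", "Domain Admins"]  # constructed stand-in for `wbinfo -g` output

if __name__ == "__main__":
    for share, param, name in unprefixed_groups(SAMPLE_CONF, SAMPLE_GROUPS):
        print(f"[{share}] {param}: {name!r} is a group; write it with an @ prefix")
```

Running the same check over `invalid users` matters as much as over `valid users`: an unprefixed group there is a deny rule that never matches the group's members.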