Folks,
><snip>
>Folks,
>
>I'm running SUSE Pro 9.3 with Samba 3.0.13, and I have a LAN with 2
>subnets. The problem (or the symptom; I may actually have two problems)
>is that I can't get into some of the shares from my Win2k box (one subnet)
>or from my XP laptop (other subnet). The directory structure is
> /data
> /data/accounts
> /data/finsvcs
>
>and the shares are accounts and finsvcs. /data is owned by root:root,
>while the share directories are owned by mfwic:accounts and mfwic:finsvcs.
>
>Each user can get into his own /home/directory just fine, and I've
>confirmed that the users are correctly entered in the passwd and smbpasswd
>files (as also implied by being able to get into the /home
>directories). User access to the shares is granted via "valid
>user=%G." From the Windows devices, it's possible to browse over to (or
>to go via Network Neighborhood), and see, the shares, but entering is
>denied--the Windows devices invite me to log in and then reject the
>login. Winbindd is running, and the Windows devices are pointed to the
>samba box for the WINS service.
>
>I've run the checklist from TOSHARG2, and the only items that _don't_ work are
> smbclient //lserver0/accounts -U<user> (including mfwic). That
> gets me a tree connect failed: NT_STATUS_ACCESS_DENIED error. However,
> if I run smbclient //lserver0/accounts -Uroot with the root password, I
> get into the shares.
> I cannot ping by name the machines (PC and laptop) from lserver0,
> the samba box, or lserver0 from the Windows machine. I can ping in both
> directions by IP address.
> nmblookup -B xxx '*' works when xxx=IP address, fails when
> xxx=machine name.
> net use x: \\lserver0\accounts fails with a bad password error
> from my Win2k PC, and with a multiple connections not allowed error from
> my XP laptop.
>
>Any advice would be greatly appreciated.
>
>Eric Hines

I got this to work, but I don't understand why, or what the implications
are of the change I made. Any advice would be greatly appreciated.

The change I made was to change valid users for the shares accounts and
finsvcs to %U from %G.

The documentation says that %G is the _primary_ group of the user in
question; the primary group of these users, from the way they were first
entered into the system, is 'users'; they were only after that _added_ to
the groups owning the shares' directories. Could this be part of the problem,
or is that a non-distinction? Also, what am I doing to security by
allowing the session user in and not mandating that that person be a member
of the share-owning group?

Thanks

Eric Hines

There is no nonsense so errant that it cannot be made the creed of the vast
majority by adequate governmental action.
--Bertrand Russell
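
The %G versus %U question above, worked through as an added example that is not part of the original post: a simplified Python model of how a `valid users` value is expanded and matched (it is not Samba's code). The user `alice` and the group memberships are constructed; `@accounts` is the smb.conf group-entry syntax, which the post does not use.

```python
# Simplified model of smb.conf "valid users" evaluation; not Samba's source.
# Assumption: only %U / %G substitution and @group / +group entries are modelled.

# Constructed sample accounts: primary group plus supplementary groups.
USERS = {
    "root":  {"primary": "root",  "groups": set()},
    "mfwic": {"primary": "users", "groups": {"accounts", "finsvcs"}},
    "alice": {"primary": "users", "groups": {"finsvcs"}},  # hypothetical user
}

def expand(value, user):
    """Substitute %U (session user name) and %G (primary group of %U)."""
    return value.replace("%U", user).replace("%G", USERS[user]["primary"])

def in_group(user, group):
    """True if group is the user's primary or a supplementary group."""
    info = USERS[user]
    return group == info["primary"] or group in info["groups"]

def allowed(valid_users, user):
    """Evaluate a 'valid users' value for one connecting user."""
    for entry in expand(valid_users, user).replace(",", " ").split():
        if entry[0] in "@+":          # group entry: test membership
            if in_group(user, entry[1:]):
                return True
        elif entry == user:           # plain entry: compared as a user name
            return True
    return False

def report(valid_users):
    """Map each sample user to the access decision for this setting."""
    return {u: allowed(valid_users, u) for u in USERS}

if __name__ == "__main__":
    for setting in ("%G", "%U", "@accounts"):
        print(f"valid users = {setting:10} -> {report(setting)}")
```

In this model `%G` becomes the plain name `users`, which matches no connecting user except where user and primary group share a name (root), while `%U` always names the connecting user and so restricts nothing. Only the `@accounts` form ties access to membership of the share-owning group.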