I am also facing the same issue.
Does it mean that we can't specify a secondary group as 'force group' in
group?

On 11/5/09, Andrey Zykov <andrey at dce.ifmo.ru> wrote:
> Hello!
>
> I tried to configure a Debian Linux file server as a Windows 2003 domain
> member using samba with security = ADS mode and got stuck with the
> following problem:
>
> File server (fs) successfully joined my domain with correct user and
> group mapping (I'm using idmap rid). Users from the domain have their unix
> accounts with <DOMAIN_NAME>\ prefix, i.e. for domain user "andrey" I have
> local unix user: 'DOMAIN\andrey':
>
> fs:~# id DOMAIN\\andrey
> uid=11118(DOMAIN\andrey) gid=10513(DOMAIN\???????????? ??????) ??????=10513(DOMAIN\???????????? ??????),10512(DOMAIN\?????????????? ??????),11395(DOMAIN\??????????),10001(BUILTIN\users),10000(BUILTIN\administrators)
>
> As you can see, the user has uid=11118, primary group
> gid=10513 ('DOMAIN\???????????? ??????' - 'DOMAIN\domain users' in
> English) and a few supplementary groups.
> Now I want to make a share restricted to use by users from one of the
> supplementary groups, i.e. 11395(DOMAIN\??????????).
> I created a directory:
>
> fs:~# ls -l /home/sambashare/ | grep officepub
> drwxrwx---   2 DOMAIN\admin    DOMAIN\??????????             4096 ??? 26 20:28 officepub
>
> and checked that I can access it locally via ssh:
>
> fs:~# su DOMAIN\\andrey
> DOMAIN\andrey at fs:/root$ cd /home/sambashare/officepub/
> DOMAIN\andrey at fs:/home/sambashare/officepub$ touch file
> DOMAIN\andrey at fs:/home/sambashare/officepub$ rm file
>
> Next I added a share definition in smb.conf with my group in the
> 'force group' parameter:
> ...
> [officepub]
>         comment = Office Public Share
>         path = /home/sambashare/officepub
>         force group = +DOMAIN\??????????
>         read only = No
>         browseable = No
>
> restarted samba, tried to access it via smbclient and got the following error:
>
> fs:~# smbclient '\\fs\officepub' -U DOMAIN\\andrey
> Enter DOMAIN\andrey's password:
> Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.2.5]
> smb: \> ls
> NT_STATUS_NETWORK_ACCESS_DENIED listing \*
>
>                 0 blocks of size 0. 61680 blocks available
> smb: \>
>
> But at the same time I have a similar working share with restriction by
> _primary_ group:
>
> fs:~# id DOMAIN\\andrey
> uid=11118(DOMAIN\andrey) gid=10513(DOMAIN\???????????? ??????) ??????=10513(DOMAIN\???????????? ??????),10512(DOMAIN\?????????????? ??????),11395(DOMAIN\??????????),10001(BUILTIN\users),10000(BUILTIN\administrators)
> fs:~# ls -l /home/sambashare/ | grep pub
> drwxrwx---   2 DOMAIN\admin    DOMAIN\???????????? ??????    4096 ???  4 00:00 pub
> fs:~# su DOMAIN\\andrey
> DOMAIN\andrey at fs:/root$ cd /home/sambashare/pub/
> DOMAIN\andrey at fs:/home/sambashare/pub$ touch file
> DOMAIN\andrey at fs:/home/sambashare/pub$ exit
> exit
> fs:~# smbclient '\\fs\pub' -U DOMAIN\\andrey
> Enter DOMAIN\andrey's password:
> Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.2.5]
> smb: \> ls
>   .                                   D        0  Thu Nov  5 17:02:01 2009
>   ..                                  D        0  Wed Jun  3 18:22:47 2009
>   file                                         0  Thu Nov  5 17:02:01 2009
>
>                 64000 blocks of size 8192. 28337 blocks available
> smb: \>
>
> So I've decided that the problem is in the not working (or
> misunderstood?) 'force group' parameter.
>
> What did I do wrong and how do I fix this?
>
> Some technical information:
>
> Distro used: Debian Lenny, kernel  2.6.26-2-amd64
> Samba version: 3.2.5-4lenny6
> Domain Controller: Windows Server 2003 R2 Enterprise Edition
> smb.conf: http://pastebin.ca/1658364
> Log file: http://pastebin.ca/1658368
>
> P.S. Sorry for my English :-)
>
> --
> Andrey Zykov
>
> e-mail: andrey at dce.ifmo.ru
> jabber: zblk at jabber.org.