arif, we had a similar problem under different circumstances -- in our case
samba under solaris with the secondary group info coming from sun ldap. all
worked flawlessly with respect to primary groups, but secondary group
permissions were not honored. the "fix" in our case (until such time
as we
were able to fully patch the server) was a cron script that appended the
ldap secondary group information to the file /etc/group -- for some reason,
samba could only get secondary group info from this file, but not from any
other naming service on our out of date box. not sure why you'd be facing
this on such a recent vintage os, but i would try throwing some of the
secondary groups in that file to see if it makes a difference. good luck!
On Wed, Apr 27, 2011 at 2:32 PM, Arif Ali <arifali1 at gmail.com> wrote:
> Hi list,
>
> I have gone through several mailing list archives, googled, tested several
> options, but we cannot figure out how we fix our problem.
>
> NIS provides the uid and gid in Linux
> AD provides the passwords
> storage is provided by GPFS via samba to windows users
>
> OS: RedHat 5.5 x86_64
> Samba: 3.4.2 and/or 3.5.2
>
> We are able to mount the home directories without any problems, we can
> read/write/rename/delete. The uid, and the gid have no problems writing to
> their respective areas, as per the permissions in Linux.
>
> The problem we have is that any permissions that users have wrt secondary
> groups are not being carried forward to the windows machines, and not
> recognised. we have tried to test this with a user whose primary group
> allows to go to sambatest, as defined below, but if another user has the
> same group but as a secondary group, this person cannot read/write/mount
the
> share.
>
> My smb.conf is below, (with replaced/<snipped> sensitive information)
>
> regards,
> Arif
>
> workgroup = DOMAIN
> password server = <snip> <snip>
> realm = domain.co.uk
> security = ads
> template shell = /bin/bash
> winbind use default domain = yes
> winbind offline logon = false
> winbind seperator = +
>
> #--authconfig--end-line--
> netbios name = csfs
> idmap backend = tdb2
> encrypt passwords = true
> username map = /etc/samba/smbusers
> smb passwd file = /etc/samba/smbpasswd
> clustering = yes
> interfaces = <snip>/22
> dns proxy = no
> log file = /var/log/samba/log.%m
> socket options = TCP_NODELAY IPTOS_LOWDELAY
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> winbind enum groups = Yes
> winbind refresh tickets = true
> winbind nested groups = yes
> winbind nss info = template rfc2307
> ; passdb backend = tdbsam
> idmap uid = 1000000-5000000
> idmap gid = 1000000-5000000
> idmap config DOMAIN:default = yes
> idmap config DOMAIN:range = 500-100000
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = rfc2307
> include = /etc/samba/loglevel.%m
> writeable = yes
> msdfs root = yes
>
> [homes]
> comment = Staff Home Directories
> path = /users/%u
> valid users = %S
> create mask = 0750
> vfs objects = gpfs fileid
> fileid:mapping = fsname
> gpfs:sharemodes = No
> # nfs4: mode = special
> # nfs4: chown = yes
> # nfs4: acedup = merge
>
> [support]
> read only = no
> comment = Support area
> path = /<snip>/support
> valid users = <snip> <snip> <snip> <snip>
<snip>
> create mode = 0664
> vfs objects = gpfs fileid
> fileid:mapping = fsname
> gpfs:sharemodes = No
>
> [sambatest]
> read only = no
> writeable = yes
> comment = Testing Samba
> path = /<snip>/sambatest
> create mask = 0750
> vfs objects = gpfs fileid
> fileid:mapping = fsname
> gpfs:sharemodes = No
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>