Hi list,

I am having a weird issue with samba as included with FreeNAS 8.0.2. All my users are in LDAP, and the local server can see and authenticate LDAP users via other mechanisms like SSH. When I log into this FreeNAS machine via SSH, the server understands group permissions and all works as expected. The filesystem that the share is on is ZFS and FreeNAS is based on FreeBSD.

My issue is, when I mount a CIFS share from a Windows workstation to the FreeNAS Samba server, secondary group permissions are not honoured.

In a bit more detail. I have a user in LDAP called alex.ferrara with the primary group of "Domain Users" and I can mount CIFS shares just fine. The main CIFS share destination directory is set to mode 2775 with the owner "root" and group "Domain Users". My user can create files as you would expect. So far so good.

The problem comes in when I have a directory underneath the main share that is owned by "root" and group "Domain Admins". My user is a member of the domain admins group and I can create files if I log in via SSH, but when I access the same directory via CIFS, I get the message "You need permission to perform this action".

The version of Samba is 3.5.11 and my config file is included below.

[global]
encrypt passwords = yes
dns proxy = no
strict locking = no
read raw = yes
write raw = yes
oplocks = yes
max xmit = 65535
deadtime = 15
display charset = LOCALE
max log size = 10
syslog only = yes
syslog = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
smb passwd file = /var/etc/private/smbpasswd
private dir = /var/etc/private
getwd cache = yes
guest account = nobody
map to guest = Bad Password
netbios name = server
workgroup = DOMAIN
server string = FreeNAS Server
use sendfile = yes
large readwrite = no
store dos attributes = yes
security = user
passdb backend = ldapsam:ldap://10.16.0.10
ldap admin dn = cn=admin,dc=domain
ldap suffix = dc=domain
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap ssl = off
ldap replication sleep = 1000
ldap passwd sync = yes
#ldap debug level = 1
#ldap debug threshold = 1
ldapsam:trusted = yes
idmap uid = 10000-39999
idmap gid = 10000-39999
create mask = 0664
directory mask = 0775
client ntlmv2 auth = yes
dos charset = CP437
unix charset = UTF-8
log level = 3
aio read size = 1
aio write size = 1

[share]
path = /mnt/data/share
printable = no
veto files = /.snap/.windows/
writeable = yes
browseable = yes
inherit owner = yes
inherit permissions = yes
vfs objects = zfsacl recycle
recycle:repository = .recycle/%U
recycle:keeptree = yes
recycle:versions = yes
recycle:touch = yes
recycle:directory_mode = 0777
recycle:subdir_mode = 0700
inherit acls = Yes
map archive = No
map readonly = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes

Alex Ferrara
Director
Receptive IT Solutions
P 0403 604 604
F (02) 4822 7700
E alex at receptiveit.com.au
W www.receptiveit.com.au