samba - Jun 2014 - access rights for unix groups unreliable

Hello,

Please help me with this.

Access rights granted with acl to unix groups work only
on about 2 out of 10 logins, otherwise I get access denied.
Directories with rights granted to everybody are always accessible.

Rights were granted from within Windows 7 to a unix-group named
"g_all".
Samba is 4.1.6 of Ubuntu 14.04
Output of testparm:
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
[global]
	workgroup = AAA
	server string = BBB
	server role = classic primary domain controller
	map to guest = Bad User
	obey pam restrictions = Yes
	pam password change = Yes
	passwd program = /usr/bin/passwd %u
	passwd chat = *Enter\snew\s*\spassword:* %n\n 
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	unix password sync = Yes
	lanman auth = Yes
	syslog = 0
	log file = /var/log/samba/log.%m
	max log size = 1000
	load printers = No
	printcap name = /dev/null
	disable spoolss = Yes
	show add printer wizard = No
	mangle prefix = 5
	add machine script = /usr/sbin/useradd -g machines -c "%u machine 
account" -d /var/lib/samba -s /bin/false %u
	logon script = logon.cmd
	logon path 	logon drive = H:
	logon home = \\%L\S\usr\%U
	domain logons = Yes
	dns proxy = No
	usershare allow guests = Yes
	panic action = /usr/share/samba/panic-action %d
	recycle:maxsixe = 0
	recycle:versions = Yes
	recycle:touch = Yes
	recycle:keeptree = Yes
	recycle:repository = .recyclebin
	idmap config * : backend = tdb
	inherit permissions = Yes
	inherit acls = Yes
	map acl inherit = Yes
	printing = bsd
	print command = lpr -r -P'%p' %s
	lpq command = lpq -P'%p'
	lprm command = lprm -P'%p' %j
	case sensitive = No
	short preserve case = No
	delete veto files = Yes
	map archive = No
	map readonly = no
	store dos attributes = Yes
	strict locking = Yes
	fstype = Samba
	vfs objects = acl_xattr

[netlogon]
	comment = Network Logon Service
	path = /srv/samba/netlogon
	guest ok = Yes

[G]
	path = /srv/samba/files/G
	valid users = +g_all, admin, guest
	admin users = admin
	read only = No
	veto files = /.rights/
	vfs objects = recycle, acl_xattr

[S]
	path = /srv/samba/files/S
	valid users = +g_all, admin, guest
	admin users = admin
	read only = No
	veto files = /.rights/
	vfs objects = recycle, acl_xattr

On 2014-06-24 15:35, Klaus Hartnegg wrote:
> Hello,
> 
> Please help me with this.
> 
> Access rights granted with acl to unix groups work only
> on about 2 out of 10 logins, otherwise I get access denied.
> Directories with rights granted to everybody are always accessible.
> 
> Rights were granted from within Windows 7 to a unix-group named
"g_all".
> Samba is 4.1.6 of Ubuntu 14.04
> Output of testparm:
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Loaded services file OK.
> Server role: ROLE_DOMAIN_PDC
> [global]
>     workgroup = AAA
>     server string = BBB
>     server role = classic primary domain controller
>     map to guest = Bad User
>     obey pam restrictions = Yes
>     pam password change = Yes
>     passwd program = /usr/bin/passwd %u
>     passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>     unix password sync = Yes
>     lanman auth = Yes
>     syslog = 0
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     load printers = No
>     printcap name = /dev/null
>     disable spoolss = Yes
>     show add printer wizard = No
>     mangle prefix = 5
>     add machine script = /usr/sbin/useradd -g machines -c "%u machine
> account" -d /var/lib/samba -s /bin/false %u
>     logon script = logon.cmd
>     logon path >     logon drive = H:
>     logon home = \\%L\S\usr\%U
>     domain logons = Yes
>     dns proxy = No
>     usershare allow guests = Yes
>     panic action = /usr/share/samba/panic-action %d
>     recycle:maxsixe = 0
>     recycle:versions = Yes
>     recycle:touch = Yes
>     recycle:keeptree = Yes
>     recycle:repository = .recyclebin
>     idmap config * : backend = tdb
Are the gids/uids stable?
>     inherit permissions = Yes
>     inherit acls = Yes
>     map acl inherit = Yes
>     printing = bsd
>     print command = lpr -r -P'%p' %s
>     lpq command = lpq -P'%p'
>     lprm command = lprm -P'%p' %j
>     case sensitive = No
>     short preserve case = No
>     delete veto files = Yes
>     map archive = No
>     map readonly = no
>     store dos attributes = Yes
>     strict locking = Yes
>     fstype = Samba
>     vfs objects = acl_xattr
> 
> [netlogon]
>     comment = Network Logon Service
>     path = /srv/samba/netlogon
>     guest ok = Yes
> 
> [G]
>     path = /srv/samba/files/G
>     valid users = +g_all, admin, guest
>     admin users = admin
>     read only = No
>     veto files = /.rights/
>     vfs objects = recycle, acl_xattr
> 
> [S]
>     path = /srv/samba/files/S
>     valid users = +g_all, admin, guest
>     admin users = admin
>     read only = No
>     veto files = /.rights/
>     vfs objects = recycle, acl_xattr
> 
-- 
Mit freundlichen Gr??en, / Best Regards,
Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas at tao.at | +43 (0)680 301 7167
http://software.tao.at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 648 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20140624/f1500ea7/attachment.pgp>