On Wed, Mar 18, 2009 at 07:40:47PM +0100, Andras Korn wrote:
> I have a samba pdc that uses an ldapsam backend. Everything seems to work,
> with the exception of the following share:
>
> [store]
> path = /store
> hide unreadable = yes
> csc policy = disable
> force group = +Power Users
> inherit acls = true
> volume = STORE
> create mask = 0666
> directory mask = 0777

I'm using the force group option on my ldapsam-based Samba domain servers, without the plus option (we want to force it on all), and it has been working fine, but when I tried setting the plus option on a test share, I got NT_STATUS_NO_SUCH_GROUP as the response.

Without debugging much more, I read up on the upstream bug 6230, and one thing struck me while reading what Volker Lendecke wrote:

> Ok, this took a while. This is very, very confusing but technically not a
> bug. You have ldapsam:trusted=yes with an invalid LDAP database. The
> primary group of user "guy", also "guy" does not have a sambaGroupMapping.
> This is the invalid configuration part.

In my directory we have users bound to gidNumber 100, which is 'users', and I have that in LDAP, but it's also not a sambaGroupMapping - yet everything seems to work, likely because users have sambaPrimaryGroupSID pointing to the group "Domain Users" which exists in LDAP and it *is* a sambaGroupMapping.

I've had a run-in before with that warning message, "ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=xyz))" but this is still a mere level 4 log message. If we know that it can be so relevant to authorization, it would really be a good idea to emphasize it by making it e.g. a level 2 or level 3 log message.

For example, smbd/dosmode.c:unix_mode() logs all inheritance matters as level 2; conversely, libsmb/nmblib.c:debug_nmb_packet() logs packet dumps as level 4. Looking at those, the "Did not find group" message definitely deserves to go up a notch so that people notice it with less overhead.

-- 
2. That which causes joy or happiness.
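
The condition quoted from Volker Lendecke above (a user whose primary gidNumber has no matching sambaGroupMapping entry) can be checked offline against an LDIF export of the directory. This is an added example, not part of the original message and not Samba code; the sample LDIF, its DNs and the function names are constructed for illustration, and it assumes plain (non-base64) attribute values.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of an `ldapsearch -LLL` export; not taken from the thread.
SAMPLE_LDIF = """\
dn: uid=guy,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: guy
gidNumber: 1001

dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: alice
gidNumber: 513

dn: cn=guy,ou=Groups,dc=example,dc=org
objectClass: posixGroup
cn: guy
gidNumber: 1001

dn: cn=Domain Users,ou=Groups,dc=example,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 513
"""

def parse_ldif(text):
    """Return one dict per entry: lower-cased attribute name -> list of values."""
    text = text.replace("\n ", "")  # unfold LDIF continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            entry[attr.strip().lower()].append(value.strip())
        entries.append(entry)
    return entries

def has_class(entry, name):
    return name.lower() in (v.lower() for v in entry["objectclass"])

def unmapped_primary_groups(entries):
    """List (uid, gidNumber) for posixAccount users whose gidNumber has no sambaGroupMapping."""
    mapped = {g for e in entries if has_class(e, "sambaGroupMapping") for g in e["gidnumber"]}
    return [((e["uid"] or e["dn"])[0], g) for e in entries
            if has_class(e, "posixAccount") for g in e["gidnumber"] if g not in mapped]

if __name__ == "__main__":
    for uid, gid in unmapped_primary_groups(parse_ldif(SAMPLE_LDIF)):
        print(f"{uid}: no match for (&(objectClass=sambaGroupMapping)(gidNumber={gid}))")
```

Each reported pair corresponds to a lookup that would produce the level 4 "ldapsam_getgroup: Did not find group" message quoted in the reply.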