I am also facing the same issue. Does it mean that we can't specify a secondary group as 'force group' in group?

On 11/5/09, Andrey Zykov <and...@dce.ifmo.ru> wrote:
> Hello!
>
> I tried to configure a Debian Linux file server as a Windows 2003 domain
> member using Samba with security = ADS mode and got stuck with this problem:
>
> The file server (fs) successfully joined my domain with correct user and
> group mapping (I'm using idmap rid). Users from the domain have their unix
> accounts with a <DOMAIN_NAME>\ prefix, i.e. for domain user "andrey" I have
> the local unix user 'DOMAIN\andrey':
>
> fs:~# id DOMAIN\\andrey
> uid=11118(DOMAIN\andrey) gid=10513(DOMAIN\пользователи домена)
> группы=10513(DOMAIN\пользователи домена),10512(DOMAIN\администраторы
> домена),11395(DOMAIN\сотрудники),10001(BUILTIN\users),10000(BUILTIN\administrators)
>
> As you can see, the user has uid=11118, primary group
> gid=10513 ('DOMAIN\пользователи домена' - 'DOMAIN\domain users' in
> English) and a few supplementary groups.
> Now I want to make a share restricted to users from one of the
> supplementary groups, i.e. 11395(DOMAIN\сотрудники).
> I created a directory:
>
> fs:~# ls -l /home/sambashare/ | grep officepub
> drwxrwx--- 2 DOMAIN\admin DOMAIN\сотрудники 4096 Окт 26
> 20:28 officepub
>
> and checked that I can access it locally via ssh:
>
> fs:~# su DOMAIN\\andrey
> domain\and...@fs:/root$ cd /home/sambashare/officepub/
> domain\and...@fs:/home/sambashare/officepub$ touch file
> domain\and...@fs:/home/sambashare/officepub$ rm file
>
> Next I added a share definition in smb.conf with my group in the 'force group'
> parameter:
> ...
> [officepub]
> comment = Office Public Share
> path = /home/sambashare/officepub
> force group = +DOMAIN\сотрудники
> read only = No
> browseable = No
>
> restarted samba, tried to access it via smbclient and got the following error:
>
> fs:~# smbclient '\\fs\officepub' -U DOMAIN\\andrey
> Enter DOMAIN\andrey's password:
> Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.2.5]
> smb: \> ls
> NT_STATUS_NETWORK_ACCESS_DENIED listing \*
>
> 0 blocks of size 0. 61680 blocks available
> smb: \>
>
> But at the same time I have a similar working share with restriction by
> _primary_ group:
>
> fs:~# id DOMAIN\\andrey
> uid=11118(DOMAIN\andrey) gid=10513(DOMAIN\пользователи домена)
> группы=10513(DOMAIN\пользователи домена),10512(DOMAIN\администраторы
> домена),11395(DOMAIN\сотрудники),10001(BUILTIN\users),10000(BUILTIN\administrators)
> fs:~# ls -l /home/sambashare/ | grep pub
> drwxrwx--- 2 DOMAIN\admin DOMAIN\пользователи домена 4096 Ноя 4
> 00:00 pub
> fs:~# su DOMAIN\\andrey
> domain\and...@fs:/root$ cd /home/sambashare/pub/
> domain\and...@fs:/home/sambashare/pub$ touch file
> domain\and...@fs:/home/sambashare/pub$ exit
> exit
> fs:~# smbclient '\\fs\pub' -U DOMAIN\\andrey
> Enter DOMAIN\andrey's password:
> Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.2.5]
> smb: \> ls
> . D 0 Thu Nov 5 17:02:01 2009
> .. D 0 Wed Jun 3 18:22:47 2009
> file 0 Thu Nov 5 17:02:01 2009
>
> 64000 blocks of size 8192. 28337 blocks available
> smb: \>
>
> So I've decided that the problem is in the not working (or
> misunderstood?) 'force group' parameter.
>
> What did I do wrong and how do I fix this?
>
> Some technical information:
>
> Distro used: Debian Lenny, kernel 2.6.26-2-amd64
> Samba version: 3.2.5-4lenny6
> Domain Controller: Windows Server 2003 R2 Enterprise Edition
> smb.conf: http://pastebin.ca/1658364
> Log file: http://pastebin.ca/1658368
>
> P.S. Sorry for my English :-)
>
> --
> Andrey Zykov
>
> e-mail: and...@dce.ifmo.ru
> jabber: z...@jabber.org.
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
Sent from my mobile device
http://linuxinterviews.blogspot.com
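
The following is an added example, not code from either poster or from the Samba project. It models the `+` prefix of `force group` as smb.conf(5) describes it (the group becomes the session's primary group only for users already in it), followed by the ordinary Unix owner/group/other check, using the ids from the message. The function names, the `OUTSIDER` user and the admin uid are assumptions.

```python
# Added example: models smb.conf(5) wording, not smbd's source code.

def effective_gid(force_group, primary_gid, supplementary, name_to_gid):
    """Primary gid for the share session after applying 'force group'."""
    if not force_group:
        return primary_gid
    gid = name_to_gid.get(force_group.lstrip("+"))
    if gid is None:
        # Model choice: an unresolvable group name is an error.
        raise LookupError("cannot resolve group %r" % force_group)
    is_member = gid == primary_gid or gid in supplementary
    if force_group.startswith("+") and not is_member:
        return primary_gid  # '+': non-members keep their own primary group
    return gid              # member, or unconditional force

def dir_bits(mode, owner_uid, owner_gid, uid, gid, supplementary):
    """Unix class selection: owner, then group, then other (rwx as 0-7)."""
    if uid == owner_uid:
        return (mode >> 6) & 7
    if gid == owner_gid or owner_gid in supplementary:
        return (mode >> 3) & 7
    return mode & 7

def can_list(force_group, user, directory, name_to_gid):
    """True if the session may read and traverse the share directory."""
    gid = effective_gid(force_group, user["gid"], user["groups"], name_to_gid)
    bits = dir_bits(directory["mode"], directory["uid"], directory["gid"],
                    user["uid"], gid, user["groups"])
    return (bits & 0o5) == 0o5  # r and x are both needed for 'ls'

# Ids copied from the 'id' and 'ls -l' output in the message.
GROUPS = {"DOMAIN\\сотрудники": 11395, "DOMAIN\\пользователи домена": 10513}
ANDREY = {"uid": 11118, "gid": 10513,
          "groups": {10513, 10512, 11395, 10001, 10000}}
# Constructed: a domain user who is not in DOMAIN\сотрудники.
OUTSIDER = {"uid": 12000, "gid": 10513, "groups": {10513}}
# drwxrwx--- DOMAIN\admin DOMAIN\сотрудники; the admin uid is a placeholder.
OFFICEPUB = {"mode": 0o770, "uid": 99999, "gid": 11395}

if __name__ == "__main__":
    for name, user in (("andrey", ANDREY), ("outsider", OUTSIDER)):
        for fg in ("+DOMAIN\\сотрудники", "DOMAIN\\сотрудники"):
            print(name, fg, can_list(fg, user, OFFICEPUB, GROUPS))
```

For the ids in the message the model allows the listing with the `+` form, so a denial from smbd has to come from something these two checks do not cover, such as how the group name in smb.conf is resolved.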