I'm not sure if this is an LDAP issue, a Samba issue, a BSD issue or a FreeNAS issue...
I'm working at migrating a large block of file shares from an aging CentOS/Samba 3.0.9 server to a FreeNAS (8.0.2) server. (The FreeNAS box is running FreeBSD 8.2-RELEASE-p3 and Samba 3.5.11.) I will eventually be migrating the entire domain and user base off of that server, but for the time being, I have set up a process where I mirror the user and group information from the Samba 3 domain to an LDAP (Fedora 389) server. (Long story...)

I'm syncing the actual folders from the current production server to the FreeNAS volumes, through either NFS or rsync. This maintains all the original group and owner permissions on the files and directories. One of the things I like about the FreeNAS server is that it can be configured to talk to either AD (MS or Samba4) or LDAP. I have logged in to the NAS and, using the "getent" command, confirmed that it correctly understands both the users and the groups from LDAP. One interesting difference between LDAP and AD is that, when you use "getent passwd" (or "getent group"), the AD users are of the form "DOMAIN\username", while the LDAP users just list the name.

THE PROBLEM I AM SEEING is in setting access permissions based on secondary group membership. When I use the simple Unix owner/group/other permissions on our original Samba server, I can effectively control which Windows users have permission to read or write to files and folders based on what group owns the files, and the groups the users are a member of. I can also specify through the Samba configuration which groups are allowed to map the share ("valid users = @groupname"). However, my observation in FreeNAS is that, using LDAP, THIS DOESN'T WORK. If I set the Unix folder permissions in a share to "770", then the actual owner of the file/folder can open it up, but not other users who are in the group. The only way to grant access to other users is to set the permissions to "777" and open it up to the world.
Also, the "valid users" parameter in the Samba conf file doesn't work with a group name. If I specify a group, then no one can map the share. One interesting thing is, if I use AD (Samba4) as the source of users and groups, the group-based permissions (either "valid users" or through Unix group permissions) all seem to work as expected, both to allow and disallow users by their group membership.

I've done a great deal of googling around, and have found lots of people reporting similar problems, but no one with a solution... :-(

Is there any way to check how the Samba subsystem on the FreeNAS server is validating group membership?

/etc/local/smb.conf (generated through the FreeNAS GUI):

[global]
encrypt passwords = yes
dns proxy = no
strict locking = no
read raw = yes
write raw = yes
oplocks = yes
max xmit = 65535
deadtime = 15
display charset = LOCALE
max log size = 10
syslog only = yes
syslog = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
smb passwd file = /var/etc/private/smbpasswd
private dir = /var/etc/private
getwd cache = yes
guest account = nobody
map to guest = Bad Password
netbios name = freenas2
workgroup = OMUSA
server string = FreeNAS Server
large readwrite = no
ea support = yes
store dos attributes = yes
local master = yes
security = user
passdb backend = ldapsam:ldap://abraham
ldap admin dn = cn=Directory manager
ldap suffix = dc=usa,dc=om,dc=org
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap ssl = off
ldap replication sleep = 1000
ldap passwd sync = yes
#ldap debug level = 1
#ldap debug threshold = 1
ldapsam:trusted = yes
idmap uid = 10000-39999
idmap gid = 10000-39999
create mask = 0666
create mask = 0666
directory mask = 0777
client ntlmv2 auth = yes
dos charset = CP437
unix charset = UTF-8
log level = 10
aio read size = 1
aio write size = 1

[homes]
comment = Home Directories
valid users = %U
writable = yes
browseable = no
path = /mnt/Vol1/home/users/%U

[dept-it]
path = /mnt/Vol1/groups/computer
printable = no
veto files = /.snap/.windows/
comment = IT Department
writeable = yes
browseable = yes
inherit owner = no
inherit permissions = no
vfs objects = zfsacl
hosts allow = 10.4.0.0/23
inherit acls = Yes
map archive = No
map readonly = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes
valid users=@computer

--
Charles Tryon
_________________________________________________________________________
"It's the job that's never started that takes longest to finish." -- Samwise Gamgee
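As an added check (not part of Charles's post), the following POSIX shell script compares the groups NSS reports for a user, as `getent group` prints them, against the Unix groups that have a Samba SID mapping in the output of `net groupmap list`; with an LDAP passdb, a group that Samba cannot resolve to a SID is one common reason a `valid users = @group` line or a group permission bit never matches. The user names, group names, SIDs and command outputs embedded below are constructed samples; on the NAS, capture the real outputs and pass them in.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Compares NSS group
# membership with Samba's group-to-SID mappings and lists the groups a
# user belongs to that Samba has no mapping for. All sample data is
# constructed; replace with `getent group` and `net groupmap list` output.

# Constructed sample of `getent group` (name:passwd:gid:member,member)
GETENT_GROUP='computer:*:10020:ctryon,jdoe
accounting:*:10021:jdoe
admins:*:10022:ctryon'

# Constructed sample of `net groupmap list` (NT name (SID) -> unix group)
GROUPMAP='Domain Admins (S-1-5-21-111-222-333-512) -> admins
Domain Users (S-1-5-21-111-222-333-513) -> users'

# groups_of USER GETENT_OUTPUT: print every group listing USER as a
# member, one per line (secondary groups as NSS sees them).
groups_of() {
  printf '%s\n' "$2" | awk -F: -v u="$1" '{
      n = split($4, m, ",");
      for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# mapped_groups GROUPMAP_OUTPUT: print the unix group names that have
# a Samba SID mapping (the part after "->").
mapped_groups() {
  printf '%s\n' "$1" | awk -F' -> ' 'NF == 2 { print $2 }'
}

# unmapped_groups USER GETENT_OUTPUT GROUPMAP_OUTPUT: groups of USER
# that appear in NSS but have no SID mapping in Samba.
unmapped_groups() {
  for g in $(groups_of "$1" "$2"); do
    if ! mapped_groups "$3" | grep -qx "$g"; then
      printf '%s\n' "$g"
    fi
  done
}

# Example run on the constructed data: reports "computer" for ctryon.
unmapped_groups ctryon "$GETENT_GROUP" "$GROUPMAP"
```

On the NAS itself, the same comparison is `unmapped_groups "$user" "$(getent group)" "$(net groupmap list)"`, and with `log level = 10` already set, the smbd log for that user's session shows which group SIDs actually made it into the logon token.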