User A is a member of Global Group Public in Windows 2003 Active Directory.  Global Group Maintenance is a member of Domain Local Group Maintenance.  Domain Local Group Maintenance is afforded access to Linux directory /home/maint with this smb.conf share definition:

[maintenance]
comment = Maintenance Share
valid users = "MYDOMAIN+Pulaski - Maintenance - DLoc" "MYDOMAIN+shawnadm"
path = /home/maint
writeable = yes
create mode = 0660
directory mode = 0770

The directory:

[EMAIL PROTECTED] home]# ll | grep maint
drwxrwx---   2 root     MYDOMAIN+Domain Users  4096 Dec 15 13:11 maint


getent group from the Samba box shows that user MYDOMAIN+bwatkins, for instance, IS a member of the following Maintenance groups:


[EMAIL PROTECTED] proc]# getent group | grep Maint
MYDOMAIN+Pulaski - Maintenance -Glo:x:10541:MYDOMAIN+tnewton,MYDOMAIN+jwillia1,MYDOMAIN+bwatkins,MYDOMAIN+rwilliam,MYDOMAIN+dkermicl,MYDOMAIN+jburress
MYDOMAIN+Pulaski - Maintenance - DLoc:x:10524:


Note group #'s 10541 and 10524.  The logs for the IP address of the machine that bwatkins logs in from show the following.  Note that supplementary groups 10541 and 10524 are not present.  Because of this, access is denied to the share defined above.


[2004/12/15 14:28:20, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 10002
  Primary group is 10000 and contains 8 supplementary groups
  Group[  0]: 10000
  Group[  1]: 10020
  Group[  2]: 10035
  Group[  3]: 10037
  Group[  4]: 10039
  Group[  5]: 10042
  Group[  6]: 10507
  Group[  7]: 10508


We've noticed that after some time - and it certainly seems to vary - access is granted.  Until then, the user is denied access and is challenged for credentials.  *** Is there some GID cache that I'm not aware of? ***

Relevant System Info:

        Fedora Core 2: Linux version 2.6.5-1.358

        [EMAIL PROTECTED] home]# rpm -qa | grep samba
        samba-common-3.0.9-1.fc2
        samba-client-3.0.9-1.fc2
        samba-3.0.9-1.fc2


        smb.conf global section: 
        
        [global]
        unix charset = LOCALE
        workgroup = MYDOMAIN
        realm = MYDOMAIN.ORG
        server string = PULASKI-FS-001
        security = ADS
        username map = /etc/samba/smbusers
        log level = 9
        syslog = 0
        log file = /var/log/samba/%M
        max log size = 50
        printcap name = CUPS
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template primary group = "Domain Users"
        template shell = /bin/bash
        winbind separator = +
        winbind cache time = 10
        printing = cups
        client use spnego = yes
        invalid users = root bin daemon adm sync shutdown halt mail news uucp operator
        printer admin = "MYDOMAIN+Americas Zone Admins" "MYDOMAIN+shawnadm"
        # commented out 12-15-04 by Kel: encrypt password = yes
        oplocks = no
        level2 oplocks = no



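The comparison described in the post, as an added example that is not part of the original message or of Samba: a Python check that parses `getent group` output and a `debug_unix_user_token` log block and reports, for each group that is named in `valid users` or lists the user, whether its GID is in the session token. The function names and the embedded sample text are constructed for illustration, and entries of `valid users` that match a `getent` group name are assumed to be groups.

```python
import re
import shlex

# Constructed sample input modelled on the output quoted in the post (members shortened).
GETENT = """\
MYDOMAIN+Pulaski - Maintenance -Glo:x:10541:MYDOMAIN+tnewton,MYDOMAIN+bwatkins
MYDOMAIN+Pulaski - Maintenance - DLoc:x:10524:
"""
TOKEN_LOG = """\
[2004/12/15 14:28:20, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 10002
  Primary group is 10000 and contains 8 supplementary groups
  Group[  0]: 10000
  Group[  1]: 10020
  Group[  2]: 10035
  Group[  3]: 10037
  Group[  4]: 10039
  Group[  5]: 10042
  Group[  6]: 10507
  Group[  7]: 10508
"""
VALID_USERS = '"MYDOMAIN+Pulaski - Maintenance - DLoc" "MYDOMAIN+shawnadm"'


def parse_getent(text):
    """Map group name -> (gid, set of members) from `getent group` output."""
    rows = re.findall(r"^([^:\n]+):[^:\n]*:(\d+):(.*)$", text, re.M)
    return {n: (int(g), set(filter(None, m.split(",")))) for n, g, m in rows}


def parse_token_gids(log):
    """Collect primary and supplementary GIDs from a debug_unix_user_token block."""
    return {int(g) for g in
            re.findall(r"(?:Group\[\s*\d+\]:|Primary group is)\s*(\d+)", log)}


def audit(user, valid_users, getent_text, log_text):
    """Return (group, gid, user_listed_by_getent, gid_in_token) rows."""
    groups, token = parse_getent(getent_text), parse_token_gids(log_text)
    # Assumption: a `valid users` entry matching a getent group name is a group.
    wanted = set(shlex.split(valid_users))
    return [(name, gid, user in members, gid in token)
            for name, (gid, members) in sorted(groups.items())
            if name in wanted or user in members]


if __name__ == "__main__":
    print(*audit("MYDOMAIN+bwatkins", VALID_USERS, GETENT, TOKEN_LOG), sep="\n")
```

A row ending in `True, False` is a group that `getent` lists the user in but whose GID is absent from the token; a row ending in `False, False` is a group required by the share that neither source ties to the user.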