I did not receive any response when I originally posted, so, here goes another try. -------------- My Samba server is a domain member to a Win2k ADS domain. I have a domain group where some members of the group can access a particular share, while others cannot. If the user tries to login from a different system, the problem still exists. Additionally, the user can log into other shares. I have verified this with two different groups. It seems like the system cannot identify the username in the group. All other tests with getent and wbinfo appear as expected and the server tends to run fine for most users on most shares.
OS = RedHat Ent Server 3 update 3 Samba = 3.0.9-1.3E.5 Kerberos = 1.2.7-47 Relevant smb.conf [global] workgroup = WARGROUP realm = GT.WARMAN.COM.AU server string = sydtch1 file server security = ADS log level = 5 log file = /var/log/samba/%m.log max log size = 50 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 preferred master = No local master = No domain master = No dns proxy = No ldap ssl = no idmap uid = 15000-20000 idmap gid = 15000-20000 template homedir = /fshare/users/%U winbind cache time = 120 cups options = raw [matproj] path = /fshare/depdata/materialprojects valid users = @WARGROUP\matproj read only = No create mask = 0660 directory mask = 0775 The WARGROUP\matproj group has four users, one of which is Administrator and cannot connect to the matproj share while the other users can. The following error appears when debugging. I have more extensive logs, if requested. The permissions on the matproj directory are 2775 with the WARGROUP\matproj group having group ownership. [2006/07/09 16:54:08, 2] smbd/service.c:make_connection_snum(314) user 'WARGROUP\administrator' (from session setup) not permitted to access this share (matproj) [2006/07/09 16:54:08, 3] smbd/error.c:error_packet(129) error packet at smbd/reply.c(416) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED My krb5.conf file is as follows. [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] ticket_lifetime = 24000 default_realm = GT.WARMAN.COM.AU dns_lookup_realm = false dns_lookup_kdc = false default_tgs_enctypes = des-cbc-crc des-cbc-md5 default_tkt_enctypes = des-cbc-crc des-cbc-md5 [realms] GT.WARMAN.COM.AU = { kdc = wgtnts1.gt.warman.com.au:88 admin_server = wgtnts1.gt.warman.com.au:749 default_domain = gt.warman.com.au } [domain_realm] .gt.warman.com.au = GT.WARMAN.COM.AU gt.warman.com.au = GT.WARMAN.COM.AU [kdc] profile = /var/kerberos/krb5kdc/kdc.conf [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false } My nsswitch.conf file. passwd: files winbind shadow: files group: files winbind hosts: files dns winbind bootparams: files ethers: files netmasks: files networks: files dns protocols: files rpc: files services: files netgroup: files publickey: files automount: files aliases: files I'm not sure if it's related, but I'm also seeing a lot of the following errors in my winbindd.log file. [2006/07/09 17:01:24, 3] lib/charcnv.c:convert_string_allocate(576) convert_string_allocate: Conversion error: Illegal multibyte sequence(å µ ) [2006/07/09 17:01:24, 3] lib/charcnv.c:convert_string_allocate(567) convert_string_allocate: Conversion error: Incomplete multibyte sequence(µ ) Thanks for any assistance. Todd Jones ========================================================================== The information contained in this email (including any attachments) is confidential, subject to copyright and for the use of the intended recipient only. If you are not the intended recipient please delete this message after notifying the sender. Unauthorised retention, alteration or distribution of this email is forbidden and may be actionable. Attachments are opened at your own risk and you are advised to scan incoming email for viruses before opening any attached files. We give no guarantee that any communication is virus-free and accept no responsibility for virus contamination or other system loss or damage of any kind. ========================================================================== -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba