I have installed Samba 3.0.23d on FreeBSD 6.1. It is running with
"security = ads". The plan is to replace the current server running Samba
3.0.14a on FreeBSD 5.3 in the Windows 2003 domain.

I have successfully joined the domain and can list users and groups (I
did notice that when I review Computer Properties under the Operating
Systems tab it does not list Samba and the corresponding version like
before (Windows DC box, Active Directory Users and Computers)).

The problem is that for some groups, permissions are not honored when
accessing the share from Windows XP clients. If I ssh to the server,
permissions work as expected and I can access those files. For example:

id testuser
uid=11111(testuser) gid=11195(systems) groups=11195(systems), 0(wheel),
10512(domain admins), 10513(domain users), 11137(cpo), 11191(physical),
11194(records), 11205(vpn users), 11666(fao), 12023(webpages), 10000,
10001

pw group show wheel
wheel:*:0:root,testuser

pw group show records
records:*:11194:testuser

drwsrwx---    4 root  avc         512 Nov 23  2004 AVC
drwsrwx---  155 root  analysis   5120 Dec 14 11:49 Analysis
drwsrwx---   45 root  capital    2048 Dec 27 13:59 Capital
drwxrwx---    5 root  community   512 Dec 27 13:59 Community
drwxrwx---   14 root  wheel       512 Jun  8  2006 Financial
drwxrwx---   35 root  physical   1024 Dec 27 13:59 Physical
drwsrwx---   10 root  cpo        1024 Dec 27 13:59 Planning
drwxrwx---   24 root  records    1024 Dec 27 13:59 Records
drwxrwx---   11 root  systems     512 Dec 29 10:45 Systems

If I try accessing the Planning or Systems folder I have no problems. If I
try accessing the Records or Financial folders I get a "...Records is not
accessible. Access is denied" error even though I am a member of both the
wheel and records groups. The Advanced Security Settings tab on the Windows
client displays proper access privileges.

I can cd to both folders when I ssh in on the server using the testuser
account. 

If I use the Windows DC to change testuser's primary group to records I can
get into the Records folder.

id testuser
uid=11111(testuser) gid=11194(records) groups=11194(records), 0(wheel),
10512(domain admins), 10513(domain users), 11137(cpo), 11191(physical),
11195(systems), 11205(vpn users), 11666(fao), 12023(webpages), 10000,
10001

I've tried creating a new account with membership only in the records group,
but the access fails unless I set the primary group as records.

I've seen the post by Cameron Murdoch on Dec 06, so this might be a
FreeBSD-related issue. Any help would be greatly appreciated.

My smb.conf is as follows:
[global]
        workgroup = XXX
        realm = XXX.YYY.ZZZ
        
        security = ads
        encrypt passwords = yes
        
        log file = /var/log/samba/log.%m
        max log size = 50
        
        load printers = no

        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384

        allow trusted domains = no
        
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        
        template shell = /usr/local/bin/bash
        
        winbind cache time = 3600
        winbind nested groups = yes
        winbind use default domain = yes

        syslog only = yes

#===Share Definitions ==============================
[Files]
        browseable = yes
        writable = yes
        path = /usr/smbmnt/Files
        printable = no

--
Thanks,

Vladimir Orlic