https://community.hpe.com/t5/operating-system-linux/samba-ads-member-group-permissions-problem/m-p/3468148#M16005 It was a winbind problem, I installed a patch that I got from a developer on the samba mailing list. The code was later included in the main source.<BR /><BR />The filesystem in question used ext3 with posix ACL's. The ACL's work fine now.<BR /><BR />Also don't use '+' for the domain delimiter character its a PITA for scripts later.<BR /><BR />--Dave Mon, 20 Jun 2005 17:35:34 GMT Dave Falloon 2005-06-20T17:35:34Z https://community.hpe.com/t5/operating-system-linux/samba-ads-member-group-permissions-problem/m-p/3468146#M16003 I'm having trouble getting group permissions to work when I have winbind use default domain = yes, which is fairly necessary for a bunch of applications to work, ie. CVS, mail, some home made web apps.<BR /><BR />Here's the technical background:<BR /><BR />Debian Woody Box<BR />Samba 3.0.10-1 deb package<BR />Win2k AD<BR />security = ADS<BR /><BR />Here's the trouble, if I set up a share such as this:<BR /><BR />[shared]<BR />comment = Network Drive<BR />path = /home/shared<BR />valid users = @testgroup, @"DOMAIN+testgroup"<BR />read only = no<BR />browseable = yes<BR /><BR />and I try to connect as my test user account, test which is in the test group as verified like so:<BR /><BR />styx~# getent group |grep test<BR />Domain Users:x:15002:test<BR />testgroup:x:15010:test<BR />styx~#<BR /><BR />The primary group for the test user is domain users, the secondary group is testgroup. Thats all working, if I run id on test it shows all the groups:<BR /><BR />styx:~# id test<BR />uid=15000(test) gid=15002(Domain Users) groups=15002(Domain Users),15010(testgroup)<BR /><BR />Here's were everything breaks down. If you connect to the share from a windows 2000 machine while logged in as test the password box pops telling me I'm denied access. Here is the auth log for the connection:<BR /><BR />[2005/01/20 16:05:29, 2] smbd/service.c:make_connection_snum(314)<BR /> user 'DOMAIN+test' (from session setup) not permitted to access this share (shared)<BR /><BR />So I thought hmm, I wonder if its failing because it thinks that DOMAIN+test is a different user than test. If I run id on the DOMAIN+test user I get this:<BR /><BR />styx:~# id DOMAIN+test<BR />uid=15000(test) gid=15002(Domain Users) groups=15002(Domain Users)<BR /><BR />Same UID and same primary GID, but when searching the group file for the username DOMAIN+test, it rightfully finds no entries because winbind has stripped the domain from all users.<BR /><BR />So the question of the day, is this a bug, and am I screwed?<BR /><BR />--Dave Thu, 20 Jan 2005 20:21:19 GMT https://community.hpe.com/t5/operating-system-linux/samba-ads-member-group-permissions-problem/m-p/3468146#M16003 Dave Falloon 2005-01-20T20:21:19Z https://community.hpe.com/t5/operating-system-linux/samba-ads-member-group-permissions-problem/m-p/3468147#M16004 How are the filesystem permissions configured on /home/shared? Mon, 20 Jun 2005 15:32:42 GMT https://community.hpe.com/t5/operating-system-linux/samba-ads-member-group-permissions-problem/m-p/3468147#M16004 Ivan Ferreira 2005-06-20T15:32:42Z https://community.hpe.com/t5/operating-system-linux/samba-ads-member-group-permissions-problem/m-p/3468148#M16005 It was a winbind problem, I installed a patch that I got from a developer on the samba mailing list. The code was later included in the main source.<BR /><BR />The filesystem in question used ext3 with posix ACL's. The ACL's work fine now.<BR /><BR />Also don't use '+' for the domain delimiter character its a PITA for scripts later.<BR /><BR />--Dave Mon, 20 Jun 2005 17:35:34 GMT https://community.hpe.com/t5/operating-system-linux/samba-ads-member-group-permissions-problem/m-p/3468148#M16005 Dave Falloon 2005-06-20T17:35:34Z