I'm having trouble getting group permissions to work when I have winbind use default domain = yes, which is fairly necessary for a bunch of applications to work, i.e. CVS, mail, some home made web apps.
Here's the technical background:
Debian Woody Box
Samba 3.0.10-1 deb package
Win2k AD
security = ADS
Here's the trouble, if I set up a share such as this:
[shared]
comment = Network Drive
path = /home/shared
valid users = @testgroup, @"DOMAIN+testgroup"
read only = no
browseable = yes
and I try to connect as my test user account, test, which is in the test group as verified like so:
styx~# getent group |grep test
Domain Users:x:15002:test
testgroup:x:15010:test
styx~#
The primary group for the test user is domain users, the secondary group is testgroup. That's all working; if I run id on test it shows all the groups:
styx:~# id test
uid=15000(test) gid=15002(Domain Users) groups=15002(Domain Users),15010(testgroup)
Here's where everything breaks down. If you connect to the share from a Windows 2000 machine while logged in as test, the password box pops up telling me I'm denied access. Here is the auth log for the connection:
[2005/01/20 16:05:29, 2] smbd/service.c:make_connection_snum(314)
user 'DOMAIN+test' (from session setup) not permitted to access this share (shared)
So I thought hmm, I wonder if it's failing because it thinks that DOMAIN+test is a different user than test. If I run id on the DOMAIN+test user I get this:
styx:~# id DOMAIN+test
uid=15000(test) gid=15002(Domain Users) groups=15002(Domain Users)
Same UID and same primary GID, but when searching the group file for the username DOMAIN+test, it rightfully finds no entries because winbind has stripped the domain from all users.
So the question of the day, is this a bug, and am I screwed?
--ned
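The mismatch described above (same UID, but a session-setup name of DOMAIN+test that never appears in the group file because winbind emits bare names) can be checked offline. The script below is an added illustration, not Samba's or winbind's own code: it parses constructed getent-style group lines and a constructed valid users line, and compares a literal name match against a match made after stripping the domain prefix, which is what the bare names in the group file require. The separator "+" and the DOMAIN name are taken from the post; the function names are this example's own.

```python
"""Model of the share-access check from the post: literal name match versus
a match after normalizing the session-setup name to what winbind emits.
Added example, not Samba code. Group data and the valid users line are
constructed to mirror the output shown in the post."""

# Constructed: mirrors `getent group | grep test` from the post
GETENT_GROUP = """Domain Users:x:15002:test
testgroup:x:15010:test
"""

# Constructed: the share's valid users line from the post
VALID_USERS = '@testgroup, @"DOMAIN+testgroup"'

# winbind separator; "+" is what the post's log lines show
WINBIND_SEPARATOR = "+"


def parse_getent_group(text):
    """Parse /etc/group style lines into {group_name: (gid, [members])}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def parse_valid_users(line):
    """Return the group names named by '@...' entries in a valid users line.
    Quotes are removed; user entries (no '@') are ignored here."""
    names = []
    for entry in line.split(","):
        entry = entry.strip().strip('"')
        if entry.startswith("@"):
            names.append(entry[1:].strip('"'))
    return names


def strip_domain(name, separator=WINBIND_SEPARATOR):
    """With 'winbind use default domain = yes' winbind emits bare names, so a
    DOMAIN<sep>name from session setup must be reduced to 'name' to compare."""
    return name.split(separator, 1)[1] if separator in name else name


def literal_check(user, valid_groups, groups):
    """Literal lookup: is `user`, exactly as given, a member of any group?"""
    return any(user in groups.get(g, (None, []))[1] for g in valid_groups)


def normalized_check(user, valid_groups, groups):
    """Same lookup after stripping the domain from both the user name and
    the group names in the valid users list."""
    bare_groups = [strip_domain(g) for g in valid_groups]
    return literal_check(strip_domain(user), bare_groups, groups)


def diagnose(user, valid_users_line=VALID_USERS, getent_text=GETENT_GROUP):
    """Return (literal_result, normalized_result) for a session-setup name."""
    groups = parse_getent_group(getent_text)
    valid_groups = parse_valid_users(valid_users_line)
    return (literal_check(user, valid_groups, groups),
            normalized_check(user, valid_groups, groups))


if __name__ == "__main__":
    for name in ("test", "DOMAIN+test"):
        literal, normalized = diagnose(name)
        print(f"{name}: literal match={literal}, normalized match={normalized}")
```

Running it prints a literal match for `test` but not for `DOMAIN+test`, while the normalized comparison admits both, which is the situation the `id` output in the post shows: one UID, two spellings of the name.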