My setup uses the Samba box as a member of a larger Active Directory domain. To grant a group of users access to all subfolders of a domain, I added to /etc/group

    local_admin:x:1001:MYDOMAIN_user1,MYDOMAIN_user2

Running

    id -G MYDOMAIN_user1

results in

    10000 1001 10006 10007 10004 10005 10125 10190

getent passwd MYDOMAIN_user1 says

    MYDOMAIN_user1:*:10000:10000:Dress, Albrecht:/my/home/folder:/bin/bash

1st puzzling thing: the result of running wbinfo -r MYDOMAIN_user1

    10000 10001 10002 10003 10004 10005 10006 10007

Now I created and exported a folder with the following setup:

    ls -l shared_folder
    dr-xr-s--- 2 MYDOMAIN_user1 local_admin 128 Apr 4 14:08 user1
    dr-xr-s--- 2 MYDOMAIN_user2 local_admin 154 Apr 1 16:14 user2

Although user1 is a member of the group local_admin (and is able, if logged in via ssh, to access the folder user2 with unix commands), trying to open the subfolder user2 always results in a "permission denied" error.

Running smbd in strace, the following calls to setresuid, setresgid and setgroups occur immediately before the failed accesses:

<snip>
grep '\(set.*[ug]id\|Permission\|setgroups\)' smb-test
[...parts of the output snipped]
[pid 3513] setresuid32(0, 0, -1) = 0
[pid 3513] setgroups32(8, [10000, 10001, 10002, 10003, 10004, 10005, 10006, 10007]) = 0
[pid 3513] setresgid32(-1, 10000, -1) = 0
[pid 3513] setresuid32(10000, 10000, -1) = 0
[pid 3513] stat64("user2/Desktop.ini", 0xbfffeea0) = -1 EACCES (Permission denied)
</snip>

Obviously, the list of secondary groups set is the list as returned by wbinfo -r, but Linux doesn't know all, and the local admin group (id 1001) is missing.

HELP!!!!
Created attachment 1142
smb.conf file (sensitive info replaced)
The behavior is by design. As a performance optimization, smbd uses direct winbind calls to obtain group membership for a Windows user. It therefore does not mix in membership from groups listed in /etc/group. You can, however, use nested local groups. See the smb.conf(5) man page on 'winbind nested groups'.
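
The comparison the reporter made by eye can be scripted. This is an added example, not part of the original thread: it parses the setgroups32 line from the strace output and diffs it against the `id -G` result, using the values quoted in the report as constructed sample input. The function names `strace_gids` and `set_diff` are hypothetical.

```shell
#!/bin/sh
# Added example: diff the groups the OS resolves for a user against the
# supplementary groups smbd installs with setgroups() before file access.

# Constructed sample input, copied from the values quoted in the report.
# On a live system: ID_G=$(id -G MYDOMAIN_user1)
ID_G='10000 1001 10006 10007 10004 10005 10125 10190'
STRACE_LINE='[pid 3513] setgroups32(8, [10000, 10001, 10002, 10003, 10004, 10005, 10006, 10007]) = 0'

# Print the gid list from one strace setgroups/setgroups32 line,
# space-separated. Prints nothing if the line is not a setgroups call.
strace_gids() {
    printf '%s\n' "$1" |
        sed -n 's/.*setgroups[0-9]*([0-9]*, \[\([^]]*\)]).*/\1/p' |
        tr -d ','
}

# Print the gids that are in list $1 but not in list $2, sorted numerically.
set_diff() {
    for g in $1; do
        case " $2 " in
            *" $g "*) ;;
            *) printf '%s\n' "$g" ;;
        esac
    done | sort -n | tr '\n' ' ' | sed 's/ $//'
}

SMBD_GIDS=$(strace_gids "$STRACE_LINE")

echo "smbd supplementary groups : $SMBD_GIDS"
echo "id -G but not in smbd     : $(set_diff "$ID_G" "$SMBD_GIDS")"
echo "smbd but not in id -G     : $(set_diff "$SMBD_GIDS" "$ID_G")"
```

Any gid on the "id -G but not in smbd" line grants access over ssh but not over SMB, so permission audits based on `id` alone overstate what a share user can reach.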