Supplementary groups are not used if `security = domain or ads` and `winbind use default domain = True`, so permissions set on supplementary groups don't work. If `winbind use default domain = False` then permissions work.

My configuration: server - nasos.belcaf.minsk.by, client - pc346.belcaf.minsk.by.

Server side:

bash-2.05b# hostname
nasos.belcaf.minsk.by
bash-2.05b# id u1
uid=508(u1) gid=501(Domain Users) groups=501(Domain Users),510(g1)
bash-2.05b# chacl -l /drives/Volume1/s1/
/drives/Volume1/s1/ [u::---,g::---,g:g1:rwx,m::rwx,o::---]
bash-2.05b# su - u1 -s /bin/bash
-bash-2.05b$ cd /drives/Volume1/s1
-bash-2.05b$ id
uid=508(u1) gid=501(Domain Users) groups=501(Domain Users),510(g1)
-bash-2.05b$ pwd
/drives/Volume1/s1
-bash-2.05b$ touch u1_file
-bash-2.05b$ ls -la
total 4
d---rwx---    2 root  root          20 Sep  4 17:13 .
drwxr-xr-x    3 root  root          47 Sep  4 16:56 ..
-rw-r--r--    1 u1    Domain Users   0 Sep  4 17:13 u1_file

So user u1 can create/read files in /drives/Volume1/s1 locally.

Additional:

bash-2.05b# cat /etc/samba/smb.conf
#======================= Global Settings =====================================
[global]
; socket options is here before any changes are made to the code
; page so the options will be interpreted correctly
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
; ccp and cs must be at the top here so workgroup can be in whatever
; language
dos charset = CP932
unix charset = UTF-8
display charset = UTF-8
veto oplock files = /*.sem/
map hidden = yes
map archive = yes
create mask = 0777
nt acl support = yes
inherit acls = yes
inherit permissions = yes
map to guest = never
guest account = guest
add user script = /usr/bin/serviceware-wrapper addUser
workgroup = MIXED
server string = NASS (tm)
load printers = no
log file = /var/log/samba/log.smb
max log size = 500000
; added 08/14/01 to fix username case problems. 15 is max len of username.
username level = 15
security = domain
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
unix password sync = Yes
passwd program = /usr/sbin/parse '1210,%u,%n'
; interfaces = 192.168.12.2/24 192.168.13.2/24
; remote browse sync = 192.168.3.25 192.168.5.255
; remote announce = 192.168.1.255 192.168.2.44
local master = no
os level = 32
; name resolve order = wins bcast
; wins support = yes
; wins server = x.x.x.x
; wins proxy = yes
dns proxy = no
preserve case = yes
short preserve case = yes
default case = lower
change notify timeout = 30
add share command = /usr/bin/serviceware-wrapper addShare
change share command = /usr/bin/serviceware-wrapper changeShare
delete share command = /usr/bin/serviceware-wrapper deleteShare
; winbind uid = 500-25000
; winbind gid = 500-25000
winbind separator = +
winbind use default domain = True
; template homedir = /home/%D/%U
; template shell = /bin/false
#============================ Share Definitions ==============================
vfs object = netatalk
disable spoolss = yes
log level = 10
idmap uid = 500-25000
idmap gid = 500-25000
admin users = @"Domain Admins"
wins support = no
password server = 192.168.117.5
wins server = 192.168.117.5
[c$]
path = /drives/Volume1
writeable = yes
valid users = MIXED"Domain Admins"
[s1]
path = /drives/Volume1/s1
public = no
writeable = yes
directory mask = 0771
hide dot files = true
delete veto files = true
veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/TheVolumeSettingsFolder/Temporary Items/TheFindByContentFolder/.DS_Store/
hide files = /.*/DesktopFolderDb/TrashFor%m/resource.frk/
valid users = "MIXED+g1"
read list = "MIXED+g1"
write list = "MIXED+g1"

bash-2.05b# getent passwd
root:x:0:0:System Administrator:/root:/bin/bash
...
Administrator:x:500:501::/home/MIXED/administrator:/bin/false
Guest:x:501:501::/home/MIXED/guest:/bin/false
krbtgt:x:502:501::/home/MIXED/krbtgt:/bin/false
TsInternetUser:x:503:501::/home/MIXED/tsinternetuser:/bin/false
IUSR_W2K-MIX:x:504:501::/home/MIXED/iusr_w2k-mix:/bin/false
IWAM_W2K-MIX:x:505:501::/home/MIXED/iwam_w2k-mix:/bin/false
root:x:506:501::/home/MIXED/root:/bin/false
win2kmixed:x:507:501::/home/MIXED/win2kmixed:/bin/false
u1:x:508:501::/home/MIXED/u1:/bin/false
u2:x:509:501::/home/MIXED/u2:/bin/false
u3:x:510:501::/home/MIXED/u3:/bin/false

bash-2.05b# getent group
root:x:0:root
...
Domain Admins:x:502:Administrator,root
Domain Users:x:501:Administrator,Guest,TsInternetUser,IUSR_W2K-MIX,IWAM_W2K-MIX,krbtgt,root,win2kmixed,u1,u2,u3
Domain Guests:x:503:Guest
Domain Computers:x:504:
Domain Controllers:x:505:
Cert Publishers:x:506:
Schema Admins:x:500:Administrator,root
Enterprise Admins:x:507:Administrator
Group Policy Creator Owners:x:508:Administrator
DnsUpdateProxy:x:509:
g1:x:510:u1,u2
g2:x:511:u2,u3

Now try to read the files via Samba, client side:

[13:24:05 stiblo@pc346 stiblo]$hostname
pc346.belcaf.minsk.by
[13:42:56 stiblo@pc346 stiblo]$smbclient //nasos/s1 -W MIXED -U u1%u1
smb: \> ls
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
0 blocks of size 0. 0 blocks available
smb: \>
[13:49:39 stiblo@pc346 stiblo]$

If `winbind use default domain` is set to false then the user can get the shared files.
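As an added illustration, not part of the bug report or of Samba's own code: a small POSIX.1e ACL evaluator applied to the ACL and `id` output quoted in the report. It assumes that the group list smbd holds for the session is what decides access, and shows u1 passing while g1 is in that list and failing once only the primary group remains.

```python
# Added example, not code from the bug report or from Samba: a POSIX.1e ACL
# evaluator run over the ACL and `id` output quoted in the report.

# ACL exactly as `chacl -l` printed it for /drives/Volume1/s1 in the report.
ACL_S1 = "[u::---,g::---,g:g1:rwx,m::rwx,o::---]"
DIR_OWNER, DIR_GROUP = "root", "root"          # from the `ls -la` line for "."

def parse_acl(text):
    """Turn a chacl/getfacl short-form ACL into (tag, qualifier, perms) tuples."""
    entries = []
    for entry in text.strip("[]").split(","):
        tag, qualifier, perms = entry.split(":")
        entries.append((tag, qualifier, set(perms.replace("-", ""))))
    return entries

def acl_allows(acl_text, owner, group, user, user_groups, want):
    """POSIX.1e access check: owner, then named user, then owning/named group
    entries (filtered by the mask), then other.  `user_groups` is the full
    group list the kernel (or smbd) holds for the user; `want` is e.g. "rx"."""
    want, entries = set(want), parse_acl(acl_text)
    mask = next((p for t, q, p in entries if t == "m"), None)
    def masked(p): return p if mask is None else p & mask
    if user == owner:
        return want <= next(p for t, q, p in entries if t == "u" and q == "")
    for t, q, p in entries:
        if t == "u" and q == user:
            return want <= masked(p)
    group_matched = False
    for t, q, p in entries:
        if t == "g" and ((q == "" and group in user_groups) or (q and q in user_groups)):
            group_matched = True
            if want <= masked(p):        # any matching group entry that grants wins
                return True
    if group_matched:                    # matched a group entry but none granted it
        return False
    return want <= next(p for t, q, p in entries if t == "o")

# Groups as `id u1` printed them on the server (constructed from the report).
U1_GROUPS_LOCAL = {"Domain Users", "g1"}
# Constructed: the same user with the supplementary group dropped, which is
# the symptom the report attributes to `winbind use default domain = True`.
U1_GROUPS_PRIMARY_ONLY = {"Domain Users"}

def u1_local():
    return acl_allows(ACL_S1, DIR_OWNER, DIR_GROUP, "u1", U1_GROUPS_LOCAL, "rwx")

def u1_without_supplementary():
    return acl_allows(ACL_S1, DIR_OWNER, DIR_GROUP, "u1", U1_GROUPS_PRIMARY_ONLY, "rx")
```

`u1_local()` mirrors the successful `touch` in the local shell session; `u1_without_supplementary()` mirrors the NT_STATUS_NETWORK_ACCESS_DENIED seen through smbclient.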
Created attachment 123: samba logs, level 10
Created attachment 168: Test case on a production server running 3.0rc4. This is a copy of the mail I've sent to the maintainer of the Debian port of Samba a week ago.
Created attachment 187: patch for 'winbind use default domain' & secondary groups
This patch fixes things for my tests. I'll check it into the SAMBA_3_0/HEAD branches later today. You can wait until then and grab the cvs tree or apply the patch locally. It should apply cleanly to the 3.0.0 codebase.
Originally reported against one of the 3.0.0rc[1-4] releases. Cleaning up non-production versions.
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.
database cleanup