since updating Samba from 3.0.22 to 3.0.23c I have trouble accessing shares on my first DC from computers out of my second domain.
I have two DomainControllers (MUC, PASING). On both DC I have a domaingroup "zyto" (mapped name is "Zytogenetik") with gid=202 and a user muehlfeld with uid=1061. Passdb are different ldap subtrees. The SIDs of the group and the user differs, because of the different Domain-SID. Both domains trust
I have a share "MetaSetup" on my DC of domain MUC. From any workstation on MUC I can access it like before I updated to 3.0.23c, but from workstations out of domain PASING, I get a "Permission denied" error.
The logfile now shows me at debug level 10:
chdir (/shares/MetaSystems/MetaSetup) failed
But im able to enter this directory, because my user is in group zyto:
# la -d /shares/MetaSystems/MetaSetup
drwxrws--- 25 zytogenetik zyto 736 Nov 7 13:05 /shares/MetaSystems/MetaSetup
This is the section for this share:
path = /shares/MetaSystems/MetaSetup
browseable = yes
force create mode = 0660
force directory mode = 2770
guest ok = no
#valid users = +"MUC\Zytogenetik" +"PASING\Zytogenetik"
#invalid users =
When I enable "in/valid users", like it was before, i don`t get the permission denied error, I get a request window for username and password. If I logon there with PASING\muehlfeld, I can enter the share. But I need the automatic mapping again, because the share is mapped in logonscript.
Yesterday I tried out some different settings (set sambaGroupType from 2 to 4) and changed valid users to "+Zytogenetik", and it worked after a reload. Then I did a restart without changing anything else, and it quit working again. I tried to reproduce this, and got the same after many retries again. But happens very sporadically.
Best regards Marc
PS: I think winbind could be a better way to do, but I tried and was only able to get users and groups from the other domain, not from the own, when I run it on my DC. Is this planed for future releases?
Created attachment 2201 [details]
Debug Level 10 LogFile
i haven't seen any issue like this in the last years. this is probably not a problem anymore,