Note: sau1 is a normal AD user from asmb.test, but it is not a member of group "asmb\sag1"; the machine is joined to the asmb.test domain. asmb\sag1's gid is 10001.

Edit smb.conf, then set "force group = +asmb\sag1" for the samba share named samba-test
=====================================================================
[samba-test]
path = /samba-test
public = yes
force create mode = 0775
force directory mode = 0775
force group = asmb\sag1
writable = yes
=====================================================================
3. Access the samba share via "sau1", and create a directory named "test"
=====================================================================
[root@rhel57v3 samba]# smbclient -U sau1%password //server-ip/samba-test
smb: \> mkdir test
=====================================================================
4. Go to "samba-test", check the attributes of the directory created in step #3
=====================================================================
[root@rhel57v3 samba-test]# ls -al
total 32
drwxrwxrwx 4 root root 4096 Oct 11 13:43 .
drwxr-xr-x 26 root root 4096 Oct 11 13:40 ..
drwxrwxr-x 2 sac2 sag1 4096 Oct 11 13:43 samba
drwxrwxr-x 2 sbu1 1008 4096 Oct 11 13:42 test <-------This is unexpected, directory's group should be "sag1", not 1008.
*** Bug 9287 has been marked as a duplicate of this bug. ***
[2012/10/14 01:32:59.274669, 4] smbd/reply.c:794(reply_tcon_and_X)
  Client requested device type [?????] for share [SAMBA-TEST]
[2012/10/14 01:32:59.274738, 5] smbd/service.c:1321(make_connection)
  making a connection to 'normal' service samba-test
[2012/10/14 01:32:59.274792, 3] lib/access.c:338(allow_access)
  Allowed connection from 10.100.60.34 (10.100.60.34)
[2012/10/14 01:32:59.274842, 10] smbd/share_access.c:241(user_ok_token)
  user_ok_token: share samba-test is ok for unix user ASMB\sau1
[2012/10/14 01:32:59.275127, 5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user ASMB\sau1
[2012/10/14 01:32:59.275198, 5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is asmb\sau1
[2012/10/14 01:32:59.275246, 5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [ASMB\sau1]!
[2012/10/14 01:32:59.275319, 10] passdb/lookup_sid.c:76(lookup_name)
  lookup_name: asmb\sag1 => domain=[asmb], name=[sag1]
[2012/10/14 01:32:59.275397, 10] passdb/lookup_sid.c:77(lookup_name)
  lookup_name: flags = 0x077
[2012/10/14 01:32:59.283457, 10] passdb/lookup_sid.c:1636(sid_to_gid)
  sid S-1-5-21-389355910-562143428-3661938687-1110 -> gid 1008 <<<< faulty GID, it should be 10001
[2012/10/14 01:32:59.283526, 3] smbd/service.c:581(find_forced_group)
  Forced group asmb\sag1
[2012/10/14 01:32:59.283578, 10] smbd/service.c:162(set_conn_connectpath)
  set_conn_connectpath: service samba-test, connectpath = /samba-test
[2012/10/14 01:32:59.283627, 3] smbd/service.c:837(make_connection_snum)
  Connect path is '/samba-test' for service [samba-test]
[2012/10/14 01:32:59.283688, 10] ../libcli/security/access_check.c:58(se_map_generic)
  se_map_generic(): mapped mask 0x10000000 to 0x001f01ff
[2012/10/14 01:32:59.283807, 10] ../libcli/security/access_check.c:178(se_access_check)
  se_access_check: MAX desired = 0x2000000, granted = 0x101f01ff, remaining = 0x101f01ff
[2012/10/14 01:32:59.283957, 3] smbd/vfs.c:102(vfs_init_default)
  Initialising default vfs hooks
[2012/10/14 01:32:59.284011, 3] smbd/vfs.c:128(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2012/10/14 01:32:59.284057, 10] smbd/vfs.c:53(vfs_find_backend_entry)
  vfs_find_backend_entry called for /[Default VFS]/
  Successfully loaded vfs module [/[Default VFS]/] with the new modules system
[2012/10/14 01:32:59.284147, 5] smbd/connection.c:134(claim_connection)
  claiming [samba-test]
[2012/10/14 01:32:59.284273, 10
Using "force group = sag1" instead of "force group = asmb\sag1" can work around this issue.
The issue only exists in the following situations:
1> With the “force group = domain-name\group-name” setting (without the + character), the user’s primary group is not “group-name” (this includes both a user who is in “group-name” but does not have it as primary group, and a user who is not in “group-name”).
2> With the “force group = +domain-name\group-name” setting (with the + character), the user’s primary group is not “group-name”, but the user is in “group-name”.
There are some tiny errors in the bug description:
1> The ‘+’ character was not added when testing, as smb.conf shows:
[samba-test]
path = /samba-test
public = yes
force create mode = 0775
force directory mode = 0775
force group = asmb\sag1
writable = yes
2> The uid is correct; it is not sbu1 but sau1 in step 4, as follows:
Go to "samba-test", check the attributes of the directory created in step #3
=====================================================================
[root@rhel57v3 samba-test]# ls -al
total 32
drwxrwxrwx 4 root root 4096 Oct 11 13:43 .
drwxr-xr-x 26 root root 4096 Oct 11 13:40 ..
drwxrwxr-x 2 sac2 sag1 4096 Oct 11 13:43 samba
drwxrwxr-x 2 sau1 1008 4096 Oct 11 13:42 test <-------This is unexpected, directory's group should be "sag1", not 1008.
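A check for the mismatch this report describes, as an added example that is not part of the bug report or of Samba: it pairs each find_forced_group entry in an smbd debug log with the sid_to_gid result logged just before it and compares that gid with the one the administrator expects. The pairing rule, the function names and the expected-gid table are assumptions; the sample lines are the report's own log entries, laid out as one header line plus one message line.

```python
import re

# Log entries from the report, laid out as header line + message line.
SAMPLE_LOG = r"""
[2012/10/14 01:32:59.275319, 10] passdb/lookup_sid.c:76(lookup_name)
  lookup_name: asmb\sag1 => domain=[asmb], name=[sag1]
[2012/10/14 01:32:59.283457, 10] passdb/lookup_sid.c:1636(sid_to_gid)
  sid S-1-5-21-389355910-562143428-3661938687-1110 -> gid 1008
[2012/10/14 01:32:59.283526, 3] smbd/service.c:581(find_forced_group)
  Forced group asmb\sag1
"""

# Either a SID-to-gid result or a forced-group announcement, in log order.
EVENT = re.compile(
    r"sid (?P<sid>S-1-[\d-]+) -> gid (?P<gid>\d+)"
    r"|Forced group (?P<group>[^\r\n]+)"
)

def forced_group_mappings(log_text):
    """Pair each 'Forced group' entry with the sid_to_gid result before it.

    Assumption: the mapping logged immediately before find_forced_group
    belongs to that group, as in the log quoted in the report.
    """
    pending, found = None, []
    for m in EVENT.finditer(log_text):
        if m.group("sid"):
            pending = (m.group("sid"), int(m.group("gid")))
            continue
        sid, gid = pending or (None, None)  # None: no mapping was logged
        found.append({"group": m.group("group").strip(), "sid": sid, "gid": gid})
        pending = None
    return found

def find_mismatches(log_text, expected_gids):
    """Return forced groups whose logged gid differs from the expected one.

    expected_gids maps lower-cased group names to the gid the administrator
    expects (hypothetical input supplied by the caller).
    """
    bad = []
    for entry in forced_group_mappings(log_text):
        want = expected_gids.get(entry["group"].lower())
        # Entries without a logged gid cannot be judged and are skipped.
        if want is not None and entry["gid"] is not None and entry["gid"] != want:
            bad.append(dict(entry, expected=want))
    return bad

if __name__ == "__main__":
    for hit in find_mismatches(SAMPLE_LOG, {r"asmb\sag1": 10001}):
        print("{group}: sid {sid} -> gid {gid}, expected {expected}".format(**hit))
```

The sid_to_gid lines only appear at log level 10, so a log captured at a lower level yields entries with no gid, which the check skips.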