
[Samba] Domain Member Groups



Posted 07-17-2008 by Robert Steinmetz

We have two servers, one PDC and one Domain Member Server. I have been
having problems with the Domain Member Server since a recent upgrade to
Samba 3.0.28a on Ubuntu. Every time samba is restarted users lose access
to the shares on the Member Server.

It appears to be related to group mapping. Users on the Domain Member
(Louise) seem to be GID "users", not GID "samba" as expected and desired.

All of the shares are set to group samba and the PDC reports these mappings;

root@thelma:/home/rob# net groupmap list
System Operators (S-1-5-32-549) -> operator
Replicators (S-1-5-32-552) -> staff
Guests (S-1-5-32-546) -> nogroup
Domain Admins (S-1-5-21-4166445610-3302986456-3838465043-512) -> staff
Domain Guests (S-1-5-21-4166445610-3302986456-3838465043-514) -> nogroup
Power Users (S-1-5-32-547) -> atlanta
Print Operators (S-1-5-32-550) -> print
Administrators (S-1-5-32-544) -> staff
Account Operators (S-1-5-32-548) -> account
Domain Users (S-1-5-21-4166445610-3302986456-3838465043-513) -> samba
Backup Operators (S-1-5-32-551) -> backup
Users (S-1-5-32-545) -> samba

The PDC reports the correct users in the groups;

root@thelma:/home/rob# net rpc group members "Domain Users"
Password:
ATLANTA\arris
ATLANTA\administrator
ATLANTA\irving
ATLANTA\root
ATLANTA\rob
ATLANTA\debbie
ATLANTA\maria
ATLANTA\katie

The Member server can see the groups.

root@louise:/home/rob# wbinfo -g
BUILTIN\administrators
BUILTIN\users
ATLANTA\domain admins
ATLANTA\domain guests
ATLANTA\domain users

Most of the shares are in directory /files/Lucretia on the Member Server
Louise.

root@louise:/home/rob# ls -ld /files/Lucretia/*
drwxrwsr-x 72 rob samba 16088 2008-03-28 16:25 Office
drwxrwsr-x 67 rob samba 14456 1969-12-31 19:00 Office.orig
drwxrwsr-x 50 rob samba 3992 2008-07-16 17:01 Projects
drwxrwsr-x 6 rob samba 304 2008-06-23 11:33 Sigma
drwxrwsr-x 308 rob samba 19712 2008-07-16 22:09 Windows

This used to work and I'd like to figure out what is going on and fix it.

Here are the globals for the PDC, which seem to be working fine. Users
can access everything there without a problem.

[global]
workgroup = ATLANTA
server string = %h mail passwd server (Samba, Ubuntu)
passdb backend = tdbsam
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
time server = Yes
hostname lookups = Yes
logon path = \\THELMA\%U\.profiles
logon drive = U:
logon home = \\THELMA\%U
domain logons = Yes
domain master = Yes
preferred master = Yes
security = user
wins support = Yes
panic action = /usr/share/samba/panic-action %d
idmap uid = 10000-20000
idmap gid = 10000-20000
hide dot files = No

Here is the Globals section for the Member Server

[global]
workgroup = ATLANTA
server string = %h file server (Samba, Ubuntu)
security = domain
password server = *
log level = 1
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
wins proxy = yes
wins server = 192.168.1.24
panic action = /usr/share/samba/panic-action %d
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
name resolve order = wins bcast hosts
hosts allow = 192.168.1.0/255.255.255.0

Here is a typical share definition;

[Projects]
path = /files/Lucretia/Projects
username = Project Specific Data
force group = samba
read only = No
create mask = 0764
directory mask = 0775

[Office]
comment = General Office Data
path = /files/Lucretia/Office
force group = samba
read only = No
create mask = 0764
directory mask = 0775

If I comment out the "force group" then users can access the files at
the Unix "other" permissions, which do not have write privileges.


--
Robert Steinmetz, AIA
Principal
Steinmetz & Associates