[Samba] Group member can not delete files - only dir (775) owner can

Hi there,

I have a problem I can not solve myself.
I have samba 3.0.28 installed on a Ubuntu 8.0.4 server.
Samba is a member of AD. Authentication is kerberos, user- / group ids are
handled by nis (Windows 2008 SFU / NIS Server).

My Samba config:

[global]
write list = admin,rado,@Administratoren
deny hosts = 0.0.0.0/0.0.0.0
client schannel = No
allow hosts = localhost, 192.168.1.0/255.255.252.0
netbios name = HORST
printing = bsd
delete readonly = yes
invalid users = root
local master = No
workgroup = COCON
debug level = 3
os level = 10
printcap name = /dev/null
security = ads
usershare allow guests = Yes
disable spoolss = yes
max log size = 1000
directory mode = 775
log level = 2
log file = /var/log/samba/log.%m
load printers = no
profile acls = Yes
socket options = TCP_NODELAY SO_SNDBUF=16384 SO_RCVBUF=16384
wins server = 192.168.1.112
client use spnego = yes
interfaces = 192.168.1.0/255.255.252.0 eth0
idmap backend = ad
realm = COCON.INT
server string = %h server (Samba, Ubuntu)
wide links = no
password server = 192.168.1.112
valid users = @sambauser,@Administratoren
create mode = 664
syslog = 0
preferred master = no
panic action = /usr/share/samba/panic-action %d
bind interfaces only = Yes
dos filemode = yes
nt acl support = yes
map acl inherit = yes

[homes]
browseable = yes
writeable = yes
path = /home/%U
create mask = 0600
comment = Home Shares
directory mask = 0700
valid users = %S,@chef
available = yes
force user = %S

[SVS]
comment = SVS packages
path = /opt/svs

Everything works well except for the fact, that group members who are not
the owner of a folder can not delete/rename files in that folder.

root@horst:/opt# ls -l
....
drwxrwxr-x 10 admin Administratoren 12288 2008-08-21 14:49 svs
....

root@horst:/opt/svs# ls -l
....
-rw-rw-rw- 1 rado Administratoren 77 2008-08-17 18:05 test.txt
....

root@horst:/var/log/samba# getent group | grep rado
Administratoren::10001:scense,rado,Administrator,a dmin
sambauser::10004:ute,rado,jutta,connyie,bernd,anne
chef::10005:rado,connyie

Although /opt/svs has the dir mask of 775 and I (rado) am a member of
Administratoren I can not rename/delete test.txt.
I can create new files/folders and edit files owned by admin, so the group
mapping (AD to Samba) works.

The logfile says 'NT_STATUS_ACCESS_DENIED' but I don't know why. Maybe the
AD-Server only shows the first group (sambauser) membership when asked for
the file deletion ? How can I investigate this ?

Can anybody pls help ?

Thanks, Rado

Logfile:
....
[2008/08/21 15:15:56, 3] smbd/process.c:switch_message(927)
switch message SMBtrans2 (pid 26522) conn 0x84cb358
[2008/08/21 15:15:56, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (10000, 10004) - sec_ctx_stack_ndx = 0
[2008/08/21 15:15:56, 3] smbd/trans2.c:call_trans2qfilepathinfo(3304)
call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(821)
reduce_name [test.txt] [/opt/svs]
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(922)
reduce_name: test.txt reduced to /opt/svs/test.txt
[2008/08/21 15:15:56, 3] smbd/trans2.c:call_trans2qfilepathinfo(3355)
call_trans2qfilepathinfo test.txt (fnum = -1) level=1004 call=5
total_data=0
[2008/08/21 15:15:56, 3] smbd/process.c:process_smb(1069)
Transaction 59067 of length 108
[2008/08/21 15:15:56, 3] smbd/process.c:switch_message(927)
switch message SMBntcreateX (pid 26522) conn 0x84cb358
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(821)
reduce_name [test.txt] [/opt/svs]
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(922)
reduce_name: test.txt reduced to /opt/svs/test.txt
[2008/08/21 15:15:56, 3] smbd/dosmode.c:unix_mode(142)
unix_mode(test.txt) returning 0664
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(821)
reduce_name [test.txt] [/opt/svs]
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(922)
reduce_name: test.txt reduced to /opt/svs/test.txt
[2008/08/21 15:15:56, 2] smbd/open.c:open_file(391)
rado opened file test.txt read=No write=No (numopen=1)
[2008/08/21 15:15:56, 3] smbd/process.c:process_smb(1069)
Transaction 59068 of length 76
[2008/08/21 15:15:56, 3] smbd/process.c:switch_message(927)
switch message SMBtrans2 (pid 26522) conn 0x84cb358
[2008/08/21 15:15:56, 3] smbd/trans2.c:call_trans2qfilepathinfo(3244)
call_trans2qfilepathinfo: TRANSACT2_QFILEINFO: level = 1006
[2008/08/21 15:15:56, 3] smbd/trans2.c:call_trans2qfilepathinfo(3355)
call_trans2qfilepathinfo test.txt (fnum = 6669) level=1006 call=7
total_data=0
[2008/08/21 15:15:56, 3] smbd/process.c:process_smb(1069)
Transaction 59069 of length 120
[2008/08/21 15:15:56, 3] smbd/process.c:switch_message(927)
switch message SMBtrans2 (pid 26522) conn 0x84cb358
[2008/08/21 15:15:56, 3] smbd/trans2.c:call_trans2setfilepathinfo(5831)
call_trans2setfilepathinfo(8) test.txt (fnum 6669) info_level=1004
totdata=40
[2008/08/21 15:15:56, 3] smbd/process.c:process_smb(1069)
Transaction 59070 of length 45
[2008/08/21 15:15:56, 3] smbd/process.c:switch_message(927)
switch message SMBclose (pid 26522) conn 0x84cb358
[2008/08/21 15:15:56, 3] smbd/reply.c:reply_close(3338)
close fd=-1 fnum=6669 (numopen=1)
[2008/08/21 15:15:56, 2] smbd/close.c:close_normal_file(406)
rado closed file test.txt (numopen=0) NT_STATUS_OK
[2008/08/21 15:15:56, 3] smbd/process.c:process_smb(1069)
Transaction 59071 of length 108
[2008/08/21 15:15:56, 3] smbd/process.c:switch_message(927)
switch message SMBntcreateX (pid 26522) conn 0x84cb358
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(821)
reduce_name [test.txt] [/opt/svs]
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(922)
reduce_name: test.txt reduced to /opt/svs/test.txt
[2008/08/21 15:15:56, 3] lib/util_seaccess.c:se_access_check(250)
[2008/08/21 15:15:56, 3] lib/util_seaccess.c:se_access_check(251)
se_access_check: user sid is S-1-22-1-10000
se_access_check: also S-1-22-2-10004
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: also S-1-22-2-10001
se_access_check: also S-1-22-2-10005
[2008/08/21 15:15:56, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/nttrans.c(697) cmd=162 (SMBntcreateX)
NT_STATUS_ACCESS_DENIED
[2008/08/21 15:15:56, 3] smbd/process.c:process_smb(1069)
Transaction 59072 of length 108
[2008/08/21 15:15:56, 3] smbd/process.c:switch_message(927)
switch message SMBntcreateX (pid 26522) conn 0x84cb358
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(821)
reduce_name [test.txt] [/opt/svs]
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(922)
reduce_name: test.txt reduced to /opt/svs/test.txt
[2008/08/21 15:15:56, 3] lib/util_seaccess.c:se_access_check(250)
[2008/08/21 15:15:56, 3] lib/util_seaccess.c:se_access_check(251)
se_access_check: user sid is S-1-22-1-10000
se_access_check: also S-1-22-2-10004
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: also S-1-22-2-10001
se_access_check: also S-1-22-2-10005
[2008/08/21 15:15:56, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/nttrans.c(697) cmd=162 (SMBntcreateX)
NT_STATUS_ACCESS_DENIED
[2008/08/21 15:15:56, 3] smbd/process.c:process_smb(1069)
Transaction 59073 of length 104
[2008/08/21 15:15:56, 3] smbd/process.c:switch_message(927)
switch message SMBtrans2 (pid 26522) conn 0x84cb358
[2008/08/21 15:15:56, 3] smbd/trans2.c:call_trans2findfirst(1704)
call_trans2findfirst: dirtype = 16, maxentries = 1366,
close_after_first=1, close_if_end = 2 requires_resume_key = 4 level = 0x104,
max_data_bytes = 16384
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(821)
reduce_name [test.txt] [/opt/svs]
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(922)
reduce_name: test.txt reduced to /opt/svs/test.txt
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(821)
reduce_name [./] [/opt/svs]
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(922)
reduce_name: ./ reduced to /opt/svs
[2008/08/21 15:15:56, 3] smbd/dir.c:dptr_create(515)
creating new dirptr 256 for path ./, expect_close = 1
[2008/08/21 15:15:56, 3] smbd/process.c:process_smb(1069)
Transaction 59074 of length 108
[2008/08/21 15:15:56, 3] smbd/process.c:switch_message(927)
switch message SMBntcreateX (pid 26522) conn 0x84cb358
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(821)
reduce_name [test.txt] [/opt/svs]
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(922)
reduce_name: test.txt reduced to /opt/svs/test.txt
[2008/08/21 15:15:56, 3] smbd/dosmode.c:unix_mode(142)
unix_mode(test.txt) returning 0664
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(821)
reduce_name [test.txt] [/opt/svs]
[2008/08/21 15:15:56, 3] smbd/vfs.c:reduce_name(922)
reduce_name: test.txt reduced to /opt/svs/test.txt
[2008/08/21 15:15:56, 2] smbd/open.c:open_file(391)
rado opened file test.txt read=Yes write=No (numopen=1)
[2008/08/21 15:15:56, 3] smbd/oplock_linux.c:linux_set_kernel_oplock(180)
linux_set_kernel_oplock: got kernel oplock on file test.txt, dev = ca03,
inode = 8650754, file_id = 4069
[2008/08/21 15:15:57, 3] smbd/process.c:process_smb(1069)
Transaction 59075 of length 148
[2008/08/21 15:15:57, 3] smbd/process.c:switch_message(927)
switch message SMBtrans2 (pid 26522) conn 0x8480850
[2008/08/21 15:15:57, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (10000, 10004) - sec_ctx_stack_ndx = 0
[2008/08/21 15:15:57, 3] smbd/trans2.c:call_trans2findfirst(1704)
....
--
View this message in context: http://www.nabble.com/Group-member-c...p19088730.html
Sent from the Samba - General mailing list archive at Nabble.com.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba