# Samba user doesn't recognize group membership - FTP does



## mallen324 (Nov 18, 2011)

Version: 8.1-RELEASE

I have a samba share set up (version 3.4) and I created the username mtest. 

```
sudo smbldap-useradd -a mtest

sudo smbldap-passwd mtest (set password)
```

Then I add mtest into the group 'prime' and 'pm'

```
sudo smbldap-groupmod -m mtest prime
```


```
sudo smbldap-groupmod -m mtest pm
```


```
$ id mtest
uid=1044(mtest) gid=503(prime) groups=503(prime),1004(pm)
```

Looks good to me. To test, I set up permissions and ownership on the folder TEST1:


```
sudo chown -R user:prime TEST1
sudo chmod -R 770 TEST1
```

here's my ls -l:

```
drwxrwx---    4 user        prime                 512 Nov 18 14:49 TEST1
```

So when I go to a windows machine and log in to the samba share (mapped network drive) as the user mtest, I can't even access the folder TEST1. This also happens if I change the folder over to the 'pm' group. 

```
sudo chown -R user:pm TEST1
```

However, if I connect to the server via SFTP as mtest, I can access and create subdirectories in the folder TEST1, whether the folder is owned by the group prime or pm.

Why is it that samba doesn't recognize group membership, yet SFTP does? Let me know if you need more info and Ill be glad to supply.


----------



## mallen324 (Nov 18, 2011)

I would like to also add that the username 'mtest' does show up if I use either command 

```
pw groupshow prime

or

pw groupshow pm
```

I can also ssh into the server as mtest and access the folder TEST1.

I also found this interesting:

```
$ wbinfo -r mtest
Could not get groups for user mtest
```


```
$ wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
Could not check secret
```


----------



## mallen324 (Nov 30, 2011)

I don't wanna bump this, but no suggestions?


----------



## soulreaver1 (Dec 4, 2011)

Paste your smb.conf.


----------



## mallen324 (Dec 5, 2011)

```
#======================= Global Settings =====================================
[global]

# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
   workgroup = SPRINGFIELD
   netbios name = HOMER

# server string is the equivalent of the NT Description field
   server string = Samba Server

# Security mode. Defines in which mode Samba will operate. Possible
# values are share, user, server, domain and ads. Most people will want
# user level security. See the Samba-HOWTO-Collection for details.
   security = user

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
   hosts allow = 192.168.0. 127.

   name resolve order = wins bcast hosts
  time server = Yes
# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   load printers = yes

# you may wish to override the location of the printcap file
;   printcap name = /etc/printcap

# on SystemV system setting printcap name to lpstat should allow
# you to automatically obtain a printer list from the SystemV spool
# system
;   printcap name = lpstat

# It should not be necessary to specify the print system type unless
# it is non-standard. Currently supported print systems include:
# bsd, cups, sysv, plp, lprng, aix, hpux, qnx
#   printing = cups

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
;  guest account = pcguest

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba34/log.%m
   log level = 3

# Put a capping on the size of the log files (in Kb).
   max log size = 50

# Use password server option only with security = server
# The argument list may include:
#   password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
#   password server = *
;   password server = <NT-Server-Name>

# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
;   realm = MY_REALM

# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
   passdb backend = ldapsam
   ldapsam:trusted = yes

ldap admin dn = "cn=Manager,dc=*****,dc=com"
#ldap server = 75.*.*.*
ldap ssl = no
#ldap port = 389
#encrypt passwords = yes
passdb backend = ldapsam:"ldap://75.*.*.* ldap://***.****.com"
ldap suffix = "dc=*****,dc=com"
#pam password change = no
ldap user suffix = ou=people
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting.
# Note: Consider carefully the location in the configuration file of
#       this line.  The included file is read at that point.
;   include = /usr/local/etc/smb.conf.%m

# Most people will find that this option gives better performance.
# See the chapter 'Samba performance issues' in the Samba HOWTO Collection
# and the manual pages for details.
# You may want to add the following on a Linux system:
;   socket options = SO_RCVBUF=8192 SO_SNDBUF=8192

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
;   interfaces = 192.168.12.2/24 192.168.13.2/24

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
   local master = yes

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
   os level = 65

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
   domain master = yes

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
   preferred master = auto

# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
   domain logons = yes

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
;   logon script = %m.bat
# run a specific logon batch file per username
;   logon script = %U.bat

# Where to store roving profiles (only for Win95 and WinNT)
#        %L substitutes for this servers netbios name, %U is username
#        You must uncomment the [Profiles] share below
   logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\***\%U\winprofile

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
   wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#       Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one  WINS Server on the network. The default is NO.
   wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The default is NO.
   dns proxy = no

# Charset settings
;   display charset = koi8-r
;   unix charset = koi8-r
;   dos charset = cp866

# Use extended attributes to store file modes
;    store dos attributes = yes
;    map hidden = no
;    map system = no
;    map archive = no

# Use inherited ACLs for directories
    nt acl support = yes
    inherit acls = yes
    map acl inherit = yes

# These scripts are used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
  add user script = /usr/local/sbin/smbldap-useradd -m %u
  add group script = /usr/local/sbin/smbldap-groupadd -p %g
  add machine script = /usr/local/sbin/smbldap-useradd -w %u
  delete user script = /usr/local/sbin/smbldap-userdel %u
  delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g
  delete group script = /usr/local/sbin/smbldap-groupdel %g


#============================ Share Definitions ==============================
[homes]
   comment = Home Directories
   browseable = no
   writable = yes

# Un-comment the following and create the netlogon directory for Domain Logons
 [netlogon]
   comment = Network Logon Service
   path = /usr/local/samba/lib/netlogon
   guest ok = yes
   writable = no
   share modes = no


# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
[Profiles]
    path = /usr/local/samba/profiles
    browseable = no
    guest ok = yes


# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
   comment = All Printers
   path = /var/spool/samba34
   browseable = no
# Set public = yes to allow user 'guest account' to print
   guest ok = no
   writable = no
   printable = yes

# This one is useful for people to share files
;[tmp]
;   comment = Temporary file space
;   path = /tmp
;   read only = no
;   public = yes

# A publicly accessible directory, but read only, except for people in
# the "staff" group
[public]
   comment = Public Stuff
   path = /home/share/public
   public = yes
   writable = yes
   printable = no


[install]
  comment = Software Installs
  path = /home/share/install
  writable = yes
  guest ok = no

[files]
  comment = Files
  path = /home/
  writable = yes
  guest ok = no
```

Thanks in advance for any help you can offer.

-Mark


----------



## soulreaver1 (Dec 5, 2011)

It seems that 
	
	



```
hosts allow = 192.168.0. 127.
```
 blocks all network requests, except 192.168.0.127. There should be only ipv4 network ID, ex. 192.168.0.0.


```
[files]
  comment = Files
  path = /home/
  writable = yes
  guest ok = no
```

I've never used ldap so far, but for me few lines are missing here.


```
[files]
  comment = Files
  path = /home/
  writable = yes
  guest ok = no
  [B]write list = @prime[/B]  //allowing group "prime" to read & write.
  [B]browsable = yes[/B]
```


```
browsable = yes
```
 is missing from all of your shares. Without that you can't browse a share.


----------



## mallen324 (Dec 5, 2011)

Thanks for the suggestions. I know this is going to sound dumb, but I gotta restart the SMB service when I make those changes right?


----------



## soulreaver1 (Dec 5, 2011)

mallen324 said:
			
		

> Thanks for the suggestions. I know this is going to sound dumb, but I gotta restart the SMB service when I make those changes right?



As I remember Samba reloads configuration every 60 seconds automatically, but you can do that immediately with [cmd=]service samba reload[/cmd] command.


----------



## mallen324 (Dec 5, 2011)

I read up on the hosts allow at : http://www.samba.org/samba/docs/using_samba/ch06.html

From what I gathered, the 
	
	



```
hosts allow = 192.168.0. 127.
```
 would allow anyone on our network of 192.168.0.*, plus the local machine 127.0.0.1. I guess it's odd that whoever just left it at 127. Think it would be ok to fill out the rest of that 127 with .0.0.1? 

I added the lines you suggested, but still no go. 

Something I found odd was that I tried just recreating the user (mtest). Before my output would be like:

```
$ id mtest
uid=1044(mtest) gid=503(prime) groups=503(prime),1004(pm)
```

But now its like this:


```
$ id mtest
uid=1046(mtest) gid=513(Domain Users) groups=513(Domain Users),503(prime),1004(pm)
```

I did not create the user any differently. I even copied and pasted the commands from my first post to recreate the user.


----------



## mallen324 (Dec 6, 2011)

Another odd thing is, even with the 
	
	



```
browsable = yes
```
 missing from the shares, people have been using it just fine (read and write). My smb.conf file is in /usr/local/etc, is that the normal path? Am I even looking at the right smb.conf?


----------



## soulreaver1 (Dec 6, 2011)

mallen324 said:
			
		

> Another odd thing is, even with the browsable = yes missing from the shares, people have been using it just fine (read and write). My smb.conf file is in /usr/local/etc , is that the normal path? Am I even looking at the right smb.conf?



Yes, /usr/local/etc/smb.conf is the default Samba configuration file. I've just looked into Samba docs: http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#BROWSEABLE. It seems that [CMD="browsable"]= yes[/CMD] is default setting for every share.


----------



## mallen324 (Dec 6, 2011)

Oh, ok that makes sense about it being the default. I hate this server. I've never had a box do so many odd things.


----------

