# Samba 3.6 Problem with Active Directory Groups



## tuaris (Aug 6, 2013)

With net/samba34 everything was working properly. I had my FreeBSD system joined as an Active Directory member server to an existing Windows 2000 Active Directory domain. I had set up a few shares on this FreeBSD server, and it was authenticating client access through Active Directory's user and group permissions.

After upgrading to net/samba36 this stopped functioning. Samba would no longer authenticate a client connection using AD. According to the forum post located at http://forums.freebsd.org/showthread.php?t=13423, something has changed in 3.5/3.6 that prevents this specific feature from functioning.

For example, a share that is not working is defined as follows in /usr/local/etc/smb.conf:


```
[web]
	writeable = yes
	path = /usr/local/www
	write list = @"HOME\Domain Users"
	force group = wheel
	force user = root
	comment = Default Website
	valid users = @"HOME\Domain Users"
	user = @"HOME\Domain Users"
```

This was working in 3.4 prior to upgrading to 3.6. Windows XP or Windows 7 client computers that were Active Directory members could access this share as a valid domain user.

After upgrading to 3.6, access is denied with the error:


```
NT_STATUS_ACCESS_DENIED
```

The logs reveal that Samba is attempting to look up a user permission and doesn't check group permissions (/var/log/samba/log.home-2fbd51e957):


```
[2013/08/05 22:07:46.639636,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [Domain Users]!
[2013/08/05 22:07:46.640189,  5] smbd/share_access.c:120(token_contains_name)
  lookup_name HOME\Domain Users failed
[2013/08/05 22:07:46.640204, 10] smbd/share_access.c:219(user_ok_token)
  User daniel not in 'valid users'
[2013/08/05 22:07:46.640215,  2] smbd/service.c:627(create_connection_session_info)
  user 'daniel' (from session setup) not permitted to access this share (web)
```

I have no problem downgrading to net/samba34, but that port is no longer available. What can be done?


----------
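To tell a failed group-name lookup apart from a genuine non-membership in logs like the excerpt in the first post, the following added example (not code from the thread or from Samba) parses the debug-log record format and ties each share denial to the names whose `lookup_name` failed just before it. The function names and the correlation heuristic are assumptions of this example; the sample input is the excerpt quoted in the post.

```python
import re

# Log excerpt copied from the first post of this thread.
SAMPLE_LOG = """\
[2013/08/05 22:07:46.639636,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [Domain Users]!
[2013/08/05 22:07:46.640189,  5] smbd/share_access.c:120(token_contains_name)
  lookup_name HOME\\Domain Users failed
[2013/08/05 22:07:46.640204, 10] smbd/share_access.c:219(user_ok_token)
  User daniel not in 'valid users'
[2013/08/05 22:07:46.640215,  2] smbd/service.c:627(create_connection_session_info)
  user 'daniel' (from session setup) not permitted to access this share (web)
"""

# Record header: "[timestamp, level] source.c:line(function)"; the message follows indented.
HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\] "
                    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)")
LOOKUP_FAIL = re.compile(r"lookup_name (?P<name>.+) failed$")
DENIED = re.compile(r"user '(?P<user>[^']+)' .*not permitted to access "
                    r"this share \((?P<share>[^)]+)\)")

def parse_records(text):
    """Attach each indented message line to the header record above it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and line.startswith(" "):
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def explain_denials(text):
    """Pair each share denial with the names whose lookup failed before it."""
    # Assumption: records between two denials belong to one connection attempt.
    findings, unresolved = [], []
    for rec in parse_records(text):
        if m := LOOKUP_FAIL.search(rec["msg"]):
            unresolved.append(m["name"])
        elif m := DENIED.search(rec["msg"]):
            cause = "name lookup failed" if unresolved else "no entry matched"
            findings.append({"user": m["user"], "share": m["share"],
                             "cause": cause, "unresolved": unresolved})
            unresolved = []
    return findings

if __name__ == "__main__":
    for finding in explain_denials(SAMPLE_LOG):
        print(finding)
```

A non-empty `unresolved` list points at name resolution rather than at the user's group membership.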



## gkontos (Aug 7, 2013)

tuaris said:

> ```
> [web]
> writeable = yes
> path = /usr/local/www
> ...
> ```



Can you try removing the lines in bold?


----------



## tuaris (Aug 7, 2013)

Thanks, that worked. What does this mean, if you don't mind me asking?


```
	writeable = yes
	path = /usr/local/www
	write list = @"HOME\Domain Users"
	force group = wheel
	force user = root
	comment = Default Website
```


----------



## gkontos (Aug 7, 2013)

tuaris said:

> Thanks, that worked. What does this mean, if you don't mind me asking?



I think that by passing the user variable the group was ignored.


----------



## tuaris (Aug 24, 2013)

Quick update on this issue. I think I may have found out the reason behind it. According to this bug report, it only affects Samba clients with Windows 2000 domain controllers:

https://bugzilla.samba.org/show_bug.cgi?id=9615

Looks like it's fixed in 3.6.19.


----------

