Samba permission error with newly created AD group

Hi all,

I have samba set up and working (kind of…) on OpenSuse 11.1.
My server is part of an AD domain, to which it is correctly joined. Authentication is done via active directory, winbind works.

I have some shares set up correctly with valid users = "@MYDOMAIN+somegroup", and all domain users can access them correctly.

I have created a new group in active directory and added myself in it.

I created a new share in samba with valid users = "@LOCAL+newgroup"
I cannot access this share (on my windows box, I have an authentication window that pops up).

I checked the samba log of my workstation (in /var/log/samba/myipaddress), and I have this :

[2009/02/11 09:08:12, 3] lib/util_sid.c:string_to_sid(228)
string_to_sid: Sid @MYDOMAIN+newgroup does not start with ‘S-’.
[2009/02/11 09:08:12, 2] smbd/service.c:make_connection_snum(736)
user ‘MYDOMAIN+myself’ (from session setup) not permitted to access this share (test)
[2009/02/11 09:08:12, 3] smbd/error.c:error_packet_set(61)
error packet at smbd/reply.c(696) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

If I change valid users = "@LOCAL+newgroup" to valid users = "@LOCAL+someoldgroup" in my smb.conf, it works OK.

I thought that “idmap uid” or “idmap gid” could be set incorrectly, but I have them at “1200 20000” both, and I don’t see any other user/group in this range in /etc/passwd.

Any idea?

Thanks a lot!
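As an added example (not from the thread), a small Python helper that parses smbd log entries like the ones quoted above and ties the NT_STATUS_ACCESS_DENIED to the valid users entry that winbind never resolved to a SID; the sample log is constructed from the post's lines and the share name and user are the post's placeholders.

```python
import re

# smbd writes each log entry as a header line followed by a message line:
#   [YYYY/MM/DD HH:MM:SS, level] file:function(line)
#   message text
HEADER_RE = re.compile(r"^\[(?P<ts>[^,]+), (?P<level>\d+)\] (?P<src>\S+)$")
SID_FAIL_RE = re.compile(r"string_to_sid: Sid (?P<name>\S+) does not start with")
# Accept both straight and curly quotes, since forum software often rewrites them.
DENIED_RE = re.compile(
    r"user [‘'](?P<user>[^’']+)[’'] .*not permitted to access this share \((?P<share>[^)]+)\)")

# Constructed sample, modelled on the log lines quoted in the post above.
SAMPLE_LOG = """\
[2009/02/11 09:08:12, 3] lib/util_sid.c:string_to_sid(228)
  string_to_sid: Sid @MYDOMAIN+newgroup does not start with 'S-'.
[2009/02/11 09:08:12, 2] smbd/service.c:make_connection_snum(736)
  user 'MYDOMAIN+myself' (from session setup) not permitted to access this share (test)
[2009/02/11 09:08:12, 3] smbd/error.c:error_packet_set(61)
  error packet at smbd/reply.c(696) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
"""


def parse_smbd_log(text):
    """Pair each header line with the message line that follows it."""
    entries, header = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()
        elif header is not None:
            entries.append({**header, "msg": line})
            header = None
    return entries


def triage(text):
    """Return (unresolved valid-users names, (user, share) denials).

    A name that smbd could not turn into a SID can never match the
    connecting user's token, so every denial on that share is expected."""
    unresolved, denials = [], []
    for entry in parse_smbd_log(text):
        m = SID_FAIL_RE.search(entry["msg"])
        if m:
            unresolved.append(m.group("name"))
        m = DENIED_RE.search(entry["msg"])
        if m:
            denials.append((m.group("user"), m.group("share")))
    return unresolved, denials
```

For each name reported as unresolved, checking it with `wbinfo -n '<name>'` on the server shows whether winbind can map that group to a SID at all.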

I think I solved this problem.

First of all, changing “security = ADS” to “security = domain” solved the problem.

I’ve read the smb.conf man page many times, but I still don’t really understand the point of having “security = ADS” when using the samba server only as a file server.
Anyway, I was still not pleased with this quick and dirty fix.

The main difference between these two security modes in the samba HOW-TO “Domain Membership” is that the kerberos configuration file explicitly lists encryption types.
The note states that this is for heimdal <0.6 (I don’t know what that is, so I guess I’m not using it).
Anyway, I finally tried to add these lines to /etc/krb5.conf, and lo!, it worked!

[libdefaults]
default_realm = MY.DOMAIN
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5

At last! :slight_smile: