#StackBounty: #debian #samba Samba only sees first group of a user

Bounty: 50

I have a Samba server on Debian Buster that was upgraded from Debian Stretch. This upgraded Samba from 4.5.16 to 4.9.5. Somewhere in this process, it seems that handling of groups changed. Users that could previously access shares with the correct group memberships can no longer access them.

  • Users are able to access their home directories
  • Users are able to access guest shares
  • Users are able to access shares with their main group
  • Users are unable to access shares with their secondary groups

The smb.conf file is effectively as follows:

[global]
workgroup = EXAMPLE
realm = WIN.EXAMPLE.COM
security = ADS
server string = %h
wins server = 10.0.1.10 10.0.2.20
panic action = /usr/share/samba/panic-action %d
invalid users = root

server signing = required
ntlm auth = no

dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
server role = standalone server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = yes
min protocol = SMB2

[guestshare]
path = /srv/guestshare
guest ok = yes
writeable = yes

[working]
path = /srv/working
guest ok = no
writable = yes
create mask = 0660
directory mask = 0770
valid users = +working

[notworking]
path = /srv/notworking
guest ok = no
writable = yes
create mask = 0660
directory mask = 0770
valid users = +notworking

The user can access the guestshare and the working shares, but not the notworking share.

Group membership for the user looks like this:

# id user
uid=1234(user) gid=10000(working) groups=10000(working),10010(notworking),10020(othergroup)

Please tell me what I’m missing here.

