I have a Samba server on Debian Buster that was upgraded from Debian Stretch. This upgraded Samba from 4.5.16 to 4.9.5. Somewhere in this process, it seems that handling of groups changed. Users that could previously access shares with the correct group memberships can no longer access them.
- Users are able to access their home directories
- Users are able to access guest shares
- Users are able to access shares with their main group
- Users are unable to access shares with their secondary groups
The smb.conf file is effectively as follows:

    [global]
        workgroup = EXAMPLE
        realm = WIN.EXAMPLE.COM
        security = ADS
        server string = %h
        wins server = 10.0.1.10 10.0.2.20
        panic action = /usr/share/samba/panic-action %d
        invalid users = root
        server signing = required
        ntlm auth = no
        dns proxy = no
        log file = /var/log/samba/log.%m
        max log size = 1000
        syslog = 0
        server role = standalone server
        obey pam restrictions = yes
        unix password sync = yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        pam password change = yes
        map to guest = bad user
        usershare allow guests = yes
        min protocol = SMB2

    [guestshare]
        path = /srv/guestshare
        guest ok = yes
        writeable = yes

    [working]
        path = /srv/working
        guest ok = no
        writable = yes
        create mask = 0660
        directory mask = 0770
        valid users = +working

    [notworking]
        path = /srv/notworking
        guest ok = no
        writable = yes
        create mask = 0660
        directory mask = 0770
        valid users = +notworking

The user can access the guestshare and the working shares, but not the notworking share.
Group membership for the user looks like this:

    # id user
    uid=1234(user) gid=10000(working) groups=10000(working),10010(notworking),10020(othergroup)

Please tell me what I’m missing here.