winbind has broken samba share making it not accessible

[Criller]

I have samba share up and running which can be accessed by users from their Windows client PC’s. These users have local Linux accounts on the Samba server.
To control access I have a Linux security group called ‘accounts’ and permissions on the Samba directory called ‘shared’ are set as below:-

drwxrws--- 2 root accounts 4096 Feb 21 12:14 shared

I have now implemented windbind to give me Windows AD authentication and the above Samba share is no longer accessible. When I type \\samba server in Windows explorer the shared directory is displayed but when you try to go in to the directory I get an error saying the folder is not accessible and that I do not permission to use the network resource. If I set the Linux permissions to 777 I do not have an issue. I’ve tried adding ‘write list =domain name’ into smb.conf. I’ve also tried net groupmap my AD ‘accounts’ group to my Linux ‘accounts’ group. But all have failed. When I look in the samba logs I see the following:-

[2008/02/21 16:21:50, 0] smbd/service.c:set_current_service(184)
chdir (/u01/samba) failed

If I login via SSH using my AD domain account I can cd to /u01/shared without any issues.

If I disable winbind the share becomes accessible.

My smb.conf looks like:-
[global]
workgroup = EXAMPLE
realm = EXAMPLE.XXX.COM
server string = Production Server
security = ADS
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
printcap name = /etc/printcap
dns proxy = No
remote announce = xxx.xx.6.255 xxx.xx.3.255
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template homedir = /xxxx/xxx/home/%U
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
hosts allow = xxx.xx., 127.
cups options = raw

[homes]
comment = Accounts
path = /u01/shared
write list = EXAMPLE.xx.COM\user
read only = No
create mask = 0774
browseable = No

can anybody suggest how I resolve this as I’m pulling my hair out trying to find a resolution even after lots of googling.

Thanks

[patrickbeyer]

Have you tried removing one machine from the Domain and then adding it again?

[blade4383]

have you tried making browseable=yes in [homes]

also comment the line hosts allow=xxxx....

and try logging in ... also post the last 10 lines of the log file /var/log/samba/%m.log
when u do the above things

[Criller]

Thanks for your replies.

To get over the problem I created a Windows AD group called accounts. I then changed the group ownership on the samba directory.

chgrp DOMAIN\\accounts sambadirectory

The original group ownership was set to a local group called accounts. Users, who were authenticating via winbind were members of this local group but it needed an equivilent AD group for things to work.

I'm guessing that you cannot mix and match permissions when using winbind/samba? i.e. owner can be a domain user and group owner can be local group (/etc/group)

[tgp1994]

I would like to add to this, in that I managed to solve this problem by simply setting the group owner of the shared folder in question to nogroup. I.E. since I was trying to share my tftpboot directory, I ran this command under root:

chown tftp:nogroup /var/lib/tftpboot

Hope this helps.