AIX Open Source

Share your experiences and connect with fellow developers to discover how to build and manage open source software for the AIX operating system

  • 1.  Samba 4.10.13 ignoring secondary group access for Samba share

    Posted Tue June 02, 2020 06:04 AM
    I installed on an AIX 7.1 lpar the compiled version for AIX of Samba 4.10.13 from https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/samba/

    This was installed to resolve the issue with the Samba server having protocol negotiation issues when authenticating to a Windows Server 2016 Domain Controller. This has resolved the authentication issue, and the shares are accessible by using the FQDN hostname, CNAME and IP address for all Win10, Win8.1 and Windows server clients.

    The issue I have is that I can open a Samba share, but when attempting to write/delete files I get "access denied" or "you need permission to perform this action", even if my UNIX account has membership of the group that owns the directory. It only works if I set this group as my primary group; if it is my secondary group it does not work.

    Versions as below

    root@stvx10546 /usr/local/samba/sbin # ./smbd -V
    Version 4.10.13
    root@stvx10546 /usr/local/samba/sbin # ./nmbd -V
    Version 4.10.13
    root@stvx10546 /usr/local/samba/sbin # ./winbindd -V
    Version 4.10.13

    Please identify a resolution

    ------------------------------
    Peter Platanitis
    ------------------------------


  • 2.  RE: Samba 4.10.13 ignoring secondary group access for Samba share

    Posted Wed June 03, 2020 02:08 AM
    Can you share the smb.conf file?
    Was it working earlier? If so, what was the Samba version?

    ------------------------------
    Ayappan P
    ------------------------------



  • 3.  RE: Samba 4.10.13 ignoring secondary group access for Samba share

    Posted Wed June 03, 2020 02:29 AM
    Hi Ayappan P

    This is my current smb.conf

    #======================= Global Settings =====================================
    [global]

    # workgroup = NT-Domain-Name or Workgroup-Name
    workgroup = HQ
    realm = HQ.LOCAL
    # password server = 172.18.8.12, 172.18.8.26, 172.19.8.12
    # password server = 172.19.6.26, 172.19.8.12, 172.18.8.12
    password server = 172.18.8.25, 172.18.8.16
    domain master = no
    protocol = SMB3

    # server string is the equivalent of the NT Description field
    server string = SPVX10069 (Samba)

    # stop nmbd from binding to the broadcast address of the subnet
    nmbd bind explicit broadcast = no

    # Printcap parameter set to /dev/null required to stop smbd crashing at startup if you have AIX printers configured
    printcap name = /dev/null

    # Make sure printers are not automatically loaded
    load printers = no

    # this tells Samba to use a separate log file for each machine
    # that connects
    log file = /opt/freeware/var/log.%m

    # Put a capping on the size of the log files (in Kb).
    max log size = 50
    log level = 1

    encrypt passwords = yes
    # Make sure that users are validated via NT
    security = ADS
    # password server = awmltd.com.au
    # password server = adelaide_sms

    # Most people will find that this option gives better performance.
    # See speed.txt and the manual pages for details
    # socket options = TCP_NODELAY
    # Network Interfaces used
    # interfaces = en4 172.24.229.74/255.255.255.224
    # interfaces = en4 172.24.229.74

    # Browser Control Options:
    # set local master to no if you don't want Samba to become a master
    # browser on your network. Otherwise the normal election rules apply
    local master = no

    # WINS Server - Tells the NMBD components of Samba to be a WINS Client
    # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
    # wins server = 172.24.226.7

    # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
    # via DNS nslookups. The built-in default for versions 1.9.17 is yes,
    # this has been changed in version 1.9.18 to no.
    dns proxy = no

    # username map
    # Map a Windows user to a UNIX user
    # username map = /opt/pware/samba/3.0.28/lib/usermap
    username map = /usr/local/samba/lib/usermap

    # Follow Symbolic Links
    follow symlinks = yes
    wide links = yes
    unix extensions = no

    #============================ Share Definitions ==============================
    #
    # Share the Performance Doco on the IBM
    #
    [AIXDoco]
    comment = AIX Performance Toolkit Documentation
    path = /usr/share/man/info/en_US
    public = no
    writable = no
    valid users = piszcykj goughj campbelt

    #
    # Share the Performance Logs on the IBM
    #
    [PerfLogs]
    comment = AIX Performance Logs
    path = /usr/local/logs/Perflogs
    public = no
    writable = no
    valid users = goughj payner piszcykj

    #
    # Share the champ export directory
    #
    # We need to force lower case, etc....
    #
    [ChampV8]
    comment = Champ Version 8.0 Export Directory
    path = /u3/champ
    public = no
    writable = yes
    valid users = +champ champ wolfa champv8 prtape NTService Scheduler
    create mask = 0660
    default case = lower
    preserve case = no
    short preserve case = no

    #
    # Some directories for Workflow
    #
    [TrusDown]
    comment = Workflow download directory
    path = /u1/AUSTRUST/trusdown
    public = yes
    writable = yes
    create mask = 0640

    #--- [TrusTEST]
    #--- comment = Workflow TEST download directory
    #--- path = /tact/dev/DEV_ETRUST/trustest
    #--- public = yes
    #--- writable = yes
    #--- create mask = 0640
    #
    #
    # EFT Directories
    #
    [EFT]
    comment = EFT Transfer Directory
    path = /u3/ETRUST/eft
    public = yes
    writable = yes
    create mask = 0640

    #--- [EFTTest]
    #--- comment = EFT Test Transfer Directory
    #--- path = /tact/dev/DEV_ETRUST/efttest
    #--- public = yes
    #--- writable = yes
    #--- create mask = 0640

    #
    # SuperSur directories
    #
    [SuperSur]
    comment = Super Surcharge
    path = /usr/local/samba/services/supersur
    guest ok = no
    writeable = yes
    create mask = 0660
    directory mask = 0770
    valid users = +supersur
    group = supersur

    #
    # General Data
    #
    [GenData]
    comment = General Data
    path = /usr/local/samba/services/gendata
    guest ok = no
    public = yes
    writeable = yes
    create mask = 0664
    directory mask = 0775
    preserve case = yes
    short preserve case = yes

    #
    # FundTraq directories
    #
    [FundTraq]
    comment = Fund Traq
    path = /usr/local/samba/services/fundtraq
    guest ok = no
    writeable = yes
    create mask = 0660
    directory mask = 0770
    valid users = +fundtraq
    group = fundtraq
    default case = lower
    preserve case = no
    short preserve case = no

    #
    # Share the champ export directory
    #
    # We need to force lower case, etc....
    #
    [QAChamp]
    comment = Champ Export Directory for QA_ETRUST
    path = /tact/qa/champ
    public = no
    writable = yes
    valid users = champ wolfa champv8 champqa howards coxs prtape NTService Scheduler
    create mask = 0660
    default case = lower
    preserve case = no
    short preserve case = no

    It was working prior to the upgrade; we were running Samba 3.6.25 without winbindd.

    I am testing from my user account ppp001, as per the config below on the Samba server:

    root@spvx10069 /usr/local/samba/bin # lsuser ppp001
    ppp001 id=8328 pgrp=TTAProd groups=TTAProd,ROOTUSER,champ,is,fundtraq home=/home/ppp001 shell=/usr/bin/ksh gecos=Peter Platanitis Admin user login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=3 pwdwarntime=14 account_locked=false minage=0 maxage=0 maxexpired=1 minalpha=4 minother=2 mindiff=1 maxrepeats=2 minlen=8 histexpire=0 histsize=0 pwdchecks= dictionlist= default_roles= fsize=-1 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 time_last_login=1590815761 time_last_unsuccessful_login=1588122414 tty_last_login=ssh tty_last_unsuccessful_login=ssh host_last_login=172.28.30.97 host_last_unsuccessful_login=cdt8277.hq.local unsuccessful_login_count=0 roles=



    ------------------------------
    Peter Platanitis
    ------------------------------



  • 4.  RE: Samba 4.10.13 ignoring secondary group access for Samba share

    Posted Wed June 03, 2020 03:02 AM
    A lot of things changed in Samba 4.10.13 compared with version 3.6.25, especially the things we put in the smb.conf file.
    I suggest you run testparm to check the correctness of smb.conf. You can also re-check the group-related settings in the conf file.

    The valid users field should have the prefix "@" (or &,+) to be treated as group names.

    ------------------------------
    Ayappan P
    ------------------------------



  • 5.  RE: Samba 4.10.13 ignoring secondary group access for Samba share

    Posted Mon June 08, 2020 09:07 PM
    Hi Ayappan

    The output from my testparm command.

    root@spvx10069 /usr/local/samba/bin # ./testparm /usr/local/samba/lib/smb.conf
    Load smb config files from /usr/local/samba/lib/smb.conf
    Loaded services file OK.
    WARNING: lock directory /var/locks should have permissions 0755 for browsing to work

    WARNING: The setting 'security=ads' should NOT be combined with the 'password server' parameter.
    (by default Samba will discover the correct DC to contact automatically).

    idmap range not specified for domain '*'
    ERROR: Invalid idmap range for domain *!

    Server role: ROLE_DOMAIN_MEMBER

    Press enter to see a dump of your service definitions

    # Global parameters
    [global]
    dns proxy = No
    domain master = No
    load printers = No
    local master = No
    log file = /opt/freeware/var/log.%m
    max log size = 50
    nmbd bind explicit broadcast = No
    password server = 172.18.8.25, 172.18.8.16
    printcap name = /dev/null
    realm = HQ.LOCAL
    security = ADS
    server string = SPVX10069 (Samba)
    unix extensions = No
    username map = /usr/local/samba/lib/usermap
    workgroup = HQ
    idmap config * : backend = tdb
    wide links = Yes


    [AIXDoco]
    comment = AIX Performance Toolkit Documentation
    path = /usr/share/man/info/en_US
    valid users = piszcykj goughj campbelt


    [PerfLogs]
    comment = AIX Performance Logs
    path = /usr/local/logs/Perflogs
    valid users = goughj payner piszcykj


    [ChampV8]
    comment = Champ Version 8.0 Export Directory
    create mask = 0660
    path = /u3/champ
    preserve case = No
    read only = No
    short preserve case = No
    valid users = +champ champ wolfa champv8 prtape NTService Scheduler


    [TrusDown]
    comment = Workflow download directory
    create mask = 0640
    guest ok = Yes
    path = /u1/AUSTRUST/trusdown
    read only = No


    [EFT]
    comment = EFT Transfer Directory
    create mask = 0640
    guest ok = Yes
    path = /u3/ETRUST/eft
    read only = No


    [SuperSur]
    comment = Super Surcharge
    create mask = 0660
    directory mask = 0770
    force group = supersur
    path = /usr/local/samba/services/supersur
    read only = No
    valid users = +supersur


    [GenData]
    comment = General Data
    create mask = 0664
    directory mask = 0775
    guest ok = Yes
    path = /usr/local/samba/services/gendata
    read only = No


    [FundTraq]
    comment = Fund Traq
    create mask = 0660
    directory mask = 0770
    force group = fundtraq
    path = /usr/local/samba/services/fundtraq
    preserve case = No
    read only = No
    short preserve case = No
    valid users = +fundtraq


    [QAChamp]
    comment = Champ Export Directory for QA_ETRUST
    create mask = 0660
    path = /tact/qa/champ
    preserve case = No
    read only = No
    short preserve case = No
    valid users = champ wolfa champv8 champqa howards coxs prtape NTService Scheduler


    ------------------------------
    Peter Platanitis
    ------------------------------



  • 6.  RE: Samba 4.10.13 ignoring secondary group access for Samba share

    Posted Tue June 09, 2020 02:46 AM
    " ERROR: Invalid idmap range for domain"
    You need to set the idmap range as well. https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

    ------------------------------
    Ayappan P
    ------------------------------
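The two points raised in replies 4 and 6 (group entries in "valid users" need a "+", "&" or "@" prefix, and every idmap domain needs a "range") can be checked offline before the file is handed to testparm. The script below is an added example, not code from the thread or from the Samba project: it parses a constructed smb.conf reduced from the shares quoted above, classifies each "valid users" entry the way smb.conf(5) does, and reports any "idmap config <domain> : ..." block that has no "range" line. The range value 3000-7999 in the fixed sample is the example range from the Samba wiki page linked in reply 6 and is an assumption; it must not overlap UIDs/GIDs already in use locally.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, reduced from the shares quoted in the thread.
# The global section deliberately omits 'idmap config * : range',
# which is what produces testparm's "Invalid idmap range for domain *!".
SAMPLE_SMB_CONF = """\
[global]
   workgroup = HQ
   realm = HQ.LOCAL
   security = ADS
   idmap config * : backend = tdb

[ChampV8]
   path = /u3/champ
   writable = yes
   valid users = +champ champ wolfa @fundtraq &netgrp

[SuperSur]
   path = /usr/local/samba/services/supersur
   valid users = +supersur
   force group = supersur
"""

# The same file with a range added. 3000-7999 is the Samba wiki's example
# range (assumed here); choose one that does not overlap local UIDs/GIDs.
FIXED_SMB_CONF = SAMPLE_SMB_CONF.replace(
    "idmap config * : backend = tdb",
    "idmap config * : backend = tdb\n   idmap config * : range = 3000-7999",
)

# Prefixes smb.conf(5) documents for 'valid users'; two-character ones first.
GROUP_PREFIXES = [
    ("+&", "unix group, then NIS netgroup"),
    ("&+", "NIS netgroup, then unix group"),
    ("@", "NIS netgroup, then unix group"),
    ("+", "unix group"),
    ("&", "NIS netgroup"),
]


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: sections -> {normalised parameter: value}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Samba ignores case and surplus whitespace in parameter names.
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def classify_valid_users(value: str) -> List[Tuple[str, str]]:
    """Split a 'valid users' value into (name, kind); bare names are users.

    Quoted names containing spaces are not handled here.
    """
    out: List[Tuple[str, str]] = []
    for entry in value.split():
        for prefix, kind in GROUP_PREFIXES:
            if entry.startswith(prefix):
                out.append((entry[len(prefix):], kind))
                break
        else:
            out.append((entry, "user"))
    return out


def share_access_summary(sections: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[List[str], List[str]]]:
    """For every share that sets 'valid users', return (group names, user names)."""
    summary = {}
    for share, params in sections.items():
        if share == "global" or "valid users" not in params:
            continue
        groups: List[str] = []
        users: List[str] = []
        for name, kind in classify_valid_users(params["valid users"]):
            (users if kind == "user" else groups).append(name)
        summary[share] = (groups, users)
    return summary


def missing_idmap_ranges(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Domains that have some 'idmap config <dom> : ...' line but no 'range'."""
    domains, ranged = set(), set()
    for key in sections.get("global", {}):
        m = re.match(r"idmap config (\S+) : (\w+)$", key)
        if m:
            domains.add(m.group(1))
            if m.group(2) == "range":
                ranged.add(m.group(1))
    return sorted(domains - ranged)


def lint(text: str) -> List[str]:
    """Findings for the two checks discussed in the thread."""
    sections = parse_smb_conf(text)
    findings = [f"[global] idmap config {d} : range is missing" for d in missing_idmap_ranges(sections)]
    for share, (groups, _users) in share_access_summary(sections).items():
        if not groups:
            findings.append(f"[{share}] valid users has no group entries; names without +, & or @ match users only")
    return findings


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(label, lint(conf) or ["no findings"])
```

The script only mirrors the two checks the replies name; the real confirmation is still testparm on the running host, followed by re-testing the share as a user whose only membership of the owning group is secondary.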