I have a bit of an odd one here and I am hoping someone might have a clue as to what I am missing...

The plan was to take a Fedora 3 2TB server and replace it with a Fedora 7 4TB server. The system has been duplicated and the systems appear to be identical except for IP address and host names. As soon as I can get the following problem resolved, the old server will be removed and the new one will take it's place.

I copied over the smb.conf file (as well as everything in /etc/samba/*), and have duplicated the data in the filesystem, I can view the shares from both Windows and *nix boxes. My Win-XP boxes can map the drives in and they show the shared directories when you browse the machine over the network.

The odd part is that I can only actually get into the directories and view the files when the logged in user is listed as "admin users" but not as "valid users" or no specified lists.

I went through the Samba-HOWTO tests and when I got to test 7, it failed with the following error message:

[root@fileserver2 ~]# smbclient //fileserver2/Art
Password:
Anonymous login successful
Domain=[DOMAINNAME] OS=[Unix] Server=[Samba 3.0.27a-0.fc7]
tree connect failed: NT_STATUS_ACCESS_DENIED

The network is also shared with an Active Directory Server, but it does not interact with this machine or the one it will be replacing.

Any ideas?

Here's a part of the smb.conf

[global]
workgroup = WORKGROUP
server string = Linux Samba Server
guest account = temp
log file = /var/log/samba/%m.log
max log size = 50
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = No
local master = No
domain master = No
dns proxy = No
wins server = 192.168.0.2
ldap ssl = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
cups options = raw

[www]
comment = IntraNet WWW Folder
path = /var/www
valid users = adamc, robert.k, apache, ted, davidb
admin users = adamc, robert.k
force group = apache
read only = No
create mask = 00
force create mode = 0777
directory mask = 0777
hosts allow = 192.168.0.
...

In the www share above, robert.k can access the files in this directory, if you comment out the "admin users" line, robert.k will not be able to view the files in the directory, this issue is system wide between all shared folders and used home directories. I actually added the "admin users" to the homes entry and he could view his files there.

did u map the windows nt and unix groups?? try it if u didnt, use this command

groupmap modify ntgroup="Domain Admins" unixgroup=<"name of admin group">
groupmap modify ntgroup="Domain Users" unixgroup=<"users">

try it it may work, also post ur smbd.log file

I assume you were referring to the net command.

I hadn't mapped the drives and tried yours above and this (SID taken from other machine):

net groupmap add sid=S-1-5-32-545 unixgroup=users type=builtin

My log.smb error messages in both cases became:

[2007/12/12 15:23:21, 0] smbd/service.c:make_connection_snum(850)
make_connection: connection to art denied due to security descriptor.

This is the only error messages that show up. The terminal session looks like this:

[root@fileserver2 samba]# smbclient //fileserver2/Art
Password:
Anonymous login successful
Domain=[E...CH] OS=[Unix] Server=[Samba 3.0.27a-0.fc7]
tree connect failed: NT_STATUS_ACCESS_DENIED

I am at the point that I don't really think it is Samba but something in access/security control. There are no firewalls and SELinux is disabled (it's a closed system)

Let me know if there is anything that makes sense...

The other issue the "net" command brought up is that when I started to attempt to duplicate the entries from the old server to the new server, using net groupmap list verbose, I received several entries that had groups of -1 in them. I don't get that one... see below (from original server):

System Operators
SID : S-1-5-32-549
Unix group: -1
Group type: Builtin group
Comment :
Replicators
SID : S-1-5-32-552
Unix group: -1
Group type: Builtin group
Comment :
Domain Guests
SID : S-1-5-21-3119555352-1113490366-2152548915-514
Unix group: -1
Group type: Domain group
Comment :
Guests
SID : S-1-5-32-546
Unix group: -1
Group type: Builtin group
Comment :

hey check out the permission on the folder i mean the linux file permission, that may work.

Yeah, I checked them, they are all 777, 755 or 750...

I'm working on an smb server too. From what I'd read tonight on various Internet sites, I'm guessing that the -1's in the output indicate that the group's been mapped, but it's got the wrong RID.

It seems to be a change in the pre-mapped groups. I know that on my machine, I got the same type of output too. So probably some standard groups aren't mapped. In case you don't know, the RID is like the GID on Linux systems.

How did you duplicate the settings on the older server? Did you use dd or install Fedora 7 from scratch and copy the configuration files verbatim. How did you migrate the data from the old server to the new one?

Have you also got SELinux enabled on the FC7 server?

If so check the policies as you can prevent access by users to network accessible files