[Samba] Samba 3.0.23 + ADS + 'valid users' + 'force user' does not work
Andrei Nazarenko
a.nazarenko at gmail.com
Tue Jul 11 16:25:57 GMT 2006
Just upgraded Samba to 3.0.23 and can no longer map any non-anonymous shares.
Here is my smb.conf file:

[global]
    map to guest = Bad User
    guest account = nobody
    syslog = 0
    log level = 3
    workgroup = OAAD
    realm = OA.PNRAD.NET
    security = ADS

[intranet]
    path = /srv/www/intranet
    valid users = nazaand
    write list = nazaand
    force user = intranet
    force group = intranet
    create mask = 0660
    directory mask = 0770
    browseable = No

Unix user 'nazaand' exists with UID:1000 and GID:100.
The ADS authentication also works fine, I get the following entries in
the log file:
[2006/07/11 17:53:18, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine FRPDC003.OA.PNRAD.NET pipe \NETLOGON fnum 0xa bind request returned ok.
[2006/07/11 17:53:18, 3] passdb/lookup_sid.c:store_gid_sid_cache(1038)
  store_gid_sid_cache: gid 100 in cache -> S-1-5-21-2802976709-2047762053-2842697490-1201
[2006/07/11 17:53:18, 3] passdb/lookup_sid.c:fetch_gid_from_cache(999)
  fetch gid from cache 100 -> S-1-5-21-2802976709-2047762053-2842697490-1201
[2006/07/11 17:53:18, 3] auth/auth.c:check_ntlm_password(270)
  check_ntlm_password: winbind authentication for user [nazaand] succeeded
[2006/07/11 17:53:18, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [nazaand] -> [nazaand] -> [nazaand] succeeded

But the share cannot be mapped because of this:

[2006/07/11 17:53:18, 3] passdb/lookup_sid.c:store_gid_sid_cache(1038)
  store_gid_sid_cache: gid 2147483404 in cache -> S-1-5-21-2802976709-2047762053-2842697490-513
[2006/07/11 17:53:18, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
  NTLMSSP Sign/Seal - Initialising with flags:
[2006/07/11 17:53:18, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xe2088215
[2006/07/11 17:53:18, 3] smbd/password.c:register_vuid(280)
  User name: nazaand Real name:
[2006/07/11 17:53:18, 3] smbd/password.c:register_vuid(301)
  UNIX uid 1000 is UNIX user nazaand, and will be vuid 103
[2006/07/11 17:53:18, 3] smbd/password.c:register_vuid(332)
  Adding homes service for user 'nazaand' using home directory: '/srv/www/htdocs'
[2006/07/11 17:53:18, 3] smbd/process.c:process_smb(1110)
  Transaction 7 of length 86
[2006/07/11 17:53:18, 3] smbd/process.c:switch_message(914)
  switch message SMBtconX (pid 16063) conn 0x0
[2006/07/11 17:53:18, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/07/11 17:53:18, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid nazaand does not start with 'S-'.
[2006/07/11 17:53:18, 2] smbd/service.c:make_connection_snum(571)
  user 'nazaand' (from session setup) not permitted to access this share (intranet)
[2006/07/11 17:53:18, 3] smbd/error.c:error_packet(146)
  error packet at smbd/reply.c(676) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
Why do I get the "not permitted to access this share" error if my user
is in the "valid users" list?
If I remove the "valid users" list completely, then the share can be
mapped, but I cannot write to it. If I use "security = user" then
everything works ok.
Does the new Samba version require a different format for the
'valid users' and 'write list' directives or do I need to specify any
additional parameters for it to work as 3.0.22?
Thanks for your time
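
Added example, not part of the original post: a short Python script that groups smbd log headers with their wrapped message lines and reports share denials that follow a successful login, which separates an authorization failure at tree connect (as in the excerpts above) from an authentication failure. The sample log is constructed in the format quoted in the post; the user guestx and the function names are hypothetical.

```python
import re

# smbd writes a header before each message: "[date time, level] file:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\] (\S+?):(\w+)\((\d+)\)\s*$")
AUTH_OK = re.compile(r"authentication for user \[([^\]]+)\] -> \[([^\]]+)\] -> \[([^\]]+)\] succeeded")
DENIED = re.compile(r"user '([^']+)' \(from session setup\) not permitted to access this\s+share \(([^)]+)\)")

def parse_entries(text):
    """Group each header line with its (possibly mail-wrapped) message lines."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            entries.append({"time": m.group(1), "level": int(m.group(2)),
                            "func": m.group(4), "msg": ""})
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def denied_after_auth(text):
    """Return (time, user, share) for share denials that follow a successful login."""
    authenticated, findings = set(), []
    for e in parse_entries(text):
        ok = AUTH_OK.search(e["msg"])
        if ok:
            authenticated.add(ok.group(3))  # final mapped Unix user name
        no = DENIED.search(e["msg"])
        if no and no.group(1) in authenticated:
            findings.append((e["time"], no.group(1), no.group(2)))
    return findings

# Constructed sample in the log format quoted in the post; guestx is hypothetical.
SAMPLE = """\
[2006/07/11 17:53:18, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [nazaand] -> [nazaand]
-> [nazaand] succeeded
[2006/07/11 17:53:18, 3] lib/util_sid.c:string_to_sid(223)
string_to_sid: Sid nazaand does not start with 'S-'.
[2006/07/11 17:53:18, 2] smbd/service.c:make_connection_snum(571)
user 'nazaand' (from session setup) not permitted to access this
share (intranet)
[2006/07/11 17:53:19, 2] smbd/service.c:make_connection_snum(571)
user 'guestx' (from session setup) not permitted to access this share (intranet)
"""

if __name__ == "__main__":
    for when, user, share in denied_after_auth(SAMPLE):
        print(f"{when}: {user} authenticated but was denied on [{share}]")
```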