[Samba] Winbind and groups
simo
idra at samba.org
Tue Dec 11 17:53:10 GMT 2007
You are welcome :-)
On Tue, 2007-12-11 at 11:51 -0600, Ben Vaughan wrote:
> And the correct answer is...
>
> Using a valid users line that looks like this:
>
> Valid users = +DOMAIN\group
>
> Many thanks to "idra" on the #samba IRC channel.
>
> Ben
>
>
> Ben Vaughan
> Globalcom IT Infrastructure Support Team
> bvaughan at global-com.com
> 312 673 4116
>
>
> -----Original Message-----
> From: samba-bounces+bvaughan=global-com.com at lists.samba.org [mailto:samba-bounces+bvaughan=global-com.com at lists.samba.org] On Behalf Of Ben Vaughan
> Sent: Tuesday, December 11, 2007 10:30 AM
> To: samba at lists.samba.org
> Subject: [Samba] Winbind and groups
>
> Hello Friendly Samba People,
>
> I have a working samba install that allows my AD users access to files on my linux box. The linux box is configured via Winbind as a domain member and uses Winbind as the local NSS. I can successfully resolve both users and groups from the AD. Users are currently able to access the samba shares without trouble.
>
> I am running into trouble when trying to use groups defined in the AD as "valid users" or ACLs on the linux box.
>
> Smb.conf:
> [global]
> security = ADS
> realm = CORP.CALLGLOBALCOM.COM
> workgroup = CORP
> log file = /var/log/samba/%m
> log level = 2
>
> #winbind / AD stuff
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind expand groups = 2
> winbind nss info = rfc2307
> winbind nested groups = Yes
> idmap uid range = 1000 - 30000000
> idmap gid range = 100 - 30000000
> idmap domains = CORP
> idmap config CORP:backend = ad
> idmap config CORP:default = yes
> idmap config CORP:readonly = yes
>
> [homes]
>
> [sysadmins]
> path = /tmp
> writeable = yes
> comment = Globalcom Sysadmins share
> valid users = @gc_sysadmins
> create mask = 0775
> directory mask = 0775
>
> # getent group gc_sysadmins
> gc_sysadmins:*:10001:bvaughan
>
> # getent passwd bvaughan
> bvaughan:*:1812:100:Ben Vaughan, IT Systems Overlord:/home/bvaughan:/bin/bash
>
> When trying to access the [sysadmins] share defined as above, samba logging says this:
>
> user 'CORP\bvaughan' (from session setup) not permitted to access this share (sysadmins)
>
>
> I see the disconnect, the "CORP\bvaughan" that samba sees here, vs the "bvaughan" seen in the group entry. Is there a way to make these two come together so the "valid users=" line works?
>
> I am running samba version 3.0.25b-1.el5_1.4 as provided by RedHat.
>
> Any help would be appreciated.
>
> Ben
>
>
>
> Ben Vaughan
> Globalcom IT Infrastructure Support Team
> bvaughan at global-com.com
> 312 673 4116
>
--
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Senior Software Engineer at Red Hat Inc. <ssorce at redhat.com>
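
Added example, not part of the thread and not Samba code: a small Python check for the mismatch this thread resolved. It flags `valid users` group entries (`@`, `+` or `&` prefix) that lack a `DOMAIN\` qualifier on a domain-member server; the function names are hypothetical, the sample is constructed from the [sysadmins] share above, and the default winbind separator `\` is assumed.

```python
import re

GROUP_PREFIXES = "@+&"  # smb.conf markers for a group (or netgroup) name

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with lower-cased names."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def unqualified_groups(text):
    """List (share, entry) pairs whose 'valid users' group has no DOMAIN\\ part."""
    conf = parse_smb_conf(text)
    if conf.get("global", {}).get("security", "").lower() not in ("ads", "domain"):
        return []  # not a domain member, nothing to check
    findings = []
    for share, params in conf.items():
        # Entries are separated by spaces or commas; quoted names may hold spaces.
        for token in re.findall(r'"[^"]*"|[^\s,]+', params.get("valid users", "")):
            entry = token.strip('"')
            name = entry.lstrip(GROUP_PREFIXES)
            if name != entry and "\\" not in name:
                findings.append((share, entry))
    return findings

# Constructed sample: the [sysadmins] share from the thread, before and after.
BEFORE = """
[global]
    security = ADS
    workgroup = CORP
[sysadmins]
    path = /tmp
    valid users = @gc_sysadmins
"""
AFTER = BEFORE.replace("@gc_sysadmins", "+CORP\\gc_sysadmins")

if __name__ == "__main__":
    print(unqualified_groups(BEFORE))
    print(unqualified_groups(AFTER))
```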