[Samba] valid users = +group doesn't work
Leonid Zeitlin
lz at csltd.com.ua
Thu Apr 17 10:52:35 GMT 2008
Hi Jerry,
Please see below.
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Leonid Zeitlin wrote:
>
>>> Is webdev in the local group mapping table ?
>>
>> If I understand your question correctly, initially it
>> wasn't. Then I did "net sam mapunixgroup webdev", but
>> this didn't seem to have any effect.
>
> Correct. That was my question. In 3.0.23 and later
> Samba converts the name to a SID internally and then
> compares for that SID in the user's NT token.
>
> See below for why this matters.
Got you on this one, thanks.
>>>> Interestingly, if I specify valid users = +DOMAIN\windows_group, it
>>>> works.
>>>>
>>>> Maybe I need to configure something? Can I have valid users accept UNIX
>>>> groups?
>>>
>>> yes. But there's some missing details in your original post.
>>> Sounds like your server is configured as a domain member server.
>>> is the user logging as a domain user ? Or a local user?
>>
>> I suppose as domain user. I am sitting at my Windows computer, logged in
>> to domain as DOMAIN\lz and connecting to a share at the Unix computer.
>> The user named "lz" also exists on the Unix computer. I was thinking
>> that Samba would map DOMAIN\lz the Windows user to lz the Unix user and
>> use this user's group membership.
>
> DOMAIN\lz has a different SID and token than the local
> user "lz". Therefore the search for the local group SID
> of "webdev" will not be found in the domain user's (DOMAIN\lz)
> token. You can view the user's complete list of SIDs in the NT
> token in a level 10 smbd debug log.
I see. I observe an interesting picture here. If I specify valid users =
+DOMAIN\windows_group, then I am able to access the share, and in this case
I see the following in the log:
[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_nt_user_token(454)
NT user token of user S-1-5-21-800801294-1190493330-1361462980-1010
contains 19 SIDs
SID[ 0]: S-1-5-21-800801294-1190493330-1361462980-1010
(... 18 more SIDs follow ... )
SE_PRIV 0x0 0x0 0x0 0x0
[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 500
Primary group is 500 and contains 0 supplementary groups
[2008/04/17 13:39:56, 5] smbd/uid.c:change_to_user(273)
change_to_user uid=(500,500) gid=(0,500)
The list of SIDs actually includes the SID to which the local group webdev
was mapped with "net sam mapunixgroup"! The only thing that is somewhat
strange here is "contains 0 supplementary groups", since my user actually
has a number of supplementary groups; however, so far so good. Now, if I
specify valid users = +webdev, I cannot access the share, and when I try the
log has something quite different:
[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_nt_user_token(448)
NT user token: (NULL)
[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2008/04/17 13:39:56, 5] smbd/uid.c:change_to_root_user(288)
change_to_root_user: now uid=(0,0) gid=(0,0)
Maybe I'm off base here, and this is normal, but this looks strange:
apparently Samba knows my user is a member of local webdev group, yet it
won't let me in based on this membership.
>>> The domain user will only get domain groups (and possible
>>> local nested groups from winbindd) unless you explicitly
>>> map the domain\user account to a specific local Unix account.
>>
>> I guess I am getting confused here. Are "local nested groups from
>> winbindd" the Unix local groups? If yes, this is what I need, but I'm
>> failing to grasp how to make them work.
>
> No. See the "winbind nested groups" option for more details on
> local nested groups. These are the equivalent of Windows NT
> 4.0 local machine groups.
I see. But it appears to me (correct me if I'm wrong) that if a local Unix
group is mapped with "net sam mapunixgroup", then it becomes a local nested
group and Samba could use it in "valid users" - but apparently it doesn't,
which confuses me.
BTW, I didn't mention this before, maybe it is relevant: I am using NIS on
the Samba machine. So, local user lz and group webdev are not in local
passwd and group files, but come from NIS. I don't expect it to make a
difference, but mentioning this just in case.
Thanks a lot,
Leonid
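As an added diagnostic example (not part of the thread or of Samba itself): a small parser for the debug_nt_user_token block quoted above, which tells you whether a given SID (e.g. the one "net sam mapunixgroup" assigned to webdev) is actually present in the user's NT token, and flags the "NT user token: (NULL)" case seen in the second log. The sample logs are constructed from the format in the post; the group SID ending in 3001 is a made-up placeholder.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the format of the smbd debug log quoted in the thread.
# The user SID is the one from the post; ...-3001 is a placeholder standing in
# for whatever SID "net sam mapunixgroup webdev" assigned.
SAMPLE_LOG = """\
[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_nt_user_token(454)
  NT user token of user S-1-5-21-800801294-1190493330-1361462980-1010
  contains 3 SIDs
  SID[  0]: S-1-5-21-800801294-1190493330-1361462980-1010
  SID[  1]: S-1-5-21-800801294-1190493330-1361462980-513
  SID[  2]: S-1-5-21-800801294-1190493330-1361462980-3001
  SE_PRIV 0x0 0x0 0x0 0x0
[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 500
"""
# Constructed sample of the failing case: smbd dumped no token at all.
NULL_LOG = """\
[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
"""

TOKEN_HDR = re.compile(r"NT user token of user (S-1-\d+(?:-\d+)+)")
TOKEN_NULL = re.compile(r"NT user token: \(NULL\)")
SID_LINE = re.compile(r"SID\[\s*\d+\]:\s*(S-1-\d+(?:-\d+)+)")

@dataclass
class NtToken:
    user_sid: Optional[str]
    sids: List[str] = field(default_factory=list)
    is_null: bool = False

def parse_nt_token(log: str) -> NtToken:
    """Return the first NT user token dumped in the log text.
    SID[n] lines are collected until the SE_PRIV line closes the list."""
    token = None
    for line in log.splitlines():
        if TOKEN_NULL.search(line):
            return NtToken(user_sid=None, is_null=True)
        hdr = TOKEN_HDR.search(line)
        if hdr:
            token = NtToken(user_sid=hdr.group(1))
            continue
        if token is None:
            continue
        sid = SID_LINE.search(line)
        if sid:
            token.sids.append(sid.group(1))
        elif "SE_PRIV" in line:
            break
    if token is None:
        raise ValueError("no debug_nt_user_token block found")
    return token

def token_has_sid(log: str, group_sid: str) -> bool:
    """True only if a non-NULL token was dumped and it carries group_sid."""
    token = parse_nt_token(log)
    return not token.is_null and group_sid in token.sids
```

Run it over a level 10 smbd log with the SID shown by "net groupmap list" for the mapped group; a False result with is_null set means access was refused before any token was built, not because the SID was missing.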