[Samba] Trouble with restricting access and ads

D G Teed donald.teed at gmail.com
Wed Jan 30 03:00:37 GMT 2008


We are migrating old FreeBSD machines to Redhat EL 5.

On FreeBSD, we have previously used "valid users =" with success.
"valid users" was never a group, but always a list of user names like:
valid users = david joe henry

Moving to Redhat Enterprise 5, I used the system authentication GUI
to set up Winbind and Kerberos and pam and nsswitch.conf.
We authenticate off AD, and do not make local Unix accounts for
the samba share users.

I discovered the old "valid users = " configuration from the FreeBSD
legacy smb.conf did not allow access, but simply "users = " and
a list of accounts worked OK.  I tested with my user
and it could read/write files on the share.  I thought I
was done, until I learned that any user authenticating in AD could
connect to the published shares!!!!

Here is my global section (beer used to protect the innocent):

[global]
        workgroup = BEER
        realm = BEERAD
        server string = Web Server
        security = ADS
        password server = adc1.ad.beer.ca
        idmap backend = rid:BEER=5000-100000000
        idmap uid = 5000-100000000
        idmap gid = 5000-100000000
        template shell = /bin/bash
        winbind use default domain = Yes
        winbind enum users = No
        winbind enum groups = No
;       winbind nested groups = Yes
        allow trusted domains = No
        log level = 3
        log file = /var/log/samba/%m.log
        max log size = 50
        dns proxy = No
        winbind use default domain = Yes
        encrypt passwords = yes

[www]
        comment = web
        path = /usr/local/www/www
        guest ok = no
        valid users = john todd greg alice
        users = john todd greg alice
        write list = john todd greg alice
        writable = yes
        force user = www
        force group = www

With the above set up, connection to www is not possible.

If I comment out the valid users line, then authentication works.

If I connect to \\beer\www as user donald, which authenticates OK,
I can read or write or delete files from the www share.

I've spent a full day going through various permutations to the puzzle
and cannot find a solution that only lets in the people I want to list.
I either get nothing working, or everyone in the domain can
connect and write!

Please shed some light on this if anyone can.

--Donald
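As an added example (not from the original post or from the Samba project), a small Python lint that parses an smb.conf fragment modelled on the one above and reports shares that every authenticated account can reach: a share with no `valid users` line, and a share relying on `users =`, which smb.conf(5) treats as a synonym of `username`, not as an access restriction. It also lists bare names in `valid users` that depend on winbind resolving them. The sample configuration is constructed.

```python
import re

# Constructed smb.conf fragment modelled on the post: no "valid users" line,
# only "users =" (a synonym of "username", which is not an access control).
SAMPLE_SMB_CONF = """
[global]
        security = ADS
;       winbind nested groups = Yes
[www]
        guest ok = no
        users = john todd greg alice
"""

def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}; keys are lower-cased with
    internal spaces removed, as Samba matches them; '#' and ';' start comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def audit_shares(conf):
    """Return {share: [findings]} for shares that do not restrict who may connect."""
    report = {}
    for share, p in conf.items():
        if share == "global":
            continue
        notes = []
        for alias in ("users", "user", "username"):
            if alias in p:
                notes.append(f"'{alias}' is a synonym for 'username', not an access restriction")
        if "validusers" not in p:
            notes.append("no 'valid users': share is open to every authenticated account")
        else:
            # Entries without a DOMAIN\ or DOMAIN+ prefix and without an @, + or &
            # group marker are bare user names that depend on winbind lookup.
            names = re.split(r"[\s,]+", p["validusers"].strip())
            bare = [n for n in names if not re.search(r"[\\+@&]", n)]
            if bare:
                notes.append("bare names in 'valid users' rely on winbind lookup: " + ", ".join(bare))
        if notes:
            report[share] = notes
    return report
```

Run it against `testparm -s` output to audit the effective configuration rather than the file as written.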

