[Samba] How to grant access to file shares by AD groups that have spaces in their name?
Jon Detert
jdetert at infinityhealthcare.com
Tue Jun 3 14:05:58 MDT 2014
Hi,
I have a Samba4 file server joined to a Samba4 domain.
I made a share for all members of the INFINITY domain 'Domain Users' group to access:

    [demoshare]
        comment = Test share
        path = /usr/local/samba/demoshare
        read only = no
        valid users = @"INFINITY+Domain Users"

but no group member can access it. Any ideas what is wrong?
It works if I change the group to one with no spaces in the name:

    [demoshare]
        comment = Test share
        path = /usr/local/samba/demoshare
        read only = no
        valid users = @INFINITY+jontest

When the group is specified as 'Domain Users', this is what smbclient says when trying to connect:

    $ smbclient -U INFINITY\\jdetert //mkejdev1/demoshare
    Password for [INFINITY\jdetert]:
    Connection to \\mkejdev1\demoshare failed - NT_STATUS_ACCESS_DENIED
    $

and this is what the samba log file (at log level 3) says for the IP that smbclient was run from:

    [2014/06/03 15:02:21.810055, 3] ../source3/smbd/process.c:1795(process_smb)
      Transaction 3 of length 96 (0 toread)
    [2014/06/03 15:02:21.810863, 3] ../source3/smbd/process.c:1398(switch_message)
      switch message SMBtconX (pid 15310) conn 0x0
    [2014/06/03 15:02:21.811941, 3] ../source3/lib/access.c:338(allow_access)
      Allowed connection from 192.168.168.99 (192.168.168.99)
    [2014/06/03 15:02:21.812679, 3] ../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
      string_to_sid: SID @INFINITY+Domain Users is not in a valid format
    [2014/06/03 15:02:21.823678, 3] ../source3/smbd/service.c:375(find_forced_group)
      Forced group Domain Users
    [2014/06/03 15:02:21.824421, 3] ../source3/smbd/service.c:612(make_connection_snum)
      Connect path is '/usr/local/samba/demoshare' for service [demoshare]
    [2014/06/03 15:02:21.825045, 3] ../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
      string_to_sid: SID @INFINITY+Domain Users is not in a valid format
    [2014/06/03 15:02:21.825997, 3] ../source3/smbd/error.c:82(error_packet_set)
      NT error packet at ../source3/smbd/reply.c(952) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
    [2014/06/03 15:02:21.835782, 3] ../source3/smbd/server_exit.c:212(exit_server_common)
      Server exit (failed to receive smb request)

Lastly, here's a snippet from the smb.conf global section that might be helpful:

    [global]
        workgroup = INFINITY
        server string = %h server (Samba, Ubuntu)
        security = ads
        realm = infinity.local
        domain master = no
        local master = no
        preferred master = no
        server role = member server
        netbios name = mkejdev1
        map to guest = bad user
        idmap config *:range = 70001-80000
        idmap config * : backend = tdb
        idmap config INFINITY : backend = rid
        idmap config INFINITY : range = 60000-70000
        winbind separator = +
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        winbind nested groups = yes
        winbind refresh tickets = yes
        winbind trusted domains only = no

Thanks,
Jon Detert