Valid users & SAMBA_3_0_23

Gerald (Jerry) Carter jerry at samba.org
Fri Aug 4 15:00:25 GMT 2006



Guys,

I've tested standalone servers with a very basic configuration:

[global]
        username map = /etc/samba/username.map
        read only = no

[test]
        path = /export/u1/tmp
        valid users = +ntadmin
        force user = lizard

The username map has a single line ("jerry = gcarter").
The ntadmin group consists of jerry & root.

Things seem to be ok.

I get access denied when connecting as lizard (same as 3.0.22)
but am accepted as both gcarter and jerry.

I've also tested a Samba DC (with ldapsam) and Samba member
servers in this domain.

However, the following configuration on a member server in
a Windows 2003 domain is failing.  I'm granted or denied
access as expected.  But the force user is picking up
lizard from the AD domain and not the local Unix user lizard.

[global]
        netbios name = OAK
        workgroup = COLOR
        REALM = COLOR.PLAINJOE.ORG
        security = ads
        winbind uid = 60000-120000
        winbind gid = 60000-120000
        ; winbind use default domain = Yes

[public]
        comment = Public Access share
        path = /export/u1/public
        valid users = +"COLOR\Domain Admins"
        force user = lizard

Adding a username map of

	lizard = COLOR\lizard

does not change the force user behavior.  If I remove the
force user and log in as COLOR\lizard though, any files created
are owned by the Unix user lizard which is expected.

It appears to be the same for "valid users".  The name
lizard will match either the local user lizard or the
domain user COLOR\lizard.  The token is created appropriately
however and permissions on created files are what is expected.

Since I am of the position that all domain accounts in
smb.conf should be fully qualified, I'd expect 'force user =
lizard' to resolve to the Unix SID and not domain SID.

I know this is subtle.  What are your thoughts here?




cheers, jerry
=====================================================================
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
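
A check that follows from the position stated in the message above (domain accounts in smb.conf should be fully qualified), as an added example that is not part of the original post or of Samba: it lists unqualified names in "valid users" and "force user" when the server is a domain member. The sample configuration is constructed from the one quoted in the message; `audit` and `split_names` are hypothetical helper names, and the parser assumes one parameter per line.

```python
import configparser
import shlex

# Constructed sample, cut down from the member-server configuration in the message.
SAMPLE = r"""
[global]
        workgroup = COLOR
        security = ads

[public]
        path = /export/u1/public
        valid users = +"COLOR\Domain Admins"
        force user = lizard
"""

CHECKED = ("valid users", "force user")   # the two parameters discussed in the message
PREFIXES = "+&@"                          # group-lookup prefixes allowed in user lists


def split_names(value):
    """Split a user list on spaces and commas, honouring double quotes."""
    lex = shlex.shlex(value, posix=True)
    lex.whitespace += ","
    lex.whitespace_split = True
    lex.escape = ""        # keep the backslash in DOMAIN\name literal
    lex.commenters = ""
    return list(lex)


def audit(text):
    """Return (section, parameter, name) for each unqualified name on a domain member."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    if cp.get("global", "security", fallback="user").lower() not in ("ads", "domain"):
        return []          # not a domain member: out of scope for this check
    sep = cp.get("global", "winbind separator", fallback="\\")
    findings = []
    for section in cp.sections():
        for param in CHECKED:
            for raw in split_names(cp.get(section, param, fallback="")):
                name = raw.lstrip(PREFIXES)
                if sep not in name:   # could be read as a local or a domain account
                    findings.append((section, param, name))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("unqualified name: [%s] %s = %s" % finding)
```
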

