Valid users & SAMBA_3_0_23

Gerald (Jerry) Carter jerry at
Fri Aug 4 15:00:25 GMT 2006


I've tested standalone servers with a very basic configuration:

        username map = /etc/samba/
        read only = no

        path = /export/u1/tmp
        valid users = +ntadmin
        force user = lizard

The username map has a single line ("jerry = gcarter").
The ntadmin group consists of jerry & root.

Things seem to be ok.

I get access denied when connecting as lizard (same as 3.0.22)
but am accepted as both gcarter and jerry.

I've also tested a Samba DC (with ldapsam) and Samba member
servers in this domain.

However, the following configuration on a member server in
a Windows 2003 domain is failing.  I'm granted or denied
access as expected.  But the force user is picking up
lizard from the AD domain and not the local Unix user lizard.

        netbios name = OAK
        workgroup = COLOR
        security = ads
        winbind uid = 60000-120000
        winbind gid = 60000-120000
        ; winbind use default domain = Yes

        comment = Public Access share
        path = /export/u1/public
        valid users = +"COLOR\Domain Admins"
        force user = lizard

Adding a username map of

	lizard = COLOR\lizard

does not change the force user behavior.  If I remove the
force user and log in as COLOR\lizard though, any files created
are owned by the Unix user lizard which is expected.

It appears to be the same for "valid users".  The name
lizard will match either the local user lizard or the
domain user COLOR\lizard.  The token is created appropriately
however and permissions on created files are what is expected.

Since I am of the position that all domain accounts in
smb.conf should be fully qualified, I'd expect 'force user =
lizard' to resolve to the Unix SID and not domain SID.

I know this is subtle.  What are your thoughts here?

cheers, jerry
Samba                                    -------
Centeris                         -----------
"What man is a man who does not make the world better?"      --Balian
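The following is an added example, not part of the original message and not Samba code: a small Python check that lists unqualified names in user and group parameters when `security` is `ads` or `domain`, which is where the local-versus-domain ambiguity described in the message arises. The section headers in the sample and the default `\` winbind separator are assumptions.

```python
import re

# Parameters whose values are user or group names (all real smb.conf options).
NAME_PARAMS = {"valid users", "invalid users", "force user", "force group",
               "read list", "write list", "admin users"}

# Constructed sample based on the member-server settings quoted in the message;
# the [global] and [public] section headers are assumed.
SAMPLE = r'''
[global]
        workgroup = COLOR
        security = ads
[public]
        path = /export/u1/public
        valid users = +"COLOR\Domain Admins"
        force user = lizard
'''

def parse_smb_conf(text):
    """Return {section: {param: value}}; params before any header go to 'global'."""
    conf, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf.setdefault(section, {})[" ".join(key.lower().split())] = value.strip()
    return conf

def split_names(value):
    """Split a name list on commas and whitespace, keeping "quoted names" whole."""
    return [q or b for q, b in re.findall(r'([+@&]*"[^"]*")|([^\s,]+)', value)]

def unqualified_names(text):
    """On a domain member, list (section, param, name) entries with no DOMAIN prefix."""
    conf = parse_smb_conf(text)
    if conf.get("global", {}).get("security", "").lower() not in ("ads", "domain"):
        return []  # not a domain member: no domain account to collide with
    findings = []
    for section, params in conf.items():
        for param in NAME_PARAMS & params.keys():
            for name in split_names(params[param]):
                bare = name.lstrip("+@&").strip('"')
                if "\\" not in bare:  # assumes the default winbind separator
                    findings.append((section, param, bare))
    return sorted(findings)
```

Calling `unqualified_names(SAMPLE)` reports the `force user = lizard` entry, while the fully qualified `valid users` group is not reported.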

