Valid users & SAMBA_3_0_23
Gerald (Jerry) Carter
jerry at samba.org
Fri Aug 4 15:00:25 GMT 2006
I've tested standalone servers with a very basic configuration:
    username map = /etc/samba/username.map
    read only = no
    path = /export/u1/tmp
    valid users = +ntadmin
    force user = lizard
The username map has a single line ("jerry = gcarter").
The ntadmin group consists of jerry & root.
Things seem to be ok.
I get access denied when connecting as lizard (same as 3.0.22)
but am accepted as both gcarter and jerry.
I've also tested a Samba DC (with ldapsam) and Samba member
servers in this domain.
However, the following configuration on a member server in
a Windows 2003 domain is failing. I'm granted or denied
access as expected. But the force user is picking up
lizard from the AD domain and not the local Unix user lizard.
    netbios name = OAK
    workgroup = COLOR
    REALM = COLOR.PLAINJOE.ORG
    security = ads
    winbind uid = 60000-120000
    winbind gid = 60000-120000
    ; winbind use default domain = Yes
    comment = Public Access share
    path = /export/u1/public
    valid users = +"COLOR\Domain Admins"
    force user = lizard
Adding a username map of
    lizard = COLOR\lizard
does not change the force user behavior. If I remove the
force user and log in as COLOR\lizard though, any files created
are owned by the Unix user lizard which is expected.
It appears to be the same for "valid users". The name
lizard will match either the local user lizard or the
domain user COLOR\lizard. The token is created appropriately
however and permissions on created files are what is expected.
Since I am of the position that all domain accounts in
smb.conf should be fully qualified, I'd expect 'force user =
lizard' to resolve to the Unix SID and not domain SID.
I know this is subtle. What are your thoughts here?
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
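Added example, not part of the original message and not Samba code: a small audit that flags unqualified names in "valid users" and "force user" when the server is a domain member, the case where the post reports a bare name matching either the local or the domain account. The section names [global] and [public], the function names, and the backslash winbind separator are assumptions.

```python
import re

# Parameters from the post whose values are user or group names.
NAME_PARAMS = {"valid users", "force user"}
# Modes in which the server is a domain member and a bare name is ambiguous.
MEMBER_MODES = {"ads", "domain"}
TOKEN = re.compile(r'[+&@]*"[^"]*"|[^\s,]+')  # keeps quoted names whole

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, spaces normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def unqualified_names(text, separator="\\"):
    """List (section, param, name) for names lacking a DOMAIN<separator> prefix."""
    conf = parse_smb_conf(text)
    if conf.get("global", {}).get("security", "").lower() not in MEMBER_MODES:
        return []  # not a domain member: out of scope for this check
    findings = []
    for section, params in conf.items():
        for param in params.keys() & NAME_PARAMS:
            for token in TOKEN.findall(params[param]):
                name = token.lstrip("+&@").strip('"')  # drop group prefix, quotes
                if separator not in name:
                    findings.append((section, param, name))
    return sorted(findings)

# Constructed sample based on the member-server settings quoted in the post;
# the section names are assumed, since the post does not show them.
SAMPLE = r'''
[global]
security = ads
[public]
valid users = +"COLOR\Domain Admins"
force user = lizard
'''

if __name__ == "__main__":
    print(unqualified_names(SAMPLE))
```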