"valid users = domain_user" without specifying domain

Johann Hanne jhml at gmx.net
Sun Apr 29 11:40:32 GMT 2007


Hi,

I've got a long-time configuration wish where I was never sure if it's 
actually doable. Maybe somebody can give me a hint...

My Samba configuration is rather simple: It's a Windows ADS domain member with 
a www share that's mainly accessed by Windows users:
--
[global]

netbios name = MYSERVER
workgroup = MYDOMAIN
realm = MYDOMAIN.DE
security = ADS

idmap domains = MYDOMAIN

idmap config MYDOMAIN:default = yes
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:range = 500 - 999
idmap config MYDOMAIN:schema_mode = rfc2307

winbind uid = 500 - 999
winbind gid = 500 - 999
winbind use default domain = yes
--

So far, everything is working fine, but the share configuration is not how I'd 
like:
--
[www]
  comment = Web
  path = /var/www
  valid users = MYDOMAIN/user1 MYDOMAIN/user2 MYDOMAIN/user3
  ; does NOT work:
  ;valid users = user1 user2 user3
  ; what I'd like to put in is:
  ;valid users = +apache
--

My problem is that I have to specify the domain ("MYDOMAIN/") in front of each 
user, otherwise it won't work (Permission denied). It's not that I hate the 
extra typing in front of each user, it's that I already have a Unix group 
in /etc/group listing the authorized users:
--
apache::81:user1,user2,user3
--
So actually I'd like to use "valid users = +apache" in smb.conf, but this does 
not work either, probably because it's also missing the domain name 
information.

I also don't want to make apache a domain group, as I want to keep it separate 
on each web server.

Shouldn't this be a configuration that works? user1, user2 and user3 are 
actually winbind/nss mapped users, so why do I have to specify the domain 
name here?

If somebody can give me a hint which part in the source code must be modified, 
I'd also give it a try myself...

Cheers, Johann
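
One way to keep the share's access list tied to the local apache group while still using the MYDOMAIN/user form that the message reports as working. This is an added example, not part of the original post and not Samba code; the helper names group_members and valid_users_line are hypothetical, and the "/" separator is taken from the smb.conf excerpt above. It refuses to emit a line for an empty group, because an empty valid users list lets any user connect.

```python
# Added example, not from the original post. Sample data is constructed
# from the /etc/group line and smb.conf values quoted in the message.
SAMPLE_GROUP = "apache::81:user1,user2,user3\nempty::82:\n"

GROUP_PREFIXES = ("+", "&", "@")  # smb.conf treats these as group markers


def group_members(group_text, group_name):
    """Return the member list of group_name from /etc/group-format text."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4:
            continue  # blank or malformed line
        name, _passwd, _gid, members = fields
        if name == group_name:
            return [m.strip() for m in members.split(",") if m.strip()]
    raise KeyError(f"group {group_name!r} not found")


def valid_users_line(group_text, group_name, domain, sep="/"):
    """Build a 'valid users' line with every member prefixed by the domain."""
    members = group_members(group_text, group_name)
    if not members:
        # An empty 'valid users' list means any user may connect, so refuse.
        raise ValueError(f"group {group_name!r} has no members")
    qualified = []
    for user in members:
        if user.startswith(GROUP_PREFIXES) or any(c.isspace() for c in user):
            raise ValueError(f"unsafe member name {user!r}")
        # Leave names that already carry a domain untouched.
        qualified.append(user if sep in user else f"{domain}{sep}{user}")
    return "valid users = " + " ".join(qualified)


if __name__ == "__main__":
    print(valid_users_line(SAMPLE_GROUP, "apache", "MYDOMAIN"))
```

The generated line can be written to a file pulled into the [www] section with smb.conf's include directive, and regenerated whenever the local group changes.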

