"valid users = domain_user" without specifying domain

Gerald (Jerry) Carter jerry at samba.org
Sun Apr 29 22:37:49 GMT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Johann Hanne wrote:
> Hi,
> 
> I've got a long time configuration wish where I was never sure if it's 
> actually doable. Maybe somebody can give me some hint...
> 
> My samba configuration is rather simple: It's a Windows ADS domain member with 
> a www share that's mainly accessed by Windows users:
> ---
> [global]
> 
> netbios name = MYSERVER
> workgroup = MYDOMAIN
> realm = MYDOMAIN.DE
> security = ADS
> 
> idmap domains = MYDOMAIN
> 
> idmap config MYDOMAIN:default = yes
> idmap config MYDOMAIN:backend = ad
> idmap config MYDOMAIN:range = 500 - 999
> idmap config MYDOMAIN:schema_mode = rfc2307
> 
> winbind uid = 500 - 999
> winbind gid = 500 - 999
> winbind use default domain = yes
> --
> 
> So far, everything is working fine, but the share configuration is not how I'd 
> like:
> --
> [www]
>   comment = Web
>   path = /var/www
>   valid users = MYDOMAIN/user1 MYDOMAIN/user2 MYDOMAIN/user3
>   ; does NOT work:
>   ;valid users = user1 user2 user3
>   ; what I'd like to put in is:
>   ;valid users = +apache
> --
> 
> My problem is that I have to specify the domain ("MYDOMAIN/") 
> in front of each  user, otherwise it won't work (Permission denied).

I'm pretty sure this behavior is described in the release notes for
the 3.0.23 release series.  It is by deisgn.  DOMAION\group1 and
(local) group1 have different SIDs.

> Shouldn't this be a configuration that works? user1, 
> user2 and user3 are actually winbind/nss mapped users, so why
> do I have to specify the domain name here?

Just make MACHINE\Apache and add domain users to that.







cheers, jerry
=====================================================================
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGNR49IR7qMdg1EfYRAn7CAJ47Y4Y57NSnN2CTZcDOon5r75M2ZQCfWy0j
5vAjUdqFfAcuY08+dvFYlsM=
=X6Rg
-----END PGP SIGNATURE-----


More information about the samba-technical mailing list