"valid users = domain_user" without specifying domain
Johann Hanne
jhml at gmx.net
Mon Apr 30 11:11:34 GMT 2007
On Monday 30 April 2007 00:37, Gerald (Jerry) Carter wrote:
> Johann Hanne wrote:
> > Hi,
> >
> > I've got a long time configuration wish where I was never sure if it's
> > actually doable. Maybe somebody can give me some hint...
> >
> > My samba configuration is rather simple: It's a Windows ADS domain member
> > with a www share that's mainly accessed by Windows users:
> > ---
> > [global]
> >
> > netbios name = MYSERVER
> > workgroup = MYDOMAIN
> > realm = MYDOMAIN.DE
> > security = ADS
> >
> > idmap domains = MYDOMAIN
> >
> > idmap config MYDOMAIN:default = yes
> > idmap config MYDOMAIN:backend = ad
> > idmap config MYDOMAIN:range = 500 - 999
> > idmap config MYDOMAIN:schema_mode = rfc2307
> >
> > winbind uid = 500 - 999
> > winbind gid = 500 - 999
> > winbind use default domain = yes
> > --
> >
> > So far, everything is working fine, but the share configuration is not
> > how I'd like:
> > --
> > [www]
> > comment = Web
> > path = /var/www
> > valid users = MYDOMAIN/user1 MYDOMAIN/user2 MYDOMAIN/user3
> > ; does NOT work:
> > ;valid users = user1 user2 user3
> > ; what I'd like to put in is:
> > ;valid users = +apache
> > --
> >
> > My problem is that I have to specify the domain ("MYDOMAIN/")
> > in front of each user, otherwise it won't work (Permission denied).
>
> I'm pretty sure this behavior is described in the release notes for
> the 3.0.23 release series. It is by design. DOMAIN\group1 and
> (local) group1 have different SIDs.
Yes, I've read the release notes, but maybe I'm misunderstanding something. I
thought that "valid users = +apache" is the same as "valid users =
+MACHINE\apache" and that MACHINE is the literal string "MACHINE"?
> > Shouldn't this be a configuration that works? user1,
> > user2 and user3 are actually winbind/nss mapped users, so why
> > do I have to specify the domain name here?
>
> Just make MACHINE\Apache and add domain users to that.
I really tried everything I could think of. And I've also added all possible
combinations (even those which don't make sense to me); currently I have:
/etc/group:
--
apache::81:user1,MYDOMAIN\user1
MYSERVER\apache::82:user1,MYDOMAIN\user1
MACHINE\apache::83:user1,MYDOMAIN\user1
--
smb.conf share configuration:
--
[www]
comment = Web
path = /var/www
valid users = +MACHINE\apache +MYSERVER\apache +apache
--
And I still get permission denied for user1. A debug level 100 log looks like
this:
--
...
Processing section "[www]"
...
doing parameter valid users = +MACHINE\apache +INTRANET02\apache +apache
...
making a connection to 'normal' service www
string_to_sid: Sid +MACHINE\apache does not start with 'S-'.
lookup_name: MACHINE\apache => MACHINE (domain), apache (name)
map_name_to_wellknown_sid: looking up apache
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
NT user token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
string_to_sid: Sid +MYSERVER\apache does not start with 'S-'.
lookup_name: MYSERVER\apache => MYSERVER (domain), apache (name)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
NT user token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
lookup_name MYSERVER\apache failed
string_to_sid: Sid +apache does not start with 'S-'.
lookup_name: MYSERVER\apache => MYSERVER (domain), apache (name)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
NT user token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
lookup_name: Unix Group\apache => Unix Group (domain), apache (name)
User MYDOMAIN\user1 not in 'valid users'
user 'MYDOMAIN\user1' (from session setup) not permitted to access this share
(www)
--
So what's wrong with my configuration?
Cheers, Johann
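As an added example (not part of the thread, and not Samba's own code), the small audit script below parses the `valid users` line of a share and flags entries that carry no domain prefix, which is exactly the kind of entry the debug log above shows failing through `lookup_name`. It assumes the `+`, `&` and `@` group prefixes and both `\` and `/` as domain separators; the smb.conf fragment and log excerpt are constructed samples modelled on the ones in this message.

```python
"""Audit 'valid users' entries in an smb.conf share and correlate them with
name-lookup failures in a Samba debug log (constructed sample data)."""
import re

# Constructed share section, modelled on the [www] share from the thread.
SMB_CONF = """
[www]
comment = Web
path = /var/www
valid users = MYDOMAIN/user1 MYDOMAIN\\user2 +apache +MYSERVER\\apache &MYDOMAIN\\webgroup
"""

# Constructed debug-log excerpt with the failure lines seen at debug level 100.
DEBUG_LOG = """
lookup_name: MYSERVER\\apache => MYSERVER (domain), apache (name)
lookup_name MYSERVER\\apache failed
lookup_name: Unix Group\\apache => Unix Group (domain), apache (name)
User MYDOMAIN\\user1 not in 'valid users'
"""

def parse_valid_users(conf, share):
    """Return the whitespace-separated tokens of the share's 'valid users' line."""
    in_share = False
    for line in conf.splitlines():
        s = line.strip()
        if s.startswith('[') and s.endswith(']'):
            in_share = (s[1:-1] == share)
            continue
        if in_share and re.match(r'valid users\s*=', s):
            return s.split('=', 1)[1].split()
    return []

def classify(token):
    """Split one token into (kind, domain, name); '+', '&' or '@' marks a group
    (assumed prefix set), '\\' or '/' separates DOMAIN from the name."""
    kind = 'user'
    if token[0] in '+&@':
        kind = 'group'
        token = token.lstrip('+&@')
    if '\\' in token or '/' in token:
        domain, name = re.split(r'[\\/]', token, maxsplit=1)
    else:
        domain, name = None, token
    return kind, domain, name

def unqualified_entries(conf, share):
    """Entries without a domain prefix: on an ADS member these are resolved in the
    local machine / Unix namespace, not as the DOMAIN\\user the session token carries."""
    return [t for t in parse_valid_users(conf, share) if classify(t)[1] is None]

def failed_lookups(log):
    """Names the log shows lookup_name failing on, and users rejected from the share."""
    failed = re.findall(r'^lookup_name (\S+) failed', log, re.M)
    rejected = re.findall(r"^User (\S+) not in 'valid users'", log, re.M)
    return failed, rejected
```

Running `unqualified_entries(SMB_CONF, 'www')` on the sample returns only `+apache`, the same entry whose lookup the log excerpt shows falling back to the `Unix Group` namespace.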