"valid users = domain_user" without specifying domain

Johann Hanne jhml at gmx.net
Mon Apr 30 11:11:34 GMT 2007


On Monday 30 April 2007 00:37, Gerald (Jerry) Carter wrote:
> Johann Hanne wrote:
> > Hi,
> >
> > I've got a long time configuration wish where I was never sure if it's
> > actually doable. Maybe somebody can give me some hint...
> >
> > My samba configuration is rather simple: It's a Windows ADS domain member
> > with a www share that's mainly accessed by Windows users:
> > ---
> > [global]
> >
> > netbios name = MYSERVER
> > workgroup = MYDOMAIN
> > realm = MYDOMAIN.DE
> > security = ADS
> >
> > idmap domains = MYDOMAIN
> >
> > idmap config MYDOMAIN:default = yes
> > idmap config MYDOMAIN:backend = ad
> > idmap config MYDOMAIN:range = 500 - 999
> > idmap config MYDOMAIN:schema_mode = rfc2307
> >
> > winbind uid = 500 - 999
> > winbind gid = 500 - 999
> > winbind use default domain = yes
> > --
> >
> > So far, everything is working fine, but the share configuration is not
> > how I'd like:
> > --
> > [www]
> >   comment = Web
> >   path = /var/www
> >   valid users = MYDOMAIN/user1 MYDOMAIN/user2 MYDOMAIN/user3
> >   ; does NOT work:
> >   ;valid users = user1 user2 user3
> >   ; what I'd like to put in is:
> >   ;valid users = +apache
> > --
> >
> > My problem is that I have to specify the domain ("MYDOMAIN/")
> > in front of each user, otherwise it won't work (Permission denied).
>
> I'm pretty sure this behavior is described in the release notes for
> the 3.0.23 release series.  It is by design.  DOMAIN\group1 and
> (local) group1 have different SIDs.
Yes, I've read the release notes, but maybe I'm misunderstanding something. I 
thought that "valid users = +apache" is the same as "valid users = 
+MACHINE\apache" and that MACHINE is the literal string "MACHINE"?

> > Shouldn't this be a configuration that works? user1,
> > user2 and user3 are actually winbind/nss mapped users, so why
> > do I have to specify the domain name here?
>
> Just make MACHINE\Apache and add domain users to that.
I really tried everything I could think of. And I've also added all possible 
combinations (even those which don't make sense to me); currently I have:

/etc/group:
--
apache::81:user1,MYDOMAIN\user1
MYSERVER\apache::82:user1,MYDOMAIN\user1
MACHINE\apache::83:user1,MYDOMAIN\user1
--

smb.conf share configuration:
--
[www]
  comment = Web
  path = /var/www
  valid users = +MACHINE\apache +MYSERVER\apache +apache
--

And I still get permission denied for user1. A debug level 100 log looks like 
this:
--
...
Processing section "[www]"
...
doing parameter valid users = +MACHINE\apache +INTRANET02\apache +apache
...
making a connection to 'normal' service www

string_to_sid: Sid +MACHINE\apache does not start with 'S-'.
lookup_name: MACHINE\apache => MACHINE (domain), apache (name)
map_name_to_wellknown_sid: looking up apache
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
NT user token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0

string_to_sid: Sid +MYSERVER\apache does not start with 'S-'.
lookup_name: MYSERVER\apache => MYSERVER (domain), apache (name)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
NT user token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
lookup_name MYSERVER\apache failed

string_to_sid: Sid +apache does not start with 'S-'.
lookup_name: MYSERVER\apache => MYSERVER (domain), apache (name)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
NT user token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
lookup_name: Unix Group\apache => Unix Group (domain), apache (name)

User MYDOMAIN\user1 not in 'valid users'
user 'MYDOMAIN\user1' (from session setup) not permitted to access this share 
(www)
--

So what's wrong with my configuration?

Cheers, Johann
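As an added diagnostic (not Samba's own code and not from the thread), the script below walks a level-100 log like the one quoted above and reports, for each `valid users` token, how lookup_name split it into domain and name, whether the lookup failed, and which user was finally denied. The log excerpt embedded in it is constructed from the lines quoted in the mail.

```python
"""Summarise Samba 'valid users' lookups from a debug log (added example)."""
import re

# Constructed excerpt mirroring the level-100 log quoted in the mail.
SAMPLE_LOG = """\
doing parameter valid users = +MACHINE\\apache +INTRANET02\\apache +apache
string_to_sid: Sid +MACHINE\\apache does not start with 'S-'.
lookup_name: MACHINE\\apache => MACHINE (domain), apache (name)
map_name_to_wellknown_sid: looking up apache
string_to_sid: Sid +MYSERVER\\apache does not start with 'S-'.
lookup_name: MYSERVER\\apache => MYSERVER (domain), apache (name)
lookup_name MYSERVER\\apache failed
string_to_sid: Sid +apache does not start with 'S-'.
lookup_name: MYSERVER\\apache => MYSERVER (domain), apache (name)
lookup_name: Unix Group\\apache => Unix Group (domain), apache (name)
User MYDOMAIN\\user1 not in 'valid users'
"""

# Each 'valid users' token that is not a SID first appears in a string_to_sid line.
TOKEN_RE = re.compile(r"^string_to_sid: Sid (\S+) does not start with 'S-'")
SPLIT_RE = re.compile(r"^lookup_name: (.+?) => (.+?) \(domain\), (.+?) \(name\)")
FAIL_RE = re.compile(r"^lookup_name (\S+) failed")
DENY_RE = re.compile(r"^User (\S+) not in 'valid users'")


def analyse(log):
    """Group the lookup_name lines under the token that triggered them.

    Returns (entries, denied_user); each entry records the token, the
    (domain, name) splits Samba tried for it, and whether a lookup failed."""
    entries, denied, current = [], None, None
    for line in log.splitlines():
        if m := TOKEN_RE.match(line):
            current = {"token": m.group(1), "lookups": [], "failed": False}
            entries.append(current)
        elif (m := SPLIT_RE.match(line)) and current:
            current["lookups"].append((m.group(2), m.group(3)))
        elif FAIL_RE.match(line) and current:
            current["failed"] = True
        elif m := DENY_RE.match(line):
            denied = m.group(1)
    return entries, denied


def report(log):
    """Render one line per token plus the final access decision."""
    entries, denied = analyse(log)
    lines = []
    for e in entries:
        tried = "; ".join(f"domain '{d}', name '{n}'" for d, n in e["lookups"])
        status = "FAILED" if e["failed"] else "resolved as"
        lines.append(f"{e['token']}: {status} {tried}")
    if denied:
        lines.append(f"access denied for {denied}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```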

