"valid users = domain_user" without specifying domain

Johann Hanne jhml at gmx.net
Thu May 3 19:00:59 GMT 2007


On Thursday 03 May 2007 15:08, you wrote:
> On Mon, 2007-04-30 at 13:11 +0200, Johann Hanne wrote:
> > > I'm pretty sure this behavior is described in the release notes for
> > > the 3.0.23 release series.  It is by design.  DOMAIN\group1 and
> > > (local) group1 have different SIDs.
> >
> > Yes, I've read the release notes, but maybe I'm misunderstanding
> > something. I thought that "valid users = +apache" is the same as "valid
> > users = +MACHINE\apache" and that MACHINE is the literal string
> > "MACHINE"?
>
> No, MACHINE is the name of your machine (NetBIOS name), and MACHINE
> +apache refers to a mapped group you can create (mapped to the local
> apache).
>
> > > > Shouldn't this be a configuration that works? user1,
> > > > user2 and user3 are actually winbind/nss mapped users, so why
> > > > do I have to specify the domain name here?
> > >
> > > Just make MACHINE\Apache and add domain users to that.
> >
> > I really tried everything I could think of. And I've also added all
> > possible combinations (even those which don't make sense to me),
> > currently I have:
>
> just map a local group to apache and it should just work.
I tried:
--
# net groupmap add unixgroup=apache type=local
No rid or sid specified, choosing a RID
Got RID 1163
Successfully added group apache to the mapping db as a alias (local) group
# net groupmap list
apache (S-1-5-21-3048374563-2127316528-2660899232-1163) -> apache
# net sam list localgroups
apache
# net sam listmem apache
MYSERVER\apache has 0 members
--
(It works if I add MYDOMAIN\user1 with "net sam addmem", but this is not what 
I want - I'd like to maintain 1 group only...)

/etc/group has:
--
apache::81:user1
--

smb.conf has:
--
[www]
  comment = Web
  path = /var/www
  valid users = +apache
--

smbd -i -S -d 100
--
...
enum_group_mapping: returning group apache of type Local Group
...
making a connection to 'normal' service www
string_to_sid: Sid +apache does not start with 'S-'.
lookup_name: MYSERVER\apache => MYSERVER (domain), apache (name)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
NT user token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
tdb_unpack(ddff, 32) -> 32
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
User MYDOMAIN\user1 not in 'valid users'
...
--

Am I still missing something?? I really can't find anything related in the 
HOWTOs...

Thanks for your help!

Cheers, Johann

