username map behavior
Levi Ruiz
lruiz at pnicorp.com
Tue Oct 16 13:09:02 GMT 2001
Well, I tried adding "Domain Admins" to the /home/profiles dir and no
effect. I tried adding Domain Admins into the ACL for the share through
Windows 2000 and it just said "Access Denied" and gave me this error in the
log:
getgrname_from_group(): could not get domain sid for domain
[2001/10/16 10:27:30, 0] nsswitch/winbindd_user.c:winbindd_getpwnam_from_user(122)
I can't think of anything else to try.
Also, what is the deal with that error?
-----Original Message-----
From: Christian Barth [mailto:barth at cck.uni-kl.de]
Sent: Tuesday, October 16, 2001 10:07 AM
To: 'samba at lists.samba.org'; Levi Ruiz
Subject: Re: username map behavior
>
> Is there a way in samba 2.2.2-pre (SAMBA_2_2 latest CVS) to grant a user
> privileges as another user instead of just remapping the user to another
> user? I set the "username map = /etc/samba/user.map" configuration option
> and added:
>
> root = "DOMAIN+@Domain Admins"
>
> to the user.map file but whenever I create a file it is owned by root
> instead of my username...is there any way around this? I would like to
> grant Domain Admins privileged access to the samba shares but still be able
> to make new files and folders as their own account.

This is going to be hard. The user name map maps the userid given
from the client to the userid used by samba on the server. And this is
one userid per smbd. This means: if you map your domain admins to
root, their smbd runs as root and files are created as root.

What kind of privileges do you want to give them? Access to certain
files / shares? Then you should be fine with putting all admins into
a group (or mapping a domain group to a unix group (?)) and giving this
group file access privileges on the samba server. If the standard
unix rights scheme doesn't fit your needs, ACLs are your friend. If
it's for shares you can use "valid users = @group" in smb.conf.

Christian
>
> I am using Red Hat 7.1 with kernel 2.4.9 with the ACL patch version 0.7.16.
> I am using winbindd to enumerate users and groups from the PDC which is
> running NT4 SP6a with all current security patches. My workstation I am
> doing my testing from is Windows 2000 SP2 also with all current security
> patches.
>
> Please send any responses directly to my e-mail as I am not currently
> subscribed to the list.
>
> Thank you
>
> <begin smb.conf>
>
> [global]
> winbind separator = +
> winbind enum users = yes
> winbind enum groups = yes
> winbind cache time = 10
> template shell = /bin/bash
> template homedir = /home/profiles/%U
> winbind uid = 10000-20000
> winbind gid = 10000-20000
> workgroup = DOMAIN
> server string = Network Storage
> security = DOMAIN
> encrypt passwords = Yes
> password server = *
> domain logons = no
> local master = no
> domain master = no
> preferred master = no
> log file = /var/log/samba/%m.log
> max log size = 0
> name resolve order = wins lmhosts bcast
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> load printers = No
> dns proxy = No
> wins server = 10.1.1.5
> remote announce = 10.1.1.255
> remote browse sync = 10.1.1.2
> hosts allow = 10.1.1. 127.
> printing = lprng
> add user script = /usr/sbin/useradd -g domain -d /home/samba -s /dev/null -c %u %u
> delete user script = /usr/sbin/userdel %u
> username map = /etc/samba/users.map
>
> [public]
> comment = Public Stuff
> path = /home/samba
> writeable = Yes
> guest ok = No
> createmode = 740
> directory mode = 740
>
> [public2]
> comment = Test share
> path = /usr/local/src
> writeable = Yes
> guest ok = No
>
> [profiles]
> comment = User Profiles
> path = /home/profiles
> create mask =0600
> directory mask = 0700
> ; restrict acl with mask = yes
> force directory mode = 0700
> force create mode = 0600
> restrict acl with mask = yes
> map hidden = yes
> map system = yes
> writeable = Yes
> guest ok = No
>
> [archives]
> comment = Archives
> path = /home/archives
> writeable = Yes
> guest ok = No
>
> [forms]
> comment = Forms
> path = /home/forms
> writeable = Yes
> guest ok = No
>
> [Test]
> comment = Test
> path = /tmp
> writeable = Yes
> guest ok = No
>
> <end smb.conf>
>
> .·°·»---------------------------------------------------------«·°·.
> -If everyone throws in their two cents worth, -
> -but its a penny for your thoughts...who keeps the profit?-
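
An added example, not part of the original thread or of Samba's code: a small audit of a username map file that flags every client name remapped to root, the case Christian describes in which smbd runs as root and new files are owned by root instead of the real user. The sample map is constructed, and the `PRIVILEGED` set and the function names are assumptions.

```python
import re

# Constructed sample: the first entry is modelled on the map line quoted in
# the thread; the other two are ordinary entries for contrast.
SAMPLE_MAP = '''\
# unix name = client name(s)
root = admin "DOMAIN+@Domain Admins"
!backup = DOMAIN+svc_backup
guest = *
'''

PRIVILEGED = {"root"}  # assumption: add any other uid-0 account names here
TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # quoted names may contain spaces


def parse_username_map(text):
    """Return [(unix_user, [client names], stop_flag)] for each map entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank line, comment, or not a mapping
        unix, _, clients = line.partition("=")
        unix = unix.strip()
        stop = unix.startswith("!")  # '!' stops map processing after a match
        names = [quoted or bare for quoted, bare in TOKEN.findall(clients)]
        entries.append((unix.lstrip("!").strip(), names, stop))
    return entries


def audit(text):
    """List (unix_user, client_name, kind) for names mapped to a privileged account."""
    findings = []
    for unix, names, _ in parse_username_map(text):
        if unix not in PRIVILEGED:
            continue
        for name in names:
            # '@' marks a group; matched anywhere so a domain-prefixed form counts
            kind = "wildcard" if name == "*" else "group" if "@" in name else "user"
            findings.append((unix, name, kind))
    return findings


if __name__ == "__main__":
    for unix, name, kind in audit(SAMPLE_MAP):
        print(f"{kind} '{name}' is remapped to '{unix}': files will be owned by {unix}")
```

Entries it reports are candidates for replacing with group-based access, such as the `valid users = @group` setting suggested in the reply.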