[Samba] Bug in "force group" parameter, or group membership checking?

Wim Bakker koreander at planet.nl
Sat Apr 17 18:21:50 GMT 2004

I have the following situation:
Samba with ldap passdb backend.
In my setup I have a group called exact:
dn: cn=exact,ou=Groups,dc=ahm,dc=nl
objectClass: posixGroup,sambaGroupMapping
cn: exact
gidNumber: 1000
sambaSID: S-1-5-21-4269728302-1655870493-3894479995-3001
sambaGroupType: 4
memberUid: gerrit,piet,hornie
maps to the unix group exact:
exact (S-1-5-21-4269728302-1655870493-3894479995-3001) -> exact


Users gerrit, piet and hornie can't use the share exact unless I specify
the parameter "force group = exact" (smb.conf entry):
        path = /shares/exact
        browseable = no
        read only = no
        force group = exact

If I don't specify force group = exact, apparently the authorized users
(gerrit, piet and hornie) connect as members of their default group,
being "Domain Users", and they aren't allowed anything on the share.
Permissions on this share exact:
# file: shares/exact
# owner: root
# group: exact

So I take it that there is no checking whether a user that tries to
connect to a share is, besides the default group the user connects
with, also a member of the group that is authorized to connect to
that share, in this case the group exact, so I have to set
force group = exact, so that a user that connects to that share
connects with default group exact, and is allowed to access the
share and do its thing. But apparently there is no checking whether
that user is actually a member of that group, because when I connect
as a completely different user, not listed at all in the group exact as a
member, I get full access also. Now I add the parameter:
valid users = @exact

to that entry in the smb.conf, but then not one user can connect anymore,
also not the users that are listed in the group parameters as being members
of that group.

Where is it going wrong?
When I make exact the default group of the users that are allowed to access
the share exact, there is no problem; then they are recognized as being
members of the group exact and get access. When exact is not their default
group, but just one of the groups they are also a member of, there is no
way to grant them access without granting everyone


Wim bakker
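
Added example, not part of the original post: a small Python audit that flags smb.conf shares where "force group" is applied unconditionally and no "valid users" line limits who may connect, which is the state the post describes where any connecting user gets the group's access. The sample configuration is constructed, the function names are hypothetical, and the check relies on the documented "+group" form of "force group", which assigns the group only to users who are already members.

```python
# Added audit example; SAMPLE is a constructed smb.conf, not the poster's file.
SAMPLE = """\
[global]
    workgroup = EXAMPLE
[exact]
    path = /shares/exact
    read only = no
    force group = exact
[exact-checked]
    path = /shares/exact
    force group = +exact
[exact-limited]
    path = /shares/exact
    force group = exact
    valid users = @exact
"""

def parse_shares(text):
    """Return {section: {param: value}} from smb.conf-style text.
    Assumption: no backslash line continuations or include directives."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            current["".join(key.lower().split())] = value.strip()
    return shares

def audit_force_group(text):
    """Return [(share, group)] where force group is set without a membership gate."""
    findings = []
    for name, params in parse_shares(text).items():
        # "group" is the documented synonym for "force group"
        group = params.get("forcegroup") or params.get("group")
        if not group or group.startswith("+"):
            continue  # unset, or '+group': applied only to existing members
        if "validusers" in params:
            continue  # connections are restricted before the group is forced
        findings.append((name, group))
    return findings

if __name__ == "__main__":
    for share, group in audit_force_group(SAMPLE):
        print(f"[{share}] force group = {group}: every connecting user gets this group")
```

A share that passes this audit because of "valid users = @exact" still depends on the server resolving the users' supplementary membership in that group.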
