[Samba] valid users %g and %u not behaving properly...

Greg Folkert greg at gregfolkert.net
Tue Jul 27 19:20:03 GMT 2004


On Tue, 2004-07-27 at 10:24, Chris wrote:
> Okay...
> 
> I guess I can find ways around that then...
> 
> My thanks to those who read.

It is times like this I like to point out that Microsoft's POS (ADS with
Kerberos) is highly undocumented. There are many caveats.

I myself have experienced similar issues with what MS throws back at
Samba.

Case in point, I have just completed a full-on integration with Kerberos
and ADS authentication from a pretty darn big Linux machine (Quad
Opteron 10GB Memory and 40TB+ Clarion Disk subsystem).

It is unexplainable. But, once you get it to work... it works. My
problems always start when I have to shut off error tables and stack
smashing protection. It nearly ALWAYS ends up being a shared libraries
issue.

For winbind (what you are using) make sure the libraries it uses are put
in place and/or replace the existing ones. The "make install" for some
reason wouldn't (couldn't) overwrite some libraries in /lib and
/lib/security.

Hope this helps.

> On Friday 23 July 2004 02:02 pm, Chris wrote:
> > Hello.
> >
> > I have samba working with ADS and winbind (upgrading from nt4/samba-2.0.7
> > to w2k3/samba-3.0.4).  Everything seems cool, but for one thing.
> >
> > My old homes share used to look like this:
> >
> > [homes]
> > path=%H/sam
> > valid users = +%G,%U
> > force user = %U
> > force group = %G
> > write list = +%U
> > create mask = 0770
> > directory mask = 0770
> > browseable=no
> > read only = no
> >
> > It worked beautifully.  But the whole valid users thing isn't working on
> > the new system.  To help troubleshoot, I used "root preexec" to dump the
> > contents of %U, %u, %G, and %g to a file.
> >
> > The values of these variables when connecting to the [homes] share as me:
> >
> > %U = username without domain  (e.g. chris)
> > %u = username with domain name and domain separator (e.g. DOMAIN+chris)
> > %G = "users"  --- always equal to the group "users" -- I have no clue
> > why! Sometimes, however, %G = "%G" instead of "users".  I think this is
> > true for users who don't have a local unix account on the system.
> > %g = groupname with domain name and domain separator (e.g. DOMAIN+chris_)
> >
> > Here is where it gets weird.
> >
> > Because %u = DOMAIN+chris it seems I should be able to do this:
> > 	valid users = %u
> >
> > But it doesn't work!  Once I add that line, it denies me access to the
> > share. If I comment it out, I once again have access.
> >
> > So, because %g = DOMAIN+primary_group I tried this:
> >
> > valid users = +%g  (also tried valid users = @%g)
> >
> > Same thing.  Doesn't grant me access.   This makes absolutely no sense to
> > me.
> >
> >
> >
> > The use of these variables is critical to maintaining the security of the
> > server shares.  Has this changed between versions?  Is this a bug?  Or am I
> > missing something altogether?  How can I do this?  I can't find anything
> > on this in the books (I have 4 samba books...) or online.  It used to
> > work...
> >
> > I appreciate any help.
> >
> > Thanks!
> >
> > Chris
-- 
greg, greg at gregfolkert.net

The technology that is
Stronger, better, faster: Linux