[Samba] not working : valid users = @"DOM+USER"
Charles Bueche
charles at bueche.ch
Tue Jun 8 10:59:15 GMT 2004
Hi again,
I tested again, and I found that winbind returns Windows groups up to the
OS limit (16 by default in Solaris 9). The group I wanted to check
against was mapped as 22nd in the list, so the check failed.
One solution would be to raise the limit to 32 on Solaris (using "set
ngroups_max = 32" in /etc/system), but that would only shift the problem
until someone has 33 groups.
This is a very basic problem : one would assume winbind is needed for
large organizations. My customer is large (55'000 users), so people are
usually in a lot of groups (I have found 30-60 is not unusual, one had
84 memberships). So we have a dead-lock : you should use winbind when
you don't want to manage large user lists, but can't due to group
limitations. And no, recompiling Solaris (or Linux) with a larger
limit is not an option.
I'm now investigating another solution (calling it a kludge would be
more appropriate) :
- set "preexec check_ldap $u %S" on the share
- pass user and group as parameter
- check valid group membership using LDAP to AD
- return <true|false> so "preexec close" deny|allow access
If it works, I will post check_ldap here. I plan to use Perl and
Net::LDAP for this job.
Charles
On Mon, 7 Jun 2004 20:26:18 +0200
Charles Bueche <charles at bueche.ch> wrote:
> Hi Steve,
>
> strange... so it just falls back to Win groups if it doesn't find local
> groups ?
>
> I have studied the source, mainly lib/username.c and friends. I have
> seen that it tries to look up the name without the domain prefix, which
> fails (same effect as in wbinfo).
>
> I'm now away from this customer site, I will have to wait tomorrow to
> test again. I will report my results.
>
> Am I right to assume that I don't need pam for this ? My goal is to
> use AD for Samba, but local passwd/groups for the logins.
>
> Charles
>
> On Mon, 07 Jun 2004 15:47:40 +0100
> Spaceboy <spaceboy at spaceboy.co.uk> wrote:
>
> > Charles,
> > I've just done this here on Solaris 8.
> >
> > I have found slightly odd behaviour in that wbinfo -u and wbinfo -g
> > only return the actual usernames and groups rather than
> > "DOMAIN+Username" and "DOMAIN+Groupname".
> >
> > So in my smb.conf file I needed:-
> > valid users = @Groupname
> >
> > without the DOMAIN+ part.
> >
> > And yes I've set winbind separator = + as well.
> >
> > Just a thought.
> > Steve
> >
> > Charles Bueche wrote:
> >
> > >Hi,
> > >
> > >I have Samba 3.0.4 on Solaris 9, recent patches applied. Samba is
> > >integrated in domain (security = domain). I have compiled and
> > >configured winbind, but not pam and no ldap. nscd is stopped.
> > >
> > >Winbind works OK, I can connect to share and users get mapped
> > >on-the-fly to UNIX uids and gids in the ranges specified in
> > >smb.conf. My config is included below with some tweaks to protect
> > >the innocent.
> > >
> > >---
> > >
> > >My goal : I want to create a share and restrict its access based on
> > >the membership of a Windows group.
> > >
> > >I have successfully used :
> > >
> > > valid users = DOM+user1 DOM+user2 DOM+user3
> > >
> > >but when I try :
> > >
> > > valid users = @DOM+wingroup
> > >
> > >or :
> > >
> > > valid users = +DOM+wingroup
> > >
> > >It refuses me access to the share, even if I'm a member of the
> > >Windows group.
> > >
> > >What do I do wrong ? How should I write the groupnames ? Help
> > >wanted...
> > >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: http://lists.samba.org/mailman/listinfo/samba
--
Charles Bueche <charles at bueche.ch>
sand, snow, wave, wind and net -surfer
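The preexec kludge described at the top of the thread, written out as an added Python example (not code from the thread; Charles planned Perl with Net::LDAP). It assumes OpenLDAP's ldapsearch is installed, that smb.conf passes %u and %S with "preexec close = yes", and that the AD settings, password file and share-to-group table are placeholders you replace:

```python
"""check_ldap: Samba preexec hook allowing a share only to members of the
Windows group mapped to that share.  Hypothetical smb.conf wiring:
    preexec = /usr/local/bin/check_ldap %u %S ; preexec close = yes
With 'preexec close', a non-zero exit status makes smbd close the connection."""
import base64
import subprocess
import sys

# Constructed AD settings and share -> required group policy (assumptions).
LDAP_URI = "ldap://dc.example.com"
BASE_DN = "DC=example,DC=com"
BIND_DN, BIND_PW_FILE = "CN=samba-ro,CN=Users,DC=example,DC=com", "/etc/samba/check_ldap.pw"
SHARE_GROUPS = {"projects": "wingroup", "finance": "finance-ro"}

def strip_domain(user, sep="+"):
    """'DOM+jdoe' -> 'jdoe' (winbind separator = +)."""
    return user.split(sep, 1)[1] if sep in user else user

def ldap_escape(value):
    """RFC 4515 escaping so a crafted user name cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in '\\*()\0' else c for c in value)

def parse_memberof(ldif):
    """Return the lower-cased CNs found in memberOf attributes of LDIF output.
    Handles LDIF line folding (newline + space) and 'memberOf::' base64 values."""
    groups = set()
    for line in ldif.replace("\n ", "").splitlines():
        if line.startswith("memberOf:: "):
            dn = base64.b64decode(line[11:]).decode("utf-8")
        elif line.startswith("memberOf: "):
            dn = line[10:]
        else:
            continue
        rdn = dn.split(",", 1)[0]              # e.g. 'CN=wingroup'
        if rdn[:3].upper() == "CN=":
            groups.add(rdn[3:].lower())        # AD names are case-insensitive
    return groups

def is_allowed(ldif, share):
    required = SHARE_GROUPS.get(share)         # unknown share -> deny
    return required is not None and required.lower() in parse_memberof(ldif)

def fetch_memberof(user):
    """Ask AD directly, so the OS NGROUPS_MAX limit never truncates the list."""
    cmd = ["ldapsearch", "-LLL", "-x", "-H", LDAP_URI, "-D", BIND_DN, "-y", BIND_PW_FILE,
           "-b", BASE_DN, f"(sAMAccountName={ldap_escape(user)})", "memberOf"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    sys.exit(0 if is_allowed(fetch_memberof(strip_domain(sys.argv[1])), sys.argv[2]) else 1)
```

Nested group membership is not expanded here; memberOf only lists direct groups, so a user allowed through a nested group needs an LDAP_MATCHING_RULE_IN_CHAIN filter or a second lookup.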