[Samba] Windows 2003 Active Directory and Group Access

Franz Gsell vl950t at freenet.de
Wed May 5 19:20:21 GMT 2004

Hi Alex,

Yes I have already tried this settings:

"winbind use default domain = yes"


"valid users = @AMATEC.LOCAL+GG_Entwicklung"

But this only works for windows 2000 Clients and not for Windows XP Clients.
As you have written before everything works without "winbind use default
domain = yes" but then a user has to login e.g. for ssh with

I don't think it's a good idea to hack the pam module too, perhaps is there
another possibility - perhaps any of the developer team has a workaround?

Kind regards

-----Ursprüngliche Nachricht-----
Von: Alex de Vaal [mailto:A.Vaal at nh-hotels.com] 
Gesendet: Mittwoch, 5. Mai 2004 12:22
An: 'Franz Gsell'
Betreff: RE: [Samba] Windows 2003 Active Directory and Group Access

Hello Franz,

You can try to set "winbind use default domain = yes" again and use as valid
users: "valid users = @AMATEC.LOCAL+GG_Entwicklung"

I've found in a faq the following:

Q: I tried to set valid users = @Engineers, but it does not work. My Samba
is an Active Directory Domain Member server. Has this been fixed now?
A: The use of this parameter has always required the full specification of
the Domain
account, for example, valid users = @"MEGANET2\Domain Admins".

You can always try if this work, while hacking pam_winbind.so seems not to
be a good idea to me.

Best regards,

-----Original Message-----
From: Franz Gsell [mailto:vl950t at freenet.de] 
Sent: Monday 26 April 2004 18:43
To: samba at lists.samba.org
Cc: 'Alex de Vaal'
Subject: RE: [Samba] Windows 2003 Active Directory and Group Access


thanks for your help - now it works :-))))))) But there is a new problem. We
log on to the linux machine for email and ssh and so on. So the new problem
is that a user is now AMATEC+testuser instead simple testuser (for the pam
module). But I think we can make a hack to the pam_winbind.so file to add
"AMATEC+" to the entered username (so a user has not to enter
AMATEC+testuser but only testuser). Or is there a better way?

Kind regards


More information about the samba mailing list