[Samba] Samba 3.0.7 / AD Domain Group Resolving

Grzeski.Andreas at SWM.DE Grzeski.Andreas at SWM.DE
Thu Oct 14 12:45:01 GMT 2004 

Hi Mark,

this is the Share definition from our smb.conf:

[install]
        writeable = yes
        path = /Path/to/directory
        write list = DOMAIN\Domain_Group
        valid users = DOMAIN\Domain_Group

The configuration is pretty straightforward...

Here is the Rest of our smb.conf:

[global]
        workgroup = DOMAIN
        realm = DOMAIN.DE
        security = ADS
        netbios name = servername
        server string = Installserver
        domain master = no
        domain logons = no
        wins support = no
        wins server = ip.of.wins.server
        password server = server1 server2 server3
        idmap gid = 10000-40000
        idmap uid = 10000-40000
        winbind enum users = yes
        winbind enum groups = yes
        os level = 20
        interfaces = 127.0.0.1 eth0
        encrypt passwords = yes
        utmp = yes
        passdb backend = tdbsam:/etc/samba/passdb.tdb smbpasswd:/etc/samba/smbpasswd
        preferred master = no
        unix charset = LOCALE
        bind interfaces only = true
        template homedir = /home/%D/%U
        template shell = /bin/bash
        client use spnego = yes
        local master = no

I hope that helps...

Greetings

Andreas

-----Ursprüngliche Nachricht-----
Von: samba-bounces+grzeski.andreas=swm.de at lists.samba.org [mailto:samba-bounces+grzeski.andreas=swm.de at lists.samba.org] Im Auftrag von Mark Le Noury
Gesendet: Donnerstag, 14. Oktober 2004 14:31
An: samba at lists.samba.org
Betreff: RE: [Samba] Samba 3.0.7 / AD Domain Group Resolving


Could you post the share definition from your smb.conf file? 

-----Original Message-----
From: samba-bounces+markl=bbd.co.za at lists.samba.org
[mailto:samba-bounces+markl=bbd.co.za at lists.samba.org] On Behalf Of Grzeski.Andreas at SWM.DE
Sent: 14 October 2004 02:10 PM
To: samba at lists.samba.org
Subject: RE: [Samba] Samba 3.0.7 / AD Domain Group Resolving


Hi Mark,

that did not resolve the problem for me. Removing the @ sign produced the same error message (see below)...

Greetings

Andreas

-----Ursprüngliche Nachricht-----
Von: Mark Le Noury [mailto:markl at bbd.co.za] 
Gesendet: Donnerstag, 14. Oktober 2004 12:43
An: samba at lists.samba.org
Betreff: RE: [Samba] Samba 3.0.7 / AD Domain Group Resolving


Hi,


I think that you are fomatting the valid users directive incorrectly.

Try valid users = DOMAIN+Group_name (I use + as my winbind separator, substitute for whatever you have chosen) No @ sign necessary

It works fine for me like that.

Thanks,

Mark

-----Original Message-----
From: samba-bounces+markl=bbd.co.za at lists.samba.org
[mailto:samba-bounces+markl=bbd.co.za at lists.samba.org] On Behalf Of Grzeski.Andreas at SWM.DE
Sent: 14 October 2004 12:38 PM
To: samba at lists.samba.org
Subject: [Samba] Samba 3.0.7 / AD Domain Group Resolving


Hello List,

currently we have Samba 3.0.7 running on SLES8 systems with AD integration. We´re using the SerNet RPM´s (ftp.sernet.de)

Everything works fine so far, we just have a problem with resolving domain groups.

wbinfo -g works fine, the domain groups are correctly resolved. But when inserting a "valid users = @AD_DOMAIN_GROUP" statement in the smb.conf we get the following error:

smbd/service.c:make_connection_snum(314)
  user 'DOMAIN\User.Name' (from session setup) not permitted to access this share (sharename)

Inserting the user with his normal accountname does work (e.g. valid users = DOMAIN\User.Name)

We do have a lot of AD Groups, some users are member of more than 200 groups (and no, we cannot fix that, reducing the number of groups is unfortunately not an option).

I did find several post in the list archives on this topic, but no practical solution yet.

Is there a solution? Are more details necessary?

One more thing: we also have the problem that once in a while winbind dies when executing wbinfo -g or -u. I don´t know, if this is somehow connected.

Anyone any ideas? I´m a bit lost here...

Greetings

Andreas Grzeski
Systems Engineer/RHCE

Stadtwerke München GmbH

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list