[Samba] share permissions for AD groups

Schreiber Martin martin.a.schreiber at siemens.com
Fri Oct 22 07:04:29 GMT 2004 

Hello,

We have following environment

Win2k AD with "endless" number of groups (should be more then 1000) , on the
other site solaris9 samba3.0.7 compiled with all relevant optins , winbind ,
ads and so on , installations is ok , we joined AD domain w.o problems ,
getent * shows all like expected
same for wbinfo 

The big problem remaining is , we want to restrict access to shares to given
AD groups that way:

valid users = @ADDOMAIN+ADGROUP

that doesnt work in any combination, the other way 

valid users = @ADDOMAIN+ADUSERNAME

works without any probem

there is no user or groupmapping at all

-----------------------output from level 10
log----------------------------------

2004/10/21 17:16:44, 10] lib/username.c:user_in_list(533)
  user_in_list: checking user |WW300+atw113c9| against |admoss|
[2004/10/21 17:16:44, 10] lib/username.c:user_in_list(533)
  user_in_list: checking user |WW300+atw113c9| against |ww300+csi|
[2004/10/21 17:16:44, 10] lib/username.c:user_in_list(610)
  user_in_list: checking if user |WW300+atw113c9| is in winbind group
|ww300+csi|
[2004/10/21 17:16:49, 10] lib/username.c:user_in_winbind_group_list(412)
  user_in_winbind_group_list: using groups -- 30001 30002 30003 30004 30005
30006 30007 30008 30009 300
10 30011 30012 30013 30014 30015 30016
[2004/10/21 17:16:49, 2] smbd/service.c:make_connection_snum(314)
  user 'WW300+atw113c9' (from session setup) not permitted to access this
share (pst)
[2004/10/21 17:16:49, 3] smbd/error.c:error_packet(129)
----------------------------------------------------------------------------
-----------------


as i think winbind can only reflect to first 16 or 17 groups
user_in_list checks the right group name , in this case ww300+admoss , but
user_in_winbind_group_list shows only the first 16 mapped groups , as we
have more then 1000 or 2000 and nested groups i can never be authenticated

Now my







      Siemens Business Services
 	CCN-ITS Betrieb Wien GUD
 
 	Gudrunstrasse 11
 	A-1101 Wien
 
 	Martin Schreiber			
      Phone	+43 5 1707 47565
 	Server-Administration	
      Fax	+43 5 1707 57560
 	mailto:martin.a.schreiber at siemens.com
 	http://www.sbs.at

More information about the samba mailing list