[Samba] Re: share permissions for AD groups
Schreiber Martin
martin.a.schreiber at siemens.com
Fri Oct 22 07:16:47 GMT 2004
> Hello,
>
> We have the following environment:
>
> Win2k AD with an "endless" number of groups (should be more than 1000); on
> the other side Solaris 9, Samba 3.0.7 compiled with all relevant options,
> winbind, ADS and so on. The installation is OK, we joined the AD domain w/o
> problems, getent * shows everything as expected,
> same for wbinfo.
>
> The big problem remaining is that we want to restrict access to shares to
> given AD groups this way:
>
> valid users = @ADDOMAIN+ADGROUP
>
> That doesn't work in any combination; the other way,
>
> valid users = @ADDOMAIN+ADUSERNAME
>
> works without any problem.
>
> There is no user or group mapping at all.
>
> -----------------------output from level 10 log----------------------------------
>
> [2004/10/21 17:16:44, 10] lib/username.c:user_in_list(533)
> user_in_list: checking user |WW300+atw113c9| against |admoss|
> [2004/10/21 17:16:44, 10] lib/username.c:user_in_list(533)
> user_in_list: checking user |WW300+atw113c9| against |ww300+csi|
> [2004/10/21 17:16:44, 10] lib/username.c:user_in_list(610)
> user_in_list: checking if user |WW300+atw113c9| is in winbind group |ww300+csi|
> [2004/10/21 17:16:49, 10] lib/username.c:user_in_winbind_group_list(412)
> user_in_winbind_group_list: using groups -- 30001 30002 30003 30004 30005 30006 30007 30008 30009 30010 30011 30012 30013 30014 30015 30016
> [2004/10/21 17:16:49, 2] smbd/service.c:make_connection_snum(314)
> user 'WW300+atw113c9' (from session setup) not permitted to access this share (pst)
> [2004/10/21 17:16:49, 3] smbd/error.c:error_packet(129)
> -----------------------------------------------------------------------------------------------
>
>
> As I think, winbind can only reflect the first 16 or 17 groups.
> user_in_list checks the right group name, in this case ww300+admoss, but
> user_in_winbind_group_list shows only the first 16 mapped groups; as we
> have more than 1000 or 2000 and nested groups, I can never be authenticated.
>
> my uid range is 100000-120000
> gid range is 30000-50000
>
> Now my second question: the only workaround in this situation is to add a
> valid users statement for every user who should connect.
> So is there a limitation to the string length of valid users =
> I fear I need 4 to 500 users in all....
>
> Any help or workaround is pretty appreciated.
>
> Kind regards, Martin Schreiber
>
> Siemens Business Services
> CCN-ITS Betrieb Wien GUD
>
> Gudrunstrasse 11
> A-1101 Wien
>
> Martin Schreiber
> Phone +43 5 1707 47565
> Server-Administration
> Fax +43 5 1707 57560
> mailto:martin.a.schreiber at siemens.com
> http://www.sbs.at
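Added example, not from the post and not Samba's own code: a small Python script that reproduces the access decision the level-10 log above documents and flags the symptom the poster suspects, a supplementary group list cut off at the platform ceiling. It unwraps smbd log records of the shape shown (including the mail-wrapped "using groups" line whose 30010 was split into "300" and "10", repaired with the idmap gid range the post gives), resolves gids to names through a constructed table standing in for `getent group` output, and applies a `valid users =` rule the way the log shows smbd doing it: user names first, then winbind group membership. The 16-group ceiling, the gid-to-name table, the sample log and all function names are assumptions for the example.

```python
"""Check a Samba `valid users` rule against the winbind group list seen in a
level-10 smbd log, and flag a group list that sits at the platform ceiling.
Added example; not Samba code.  Limit, gid table and log are assumptions."""
import re

# Assumed ceiling on the supplementary groups the OS hands to winbind
# (the post suspects 16 or 17 on Solaris 9); adjust for the platform under test.
NGROUPS_LIMIT = 16

# idmap gid range as stated in the post; used to repair numbers split by mail wrapping.
GID_RANGE = (30000, 50000)

# Constructed sample log modelled on the post, including the wrapped
# "using groups" line in which "30010" arrived as "300" and "10".
SAMPLE_LOG = """[2004/10/21 17:16:44, 10] lib/username.c:user_in_list(533)
  user_in_list: checking user |WW300+atw113c9| against |ww300+csi|
[2004/10/21 17:16:49, 10] lib/username.c:user_in_winbind_group_list(412)
  user_in_winbind_group_list: using groups -- 30001 30002 30003 30004
  30005 30006 30007 30008 30009 300
10 30011 30012 30013 30014 30015 30016
[2004/10/21 17:16:49, 2] smbd/service.c:make_connection_snum(314)
  user 'WW300+atw113c9' (from session setup) not permitted to access this share (pst)
"""

# Constructed gid->name table standing in for `getent group` output.  The
# share's group is deliberately placed in slot 20, beyond the assumed ceiling,
# so the membership that should grant access is never seen by smbd.
GROUP_BY_GID = {30000 + i: f"ww300+group{i:02d}" for i in range(1, 25)}
GROUP_BY_GID[30020] = "ww300+csi"


def unwrap_log(text):
    """Re-join wrapped records: a line not starting with '[' continues the previous one."""
    records = []
    for line in text.splitlines():
        if line.startswith("[") or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def parse_winbind_groups(records, gid_range=GID_RANGE):
    """Extract the gid list from the 'using groups --' record.  A token outside
    the idmap range that becomes in-range when glued to its neighbour is a
    number split by line wrapping ("300" + "10" -> 30010) and is merged."""
    for rec in records:
        m = re.search(r"using groups -- (.*)", rec)
        if m:
            tokens = m.group(1).split()
            break
    else:
        return []
    lo, hi = gid_range
    gids, i = [], 0
    while i < len(tokens):
        gid = int(tokens[i])
        if not lo <= gid <= hi and i + 1 < len(tokens):
            merged = int(tokens[i] + tokens[i + 1])
            if lo <= merged <= hi:
                gid, i = merged, i + 1
        gids.append(gid)
        i += 1
    return gids


def parse_valid_users(value):
    """Split a `valid users =` value into (group names, user names).
    Simplification for the example: '@name' and '+name' are both treated as groups."""
    groups, users = [], []
    for entry in value.replace(",", " ").split():
        if entry.startswith(("@", "+", "&")):
            groups.append(entry.lstrip("@+&").lower())
        else:
            users.append(entry.lower())
    return groups, users


def user_permitted(user, gids, valid_users, group_by_gid=GROUP_BY_GID):
    """Mirror the order seen in the log: direct user match, then winbind groups."""
    groups, users = parse_valid_users(valid_users)
    if user.lower() in users:
        return True
    member_of = {group_by_gid.get(g, "").lower() for g in gids}
    return any(g in member_of for g in groups)


def group_list_truncated(gids, limit=NGROUPS_LIMIT):
    """A list sitting exactly at the ceiling is the signature of a cut-off membership."""
    return len(gids) >= limit


def diagnose(log_text, user, valid_users):
    gids = parse_winbind_groups(unwrap_log(log_text))
    return {
        "gids": gids,
        "permitted": user_permitted(user, gids, valid_users),
        "truncated": group_list_truncated(gids),
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, "WW300+atw113c9", "@ww300+csi"))
```

On the constructed sample the rule `@ww300+csi` denies the user even though the table says the user belongs to that group, and `truncated` is true because exactly 16 gids were handed to smbd; listing the user by name in `valid users` grants access, which is the workaround the post ends up asking about. When a deny coincides with a group list sitting at the ceiling, treat the group count, not the `valid users` syntax, as the first thing to check.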