[Samba] AW: share permissions for AD groups

Schreiber Martin martin.a.schreiber at siemens.com
Fri Oct 22 07:16:47 GMT 2004



> Hello,
> 
> We have the following environment:
> 
> Win2k AD with an "endless" number of groups (should be more than 1000); on
> the other side Solaris 9 with Samba 3.0.7 compiled with all relevant options,
> winbind, ADS and so on. The installation is OK, we joined the AD domain w/o
> problems, getent * shows everything as expected,
> same for wbinfo.
> 
> The big problem remaining is, we want to restrict access to shares to
> given AD groups this way:
> 
> valid users = @ADDOMAIN+ADGROUP
> 
> That doesn't work in any combination; the other way,
> 
> valid users = @ADDOMAIN+ADUSERNAME
> 
> works without any problem.
> 
> There is no user or group mapping at all.
> 
> ---------------------- output from level 10 log ----------------------------------
> 
> [2004/10/21 17:16:44, 10] lib/username.c:user_in_list(533)
>   user_in_list: checking user |WW300+atw113c9| against |admoss|
> [2004/10/21 17:16:44, 10] lib/username.c:user_in_list(533)
>   user_in_list: checking user |WW300+atw113c9| against |ww300+csi|
> [2004/10/21 17:16:44, 10] lib/username.c:user_in_list(610)
>   user_in_list: checking if user |WW300+atw113c9| is in winbind group |ww300+csi|
> [2004/10/21 17:16:49, 10] lib/username.c:user_in_winbind_group_list(412)
>   user_in_winbind_group_list: using groups -- 30001 30002 30003 30004 30005 30006 30007 30008 30009 30010 30011 30012 30013 30014 30015 30016
> [2004/10/21 17:16:49, 2] smbd/service.c:make_connection_snum(314)
>   user 'WW300+atw113c9' (from session setup) not permitted to access this share (pst)
> [2004/10/21 17:16:49, 3] smbd/error.c:error_packet(129)
> -----------------------------------------------------------------------------------------------
> 
> 
> As I think, winbind can only reflect the first 16 or 17 groups.
> user_in_list checks the right group name, in this case ww300+admoss, but
> user_in_winbind_group_list shows only the first 16 mapped groups; as we
> have more than 1000 or 2000 and nested groups, I can never be authenticated.
> 
> My uid range is 100000-120000
>     gid range is  30000-50000
> 
> Now my second question: the only workaround in this situation is to do a
> valid users statement for every user who should connect.
> So is there a limitation to the string length of valid users =
> I fear I need 4 to 500 users in all....
> 
> Any help or workaround is much appreciated.
> 
> 
> 
> Kind regards, Martin Schreiber
> 
> Siemens Business Services
> CCN-ITS Betrieb Wien GUD
> Gudrunstrasse 11
> A-1101 Wien
> 
> Martin Schreiber
> Server-Administration
> Phone +43 5 1707 47565
> Fax   +43 5 1707 57560
> mailto:martin.a.schreiber at siemens.com
> http://www.sbs.at
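As an added example that is not part of the thread, a small Python parser for the level-10 smbd lines quoted above: it pulls out the winbind group the share check tried, the gid list winbind supplied for the session, and the share denials, and flags a denial that coincides with the gid list sitting at the supplementary-group limit (the 16 the poster observes). The limit is passed in as `group_limit`, an assumption about the OS, not a Samba setting; the sample log is constructed from the post.

```python
import re

# Constructed sample: the level-10 smbd lines from the post, rejoined onto single lines.
SAMPLE_LOG = """\
[2004/10/21 17:16:44, 10] lib/username.c:user_in_list(610)
  user_in_list: checking if user |WW300+atw113c9| is in winbind group |ww300+csi|
[2004/10/21 17:16:49, 10] lib/username.c:user_in_winbind_group_list(412)
  user_in_winbind_group_list: using groups -- 30001 30002 30003 30004 30005 30006 30007 30008 30009 30010 30011 30012 30013 30014 30015 30016
[2004/10/21 17:16:49, 2] smbd/service.c:make_connection_snum(314)
  user 'WW300+atw113c9' (from session setup) not permitted to access this share (pst)
"""

GROUP_CHECK = re.compile(r"checking if user \|([^|]+)\| is in winbind group \|([^|]+)\|")
GID_LIST = re.compile(r"user_in_winbind_group_list: using groups -- (.*)$")
DENIED = re.compile(r"user '([^']+)' \(from session setup\) not permitted to access this share \((\w+)\)")

def _new():
    return {"groups_checked": [], "gids": [], "denied_shares": []}

def analyze_smbd_log(text, group_limit=16):
    """Map each user in the log to what the 'valid users' check did for them.

    group_limit (assumed): supplementary groups the OS hands a process.
    """
    checks = {}
    current = None
    for line in text.splitlines():
        m = GROUP_CHECK.search(line)
        if m:
            current = checks.setdefault(m.group(1), _new())
            current["groups_checked"].append(m.group(2))
            continue
        m = GID_LIST.search(line)
        if m and current is not None:
            # The gid list winbind gave the session: the only groups Samba can match against.
            current["gids"] = [int(g) for g in m.group(1).split()]
            continue
        m = DENIED.search(line)
        if m:
            checks.setdefault(m.group(1), _new())["denied_shares"].append(m.group(2))
    for chk in checks.values():
        # A denial while the gid list sits at the OS limit: the group named in
        # 'valid users' may be absent from a truncated token rather than the user
        # not being a member, so verify membership out of band before trusting it.
        chk["truncation_suspected"] = bool(chk["denied_shares"]) and len(chk["gids"]) >= group_limit
    return checks
```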

