[Samba] limiting access with win groups
Colht, Charles
Charles.Colht at acsalaska.com
Tue Aug 2 15:31:40 GMT 2005
I want to limit access to shares via Windows groups but when I set a
share to anything other than 'valid users = %S' or 'valid users =', I
cannot access the share. The error message indicates that the share is
not accessible and I may not have sufficient permissions. If I change
just the valid users in smb.conf and restart smb, I get right in without
prompting. I also found that I could not get smb to work with '+' as a
separator. I had to use '\\' (shows up as only one) which I found in
some docs but most use the '+'. Also, how do you specify a group with a
space in the name, "@domain users" or @"domain users" and is it case
sensitive?
Assume ACS is my domain.
acsxpeit is the Citrix server my Windows session is running from, not a
real user although it does exist in AD.
Unix.Samba is the Windows group I want to use: 'valid users =
@Unix.Samba'.
root@host# getent group | grep -i samba
unix.samba:x:15045: zz.ccolht,ccolht
Here's my config:
[global]
netbios name = ANC38146
server string = Chucks Samba
log level = 3
log file = /var/log/samba/%m
syslog = 0
ldap ssl = no
max log size = 50
username map = /etc/samba/smbusers
printcap = cups
disable spoolss = Yes
show add printer wizard = No
load printers = no
printing = cups
cups options = raw
log file = /var/log/samba/%m.log
max log size = 50
security = ads
workgroup = ACS
realm = CORP.ACSALASKA.COM
allow trusted domains = no
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = no
dns proxy = no
idmap uid = 15000-20000
idmap gid = 15000-20000
template shell = /bin/bash
password server = acsad6
auth methods = winbind
winbind separator = \\
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
template homedir = /home/win/%D/%U
template shell = /bin/bash
template primary group = "Domain Users"
[public]
comment = Public Stuff
path = /home/inst
public = yes
read only = yes
valid users = @unix.samba
Here's part of winbindd.log right after I double click a share and get
rejected.
[2005/08/02 06:15:37, 3] nsswitch/winbindd_sid.c:winbindd_lookupname(96)
[ 8849]: lookupname ACS+ccolht
[2005/08/02 06:15:38, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[ 8849]: request interface version
[2005/08/02 06:15:38, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[ 8849]: request location of privileged pipe
[2005/08/02 06:15:38, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(126)
[ 8849]: getpwnam acs\acsxpeit$
[2005/08/02 06:15:38, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
user 'acs\acsxpeit$' does not exist
[2005/08/02 06:15:38, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(126)
[ 8849]: getpwnam ACS\acsxpeit$
[2005/08/02 06:15:38, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
user 'ACS\acsxpeit$' does not exist
[2005/08/02 06:15:38, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(126)
[ 8849]: getpwnam ACS\ACSXPEIT$
[2005/08/02 06:15:38, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
user 'ACS\ACSXPEIT$' does not exist
[2005/08/02 06:15:38, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(126)
[ 8849]: getpwnam acsxpeit$
[2005/08/02 06:15:38, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(422)
[ 8849]: gid to sid 15000
[2005/08/02 06:15:38, 3] nsswitch/winbindd_group.c:winbindd_getgrnam(244)
[ 8777]: getgrnam Unix.Samba
Chuck Colht
Alaska Communications Systems, Inc.
907-269-2673
ccolht at acsalaska.com
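
An offline way to see which accounts a `valid users` line would admit, given `getent group` output (an added example, not part of the original post and not Samba code). The shell-style tokenizing, the case-insensitive and domain-stripped comparison, and the `domain users` sample line are assumptions of this example, not statements about Samba's own parser.

```python
import shlex

# Constructed input: the first line is the `getent group` output quoted in the
# post; the "domain users" line is made up for this example.
GETENT_GROUP = """unix.samba:x:15045: zz.ccolht,ccolht
domain users:x:15001:ccolht
"""

def short(name):
    """Drop a DOMAIN\\ prefix and fold case (assumption of this example)."""
    return name.split("\\")[-1].strip().lower()

def parse_group_db(text):
    """Map group name -> set of members from `getent group` style lines."""
    groups = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 4:
            groups[short(parts[0])] = {short(m) for m in parts[3].split(",") if m.strip()}
    return groups

def parse_valid_users(value):
    """Split a `valid users` value into (kind, name) pairs.

    Entries are separated by spaces or commas; quotes keep embedded spaces.
    A leading @, + or & marks a group entry, anything else is a user.
    """
    lexer = shlex.shlex(value, posix=True)
    lexer.whitespace += ","
    lexer.whitespace_split = True
    lexer.escape = ""      # keep the backslash in DOMAIN\name intact
    lexer.commenters = ""  # '#' has no special meaning inside the value
    entries = []
    for tok in lexer:
        name = tok.lstrip("@+&")
        entries.append(("group" if name != tok else "user", name))
    return entries

def is_allowed(user, valid_users, groups):
    """True if `user` is named directly or is a member of a listed group."""
    entries = parse_valid_users(valid_users)
    if not entries:        # empty list: no restriction on the share
        return True
    for kind, name in entries:
        if kind == "user" and short(name) == short(user):
            return True
        if kind == "group" and short(user) in groups.get(short(name), set()):
            return True
    return False
```
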