[Samba] limiting access with win groups

Colht, Charles Charles.Colht at acsalaska.com
Tue Aug 2 15:31:40 GMT 2005


I want to limit access to shares via windows groups but when I set a
share to anything other than 'valid users = %S' or 'valid users =', I
cannot access the share. The error message indicates that the share is
not accessible and I may not have sufficient permissions. If I change
just the valid users in smb.conf and restart smb, I get right in without
prompting. I also found that I could not get smb to work with '+' as a
separator. I had to use '\\' (shows up as only one) which I found in
some docs but most use the '+'. Also, how do you specify a group with a
space in the name, "@domain users" or @"domain users" and is it case
sensitive?

 

Assume ACS is my domain.

acsxpeit is the citrix server my windows session is running from, not a
real user although it does exist in AD.

Unix.Samba is the windows group I want to use: 'valid users =
@Unix.Samba'.

 

root@host# getent group | grep -i samba
unix.samba:x:15045: zz.ccolht,ccolht

Here's my config:

 

[global]
    netbios name = ANC38146
    server string = Chucks Samba
    log level = 3
    log file = /var/log/samba/%m
    syslog = 0
    ldap ssl = no
    max log size = 50
    username map = /etc/samba/smbusers
    printcap = cups
    disable spoolss = Yes
    show add printer wizard = No
    load printers = no
    printing = cups
    cups options = raw
    log file = /var/log/samba/%m.log
    max log size = 50
    security = ads
    workgroup = ACS
    realm = CORP.ACSALASKA.COM
    allow trusted domains = no
    encrypt passwords = yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    preferred master = no
    dns proxy = no
    idmap uid = 15000-20000
    idmap gid = 15000-20000
    template shell = /bin/bash
    password server = acsad6
    auth methods = winbind
    winbind separator = \\
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind nested groups = yes
    template homedir = /home/win/%D/%U
    template shell = /bin/bash
    template primary group = "Domain Users"

[public]
   comment = Public Stuff
   path = /home/inst
   public = yes
   read only = yes
   valid users = @unix.samba

 

Here's part of winbindd.log right after I double click a share and get
rejected.

[2005/08/02 06:15:37, 3] nsswitch/winbindd_sid.c:winbindd_lookupname(96)
  [ 8849]: lookupname ACS+ccolht
[2005/08/02 06:15:38, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [ 8849]: request interface version
[2005/08/02 06:15:38, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  [ 8849]: request location of privileged pipe
[2005/08/02 06:15:38, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(126)
  [ 8849]: getpwnam acs\acsxpeit$
[2005/08/02 06:15:38, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
  user 'acs\acsxpeit$' does not exist
[2005/08/02 06:15:38, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(126)
  [ 8849]: getpwnam ACS\acsxpeit$
[2005/08/02 06:15:38, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
  user 'ACS\acsxpeit$' does not exist
[2005/08/02 06:15:38, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(126)
  [ 8849]: getpwnam ACS\ACSXPEIT$
[2005/08/02 06:15:38, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
  user 'ACS\ACSXPEIT$' does not exist
[2005/08/02 06:15:38, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(126)
  [ 8849]: getpwnam acsxpeit$
[2005/08/02 06:15:38, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(422)
  [ 8849]: gid to sid 15000
[2005/08/02 06:15:38, 3] nsswitch/winbindd_group.c:winbindd_getgrnam(244)
  [ 8777]: getgrnam Unix.Samba


Chuck Colht
Alaska Communications Systems, Inc.
907-269-2673
ccolht at acsalaska.com 
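
For reading a winbindd.log excerpt like the one quoted in this message, here is an added example (not part of the original post and not Samba code): a small Python parser that rejoins wrapped log headers and lists the name lookups winbindd was asked for and the user names it reported as nonexistent. The sample input is constructed in the layout of the quoted log, and the names `parse` and `summarize` are hypothetical.

```python
import re

# Constructed sample in the winbindd.log layout quoted in the post (last header wrapped).
SAMPLE = """\
[2005/08/02 06:15:38, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(126)
  [ 8849]: getpwnam acs\\acsxpeit$
[2005/08/02 06:15:38, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
  user 'acs\\acsxpeit$' does not exist
[2005/08/02 06:15:38, 3]
nsswitch/winbindd_group.c:winbindd_getgrnam(244)
  [ 8777]: getgrnam Unix.Samba
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\]\s*(?P<where>\S+)?$")
REQUEST = re.compile(r"^\[\s*(?P<pid>\d+)\]:\s+(?P<op>\w+)\s+(?P<arg>.+)$")
MISSING = re.compile(r"^user '(?P<name>.+)' does not exist$")

def parse(text):
    """Split a log excerpt into entries, rejoining headers wrapped in transit."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # blank lines added by the mail archive
        m = HEADER.match(line)
        if m:
            cur = {"ts": m["ts"], "level": int(m["level"]),
                   "where": m["where"] or "", "msg": ""}
            entries.append(cur)
        elif cur is not None and not cur["where"]:
            cur["where"] = line           # second half of a wrapped header
        elif cur is not None:
            cur["msg"] = (cur["msg"] + " " + line).strip()
    return entries

def summarize(entries):
    """Return (lookups requested, user names reported as nonexistent)."""
    requests, missing = [], []
    for e in entries:
        r = REQUEST.match(e["msg"])
        if r and r["op"] in ("getpwnam", "getgrnam", "lookupname"):
            requests.append((r["op"], r["arg"]))
        x = MISSING.match(e["msg"])
        if x:
            missing.append(x["name"])
    return requests, missing

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```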

 

