[Samba] Problems Authenticating users by group in Active Directory

Pepe Barbe elventear at gmail.com
Tue Jun 21 22:21:03 GMT 2005


Hi,

I got a Samba box that is part of an Active Directory. It is working
with the most basic functions, but I want to start customizing the
security a little bit more. For that I want to grant access to
different shares by group using "valid users = @AD+group" in the
smb.conf, but it hasn't worked.

I increased the verbosity of the log files and this has caught my attention:

[2005/06/21 18:07:23, 10] lib/username.c:user_in_list(533)
  user_in_list: checking user |CONTORG0+aalse001| against |@CONTORG0+fsswebusers|
[2005/06/21 18:07:23, 5] lib/username.c:user_in_netgroup_list(315)
  Unable to get default yp domain
[2005/06/21 18:07:23, 10] lib/username.c:user_in_list(533)
  user_in_list: checking user |CONTORG0+aalse001| against |@CONTORG0+testgroup|
[2005/06/21 18:07:23, 5] lib/username.c:user_in_netgroup_list(315)
  Unable to get default yp domain
[2005/06/21 18:07:23, 2] smbd/service.c:make_connection_snum(321)
  user 'CONTORG0+aalse001' (from session setup) not permitted to access this share (fss_web)

But if I do a getent group | grep aalse001 I get the following:

CONTORG0+testgroup:x:10026:CONTORG0+aalse001
CONTORG0+fsswebusers:x:10027:CONTORG0+aalse001  

It seems that the unix box is getting the group through winbind, so it
is either a bug, or I haven't done something. Any ideas?

I am using Samba 3.0.13-1.4E.2 on a Centos 4 Linux box.

Thank you,
Pepe

This is my smb.conf:

[global] 
        netbios name = CONTWEB
        #socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384 
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind gid = 10000-20000 
        workgroup = CONTORG0 
        #os level = 20 
        winbind enum groups = yes 
        #socket address = contweb 
        password server = contorg1 
        preferred master = no
        winbind separator = + 
        max log size = 50
        log file = /var/log/samba/log.%m
        encrypt passwords = yes
        dns proxy = no
        realm = CONTORG.BUSSERV.MY.REALM 
        security = ADS 
        #wins server = contorg1 
        wins proxy = no 
        log level = 30   

[fss_web]
        comment = Controller's Office Webserver 
        writeable = yes 
        path = /var/www/html
        force group = apache
        force user = apache
        #write list = @"CONTORG0+fsswebusers"
        valid users = @CONTORG0+fsswebusers @CONTORG0+testgroup
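
An added example, not part of the original post: a Python cross-check of the two pieces of evidence above, listing every group entry that smbd tested for a denied user even though the NSS group database lists that user as a member. The sample log and `getent group` text are constructed from the excerpts in the post (wrapped lines joined, one extra group added), and the function names are hypothetical.

```python
import re

# Constructed sample input, modelled on the log excerpt and getent output in the post.
SAMPLE_LOG = """\
[2005/06/21 18:07:23, 10] lib/username.c:user_in_list(533)
  user_in_list: checking user |CONTORG0+aalse001| against |@CONTORG0+fsswebusers|
[2005/06/21 18:07:23, 10] lib/username.c:user_in_list(533)
  user_in_list: checking user |CONTORG0+aalse001| against |@CONTORG0+testgroup|
[2005/06/21 18:07:23, 2] smbd/service.c:make_connection_snum(321)
  user 'CONTORG0+aalse001' (from session setup) not permitted to access this share (fss_web)
"""
SAMPLE_GETENT = """\
CONTORG0+testgroup:x:10026:CONTORG0+aalse001
CONTORG0+fsswebusers:x:10027:CONTORG0+aalse001
CONTORG0+otherteam:x:10028:CONTORG0+someoneelse
"""

CHECK_RE = re.compile(r"user_in_list: checking user \|([^|]+)\| against \|([^|]+)\|")
DENY_RE = re.compile(
    r"user '([^']+)' \(from session setup\) not permitted to access this share \(([^)]+)\)")

def parse_getent_group(text):
    """Map group name -> members from `getent group` lines (name:passwd:gid:members)."""
    groups = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 4:
            # Only listed (supplementary) members appear here, not primary-group users.
            groups[parts[0]] = {m for m in parts[3].split(",") if m}
    return groups

def find_mismatches(log_text, getent_text):
    """Return (user, share, group) where smbd denied the user but NSS lists membership."""
    groups = parse_getent_group(getent_text)
    checks = CHECK_RE.findall(log_text)
    findings = []
    for user, share in DENY_RE.findall(log_text):
        for checked_user, entry in checks:
            name = entry.lstrip("@+&")  # strip the group-lookup prefix from the list entry
            if checked_user == user and entry[0] in "@+&" and user in groups.get(name, ()):
                findings.append((user, share, name))
    return findings

if __name__ == "__main__":
    for user, share, group in find_mismatches(SAMPLE_LOG, SAMPLE_GETENT):
        print(f"{user} denied on {share} but NSS lists membership in {group}")
```
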

