[Samba] Problem with 3.0.23 upgrade from 3.0.22 with rfc2307 patch

Joel Franco joel.franco at gmail.com
Tue Aug 22 14:19:07 GMT 2006


I think the release notes for 3.0.23b have the response:

"Member servers, domain accounts, and smb.conf
=============================================

Since Samba 3.0.8, it has been recommended that all domain accounts 
listed in smb.conf on a member server be fully qualified with the 
domain name.  This is now a requirement.  All unqualified names are 
assumed to be local to the Unix host, either as part of the server's 
local passdb or in the local system list of accounts (e.g. /etc/passwd 
or /etc/group).

The reason for this change is that smbd has transitioned from
access checks based on string comparisons to token based
authorization.  All names are resolved to a SID and then verified
against the logged on user's NT user token.  Local names will
resolve to a local SID, while qualified domain names will resolve
to the appropriate domain SID.  

If the member server is not running winbindd at all, domain 
accounts will be implicitly mapped to local accounts and their
tokens will be modified appropriately to reflect the local 
SID and group membership.

For example, the following share will restrict access to the
domain group "Linux Admins" and the local group srvadmin.

[restricted]
path = /data
valid users = +"DOMAIN\Linux Admins" +srvadmin

Note that to restrict the [homes] share on a member server to the
owner of that directory, it is necessary to prefix the %S value
to "valid users".

[global]
security = {domain,ads}
workgroup = DOM
winbind separator = +
[homes]
valid users = DOM+%S
"

-- 
|
| Joel Franco Guzmán  .''`.
|  self-powered by   : :' :
|   Debian Linux     `. `' 
|                      `- 
On Tue Jul 18 06 18:03, Howard Wilkinson wrote:
> Don,
> 
> you are a genius, this fixed it! Anybody know why?
> 
> Howard.
> 
> Don Meyer wrote:
> 
> >Well, I didn't see the last bit you describe, but I don't run RFC2307 
> >(yet).  We were bitten by very similar behavior when moving from 3.0.22 to 
> >the 3.0.23 RC's.  Turns out that the use-default-domain option is not 
> >being universally applied to groups in 3.0.23.   As soon as I changed 
> >my "valid users = +group" statements to the format "= +domain\group", 
> >then this problem was fixed for us.   Maybe it will do the trick for 
> >you...
> >
> >Cheers,
> >-D
> >
> >
> >At 07:41 AM 7/18/2006, Howard Wilkinson wrote:
> >
> >>I have managed to isolate where the problem is, now I need to work 
> >>out what the problem is?
> >>
> >>I have a group
> >>
> >>cohtech:*:16777225:lesley,howard,ecbull
> >>
> >>in which I am a member - howard.
> >>
> >>I have a
> >>
> >>valid users = +cohtech
> >>
> >>entry in smb.conf for the share I am trying to connect to, I get the 
> >>following reported in the machine.log file -
> >>
> >>zebra.log:  string_to_sid: Sid +cohtech does not start with 'S-'.
> >>
> >>and the users get rejected. If I declare the user directly then 
> >>access is allowed.
> >>
> >>This server gets its group database from the AD controllers via RFC2307.
> >>
> >>Anybody know why group expansion may be broken in 3.0.23?
> >
> >
> >Don Meyer                                           <dlmeyer at uiuc.edu>
> >Network Manager, ACES Academic Computing Facility
> >Technical System Manager, ACES TeleNet System
> >UIUC College of ACES, Information Technology and Communication Services
> >
> >  "They that can give up essential liberty to obtain a little temporary safety,
> >   deserve neither liberty or safety."     -- Benjamin Franklin, 1759
> 
> 
> -- 
> Howard Wilkinson
> Coherent Technology Limited
> 23 Northampton Square, London, United Kingdom, EC1V 0HL
> Phone: +44(20)76907075
> Mobile: +44(7980)639379
> Email: howard at cohtech.com
> 
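A pre-upgrade check for the qualification rule in the release notes quoted above, added here as an example (it is not code from this thread or from Samba): it parses smb.conf, reads the configured winbind separator, and lists every name in a user-list option that carries no separator and is not a known local account, which is exactly what 3.0.23 will try to resolve against the local passdb or /etc/passwd and /etc/group. The smb.conf text, the set of options checked and the local group name srvadmin are constructed assumptions.

```python
"""Audit smb.conf for the rule in the release notes quoted above: a name in a
user-list option without the winbind separator is treated as LOCAL by 3.0.23.
Added example, not Samba code; the config below and the option list are mine."""
import re
USER_LIST_OPTIONS = ("valid users", "invalid users", "read list", "write list",
                     "admin users")   # assumption: the list options to audit
SAMPLE_SMB_CONF = """
[global]
    workgroup = DOM
    winbind separator = +
[restricted]
    valid users = +"DOM+Linux Admins" +srvadmin
[projects]
    ; 3.0.22-era form from the thread: the group comes from AD via RFC2307
    valid users = +cohtech
[homes]
    valid users = %S
"""

def parse_smb_conf(text):
    """Return {section: {option: value}}; keys lowercased, comments skipped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;": continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, _, val = line.partition("=")
            conf[section][" ".join(key.split()).lower()] = val.strip()
    return conf

def split_list(value):
    """Split a Samba name list on whitespace/commas, keeping quoted names whole."""
    return re.findall(r'[+&@]*"[^"]*"|[^\s,]+', value)

def find_unqualified(text, local_names=()):
    """(share, option, entry, is_group) for each name without the separator that
    is not a known local account: 3.0.23 resolves such names as local only."""
    conf = parse_smb_conf(text)
    sep = conf.get("global", {}).get("winbind separator", "\\")
    findings = []
    for share, opts in conf.items():
        for opt in USER_LIST_OPTIONS:
            for entry in split_list(opts.get(opt, "")):
                is_group = entry[0] in "+&@"   # +unix group, &netgroup, @either
                name = entry.lstrip("+&@").strip('"')
                if sep not in name and name not in local_names:
                    findings.append((share, opt, entry, is_group))
    return findings
```

On the constructed config the check reports `+cohtech` in [projects] (the thread's failing group) and the bare `%S` in [homes], while the qualified "DOM+Linux Admins" and the genuinely local srvadmin pass.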

