[Samba] Valid users directive

Gary Dale garydale at torfree.net
Wed May 24 13:40:33 GMT 2006 

Nicolas Kassis wrote:

> ---------- Forwarded message ----------
> From: Nicolas Kassis <nic.kassis at gmail.com>
> Date: May 23, 2006 11:49 PM
> Subject: Re: [Samba] Valid users directive
> To: gary at extremeground.com
>
> Gary Dale wrote:
>
>> Nicolas Kassis wrote:
>>
>>> Hi Everyone
>>>
>>> I'm new to samba and I have been trying in vein to find a solution to
>>> this problem. I am setting up a linux samba server as a domain member
>>> server. It is part of the MAINT workgroup. Winbind and Samba
>>> authenticate correctly. The issue arises when I try to limit the
>>> users who are allowed to use a my share folder.
>>>
>>> Most of the information I have lookup seem to say that I should set
>>> up the Valid Users directive like this :
>>>
>>> valid users  = '@MAINT\nkassis', '@MAINT\aburns'
>>>
>>> Of course this dosen't work. Can anyone point me to a place where I
>>> can find information about this or any indepth explanation of how to
>>> define users in this directive ?
>>>
>>> Nic
>>>
>>>
>>>
>>>
>> If you look in the smb.conf man page, you will find (under invalid
>> users) the following:
>> >>>>>>>>>>>>
>>
>> A name starting with a '@' is interpreted as an NIS netgroup first (if
>> your system supports NIS), and then as a UNIX group if the name was
>> not found in the NIS netgroup database.
>>
>> A name starting with '+' is interpreted only by looking in the UNIX
>> group database. A name starting with '&' is interpreted only by
>> looking in the NIS netgroup database (this requires NIS to be working
>> on your system). The characters '+' and '&' may be used at the start
>> of the name in either order so the value /|+&group|/ means check the
>> UNIX group database, followed by the NIS netgroup database, and the
>> value /|&+group|/ means check the NIS netgroup database, followed by
>> the UNIX group database (the same as the '@' prefix).
>>
>> <<<<<<<<<<<<<<
>>
>> Since NIS not being used, your valid users group has to be the
>> Unix/Linux group that the Domain group maps to.
>>
>>
>>
>> From what I understand the Group they belong to is Domain Users but
>
> specifying the following +Domain Users and  also trying again using
> quotes around it is still incorrect. One thing I should mention. When I
> list the users with the command wbinfo -u the users are listed only by
> theyre users name not with the domain like this: MAINT\nkassis is this
> correct ?
>
> Nic
>
>
You're not listening.  :)

"Domain users" is a Windows group. It should be mapped to a local Unix 
group. The local Unix group is what you put in smb.conf.

More information about the samba mailing list