[Samba] Valid users directive

Gary Dale garydale at torfree.net
Wed May 24 16:31:16 GMT 2006


Gary Dale wrote:

> Nicolas Kassis wrote:
>
>> ---------- Forwarded message ----------
>> From: Nicolas Kassis <nic.kassis at gmail.com>
>> Date: May 23, 2006 11:49 PM
>> Subject: Re: [Samba] Valid users directive
>> To: gary at extremeground.com
>>
>> Gary Dale wrote:
>>
>>> Nicolas Kassis wrote:
>>>
>>>> Hi Everyone
>>>>
>>>> I'm new to samba and I have been trying in vain to find a solution to
>>>> this problem. I am setting up a linux samba server as a domain member
>>>> server. It is part of the MAINT workgroup. Winbind and Samba
>>>> authenticate correctly. The issue arises when I try to limit the
>>>> users who are allowed to use my share folder.
>>>>
>>>> Most of the information I have looked up seems to say that I should set
>>>> up the Valid Users directive like this :
>>>>
>>>> valid users  = '@MAINT\nkassis', '@MAINT\aburns'
>>>>
>>>> Of course this doesn't work. Can anyone point me to a place where I
>>>> can find information about this or any in-depth explanation of how to
>>>> define users in this directive ?
>>>>
>>>> Nic
>>>>
>>>>
>>>>
>>>>
>>> If you look in the smb.conf man page, you will find (under invalid
>>> users) the following:
>>> >>>>>>>>>>>>
>>>
>>> A name starting with a '@' is interpreted as an NIS netgroup first (if
>>> your system supports NIS), and then as a UNIX group if the name was
>>> not found in the NIS netgroup database.
>>>
>>> A name starting with '+' is interpreted only by looking in the UNIX
>>> group database. A name starting with '&' is interpreted only by
>>> looking in the NIS netgroup database (this requires NIS to be working
>>> on your system). The characters '+' and '&' may be used at the start
>>> of the name in either order so the value +&group means check the
>>> UNIX group database, followed by the NIS netgroup database, and the
>>> value &+group means check the NIS netgroup database, followed by
>>> the UNIX group database (the same as the '@' prefix).
>>>
>>> <<<<<<<<<<<<<<
>>>
>>> Since NIS is not being used, your valid users group has to be the
>>> Unix/Linux group that the Domain group maps to.
>>>
>>>
>>>
>> From what I understand the Group they belong to is Domain Users but
>> specifying the following +Domain Users and also trying again using
>> quotes around it is still incorrect. One thing I should mention. When I
>> list the users with the command wbinfo -u the users are listed only by
>> their user name not with the domain like this: MAINT\nkassis is this
>> correct ?
>>
>> Nic
>>
>>
> You're not listening.  :)
>
> "Domain users" is a Windows group. It should be mapped to a local Unix 
> group. The local Unix group is what you put in smb.conf.
>

I didn't set the behaviour. I just read the documentation.    :)

I don't know why smb.conf expects the Unix group instead of doing a 
lookup, but I'm sure there's a good reason. The Samba developers know a 
lot more about this than I do and they are very, very good at it.
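
The prefix rules quoted from the smb.conf man page in this thread, as a small model (an added example, not part of the original message and not Samba source code). The group names, members and in-memory databases are constructed samples, and name matching is simplified to exact comparison.

```python
# Model of the '@', '+' and '&' prefix rules quoted from the smb.conf man page.
# Assumption: both group databases are constructed in-memory samples.
UNIX_GROUPS = {"maintusers": {"nkassis", "aburns"}}  # hypothetical local UNIX group
NIS_NETGROUPS = {"labusers": {"jdoe"}}               # hypothetical NIS netgroup


def lookup_order(entry):
    """Split one list entry into (name, databases searched in order)."""
    if entry.startswith("@"):
        return entry[1:], ["nis", "unix"]   # NIS netgroup first, then UNIX group
    order = []
    while entry[:1] in ("+", "&") and len(order) < 2:
        db = "unix" if entry[0] == "+" else "nis"
        if db in order:                     # a repeated prefix is part of the name
            break
        order.append(db)
        entry = entry[1:]
    return entry, order                     # empty order means a plain user name


def group_members(name, order, unix_groups, netgroups):
    """Return members from the first database in 'order' that knows the name."""
    databases = {"unix": unix_groups, "nis": netgroups}
    for db in order:
        if name in databases[db]:
            return databases[db][name]
    return None                             # no such group in any searched database


def is_valid_user(user, entries, unix_groups=UNIX_GROUPS, netgroups=NIS_NETGROUPS):
    """True if 'user' is named directly or belongs to a listed group."""
    for entry in entries:
        name, order = lookup_order(entry)
        if not order:
            if name == user:
                return True
            continue
        members = group_members(name, order, unix_groups, netgroups)
        if members and user in members:
            return True
    return False


if __name__ == "__main__":
    # The Windows group name is not in the UNIX group database, so it matches nobody.
    print(is_valid_user("nkassis", ["+Domain Users"]))  # False
    # The local UNIX group (hypothetical name) is found by the '+' lookup.
    print(is_valid_user("nkassis", ["+maintusers"]))    # True
```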


