[Samba] Option valid user not expanded for groups

Tiucra-Popa Florin Catalin popa_c at yahoo.com
Mon Apr 30 06:22:48 GMT 2007


Hi Cleber,

I joined an old version of Samba (Version 3.0.20b, 1 year ago) and there was no need to create/recreate mappings.
Unfortunately the winbind_idmap.tdb for that machine is for another Domain Controller and I cannot populate the TPDCBR.

Take a look at the old samba machine idmap:
root at node01 / # /opt/freeware/samba/bin/net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Domain Admins (S-1-5-21-2871169248-3070897773-91520546-512) -> -1
Guests (S-1-5-32-546) -> -1
Domain Users (S-1-5-21-2871169248-3070897773-91520546-513) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Guests (S-1-5-21-2871169248-3070897773-91520546-514) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

Creating the group mapping manually is not helpful because from time to time new groups are created in AD.
Is there another way to map groups/users?

Thanx,
FlorinT

----- Original Message ----
From: Cleber P. de Souza <cleberps at gmail.com>
To: Tiucra-Popa Florin Catalin <popa_c at yahoo.com>
Cc: sambalist <samba at lists.samba.org>
Sent: Monday, April 30, 2007 5:49:13 AM
Subject: Re: [Samba] Option valid user not expanded for groups


You do need to create the LDAP group for Samba using the built-in SIDs
for these internal groups, or create a new one for the others, and set the
group mappings.


On 4/29/07, Tiucra-Popa Florin Catalin <popa_c at yahoo.com> wrote:
> Hi again,
>
> Command net groupmap shows:
>
> root at node05 /samba/var/log #/samba/bin/net groupmap list
> Administrators (S-1-5-32-544) -> BUILTIN+administrators
> Users (S-1-5-32-545) -> BUILTIN+users
>
> The browsing is working ok for users, but is not working for groups.
>
> FlorinT
>
>  ----- Original Message ----
> From: Cleber P. de Souza <cleberps at gmail.com>
> To: Tiucra-Popa Florin Catalin <popa_c at yahoo.com>
> Cc: sambalist <samba at lists.samba.org>
> Sent: Saturday, April 28, 2007 6:15:55 PM
> Subject: Re: [Samba] Option valid user not expanded for groups
>
>
> Is your 'net groupmap' set properly for this domain?
>
>
> On 4/27/07, Tiucra-Popa Florin Catalin <popa_c at yahoo.com> wrote:
> > Hi,
> >
> > I have an AIX 5.3 machine with Samba 3.0.24c joined to a Windows 2003 ADS server OK.
> > I can request basic information, user lookup, domain lookup (wbinfo, id, net groupmap).
> >
> > When I want to access the share \\node05\brom from a Windows station I receive a password popup window.
> >
> > In the Samba log for that machine I found:
> >
> > [2007/04/27 10:48:27, 2] auth/auth.c:check_ntlm_password(319)
> >   check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
> > [2007/04/27 10:48:28, 2] auth/auth.c:check_ntlm_password(319)
> >   check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
> > [2007/04/27 10:48:29, 2] smbd/sesssetup.c:setup_new_vc_session(799)
> >   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
> > [2007/04/27 10:48:29, 2] smbd/sesssetup.c:setup_new_vc_session(799)
> >   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
> > [2007/04/27 10:48:29, 2] auth/auth.c:check_ntlm_password(309)
> >   check_ntlm_password:  authentication for user [node05] -> [node05] -> [TPDCBR+node05] succeeded
> > [2007/04/27 10:48:29, 2] smbd/service.c:make_connection_snum(580)
> >   user 'TPDCBR+node05' (from session setup) not permitted to access this share (brom)
> > [2007/04/27 10:48:53, 2] auth/auth.c:check_ntlm_password(319)
> >   check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
> > [2007/04/27 10:48:53, 2] smbd/sesssetup.c:setup_new_vc_session(799)
> >   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
> > [2007/04/27 10:48:53, 2] smbd/sesssetup.c:setup_new_vc_session(799)
> >   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
> > [2007/04/27 10:48:53, 2] auth/auth.c:check_ntlm_password(309)
> >   check_ntlm_password:  authentication for user [node05] -> [node05] -> [TPDCBR+node05] succeeded
> > [2007/04/27 10:48:53, 2] smbd/service.c:make_connection_snum(580)
> >   user 'TPDCBR+node05' (from session setup) not permitted to access this share (brom)
> >
> > My smb.conf looks like:
> >
> > [global]
> > unix charset = LOCALE
> > workgroup = TPDCBR
> > realm = TPDCBR.ROM
> > netbios name = NODE05
> > dns proxy = No
> > server string = NODE05 AIX
> > security = ads
> > password server = 10.99.0.4
> > encrypt passwords = yes
> > name resolve order = host
> > log level = 10
> > syslog = 0
> > username map = /samba/private/smbusers
> > log file = /samba/var/log/%m
> > max log size = 5000
> > ldap ssl = no
> > winbind uid = 10000-59999
> > winbind gid = 10000-59999
> > idmap uid = 10000-60000
> > idmap gid = 10000-60000
> > template shell = /bin/ksh
> > winbind use default domain = Yes
> > winbind enum users = Yes
> > winbind enum groups = Yes
> > winbind nested groups = Yes
> > winbind separator = +
> > auth methods = winbind
> > acl compatibility = win2k
> > winbind cache time = 10
> > bind interfaces only = yes
> > client use spnego = no
> > socket address = 10.99.0.201
> > allow trusted domains = no
> > #use kerberos keytab = yes
> > socket options = TCP_NODELAY
> > #map acl inherit = Yes
> > [brom]
> > comment = inhouse brom
> > path = /u09/inhouse/brom
> > read only = No
> > browseable = yes
> > #valid users =@"Computers", @"domain users"
> > valid users = @"domain users"
> > create mask = 0777
> > directory mask = 0777
> > force create mode = 0777
> > force directory mode = 0777
> >
> >
> > I also made a test with only one user valid like this:
> > valid users = TPDCBR.ROM+node05
> > and this is working ok.
> >
> > Thank you.
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Tired of spam?  Yahoo! Mail has the best spam protection around
> > http://mail.yahoo.com
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/listinfo/samba
> >
>
>
> --
> ***
> Cleber P. de Souza
>
>


-- 
***
Cleber P. de Souza

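An added example (not code from this thread or from the Samba project) that works through the two pieces of evidence posted above: the level-2 smbd log and the "net groupmap list" output. Both sample inputs are constructed from the lines posted in the thread. The first helper summarises the log, separating the empty-user NO_SUCH_USER failures (the client's anonymous attempt before it sends credentials) from the successful session setup and the share denial, and pulls out the user name exactly as winbind presented it. The second parses the "valid users" value using the @"name with spaces" list syntax seen in the posted smb.conf, looks each @group up in the groupmap output (assumed to keep the "Name (SID) -> unixgroup" layout shown in the thread), and reports entries with "-> -1" or no entry at all. The script deliberately does not shell out to net, wbinfo or getent; run it against the real "net groupmap list" output, and remember that @group matching in "valid users" ultimately depends on the name resolving to a Unix group through NSS, so follow up with getent group "domain users" on the server.

```shell
#!/bin/sh
# Added example for this thread; not code from the original post or from Samba.
# Two helpers:
#   smbd_access_summary  reads level-2 smbd log lines on stdin and reports anonymous
#                        (empty user) failures, successful session setups and share denials
#   groupmap_check       takes a "valid users" value and "net groupmap list" output and
#                        reports every @group that has no Unix group in the groupmap
# All sample data below is constructed from the lines posted in the thread.

# Constructed sample: one client connection sequence from the posted smbd log.
SAMPLE_LOG=$(cat <<'EOF'
[2007/04/27 10:48:27, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
[2007/04/27 10:48:29, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [node05] -> [node05] -> [TPDCBR+node05] succeeded
[2007/04/27 10:48:29, 2] smbd/service.c:make_connection_snum(580)
  user 'TPDCBR+node05' (from session setup) not permitted to access this share (brom)
EOF
)

# Constructed sample: a subset of the posted "net groupmap list" output. "-> -1" means the
# Windows group is known by SID but has no Unix group; "-> BUILTIN+users" is a mapped group.
GROUPMAP_OUTPUT=$(cat <<'EOF'
Domain Admins (S-1-5-21-2871169248-3070897773-91520546-512) -> -1
Domain Users (S-1-5-21-2871169248-3070897773-91520546-513) -> -1
Administrators (S-1-5-32-544) -> BUILTIN+administrators
Users (S-1-5-32-545) -> BUILTIN+users
EOF
)

# Summarise smbd log lines read from stdin. Output: "anonymous_failed N", "succeeded N",
# then one "denied USER SHARE" line per share-access denial.
smbd_access_summary() {
    awk '
    { sub(/[ \t\r]+$/, "") }                                # drop trailing whitespace
    /Authentication for user \[\] -> \[\] FAILED/ { anon++ }  # empty user: anonymous attempt
    /authentication for user .* succeeded$/      { ok++ }
    /not permitted to access this share/ {
        u = $2; q = sprintf("%c", 39); gsub(q, "", u)        # second token is the quoted user
        s = $NF; gsub(/[()]/, "", s)                         # last token is "(share)"
        denied = denied "denied " u " " s "\n"
    }
    END { printf "anonymous_failed %d\nsucceeded %d\n%s", anon, ok, denied }'
}

# Print one group name per line for each @group entry in a "valid users" value.
# Handles @"name with spaces" and bare @name; plain user names are ignored.
parse_valid_users() {
    printf '%s\n' "$1" | awk '
    {
        s = $0
        while (match(s, /@("[^"]*"|[^ ,]+)/)) {
            g = substr(s, RSTART + 1, RLENGTH - 1)
            gsub(/"/, "", g)
            print g
            s = substr(s, RSTART + RLENGTH)
        }
    }'
}

# Look one Windows group name up (case-insensitively) in "net groupmap list" output on stdin.
# Prints the mapped Unix group, "-1" when listed but unmapped, or "absent" when not listed.
groupmap_status() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    {
        line = $0; sub(/[ \t\r]+$/, "", line)
        if (!match(line, / \(S-1-[0-9-]+\) -> /)) next       # "Name (SID) -> unixgroup"
        name = tolower(substr(line, 1, RSTART - 1))
        unix = substr(line, RSTART + RLENGTH)
        if (name == want) { print unix; found = 1; exit }
    }
    END { if (!found) print "absent" }'
}

# $1 = "valid users" value, $2 = "net groupmap list" output. Prints "group -> status" per
# @group and returns non-zero if any group is unmapped (-1) or absent from the groupmap.
groupmap_check() {
    bad=0
    while IFS= read -r g; do
        [ -n "$g" ] || continue
        status=$(printf '%s\n' "$2" | groupmap_status "$g")
        printf '%s -> %s\n' "$g" "$status"
        case $status in
            -1|absent) bad=$((bad + 1)) ;;
        esac
    done <<EOF
$(parse_valid_users "$1")
EOF
    [ "$bad" -eq 0 ]
}

# Demo run against the constructed data.
printf '%s\n' "$SAMPLE_LOG" | smbd_access_summary
groupmap_check '@"domain users"' "$GROUPMAP_OUTPUT" \
    || echo "at least one @group in valid users has no Unix group in the groupmap"
```

To use it on the server, feed the real data in place of the constructed samples: `smbd_access_summary < /samba/var/log/<client>` and `groupmap_check "$(testparm -s -v --section-name brom 2>/dev/null | sed -n 's/^[[:space:]]*valid users = //p')" "$(net groupmap list)"`. The testparm and net invocations are assumed to be available on the box; the script itself only needs sh and awk.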