[Samba] Winbind and groups

Ben Vaughan bvaughan at global-com.com
Tue Dec 11 17:51:32 GMT 2007

And the correct answer is...

Using a valid users line that looks like this:

 Valid users = +DOMAIN\group

Many thanks to "irda" on the #samba IRC channel.


Ben Vaughan
Globalcom IT Infrastructure Support Team
bvaughan at global-com.com
312 673 4116

-----Original Message-----
From: samba-bounces+bvaughan=global-com.com at lists.samba.org [mailto:samba-bounces+bvaughan=global-com.com at lists.samba.org] On Behalf Of Ben Vaughan
Sent: Tuesday, December 11, 2007 10:30 AM
To: samba at lists.samba.org
Subject: [Samba] Winbind and groups

Hello Friendly Samba People,

I have a working samba install that allows my AD users access to files on my linux box.  The linux box is configured via Winbind as a domain member and uses Winbind as the local NSS.  I can successfully resolve both users and groups from the AD.  Users are currently able to access the samba shares without trouble.

I am running into trouble when trying to use groups defined in the AD as "valid users" or ACLs on the linux box.

[global]
  security = ADS
  workgroup = CORP
  log file = /var/log/samba/%m
  log level = 2

  #winbind / AD stuff
  winbind enum users = Yes
  winbind enum groups = Yes
  winbind use default domain = Yes
  winbind expand groups = 2
  winbind nss info = rfc2307
  winbind nested groups = Yes
  idmap uid range = 1000 - 30000000
  idmap gid range = 100 - 30000000
  idmap domains = CORP
  idmap config CORP:backend = ad
  idmap config CORP:default = yes
  idmap config CORP:readonly = yes


[sysadmins]
   path = /tmp
   writeable = yes
   comment = Globalcom Sysadmins share
   valid users = @gc_sysadmins
   create mask = 0775
   directory mask = 0775

# getent group gc_sysadmins

# getent passwd bvaughan
bvaughan:*:1812:100:Ben Vaughan, IT Systems Overlord:/home/bvaughan:/bin/bash

When trying to access the [sysadmins] share defined as above, samba logging says this:

user 'CORP\bvaughan' (from session setup) not permitted to access this share (sysadmins)

I see the disconnect, the "CORP\bvaughan" that samba sees here, vs the "bvaughan" seen in the group entry.  Is there a way to make these two come together so the "valid users=" line works?

I am running samba version 3.0.25b-1.el5_1.4 as provided by RedHat.

Any help would be appreciated.


Ben Vaughan
Globalcom IT Infrastructure Support Team
bvaughan at global-com.com
312 673 4116
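
A lint for the fix reported in this thread, as an added example that is not part of the original messages: it scans smb.conf text and reports group entries in user-list parameters that carry no DOMAIN\ qualifier. The sample configuration, the [fixed] share and the function names are constructed for illustration, and the default winbind separator (\) is assumed.

```python
import re

# Constructed sample: the share from the thread plus a hypothetical corrected one.
SAMPLE_CONF = """\
[global]
  security = ADS
  workgroup = CORP

[sysadmins]
  path = /tmp
  valid users = @gc_sysadmins

[fixed]
  path = /srv/fixed
  valid users = +CORP\\gc_sysadmins, bvaughan
"""

GROUP_PREFIXES = "@+&"  # prefixes smb.conf accepts for group entries in user lists
USER_LIST_KEYS = {"valid users", "invalid users", "read list",
                  "write list", "admin users"}

def parse_shares(text):
    """Return {section: {normalised key: value}} for smb.conf-style text."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = shares.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return shares

def unqualified_groups(text):
    """List (share, parameter, entry) for group entries lacking DOMAIN\\."""
    findings = []
    for share, params in parse_shares(text).items():
        for key in USER_LIST_KEYS & params.keys():
            # Entries are comma/space separated; quoted names may hold spaces.
            for token in re.findall(r'(?:"[^"]*"|[^,\s"])+', params[key]):
                token = token.replace('"', "")
                name = token.lstrip(GROUP_PREFIXES)
                if token != name and "\\" not in name:
                    findings.append((share, key, token))
    return sorted(findings)

if __name__ == "__main__":
    for share, key, entry in unqualified_groups(SAMPLE_CONF):
        print(f"[{share}] {key}: {entry} has no DOMAIN\\ qualifier")
```
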

