[Samba] Winbind and groups

simo idra at samba.org
Tue Dec 11 17:53:10 GMT 2007


You are welcome :-)

On Tue, 2007-12-11 at 11:51 -0600, Ben Vaughan wrote:
> And the correct answer is...
> 
> Using a valid users line that looks like this:
> 
>  Valid users = +DOMAIN\group
> 
> Many thanks to "irda" on the #samba IRC channel.
> 
> Ben
> 
> 
> Ben Vaughan
> Globalcom IT Infrastructure Support Team
> bvaughan at global-com.com
> 312 673 4116
> 
> 
> -----Original Message-----
> From: samba-bounces+bvaughan=global-com.com at lists.samba.org [mailto:samba-bounces+bvaughan=global-com.com at lists.samba.org] On Behalf Of Ben Vaughan
> Sent: Tuesday, December 11, 2007 10:30 AM
> To: samba at lists.samba.org
> Subject: [Samba] Winbind and groups
> 
> Hello Friendly Samba People,
> 
> I have a working samba install that allows my AD users access to files on my linux box.  The linux box is configured via Winbind as a domain member and uses Winbind as the local NSS.  I can successfully resolve both users and groups from the AD.  Users are currently able to access the samba shares without trouble.
> 
> I am running into trouble when trying to use groups defined in the AD as "valid users" or ACLs on the linux box.
> 
> Smb.conf:
> [global]
>   security = ADS
>   realm = CORP.CALLGLOBALCOM.COM
>   workgroup = CORP
>   log file = /var/log/samba/%m
>   log level = 2
> 
>   #winbind / AD stuff
>   winbind enum users = Yes
>   winbind enum groups = Yes
>   winbind use default domain = Yes
>   winbind expand groups = 2
>   winbind nss info = rfc2307
>   winbind nested groups = Yes
>   idmap uid range = 1000 - 30000000
>   idmap gid range = 100 - 30000000
>   idmap domains = CORP
>   idmap config CORP:backend = ad
>   idmap config CORP:default = yes
>   idmap config CORP:readonly = yes
> 
> [homes]
> 
> [sysadmins]
>    path = /tmp
>    writeable = yes
>    comment = Globalcom Sysadmins share
>    valid users = @gc_sysadmins
>    create mask = 0775
>    directory mask = 0775
> 
> # getent group gc_sysadmins
> gc_sysadmins:*:10001:bvaughan
> 
> # getent passwd bvaughan
> bvaughan:*:1812:100:Ben Vaughan, IT Systems Overlord:/home/bvaughan:/bin/bash
> 
> When trying to access the [sysadmins] share defined as above, samba logging says this:
> 
> user 'CORP\bvaughan' (from session setup) not permitted to access this share (sysadmins)
> 
> 
> I see the disconnect, the "CORP\bvaughan" that samba sees here, vs the "bvaughan" seen in the group entry.  Is there a way to make these two come together so the "valid users=" line works?
> 
> I am running samba version 3.0.25b-1.el5_1.4 as provided by RedHat.
> 
> Any help would be appreciated.
> 
> Ben
> 
> 
> 
> Ben Vaughan
> Globalcom IT Infrastructure Support Team
> bvaughan at global-com.com
> 312 673 4116
> 
-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Senior Software Engineer at Red Hat Inc. <ssorce at redhat.com>
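
Applied to the [sysadmins] share from the original message, the fix looks like the stanza below. This is an added example, not part of either poster's mail; substituting CORP (the `workgroup` value in the posted smb.conf) for DOMAIN is an assumption.

```ini
[sysadmins]
   path = /tmp
   writeable = yes
   comment = Globalcom Sysadmins share

   # Before: the form that produced the "not permitted to access this
   # share (sysadmins)" log line in the original message. Per smb.conf(5),
   # '@name' is tried as an NIS netgroup first and then as a UNIX group.
   ;valid users = @gc_sysadmins

   # After: '+name' is resolved only through the UNIX group database
   # (NSS getgrnam()), which winbind serves on this host, and the group
   # is qualified with its domain.
   # CORP is assumed from "workgroup = CORP" in the posted [global] section.
   valid users = +CORP\gc_sysadmins

   create mask = 0775
   directory mask = 0775
```

`valid users` is the share's allow-list, so after the change check with `testparm -s` that the parsed value is the domain-qualified group, and confirm that an account outside gc_sysadmins is still refused.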


