[Samba] users via winbind and using @group in smb.conf

Stefan Froehlich samba at Froehlich.Priv.at
Thu Jan 4 12:14:13 GMT 2007


On Thu, Dec 28, 2006 at 11:10:58AM -0600, James A. Dinkel wrote:
> > I have two samba servers, A is configured as a PDC, B offers some
> > additional shares. B is getting usernames and passwords via winbind
> > from A [...]

> > This is basically working fine, local ssh login is ok, getent shows
> > all remote users and passwords.

> > Now B needs to define some additional, local groups containing the
> > names of remote users. In /etc/group the usernames have been added
> > (without the DOMAIN\ prefix, as "use default domain" is set). On the
> > command line, this is working as well ("groups" does show the local
> > group for the remote users).

> > But what does NOT work is to assign a samba share on B to this local
> > group. I tried

> > | valid users = @group

> > as well as
 
> > | valid users = @DOMAIN\group
 
> > but both ways all I get is NT_STATUS_ACCESS_DENIED.

> > How do I have to write this in order to get access for remote group
> > members in a locally defined group?
 
> I don't see anything wrong with the little bit you've posted.  You
> might post your entire smb.conf.


No problem, here you are:

| hosts allow = 192.168.1. 127.
| interfaces = eth0
| security = domain
| socket options = TCP_NODELAY
| remote announce = 192.168.1.255
| netbios name = SERVERB
| workgroup = DOMAIN
| os level = 0
| preferred master = no
| domain master = no
| local master = no
| 
| idmap uid = 100-999
| idmap gid = 100-999
| template homedir = /home/%U
| template shell = /bin/bash
| winbind enum users = yes
| winbind enum groups = yes
| wins server = servera.domain.intern
| wins support = no
| password server = servera.synth.intern
| passdb backend = tdbsam
| winbind use default domain = yes
| 
| dns proxy = yes
| encrypt passwords = yes
| null passwords = no
| password level = 0
| deadtime = 0
| nt acl support = no
| 
| [private]
|         path = /var/smb/backupset/private
|         read only = No
|         guest ok = No
|         # valid users = @private
|         valid users = DOMAIN\pt, DOMAIN\rl, jr 
|         hosts allow = 192.168.1.0/24

The active "valid users" line is working perfectly fine, but not what
we actually want. The commented "valid users" line does not work
however. @private is defined in /etc/group:

| private:x:504:rl,pt,jr


Ciao,
   Stefan

-- 
http://kontaktinser.at/
Kontaktbörse für Österreich - kostenlos und unkommerziell
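
One check an administrator could run against the configuration quoted above, as an added example that is not part of the original message: the smb.conf manual page says the idmap ranges should contain no existing local IDs, and the local group private has GID 504, inside idmap gid = 100-999. The "users" and "staff" group lines and the function names are constructed for illustration; the page does not establish whether this overlap is related to the reported NT_STATUS_ACCESS_DENIED.

```python
import re

# Settings quoted in the message above; the "users" and "staff" group lines
# are constructed sample data, only "private" comes from the post.
SMB_CONF = """\
[global]
idmap uid = 100-999
idmap gid = 100-999
winbind use default domain = yes
"""
GROUP_FILE = """\
root:x:0:
users:x:100:
private:x:504:rl,pt,jr
staff:x:1001:jr
"""

def idmap_range(conf_text, key):
    """Return (low, high) for an 'idmap uid' / 'idmap gid' line, else None."""
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # smb.conf comment line
        name, sep, value = line.partition("=")
        # Parameter names ignore case and extra whitespace.
        if sep and " ".join(name.split()).lower() == key:
            m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
            if m:
                return int(m.group(1)), int(m.group(2))
    return None

def local_groups_in_range(group_text, id_range):
    """List (name, gid, members) of local groups whose GID is in id_range."""
    low, high = id_range
    hits = []
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not fields[2].isdigit():
            continue  # skip malformed or NIS compat (+/-) entries
        gid = int(fields[2])
        if low <= gid <= high:
            hits.append((fields[0], gid, [m for m in fields[3].split(",") if m]))
    return hits

if __name__ == "__main__":
    gid_range = idmap_range(SMB_CONF, "idmap gid")
    for name, gid, members in local_groups_in_range(GROUP_FILE, gid_range):
        print(f"local group {name} (gid {gid}) lies inside idmap gid "
              f"{gid_range[0]}-{gid_range[1]}; members: {members}")
```
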

