[Samba] users via winbind and using @group in smb.conf
Stefan Froehlich
samba at Froehlich.Priv.at
Fri Jan 5 16:25:20 GMT 2007
On Fri, Jan 05, 2007 at 03:50:07PM +0100, Michael Gasch wrote:
> If "private" is a group, you have to add @ in front of the "valid
> users" entry. According to a post of Jerry the syntax with ticks and
> spaces is correct.
Ok, with the right keywords I now found some old threads in the archive
as well as the corresponding piece of samba source code. The correct syntax
should be:
| valid users = +"Unix Group"\private
with the "+" being preferred over the "@". I have changed this in
smb.conf (without any change in the outcome).
> please also increase the debug level on the server side to see why it fails
Increased log level to 4 on both sides (with two important level-10 messages
inserted). PDC side should be easy, as only the user name is validated there.
I think that:
| [2007/01/05 16:37:20, 2] auth/auth.c:check_ntlm_password(305)
| check_ntlm_password: authentication for user [sfroehli] -> [sfroehli] -> [sfroehli] succeeded
...is enough. There is a _lot_ of rubbish afterwards, with LSA_LOOKUPSIDS,
SAMR_OPEN_USER and other commands (which are far beyond my scope of
understanding). If this could be helpful, I can post it as well.
The Samba-Server side at first succeeds in authenticating the user name and
then fails to resolve the group:
1| [2007/01/05 16:37:21, 3] smbd/password.c:register_vuid(301)
2| UNIX uid 100 is UNIX user SYNTH\sfroehli, and will be vuid 101
3| [2007/01/05 16:37:21, 3] smbd/password.c:register_vuid(332)
4| Adding homes service for user 'SYNTH\sfroehli' using home directory: '/home/sfroehli'
5| [2007/01/05 16:37:21, 3] smbd/process.c:process_smb(1110)
6| Transaction 3 of length 94
7| [2007/01/05 16:37:21, 3] smbd/process.c:switch_message(914)
8| switch message SMBtconX (pid 24649) conn 0x0
9| [2007/01/05 16:37:21, 3] smbd/sec_ctx.c:set_sec_ctx(241)
10| setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
11| [2007/01/05 16:37:21, 4] smbd/reply.c:reply_tcon_and_X(668)
12| Client requested device type [?????] for share [PRIVATE]
13| [2007/01/05 16:37:21, 3] lib/access.c:check_access(312)
14| check_access: no hostnames in host allow/deny list.
15| [2007/01/05 16:37:21, 2] lib/access.c:check_access(323)
16| Allowed connection from (192.168.1.250)
17| [2007/01/05 16:37:21, 3] lib/util_sid.c:string_to_sid(223)
18| string_to_sid: Sid +Unix Group\private does not start with 'S-'.
19| [2007/01/05 16:54:23, 10] passdb/lookup_sid.c:lookup_name(64)
20| lookup_name: Unix Group\private => Unix Group (domain), private (name)
21| [2007/01/05 16:54:23, 10] smbd/share_access.c:user_ok_token(208)
22| User SYNTH\sfroehli not in 'valid users'
23| [2007/01/05 16:37:21, 2] smbd/service.c:make_connection_snum(571)
24| user 'SYNTH\sfroehli' (from session setup) not permitted to access this share (private)
25| [2007/01/05 16:37:21, 3] smbd/error.c:error_packet(146)
26| error packet at smbd/reply.c(676) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
I'd guess that line 20 is still doing what I want it to: the group is identified
as a unix group and the name is correct. Unfortunately there are no more
debug messages (not even with level 10) until the denial message in line 22. If
I issue groups(1) on the command line then "private" is found - but I
can only guess what samba is doing (or expecting) to resolve the group
membership: log line 20 is emitted from passdb/lookup_sid.c; afterwards there
are some tests against the domain name etc., which - in my opinion - should succeed
here:
[passdb/lookup_sid.c:110]
| if (strequal(domain, unix_groups_domain_name())) {
|     if (lookup_unix_group_name(name, &sid)) {
|         type = SID_NAME_DOM_GRP;
|         goto ok;
|     }
|     goto failed;
| }
lookup_unix_group_name() is not much more than a call to getgrnam(5) after all,
which is what I have successfully done on the cmd line by calling groups(1).
Bye,
Stefan
--
http://kontaktinser.at/
Contact exchange for Austria - free and non-commercial
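As an added example, not code from the original post or from Samba itself, the following Python model shows how a `valid users` value such as `+"Unix Group"\private` is tokenised and matched against a user, following the prefix rules documented in smb.conf(5): `+` means UNIX group only, `&` means NIS netgroup only, `@` means NIS netgroup first and then UNIX group, and an unprefixed token is a user name. The group tables, the `UNIX_GROUPS_DOMAIN` constant and the `user_ok` helper are constructed for the example; they stand in for getgrnam(3)/getpwnam(3) so an administrator can check offline which entry should admit which user before raising the debug level.

```python
# Added example, not Samba code: simplified model of "valid users" parsing
# and matching. Group data below is constructed inline so it runs offline.
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for getgrnam(3), getpwnam(3) and innetgr(3).
UNIX_GROUPS = {"private": {"sfroehli", "alice"}, "staff": {"bob"}}
PRIMARY_GROUP = {"sfroehli": "users", "alice": "users", "bob": "staff"}
NIS_NETGROUPS: dict = {}                  # no NIS on this box
UNIX_GROUPS_DOMAIN = "Unix Group"         # pseudo-domain seen in log line 20

PREFIXES = {"+": "unix_group", "&": "netgroup", "@": "group_any"}


@dataclass(frozen=True)
class Entry:
    kind: str               # "user", "unix_group", "netgroup" or "group_any"
    domain: Optional[str]   # part before the first backslash, if any
    name: str


def split_entries(value: str) -> list:
    """Split on whitespace or commas outside double quotes; quotes are dropped,
    so "Unix Group" survives as one word with its space."""
    entries, cur, in_quote = [], "", False
    for ch in value:
        if ch == '"':
            in_quote = not in_quote
        elif ch in " \t," and not in_quote:
            if cur:
                entries.append(cur)
            cur = ""
        else:
            cur += ch
    if in_quote:
        raise ValueError("unbalanced quote in valid users")
    if cur:
        entries.append(cur)
    return entries


def parse_valid_users(value: str) -> list:
    """Turn the raw smb.conf value into Entry objects."""
    out = []
    for raw in split_entries(value):
        kind = PREFIXES.get(raw[0], "user")
        body = raw[1:] if kind != "user" else raw
        domain, sep, name = body.partition("\\")
        if not sep:                       # no backslash: whole token is the name
            domain, name = None, body
        out.append(Entry(kind, domain, name))
    return out


def unix_members(group: str) -> set:
    """Members of a UNIX group, including users whose primary group it is
    (Samba's token also carries the primary gid)."""
    members = set(UNIX_GROUPS.get(group, set()))
    members |= {u for u, g in PRIMARY_GROUP.items() if g == group}
    return members


def user_ok(user: str, entries: list) -> tuple:
    """Return (allowed, reason), echoing the wording of log line 22."""
    for e in entries:
        if e.kind == "user":
            if e.name == user:
                return True, f"matched user entry {e.name}"
            continue
        if e.domain is not None and e.domain != UNIX_GROUPS_DOMAIN:
            continue   # a real NT domain would go to winbind; not modelled here
        if e.kind in ("netgroup", "group_any") and user in NIS_NETGROUPS.get(e.name, set()):
            return True, f"member of netgroup {e.name}"
        if e.kind in ("unix_group", "group_any") and user in unix_members(e.name):
            return True, f"member of UNIX group {e.name}"
    return False, f"User {user} not in 'valid users'"


if __name__ == "__main__":
    entries = parse_valid_users('+"Unix Group"\\private')
    for u in ("sfroehli", "bob"):
        print(u, user_ok(u, entries))
```

Running it shows that, against the constructed tables, the entry from the post admits `sfroehli` through the UNIX group and denies `bob` with the same wording as log line 22; swapping the tables for real getgrnam/getpwnam calls would make it a quick local sanity check of the `valid users` line before involving winbind.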