[Samba] users via winbind and using @group in smb.conf
Michael Gasch
gasch at eva.mpg.de
Fri Jan 5 18:42:52 GMT 2007
Since I'm not the Samba expert, my last attempt: could you please try
valid users = +NAME_OF_FILESERVER\private
?
Maybe Samba then accepts the domain of the file server (local SAM) as a
lookup into local groups.
It must work since Samba also works correctly with nested groups, which
can IMHO be compared to this scenario...can't it?
greez
Stefan Froehlich wrote:
> On Fri, Jan 05, 2007 at 03:50:07PM +0100, Michael Gasch wrote:
>> if "private" is a group, you have to add @ in front of the "valid
>> users" entry. according to a post of jerry the syntax with ticks and
>> spaces is correct.
>
> Ok, with the right keywords I now found some old threads in the archive
> as well as the corresponding piece of samba source code. The correct syntax
> should be:
>
> | valid users = +"Unix Group"\private
>
> with the "+" being preferred over the "@". I have changed this in
> smb.conf (without any change in the outcome).
>
>> please also increase the debug level on the server side to see why it fails
>
> Increased log level to 4 on both sides (with two important level-10 messages
> inserted). PDC side should be easy, as only the user name is validated there.
> I think that:
>
> | [2007/01/05 16:37:20, 2] auth/auth.c:check_ntlm_password(305)
> | check_ntlm_password: authentication for user [sfroehli] -> [sfroehli] -> [sfroehli] succeeded
>
> ...is enough. There is a _lot_ of rubbish afterwards, with LSA_LOOKUPSIDS,
> SAMR_OPEN_USER and other commands (which are far beyond my scope of
> understanding). If this could be helpful, I can post it as well.
>
> The Samba-Server side at first succeeds in authenticating the user name and
> then fails to resolve the group:
>
> 1| [2007/01/05 16:37:21, 3] smbd/password.c:register_vuid(301)
> 2| UNIX uid 100 is UNIX user SYNTH\sfroehli, and will be vuid 101
> 3| [2007/01/05 16:37:21, 3] smbd/password.c:register_vuid(332)
> 4| Adding homes service for user 'SYNTH\sfroehli' using home directory: '/home/sfroehli'
> 5| [2007/01/05 16:37:21, 3] smbd/process.c:process_smb(1110)
> 6| Transaction 3 of length 94
> 7| [2007/01/05 16:37:21, 3] smbd/process.c:switch_message(914)
> 8| switch message SMBtconX (pid 24649) conn 0x0
> 9| [2007/01/05 16:37:21, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> 10| setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> 11| [2007/01/05 16:37:21, 4] smbd/reply.c:reply_tcon_and_X(668)
> 12| Client requested device type [?????] for share [PRIVATE]
> 13| [2007/01/05 16:37:21, 3] lib/access.c:check_access(312)
> 14| check_access: no hostnames in host allow/deny list.
> 15| [2007/01/05 16:37:21, 2] lib/access.c:check_access(323)
> 16| Allowed connection from (192.168.1.250)
> 17| [2007/01/05 16:37:21, 3] lib/util_sid.c:string_to_sid(223)
> 18| string_to_sid: Sid +Unix Group\private does not start with 'S-'.
> 19| [2007/01/05 16:54:23, 10] passdb/lookup_sid.c:lookup_name(64)
> 20| lookup_name: Unix Group\private => Unix Group (domain), private (name)
> 21| [2007/01/05 16:54:23, 10] smbd/share_access.c:user_ok_token(208)
> 22| User SYNTH\sfroehli not in 'valid users'
> 23| [2007/01/05 16:37:21, 2] smbd/service.c:make_connection_snum(571)
> 24| user 'SYNTH\sfroehli' (from session setup) not permitted to access this share (private)
> 25| [2007/01/05 16:37:21, 3] smbd/error.c:error_packet(146)
> 26| error packet at smbd/reply.c(676) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
>
> I'd guess that line 20 is still doing what I want to: the group is identified
> as a unix group and the name is correct. Unfortunately there is no more
> debug message (not even with level 10) until the denial message in line 22. If
> I issue groups(1) on the command line then "private" is found - but I
> can only guess what samba is doing (or expecting) to resolve the group
> membership: log line 20 is contained in passdb/lookup_sid.c, afterwards there
> are some tests against domain name etc, which - in my opinion - should succeed
> here:
>
> [passdb/lookup_sid.c:110]
> |     if (strequal(domain, unix_groups_domain_name())) {
> |         if (lookup_unix_group_name(name, &sid)) {
> |             type = SID_NAME_DOM_GRP;
> |             goto ok;
> |         }
> |         goto failed;
> |     }
>
> lookup_unix_group_name() is not much more than a call to getgrnam(5) after all,
> which is what I have successfully done on the cmd line by calling groups(1).
>
> Bye,
> Stefan
>
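The diagnosis in the quoted log excerpt above (string_to_sid rejecting the "+Unix Group\private" spec, lookup_name splitting it into domain and name, then the share denial) is tedious to pick out of a level-10 smbd log by hand. Below is an added example, not code from the thread or from the Samba project, of a small Python parser that walks smbd log output, pairs each "[date, level] file:function(line)" header with its message line, and reports every share denial together with the "valid users" specs smbd tried to resolve just before it. The sample log text is constructed to mirror the lines in Stefan's post; the group-existence check mirrors the lookup_unix_group_name()-is-getgrnam() observation and is an assumption about what an administrator would want to confirm, not an analysis of Samba's own code path.

```python
import grp
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# smbd DEBUG() header: "[YYYY/MM/DD HH:MM:SS, level] source.c:function(line)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] "
    r"(?P<src>[\w/.]+):(?P<func>\w+)\((?P<line>\d+)\)$"
)
# Messages that tell the "valid users" story, as they appear in the post.
SID_RE = re.compile(r"^string_to_sid: Sid (?P<spec>.+) does not start with 'S-'\.$")
LOOKUP_RE = re.compile(
    r"^lookup_name: (?P<spec>.+?) => (?P<domain>.+?) \(domain\), (?P<name>.+?) \(name\)$"
)
DENIED_RE = re.compile(
    r"^user '(?P<user>[^']+)' \(from session setup\) "
    r"not permitted to access this share \((?P<share>[^)]+)\)$"
)


@dataclass
class Entry:
    ts: str
    level: int
    func: str
    msg: str


@dataclass
class Denial:
    user: str
    share: str
    specs: List[str] = field(default_factory=list)          # raw "valid users" entries smbd saw
    resolved: List[Tuple[str, str]] = field(default_factory=list)  # (domain, name) from lookup_name


def parse_smbd_log(text: str) -> List[Entry]:
    """Pair each header line with the message line that follows it."""
    entries: List[Entry] = []
    header: Optional[re.Match] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header = m
            continue
        if header is not None:
            entries.append(Entry(header["ts"], int(header["level"]), header["func"], line))
            header = None
    return entries


def find_share_denials(text: str) -> List[Denial]:
    """Collect each share denial with the group lookups that preceded it."""
    denials: List[Denial] = []
    specs: List[str] = []
    resolved: List[Tuple[str, str]] = []
    for e in parse_smbd_log(text):
        m = SID_RE.match(e.msg)
        if m:
            specs.append(m["spec"])
            continue
        m = LOOKUP_RE.match(e.msg)
        if m:
            resolved.append((m["domain"], m["name"]))
            continue
        m = DENIED_RE.match(e.msg)
        if m:
            denials.append(Denial(m["user"], m["share"], specs, resolved))
            specs, resolved = [], []
    return denials


def local_group_exists(name: str) -> bool:
    """getgrnam() on the host running smbd, the lookup the post says Samba ends up doing."""
    try:
        grp.getgrnam(name)
        return True
    except KeyError:
        return False


def explain(d: Denial, group_exists: Callable[[str], bool] = local_group_exists) -> str:
    """Turn a denial into a one-line hint; group_exists is injectable for testing."""
    missing = [n for dom, n in d.resolved if dom == "Unix Group" and not group_exists(n)]
    if missing:
        return f"{d.user} denied on '{d.share}': unix group(s) {missing} not found via getgrnam on this host"
    return f"{d.user} denied on '{d.share}': groups {[n for _, n in d.resolved]} resolve locally; check membership/tokens"


# Constructed sample modelled on the lines quoted in the thread (not a real capture).
SAMPLE_LOG = """
[2007/01/05 16:37:21, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid +Unix Group\\private does not start with 'S-'.
[2007/01/05 16:54:23, 10] passdb/lookup_sid.c:lookup_name(64)
  lookup_name: Unix Group\\private => Unix Group (domain), private (name)
[2007/01/05 16:54:23, 10] smbd/share_access.c:user_ok_token(208)
  User SYNTH\\sfroehli not in 'valid users'
[2007/01/05 16:37:21, 2] smbd/service.c:make_connection_snum(571)
  user 'SYNTH\\sfroehli' (from session setup) not permitted to access this share (private)
"""

if __name__ == "__main__":
    for d in find_share_denials(SAMPLE_LOG):
        print(explain(d))
```

Run it against a real log with `find_share_denials(open("/var/log/samba/log.smbd").read())`; the `explain()` hint only says whether the Unix group name smbd extracted exists on the host, which is the check Stefan did by hand with groups(1).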