[Samba] ADS groups and 'valid users'
Cory Watson
jheephat at gmail.com
Wed Jan 10 20:56:33 GMT 2007
I am attempting to get a Debian box running Samba 3.0.23d (latest from
Debian testing) to work with our shiny new Windows 2003 server PDC.
I can join the domain.
winbind's various wbinfo commands return all the groups and users, as does
getent.
I can access everything from the PDC.
Effectively, everything works _except_ specifying a group to 'valid users'.
My smb.conf[0] is run of the mill and I see nothing out of the ordinary.
'wbinfo -g' reports[1] all the right stuff. I made a share (accounting) and
specified that the 'FOO+finance' group should have access by way of:
valid users = +"FOO+finance"
but it doesn't work. I can remove the valid users entry from smb.conf and
it mounts. I can specify individual users (e.g. "FOO+cwatson") and it works
when those users connect. It ONLY FAILS when I use a group. The users I
test are in the groups. I can see this on both the PDC and on the Linux box
via id(1).
I've seen mention of this sporadically via Google and searching the
archives. My log files contain the following information that I think may
be pertinent (valid users = +"FOO\finance"):
[2007/01/10 14:52:43, 4] smbd/reply.c:reply_tcon_and_X(668)
Client requested device type [?????] for share [ACCOUNTING]
[2007/01/10 14:52:43, 5] smbd/service.c:make_connection(1125)
making a connection to 'normal' service accounting
[2007/01/10 14:52:43, 3] lib/util_sid.c:string_to_sid(223)
string_to_sid: Sid +FOO+finance does not start with 'S-'.
[2007/01/10 14:52:43, 10] passdb/lookup_sid.c:lookup_name(64)
lookup_name: FOO\finance => FOO (domain), finance (name)
[2007/01/10 14:52:43, 10] smbd/share_access.c:user_ok_token(208)
User MAGAZINES+cwatson not in 'valid users'
[2007/01/10 14:52:43, 2] smbd/service.c:make_connection_snum(580)
user 'MAGAZINES+cwatson' (from session setup) not permitted to access this
share (accounting)
It doesn't seem to be checking if MAGAZINES\cwatson is even in a domain.
Any ideas? I can happily provide more information...
[0] - smb.conf
[global]
unix charset = US-ASCII
workgroup = FOO
realm = FOO.COM
password server = dc1
server string = %h server (Samba %v)
encrypt passwords = yes
log level = 10
security = ADS
log level = 1
syslog = 0
use spnego = yes
domain master = no
local master = no
preferred master = no
os level = 0
logfile = /var/log/samba/log.%m
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind separator = +
winbind nested groups = yes
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template homedir = /home/FOO/users/%U
[accounting]
valid users = +"FOO+finance"
path = /home/MCI/accounting
writeable = yes
read only = No
[1] wbinfo -g output
BUILTIN+administrators
BUILTIN+users
domain computers
domain controllers
schema admins
enterprise admins
domain admins
domain users
domain guests
group policy creator owners
dnsupdateproxy
technology
finance
pub relations
marketing
executives
--
Cory 'G' Watson
http://www.onemogin.com
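The following is an added example, not Samba's code and not part of the post above: a small parser for the 'valid users' syntax as described in smb.conf(5) (whitespace/comma-separated list, double quotes protect spaces, a leading @, + or & selects the lookup kind, and the domain is split off at the configured winbind separator or a backslash), used to check the entry from the smb.conf in [0] against the 'wbinfo -g' output in [1]. The function and class names are my own, and the group list is transcribed from the post.

```python
from dataclasses import dataclass
from typing import List, Optional

# Prefix meanings from smb.conf(5): '+' = UNIX group via NSS only,
# '@' = NIS netgroup first then UNIX group, '&' = NIS netgroup only.
PREFIXES = {"+": "unix_group", "@": "netgroup_or_group", "&": "netgroup"}

# Constructed from the 'wbinfo -g' output quoted in the post ([1]).
WBINFO_GROUPS = [
    "BUILTIN+administrators", "BUILTIN+users", "domain computers",
    "domain controllers", "schema admins", "enterprise admins",
    "domain admins", "domain users", "domain guests",
    "group policy creator owners", "dnsupdateproxy", "technology",
    "finance", "pub relations", "marketing", "executives",
]

@dataclass
class Principal:
    kind: str              # "user" or one of the PREFIXES values
    domain: Optional[str]  # e.g. "FOO", or None when no domain was given
    name: str

def split_list(value: str) -> List[str]:
    """Split an smb.conf list value on whitespace/commas, honouring quotes."""
    items, cur, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted          # quotes are stripped, not kept
        elif ch in " \t,;" and not quoted:
            if cur:
                items.append("".join(cur)); cur = []
        else:
            cur.append(ch)
    if cur:
        items.append("".join(cur))
    return items

def parse_valid_users(value: str, separator: str = "+") -> List[Principal]:
    """'+"FOO+finance"' -> Principal(kind='unix_group', domain='FOO', name='finance')."""
    out = []
    for tok in split_list(value):
        kind = "user"
        if tok and tok[0] in PREFIXES:     # prefix sits outside the quotes
            kind, tok = PREFIXES[tok[0]], tok[1:]
        domain, name = None, tok
        for sep in (separator, "\\"):      # DOM+name or DOM\name
            if sep in tok:
                domain, name = tok.split(sep, 1)
                break
        out.append(Principal(kind, domain, name))
    return out

def unresolved_groups(entries, known_groups, separator="+") -> List[Principal]:
    """Return group entries that match nothing in the winbind group list."""
    known = {g.lower() for g in known_groups}
    missing = []
    for p in entries:
        if p.kind == "user":
            continue
        candidates = {p.name.lower()}        # bare name (use default domain = yes)
        if p.domain:
            candidates.add(f"{p.domain}{separator}{p.name}".lower())
        if not candidates & known:
            missing.append(p)
    return missing
```

Running it on the post's entry shows the group resolves by name, which matches the log line showing lookup_name splitting it into FOO (domain) and finance (name); a misspelt or missing group would be reported instead.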