[Samba] ADS groups and 'valid users'

Cory Watson jheephat at gmail.com
Wed Jan 10 20:56:33 GMT 2007

I am attempting to get a Debian box running Samba 3.0.23d (latest from
debian testing) to work with our shiny new Windows 2003 server PDC.

I can join the domain.
winbind's various wbinfo commands return all the groups and users, as does
I can access everything from the PDC.

Effectively, everything works _except_ specifying a group to 'valid users'.
My smb.conf[0] is run of the mill and I see nothing out of the ordinary.
'wbinfo -g' reports[1] all the right stuff.  I made a share (accounting) and
specified that the 'FOO+finance' group should have access by way of:

valid users = +"FOO+finance"

but it doesn't work.  I can remove the valid users entry from smb.conf and
it mounts.  I can specify individual users (e.g. "FOO+cwatson") and it works
when those users connect.  It ONLY FAILS when I use a group.  The users I
test are in the groups.  I can see this on both the PDC and on the Linux box
via id(1).

I've seen mention of this sporadically via google and searching the
archives.  My log files contain the following information that I think may
be pertinent (valid users = +"FOO\finance"):

[2007/01/10 14:52:43, 4] smbd/reply.c:reply_tcon_and_X(668)
  Client requested device type [?????] for share [ACCOUNTING]
[2007/01/10 14:52:43, 5] smbd/service.c:make_connection(1125)
  making a connection to 'normal' service accounting
[2007/01/10 14:52:43, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid +FOO+finance does not start with 'S-'.
[2007/01/10 14:52:43, 10] passdb/lookup_sid.c:lookup_name(64)
  lookup_name: FOO\finance => FOO (domain), finance (name)
[2007/01/10 14:52:43, 10] smbd/share_access.c:user_ok_token(208)
  User MAGAZINES+cwatson not in 'valid users'
[2007/01/10 14:52:43, 2] smbd/service.c:make_connection_snum(580)
  user 'MAGAZINES+cwatson' (from session setup) not permitted to access this share (accounting)

It doesn't seem to be checking if MAGAZINES\cwatson is even in a domain.
Any ideas?  I can happily provide more information...

[0] - smb.conf
   unix charset = US-ASCII
   workgroup = FOO
   realm = FOO.COM
   password server = dc1
   server string = %h server (Samba %v)
   encrypt passwords = yes
   log level = 10
   security = ADS
   log level = 1
   syslog = 0
   use spnego = yes

   domain master = no
   local master = no
   preferred master = no
   os level = 0

   logfile = /var/log/samba/log.%m
   ldap ssl = no
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/bash
   winbind separator = +
   winbind nested groups = yes
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   template homedir = /home/FOO/users/%U
   valid users = +"FOO+finance"
   path = /home/MCI/accounting
   writeable = yes
   read only = No

[1] wbinfo -g output
domain computers
domain controllers
schema admins
enterprise admins
domain admins
domain users
domain guests
group policy creator owners
pub relations

Cory 'G' Watson
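
The debug trace quoted above is the kind of thing that ends up in /var/log/samba/log.%m on every denied tree connect, and when several users and shares are involved it is easier to let a script pull the denials out than to read level-10 logs by hand. The following is an added example, not code from the original post or from the Samba project: a small parser for smbd's debug record format (a `[timestamp, level] file:function(line)` header followed by one or more indented message lines, which wrap when long) that extracts who was refused which share and which `valid users` check refused them. The sample log text is constructed here after the lines in the post; the handling of a header whose leading `[` has been lost mirrors the first quoted line.

```python
"""Parse smbd debug-log records and pull out share-access denials."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Header: [YYYY/MM/DD HH:MM:SS, level] file.c:function(line)
# The leading '[' is optional because it is sometimes lost when logs are
# pasted or extracted (as on the first line quoted in the post above).
HEADER_RE = re.compile(
    r"^\[?(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] "
    r"(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)
# Message emitted by make_connection_snum() when the share ACL rejects a user.
DENIED_RE = re.compile(
    r"^user '(?P<user>[^']+)' \(from session setup\) not permitted to access "
    r"this share \((?P<share>[^)]+)\)$"
)
# Message emitted by user_ok_token() when the user fails the 'valid users' list.
NOT_VALID_RE = re.compile(r"^User (?P<user>\S+) not in 'valid users'$")


@dataclass
class Record:
    ts: str
    level: int
    src: str
    func: str
    message: str


def parse_smbd_log(text: str) -> List[Record]:
    """Group header + indented message lines into Record objects.

    A message that wraps onto further lines is re-joined with single spaces,
    so regexes below can match the whole message regardless of wrapping.
    """
    records: List[Record] = []
    current = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            current = Record(m["ts"], int(m["level"]), m["src"], m["func"], "")
            records.append(current)
        elif current is not None and raw.strip():
            current.message = (current.message + " " + raw.strip()).strip()
    return records


def share_denials(records: List[Record]) -> List[Tuple[str, str]]:
    """Return (user, share) for every rejected tree connect."""
    out = []
    for r in records:
        if r.func != "make_connection_snum":
            continue
        m = DENIED_RE.match(r.message)
        if m:
            out.append((m["user"], m["share"]))
    return out


def valid_users_failures(records: List[Record]) -> List[str]:
    """Return the user names that user_ok_token() reported as not in 'valid users'."""
    return [m["user"] for r in records
            if r.func == "user_ok_token" and (m := NOT_VALID_RE.match(r.message))]


# Constructed sample, modelled on the trace quoted in the post (not a real capture).
SAMPLE_LOG = """\
2007/01/10 14:52:43, 4] smbd/reply.c:reply_tcon_and_X(668)
  Client requested device type [?????] for share [ACCOUNTING]
[2007/01/10 14:52:43, 5] smbd/service.c:make_connection(1125)
  making a connection to 'normal' service accounting
[2007/01/10 14:52:43, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid +FOO+finance does not start with 'S-'.
[2007/01/10 14:52:43, 10] passdb/lookup_sid.c:lookup_name(64)
  lookup_name: FOO\\finance => FOO (domain), finance (name)
[2007/01/10 14:52:43, 10] smbd/share_access.c:user_ok_token(208)
  User MAGAZINES+cwatson not in 'valid users'
[2007/01/10 14:52:43, 2] smbd/service.c:make_connection_snum(580)
  user 'MAGAZINES+cwatson' (from session setup) not permitted to access this
share (accounting)
"""

if __name__ == "__main__":
    recs = parse_smbd_log(SAMPLE_LOG)
    for user, share in share_denials(recs):
        print(f"denied: {user} -> [{share}]")
    print("failed 'valid users':", valid_users_failures(recs))
```

Run against a real log.%m with `log level = 10` (note that the smb.conf quoted above sets `log level` twice, and the later value, 1, is the one that takes effect); at lower levels only the level-2 `make_connection_snum` line survives, which is still enough for `share_denials`.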

