[Samba] domain/unix groups and valid users parameter

Ralf Gross Ralf-Lists at ralfgross.de
Thu Jan 25 12:29:30 GMT 2007


Hi,

I want to switch from 'security = server' to 'security = ADS'.
Kerberos is working and I can login to the server.

With Samba 3.0.22 I was able to restrict access to shares with the
'valid users' directive. ve is a local unix group.

valid users = +ve

And force the group ownership with the 'force group' directive.

force group = +ve


[foo]
        comment = foo
        writable = yes
        force create mode = 0660
        create mask = 0660
        force directory mode = 2770
        directory security mask = 2770
        force directory security mode = 0000
        directory mask = 2770
        force security mode = 0000
        force group = +ve
        security mask = 0770
        path = /projekte/foo
        valid users = +ve
        vfs objects = extd_audit


If I now try to connect to share foo, I get

Domain=[EMEA] OS=[Unix] Server=[Samba 3.0.23d]
tree connect failed: NT_STATUS_ACCESS_DENIED

And in the samba log:

[2007/01/25 13:14:49, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid +ve does not start with 'S-'.
[...]
[2007/01/25 13:14:49, 2] smbd/service.c:make_connection_snum(580)
  user 'EMEA\ralfgro' (from session setup) not permitted to access this share (foo)


I tried different settings for 'valid users' that I found in the list archives.
No change.

+"Unix Group"\ve
+"Unix Group\ve"
+"BUILTIN"\ve
...

Then I mapped the Unix group ve to a SID (net groupmap add unixgroup=ve type=local):

$ net groupmap list
ve (S-1-5-21-939576472-3938481725-970578208-1001) -> ve
afs (S-1-5-21-939576472-3938481725-970578208-1003) -> afs
Administrators (S-1-5-32-544) -> 10000
Users (S-1-5-32-545) -> 10001

Still the same error.

[2007/01/25 13:20:14, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid +ve does not start with 'S-'.
[...]
[2007/01/25 13:20:14, 2] smbd/service.c:make_connection_snum(580)
  user 'EMEA\ralfgro' (from session setup) not permitted to access this share (foo)


I'm new to winbind and AD, I'm not an AD/Domain/Win Admin, I'm only
responsible for some linux workstations/server.

My goals:

* use AD user/groups for authentication
* use AD user/groups for permissions (valid users/force group...)
* use local unix user/groups for samba authentication and permissions
* later -  use AD for ssh/cvs access

In the past I had to create a local unix account for every user, thus
I already have a bunch of local unix users that also exist in the AD.
They already own many files, so it would be nice if I could map an existing
UID to a SID. For example user ralfgro is in the local /etc/passwd and
in the AD. If I login the first time with smbclient, a new UID<->SID
mapping is created. Thus files that belong to ralfgro have different
ownership (old UID, new UID/SID).

I'm a bit lost at the moment on how to migrate from my old style of config/usage
to the new, hopefully more elegant, winbind/AD style.

Ralf
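Added example, not part of Ralf's post and not Samba's own code: a small Python script that parses an smb.conf share fragment and smbd log lines modelled on the ones quoted above, and correlates each "not permitted to access this share" denial with the 'valid users' entries of the share it hit and with any "Sid ... does not start with 'S-'" complaint for the same token. The [bar] share, its 'valid users' line and the second denial are constructed to show a token that is not fed to the SID parser; the meaning of the '+', '@' and '&' prefixes is taken from smb.conf(5).

```python
"""Correlate smbd share-access denials with the 'valid users' entries of the
share involved. Config and log below are constructed for this example."""
import re
from typing import Dict, List, Set, Tuple

# Constructed smb.conf fragment, modelled on the [foo] share in the post.
# [bar] is invented to show a domain-group style entry for comparison.
SMB_CONF = r"""
[foo]
        comment = foo
        path = /projekte/foo
        valid users = +ve
        force group = +ve

[bar]
        path = /projekte/bar
        valid users = @EMEA\ve, EMEA\ralfgro
"""

# Constructed smbd log lines in the level 2/3 format shown in the post.
SMBD_LOG = r"""
[2007/01/25 13:14:49, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid +ve does not start with 'S-'.
[2007/01/25 13:14:49, 2] smbd/service.c:make_connection_snum(580)
  user 'EMEA\ralfgro' (from session setup) not permitted to access this share (foo)
[2007/01/25 13:20:14, 2] smbd/service.c:make_connection_snum(580)
  user 'EMEA\ralfgro' (from session setup) not permitted to access this share (bar)
"""

# Prefix semantics per smb.conf(5) for 'valid users' / 'invalid users'.
GROUP_PREFIXES = {
    "+": "unix group only",
    "@": "NIS netgroup first, then unix group",
    "&": "NIS netgroup only",
}

SID_FAIL_RE = re.compile(r"string_to_sid: Sid (\S+) does not start with 'S-'")
DENIED_RE = re.compile(
    r"user '([^']+)' \(from session setup\) not permitted to access this share \(([^)]+)\)"
)


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: [section] headers and 'key = value' lines."""
    shares: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            shares[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        shares[current][key.strip().lower()] = value.strip()
    return shares


def parse_user_list(value: str) -> List[Dict[str, str]]:
    """Split a 'valid users' value into entries, classifying each token."""
    entries = []
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        prefix = token[0] if token[0] in GROUP_PREFIXES else ""
        entries.append({
            "token": token,
            "name": token[len(prefix):],
            "kind": "group" if prefix else "user",
            "lookup": GROUP_PREFIXES.get(prefix, "user account"),
        })
    return entries


def parse_smbd_log(text: str) -> Tuple[Set[str], List[Dict[str, str]]]:
    """Collect tokens rejected by string_to_sid and (user, share) denials."""
    bad_sids: Set[str] = set()
    denials: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = SID_FAIL_RE.search(line)
        if m:
            bad_sids.add(m.group(1))
            continue
        m = DENIED_RE.search(line)
        if m:
            denials.append({"user": m.group(1), "share": m.group(2)})
    return bad_sids, denials


def correlate(conf_text: str, log_text: str) -> List[Dict]:
    """For each denial, attach the share's 'valid users' entries, flag tokens
    that smbd tried (and failed) to parse as a SID, and note whether
    'force group' carries the '+' prefix (group applied only to members)."""
    shares = parse_smb_conf(conf_text)
    bad_sids, denials = parse_smbd_log(log_text)
    report = []
    for d in denials:
        share = shares.get(d["share"], {})
        entries = parse_user_list(share.get("valid users", ""))
        for e in entries:
            e["sid_parse_failed"] = e["token"] in bad_sids
        report.append({
            **d,
            "defined": d["share"] in shares,
            "valid_users": entries,
            "force_group_members_only": share.get("force group", "").startswith("+"),
        })
    return report


if __name__ == "__main__":
    for r in correlate(SMB_CONF, SMBD_LOG):
        print(r["user"], "denied on", r["share"])
        for e in r["valid_users"]:
            flag = " (rejected by string_to_sid)" if e["sid_parse_failed"] else ""
            print("   ", e["token"], "->", e["kind"], "via", e["lookup"] + flag)
```

Run it against a real smb.conf and a level 3 smbd log to see which 'valid users' tokens smbd is treating as SIDs; an entry flagged as rejected by string_to_sid is the one to rewrite or to test with `net groupmap list` before changing the share.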

