[Samba] domain/unix groups and valid users parameter
Ralf Gross
Ralf-Lists at ralfgross.de
Thu Jan 25 12:29:30 GMT 2007
Hi,
I want to switch from 'security = server' to 'security = ADS'.
Kerberos is working and I can login to the server.
With Samba 3.0.22 I was able to restrict access to shares with the
'valid users' directive. ve is a local unix group.
valid users = +ve
And force the group ownership with the 'force group' directive.
force group = +ve
[foo]
comment = foo
writable = yes
force create mode = 0660
create mask = 0660
force directory mode = 2770
directory security mask = 2770
force directory security mode = 0000
directory mask = 2770
force security mode = 0000
force group = +ve
security mask = 0770
path = /projekte/foo
valid users = +ve
vfs objects = extd_audit
If I now try to connect to share foo, I get
Domain=[EMEA] OS=[Unix] Server=[Samba 3.0.23d]
tree connect failed: NT_STATUS_ACCESS_DENIED
And in the samba log:
[2007/01/25 13:14:49, 3] lib/util_sid.c:string_to_sid(223)
string_to_sid: Sid +ve does not start with 'S-'.
[...]
[2007/01/25 13:14:49, 2] smbd/service.c:make_connection_snum(580)
user 'EMEA\ralfgro' (from session setup) not permitted to access this share (foo)
I tried different settings for 'valid users' that I found in the list archives.
No change.
+"Unix Group"\ve
+"Unix Group\ve"
+"BUILTIN"\ve
...
Then I mapped the Unix group ve to a SID (net groupmap add unixgroup=ve type=local):
$ net groupmap list
ve (S-1-5-21-939576472-3938481725-970578208-1001) -> ve
afs (S-1-5-21-939576472-3938481725-970578208-1003) -> afs
Administrators (S-1-5-32-544) -> 10000
Users (S-1-5-32-545) -> 10001
Still the same error.
[2007/01/25 13:20:14, 3] lib/util_sid.c:string_to_sid(223)
string_to_sid: Sid +ve does not start with 'S-'.
[...]
[2007/01/25 13:20:14, 2] smbd/service.c:make_connection_snum(580)
user 'EMEA\ralfgro' (from session setup) not permitted to access this share (foo)
I'm new to winbind and AD, I'm not an AD/Domain/Win Admin, I'm only
responsible for some linux workstations/servers.
My goals:
* use AD user/groups for authentication
* use AD user/groups for permissions (valid users/force group...)
* use local unix user/groups for samba authentication and permissions
* later - use AD for ssh/cvs access
In the past I had to create a local unix account for every user, thus
I already have a bunch of local unix users that also exist in the AD.
They already own many files, so it would be nice if I could map an existing
UID to a SID. For example user ralfgro is in the local /etc/passwd and
in the AD. If I log in for the first time with smbclient, a new UID<->SID
mapping is created. Thus files that belong to ralfgro have different
ownership (old UID, new UID/SID).
I'm a bit lost at the moment on how to migrate from my old style of config/usage
to the new, hopefully more elegant, winbind/AD style.
Ralf
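An added helper for triaging the kind of log excerpt quoted in the post above (example code, not from the post and not Samba's own code): it parses Samba's two-line log records (a `[timestamp, level] file:function(line)` header followed by the message) and pairs each tree-connect denial with any `string_to_sid` failures logged shortly before it, so an admin can see which `valid users` token failed to resolve for which share. The sample log is constructed from the excerpt; the 2-second correlation window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the log lines quoted in the post.
SAMPLE_LOG = """\
[2007/01/25 13:14:49, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid +ve does not start with 'S-'.
[2007/01/25 13:14:49, 2] smbd/service.c:make_connection_snum(580)
  user 'EMEA\\ralfgro' (from session setup) not permitted to access this share (foo)
[2007/01/25 13:15:02, 2] smbd/service.c:make_connection_snum(580)
  user 'EMEA\\other' (from session setup) not permitted to access this share (bar)
"""

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")
BAD_SID_RE = re.compile(r"string_to_sid: Sid (\S+) does not start with 'S-'")
DENIED_RE = re.compile(
    r"user '([^']+)' \(from session setup\) not permitted to access this share \((\S+)\)")


def parse_samba_log(text):
    """Group Samba's header+message line pairs into (timestamp, level, source, message)."""
    entries = []
    header = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = (datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                      int(m.group(2)), m.group(3))
        elif header and line.strip():
            entries.append(header + (line.strip(),))
            header = None
    return entries


def find_share_denials(entries, window_seconds=2):
    """Return (user, share, [unresolved tokens]) for every tree-connect denial.

    Tokens are the values string_to_sid rejected within window_seconds before the
    denial (assumed correlation window); an empty list means no such failure was seen."""
    results = []
    bad_tokens = []  # (timestamp, token) from string_to_sid failures
    for ts, _level, _source, msg in entries:
        m = BAD_SID_RE.search(msg)
        if m:
            bad_tokens.append((ts, m.group(1)))
            continue
        m = DENIED_RE.search(msg)
        if m:
            related = [tok for t, tok in bad_tokens
                       if 0 <= (ts - t).total_seconds() <= window_seconds]
            results.append((m.group(1), m.group(2), related))
    return results
```

Run it over a real `log.smbd` at log level 3 or higher to list denials next to the `valid users` tokens that could not be turned into a SID.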