[Samba] ADS groups and 'valid users'
Амиров Дмитрий
amirov at infinet.ru
Thu Jan 11 05:41:15 GMT 2007
I have the same problem.
But if I define the ldap connection options on this domain member (a direct
connection, not via the PDC), then everything works fine. But I can't find a
correct solution for the case where "valid users" must work with
authentication via the PDC.
PS. Sorry for my English.
Cory Watson wrote:
> I am attempting to get a Debian box running Samba 3.0.23d (latest from
> Debian testing) to work with our shiny new Windows 2003 server PDC.
>
> I can join the domain.
> winbind's various wbinfo commands return all the groups and users, as
> does getent.
> I can access everything from the PDC.
>
> Effectively, everything works _except_ specifying a group to 'valid
> users'.
> My smb.conf[0] is run-of-the-mill and I see nothing out of the ordinary.
> 'wbinfo -g' reports[1] all the right stuff. I made a share (accounting)
> and specified that the 'FOO+finance' group should have access by way of:
>
> valid users = +"FOO+finance"
>
> but it doesn't work. I can remove the valid users entry from smb.conf
> and it mounts. I can specify individual users (e.g. "FOO+cwatson") and
> it works when those users connect. It ONLY FAILS when I use a group. The
> users I test are in the groups. I can see this on both the PDC and on
> the Linux box via id(1).
>
> I've seen mention of this sporadically via google and searching the
> archives. My log files contain the following information that I think
> may be pertinent (valid users = +"FOO\finance"):
>
> [2007/01/10 14:52:43, 4] smbd/reply.c:reply_tcon_and_X(668)
> Client requested device type [?????] for share [ACCOUNTING]
> [2007/01/10 14:52:43, 5] smbd/service.c:make_connection(1125)
> making a connection to 'normal' service accounting
> [2007/01/10 14:52:43, 3] lib/util_sid.c:string_to_sid(223)
> string_to_sid: Sid +FOO+finance does not start with 'S-'.
> [2007/01/10 14:52:43, 10] passdb/lookup_sid.c:lookup_name(64)
> lookup_name: FOO\finance => FOO (domain), finance (name)
> [2007/01/10 14:52:43, 10] smbd/share_access.c:user_ok_token(208)
> User MAGAZINES+cwatson not in 'valid users'
> [2007/01/10 14:52:43, 2] smbd/service.c:make_connection_snum(580)
> user 'MAGAZINES+cwatson' (from session setup) not permitted to access
> this share (accounting)
>
> It doesn't seem to be checking if MAGAZINES\cwatson is even in a domain.
> Any ideas? I can happily provide more information...
>
> [0] - smb.conf
> [global]
> unix charset = US-ASCII
> workgroup = FOO
> realm = FOO.COM
> password server = dc1
> server string = %h server (Samba %v)
> encrypt passwords = yes
> log level = 10
> security = ADS
> log level = 1
> syslog = 0
> use spnego = yes
>
> domain master = no
> local master = no
> preferred master = no
> os level = 0
>
> logfile = /var/log/samba/log.%m
> ldap ssl = no
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template shell = /bin/bash
> winbind separator = +
> winbind nested groups = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> template homedir = /home/FOO/users/%U
> [accounting]
> valid users = +"FOO+finance"
> path = /home/MCI/accounting
> writeable = yes
> read only = No
>
> [1] wbinfo -g output
> BUILTIN+administrators
> BUILTIN+users
> domain computers
> domain controllers
> schema admins
> enterprise admins
> domain admins
> domain users
> domain guests
> group policy creator owners
> dnsupdateproxy
> technology
> finance
> pub relations
> marketing
> executives
>
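The log lines quoted above show smbd deciding share access in user_ok_token after turning the 'valid users' entry into a name lookup (lookup_name: FOO\finance), so the question that matters on the member is not whether id(1) prints the group but whether winbind resolves the group name to a SID that is also in the group list winbind returns for the connecting user. The script below is an added example (not code from the thread or from Samba) that asks winbind exactly those two questions with wbinfo -n, wbinfo -r and wbinfo -G; the user name, the 'valid users' entry and the SIDs in the comments are placeholders, and the `FOO+` spelling assumes the `winbind separator = +` from the posted smb.conf.

```shell
#!/bin/sh
# Added example: check whether a group named in 'valid users' is present in a
# user's winbind group list on a Samba/winbind domain member. Not Samba code.
#
# Usage (on the member):  sh check_valid_users_group.sh cwatson '+"FOO+finance"'
# With 'winbind use default domain = yes' the user can be given as 'cwatson';
# otherwise use 'FOO+cwatson' (the configured winbind separator).
set -u

# Strip the smb.conf group prefix ('+', '@' or '&') and surrounding double
# quotes from a 'valid users' entry, leaving the name winbind is asked about.
entry_to_name() {
    name=${1#[@+&]}
    name=${name#\"}
    name=${name%\"}
    printf '%s\n' "$name"
}

# Extract the SID from a 'wbinfo -n NAME' output line, which looks like
#   S-1-5-21-1-2-3-1105 SID_DOM_GROUP (2)        (placeholder SID)
# Return 1 when the line does not start with a SID (lookup failed).
sid_from_wbinfo_line() {
    sid=${1%% *}
    case "$sid" in
        S-*) printf '%s\n' "$sid" ;;
        *)   return 1 ;;
    esac
}

# Succeed if SID ($1) appears as a whole line in the newline-separated list ($2).
sid_in_list() {
    printf '%s\n' "$2" | grep -qx -- "$1"
}

# Resolve the group to a SID, then compare it against the SID of every gid
# winbind reports for the user (wbinfo -r lists gids, wbinfo -G maps gid -> SID).
check_group_in_token() {
    user=$1
    group=$(entry_to_name "$2")
    group_sid=$(sid_from_wbinfo_line "$(wbinfo -n "$group")") || {
        echo "winbind cannot resolve '$group' to a SID; check the spelling and 'winbind separator'" >&2
        return 2
    }
    token_sids=$(wbinfo -r "$user" | while read -r gid; do wbinfo -G "$gid"; done)
    if sid_in_list "$group_sid" "$token_sids"; then
        echo "$user carries $group ($group_sid) in its winbind group list"
    else
        echo "$user does NOT carry $group ($group_sid); group SIDs seen:" >&2
        printf '%s\n' "$token_sids" >&2
        return 1
    fi
}

# Only run the live check when a user and a 'valid users' entry are supplied.
if [ "$#" -eq 2 ]; then
    check_group_in_token "$1" "$2"
fi
```

Run it once for the entry as written (`'+"FOO+finance"'`) and once for the plain `'+finance'` that `wbinfo -g` prints in the post, and compare the SIDs: if both resolve to the same SID that is in the user's list, the name side is fine and the problem is in smbd's own evaluation rather than in winbind. Also confirm with `testparm -sv` what smbd actually parsed: the posted [global] section sets `log level` twice, and the last assignment is the one in effect.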