[Samba] ADS groups and 'valid users'
amirov at infinet.ru
Thu Jan 11 05:41:15 GMT 2007
I have the same problem.
But if, on this domain member, I define the options for an LDAP connection
(direct connection, not via the PDC), then everything works fine. But I can't
find the correct solution when "valid users" must work with authentication
PS. Sorry for my English.
Cory Watson wrote:
> I am attempting to get a Debian box running Samba 3.0.23d (latest from
> debian testing) to work with our shiny new Windows 2003 server PDC.
> I can join the domain.
> winbind's various wbinfo commands return all the groups and users, as
> I can access everything from the PDC.
> Effectively, everything works _except_ specifying a group to 'valid
> My smb.conf is run of the mill and I see nothing out of the ordinary.
> 'wbinfo -g' reports all the right stuff. I made a share
> (accounting) and
> specified that the 'FOO+finance' group should have access by way of:
> valid users = +"FOO+finance"
> but it doesn't work. I can remove the valid users entry from smb.conf
> it mounts. I can specify individual users (e.g. "FOO+cwatson") and it
> when those users connect. It ONLY FAILS when I use a group. The users I
> test are in the groups. I can see this on both the PDC and on the
> Linux box via id(1).
> I've seen mention of this sporadically via google and searching the
> archives. My log files contain the following information that I think
> be pertinent (valid users = +"FOO\finance"):
> [2007/01/10 14:52:43, 4] smbd/reply.c:reply_tcon_and_X(668)
> Client requested device type [?????] for share [ACCOUNTING]
> [2007/01/10 14:52:43, 5] smbd/service.c:make_connection(1125)
> making a connection to 'normal' service accounting
> [2007/01/10 14:52:43, 3] lib/util_sid.c:string_to_sid(223)
> string_to_sid: Sid +FOO+finance does not start with 'S-'.
> [2007/01/10 14:52:43, 10] passdb/lookup_sid.c:lookup_name(64)
> lookup_name: FOO\finance => FOO (domain), finance (name)
> [2007/01/10 14:52:43, 10] smbd/share_access.c:user_ok_token(208)
> User MAGAZINES+cwatson not in 'valid users'
> [2007/01/10 14:52:43, 2] smbd/service.c:make_connection_snum(580)
> user 'MAGAZINES+cwatson' (from session setup) not permitted to access
> share (accounting)
> It doesn't seem to be checking if MAGAZINES\cwatson is even in a domain.
> Any ideas? I can happily provide more information...
>  - smb.conf
> unix charset = US-ASCII
> workgroup = FOO
> realm = FOO.COM
> password server = dc1
> server string = %h server (Samba %v)
> encrypt passwords = yes
> log level = 10
> security = ADS
> log level = 1
> syslog = 0
> use spnego = yes
> domain master = no
> local master = no
> preferred master = no
> os level = 0
> logfile = /var/log/samba/log.%m
> ldap ssl = no
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template shell = /bin/bash
> winbind separator = +
> winbind nested groups = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> template homedir = /home/FOO/users/%U
> valid users = +"FOO+finance"
> path = /home/MCI/accounting
> writeable = yes
> read only = No
>  wbinfo -g output
> domain computers
> domain controllers
> schema admins
> enterprise admins
> domain admins
> domain users
> domain guests
> group policy creator owners
> pub relations
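The matching that Samba performs for 'valid users' is easy to misread when a winbind separator, quoting and a domain prefix are all involved. The following is an added example, not code from the thread or from Samba: a simplified model of the smb.conf(5) 'valid users' check that takes a parsed smb.conf fragment, a connecting user name and the group list the box would return for that user (as 'id -Gn' or 'wbinfo --user-groups' would), and reports whether the user passes. It collapses the @/+/& prefix distinctions into "this token is a group" and treats a bare name as belonging to the workgroup when 'winbind use default domain' is set; both are assumptions of the model, not Samba's exact code.

```python
import shlex

# Constructed smb.conf fragment, modelled on the one quoted in the thread.
SMB_CONF = """
workgroup = FOO
winbind separator = +
winbind use default domain = yes
valid users = +"FOO+finance" FOO+cwatson
"""

# smb.conf(5): @ = winbind/NIS/unix group, + = unix group, & = NIS group.
# This model treats all three the same (assumption: only membership matters here).
GROUP_PREFIXES = "@+&"


def parse_conf(text):
    """Flatten 'key = value' lines into a dict; section headers are ignored."""
    conf = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith(("#", ";", "[")):
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip()
    return conf


def canonical(name, workgroup, sep):
    """Normalise DOMAIN<sep>name or DOMAIN\\name to a case-folded (domain, name) pair.
    A bare name is assigned to the workgroup (models 'winbind use default domain')."""
    for s in (sep, "\\"):
        if s in name:
            domain, _, short = name.partition(s)
            return domain.lower(), short.lower()
    return workgroup.lower(), name.lower()


def parse_valid_users(value):
    """Yield (is_group, name) per token; shlex removes the quotes around names."""
    for token in shlex.split(value.replace(",", " ")):
        if token and token[0] in GROUP_PREFIXES:
            yield True, token.lstrip(GROUP_PREFIXES)
        else:
            yield False, token


def user_ok(conf, user, user_groups):
    """True if `user`, holding `user_groups`, matches some 'valid users' entry."""
    workgroup = conf.get("workgroup", "")
    sep = conf.get("winbind separator", "\\")
    who = canonical(user, workgroup, sep)
    groups = {canonical(g, workgroup, sep) for g in user_groups}
    for is_group, name in parse_valid_users(conf.get("valid users", "")):
        target = canonical(name, workgroup, sep)
        if (is_group and target in groups) or (not is_group and target == who):
            return True
    return False
```

Feeding it the group list the box actually reports for the user makes the point of the thread concrete: the group entry only matches if 'finance' is present in that list, which is exactly what the user_ok_token log line reports on.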