[Samba] BUG? 'valid users' doesn't allow groups from trusted domains

Jonathan Johnson jon at sutinen.com
Thu Jul 12 19:40:08 GMT 2007

It appears that you cannot include groups from trusted domains in the 
'valid users =' directive on a share.

Here is the scenario as I experienced it (names have been changed to 
protect the innocent):

 - Samba 3.0.21b as a member server in a real NT4 domain (security = 
domain) called 'NTDOMAIN'
 - NTDOMAIN has a two-way trust with Windows 2003 Active Directory 
domain 'ADSDOMAIN'
 - User 'fred' has an account on NTDOMAIN (NTDOMAIN+fred) and is a 
member of the 'sales' group on NTDOMAIN (@NTDOMAIN+sales)
 - User 'wilma' has an account on ADSDOMAIN (ADSDOMAIN+wilma) and is a 
member of the 'sales' group on ADSDOMAIN (@ADSDOMAIN+sales)

If the share 'salesforce' has a 'valid users =' line in it, members of 
the trusting domain have no access by group; they can only access it if 
their accounts are specified explicitly. For example:

    path = /data/salesforce
    valid users = @NTDOMAIN+sales, @ADSDOMAIN+sales

then fred will have access to the salesforce share, but wilma will not, 
even though her group has been granted access to the share. If I specify 
wilma's account explicitly:

    path = /data/salesforce
    valid users = @NTDOMAIN+sales, @ADSDOMAIN+sales, ADSDOMAIN+wilma

then wilma will be able to access the share. It appears that adding a 
group from a trusted domain doesn't achieve what I hope to accomplish.

Now, I have not tried this with all possible combinations: both domains 
NT, both domains ADS, etc. ad infinitum. I just don't have the 
resources. Is this a bug or is it by design? If you folks think it's a 
bug, then I'll submit it as a bug report. If I'm misunderstanding 
something, please enlighten me or point me to the appropriate docs.

-Jonathan Johnson
Sutinen Consulting, Inc.
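
An added example, not part of the original post and not Samba's own code: a small Python check that lists which 'valid users' entries should admit a user, given the group memberships the Samba host's NSS (for example winbind) reports, so the result can be compared with what the share actually allows. The function names and the sample membership table are constructed for illustration, and entries are read only as '@group' or a plain user name, as in the post.

```python
import grp
import os
import pwd

def nss_groups(user):
    """Group names this host's NSS (e.g. winbind) reports for user."""
    try:
        pw = pwd.getpwnam(user)
    except KeyError:
        return set()  # user does not resolve on this host
    names = set()
    for gid in os.getgrouplist(user, pw.pw_gid):
        try:
            names.add(grp.getgrgid(gid).gr_name)
        except KeyError:
            pass  # gid without a name mapping
    return names

def parse_valid_users(value):
    """Split a 'valid users' value into (kind, name) pairs.
    Quoted names containing spaces are not handled here."""
    pairs = []
    for token in value.replace(",", " ").split():
        if token.startswith("@"):
            pairs.append(("group", token[1:]))
        else:
            pairs.append(("user", token))
    return pairs

def admitting_entries(user, valid_users, groups_of=nss_groups):
    """Entries of valid_users that admit user; an empty list means denied."""
    groups = {g.lower() for g in groups_of(user)}
    hits = []
    for kind, name in parse_valid_users(valid_users):
        if kind == "user" and name.lower() == user.lower():
            hits.append(name)
        elif kind == "group" and name.lower() in groups:
            hits.append("@" + name)
    return hits

# Constructed membership table mirroring the scenario in the post.
SAMPLE = {
    "NTDOMAIN+fred": {"NTDOMAIN+sales"},
    "ADSDOMAIN+wilma": {"ADSDOMAIN+sales"},
}

def sample_groups(user):
    return SAMPLE.get(user, set())
```

On the member server, calling admitting_entries(user, value) without the third argument uses the host's own NSS lookups instead of the sample table.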
