[Samba] BUG? 'valid users' doesn't allow groups from trusted domains
Jonathan Johnson
jon at sutinen.com
Thu Jul 12 19:40:08 GMT 2007
It appears that you cannot include groups from trusted domains in the
'valid users =' directive on a share.
Here is the scenario as I experienced it (names have been changed to
protect the innocent):
Configuration:
- Samba 3.0.21b as a member server in a real NT4 domain (security =
domain) called 'NTDOMAIN'
- NTDOMAIN has a two-way trust with Windows 2003 Active Directory
domain 'ADSDOMAIN'
- User 'fred' has an account on NTDOMAIN (NTDOMAIN+fred) and is a
member of the 'sales' group on NTDOMAIN (@NTDOMAIN+sales)
- User 'wilma' has an account on ADSDOMAIN (ADSDOMAIN+wilma) and is a
member of the 'sales' group on ADSDOMAIN (@ADSDOMAIN+sales)
If the share 'salesforce' has a 'valid users =' line in it, members of
the trusting domain have no access by group; they can only access it if
their accounts are specified explicitly. For example:
    [salesforce]
        path = /data/salesforce
        valid users = @NTDOMAIN+sales, @ADSDOMAIN+sales
then fred will have access to the salesforce share, but wilma will not,
even though her group has been granted access to the share. If I specify
wilma's account explicitly:
    [salesforce]
        path = /data/salesforce
        valid users = @NTDOMAIN+sales, @ADSDOMAIN+sales, ADSDOMAIN+wilma
then wilma will be able to access the share. It appears that adding a
group from a trusted domain doesn't achieve what I hope to accomplish.
Now, I have not tried this with all possible combinations: both domains
NT, both domains ADS, etc. ad infinitum. I just don't have the
resources. Is this a bug or is it by design? If you folks think it's a
bug, then I'll submit it as a bug report. If I'm misunderstanding
something, please enlighten me or point me to the appropriate docs.
-Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com
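
An audit sketch for the situation reported in this post, added as an example (it is not part of the original message and is not Samba code): it lists, per share, the 'valid users' group entries whose domain differs from the server's own workgroup, which are the entries the post reports as not granting access. The sample smb.conf is constructed, and the [global] values 'workgroup = NTDOMAIN' and 'winbind separator = +' are assumptions inferred from the names used in the post.

```python
import re

# Constructed sample; the [global] values are assumptions inferred from the post.
SAMPLE_CONF = """\
[global]
    workgroup = NTDOMAIN
    security = domain
    winbind separator = +
[salesforce]
    path = /data/salesforce
    valid users = @NTDOMAIN+sales, @ADSDOMAIN+sales, ADSDOMAIN+wilma
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with lower-cased names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def trusted_group_entries(text):
    """Map each share to its 'valid users' groups from a domain other than
    the server's own workgroup (the case the post reports as failing)."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    home = glob.get("workgroup", "").upper()
    sep = glob.get("winbind separator", "\\")    # Samba's default separator
    findings = {}
    for share, params in conf.items():
        if share == "global":
            continue
        entries = re.findall(r'"[^"]*"|[^\s,]+', params.get("valid users", ""))
        for entry in (e.strip('"') for e in entries):
            bare = entry.lstrip("@&+")           # group prefixes: @, & and +
            if bare == entry or sep not in bare:
                continue                         # a user, or a group with no domain
            if bare.split(sep, 1)[0].upper() != home:
                findings.setdefault(share, []).append(entry)
    return findings

if __name__ == "__main__":
    print(trusted_group_entries(SAMPLE_CONF))
```

Shares that appear in the result depend on a trusted-domain group for access and are the ones to test with a real account from that domain.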