[Samba] BUG? 'valid users' doesn't allow groups from trusted domains
Jonathan Johnson
jon at sutinen.com
Mon Jul 23 17:48:16 GMT 2007
Additional information below.
Jonathan Johnson wrote:
> It appears that you cannot include groups from trusted domains in the
> 'valid users =' directive on a share.
>
> Here is the scenario as I experienced it (names have been changed to
> protect the innocent):
>
> Configuration:
> - Samba 3.0.21b as a member server in a real NT4 domain (security =
> domain) called 'NTDOMAIN'
> - NTDOMAIN has a two-way trust with Windows 2003 Active Directory
> domain 'ADSDOMAIN'
> - User 'fred' has an account on NTDOMAIN (NTDOMAIN+fred) and is a
> member of the 'sales' group on NTDOMAIN (@NTDOMAIN+sales)
> - User 'wilma' has an account on ADSDOMAIN (ADSDOMAIN+wilma) and is a
> member of the 'sales' group on ADSDOMAIN (@ADSDOMAIN+sales)
>
> If the share 'salesforce' has a 'valid users =' line in it, members of
> the trusting domain have no access by group; they can only access it
> if their accounts are specified explicitly. For example:
>
> [salesforce]
> path = /data/salesforce
> valid users = @NTDOMAIN+sales, @ADSDOMAIN+sales
>
> then fred will have access to the salesforce share, but wilma will
> not, even though her group has been granted access to the share. If I
> specify wilma's account explicitly:
>
> [salesforce]
> path = /data/salesforce
> valid users = @NTDOMAIN+sales, @ADSDOMAIN+sales, ADSDOMAIN+wilma
>
> then wilma will be able to access the share. It appears that adding a
> group from a trusted domain doesn't achieve what I hope to accomplish.
>
> Now, I have not tried this with all possible combinations: both
> domains NT, both domains ADS, etc. ad infinitum. I just don't have the
> resources. Is this a bug or is it by design? If you folks think it's a
> bug, then I'll submit it as a bug report. If I'm misunderstanding
> something, please enlighten me or point me to the appropriate docs.
>
> -Jonathan Johnson
> Sutinen Consulting, Inc.
> www.sutinen.com
More information:
wbinfo -u -g --domain=NTDOMAIN
reveals the list of domain users & groups from NTDOMAIN.
wbinfo -u -g --domain=ADSDOMAIN
returns the error 'Error looking up domain users' (or groups, if only -g
is spec'd)
wbinfo --getdcname=ADSDOMAIN
returns 'ADSDOMAIN+ADSSERVER', the domain and name of the ADS server. If
I specify credentials (either in NTDOMAIN or ADSDOMAIN) using
--set-auth-user, the results are exactly the same. The 'getent' command
returns similar results, but IS able to resolve users in ADSDOMAIN but
not groups:
getent group NTDOMAIN+sales
will return the list of users in that group. However, the similar command:
getent group ADSDOMAIN+sales
returns nothing, not even an error. Interestingly, the command
getent passwd ADSDOMAIN+wilma
will return a result such as this:
ADSDOMAIN+wilma:x:10213:10034::/home/ADSDOMAIN/wilma:/bin/false
Interesting. Does this indicate a bug in wbinfo, getent, some Samba bug,
or a combination of all three? Oh, yes, this is on Ubuntu 5.10 "Breezy
Badger." Yes, I know it's old.
-Jon Johnson
Sutinen Consulting, Inc.
jon at sutinen.com
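The diagnostic Jon walks through above (run 'getent group' / 'getent passwd' for each
principal named in 'valid users' and see which ones come back empty) can be turned into a
pre-flight check for a share. The script below is an added example, not code from the
original post or from the Samba project: it parses the 'valid users =' line of a share,
classifies each entry as a user or a group, resolves it through NSS, and reports the
entries that resolve to nothing, since such an entry matches nobody and silently grants
no access. Assumptions that are not in the post: the winbind separator is '+' (as in the
examples), the default resolver shells out to getent(1), and the stand-in NSS table used
for offline runs is constructed from the observations in the post (NTDOMAIN groups and
ADSDOMAIN users resolve, ADSDOMAIN groups do not).

```python
"""Pre-flight check for the principals named in a Samba share's 'valid users' line.

Added example; not from the original mailing-list post or from Samba itself.
Assumes the winbind separator is '+' and that getent(1) is the NSS front end.
"""
import re
import shutil
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

WINBIND_SEPARATOR = "+"  # assumed, mirrors the DOMAIN+name form used in the post

# Constructed smb.conf fragment mirroring the post's first [salesforce] share.
SAMPLE_SMB_CONF = """
[salesforce]
path = /data/salesforce
valid users = @NTDOMAIN+sales, @ADSDOMAIN+sales
"""

# Constructed stand-in for the NSS results reported in the post, so the script
# runs offline: an NTDOMAIN group and an ADSDOMAIN user resolve, an ADSDOMAIN
# group does not. The gid and the member list are made up for illustration.
FAKE_NSS = {
    ("group", "NTDOMAIN+sales"): "NTDOMAIN+sales:x:10021:NTDOMAIN+fred",
    ("passwd", "ADSDOMAIN+wilma"):
        "ADSDOMAIN+wilma:x:10213:10034::/home/ADSDOMAIN/wilma:/bin/false",
}


def fake_lookup(database: str, name: str) -> Optional[str]:
    """Offline resolver: return the constructed NSS record, or None if absent."""
    return FAKE_NSS.get((database, name))


def getent_lookup(database: str, name: str) -> Optional[str]:
    """Live resolver: run 'getent <database> <name>' and return the record line.

    Returns None when getent exits non-zero or prints nothing, which is exactly
    the behaviour the post reports for 'getent group ADSDOMAIN+sales'.
    """
    if shutil.which("getent") is None:
        raise RuntimeError("getent(1) not found; pass a custom lookup function")
    proc = subprocess.run(["getent", database, name], capture_output=True, text=True)
    out = proc.stdout.strip()
    return out if proc.returncode == 0 and out else None


def parse_valid_users(smb_conf: str, share: str) -> List[Tuple[str, str]]:
    """Return (kind, name) pairs from the named share's 'valid users' line.

    kind is 'group' for entries prefixed with '@', '+' or '&' (the group-prefix
    forms smb.conf(5) accepts) and 'user' otherwise. Entries may be separated
    by commas or whitespace.
    """
    in_share = False
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_share = line[1:-1].strip().lower() == share.lower()
            continue
        if not in_share or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if " ".join(key.lower().split()) != "valid users":
            continue
        entries: List[Tuple[str, str]] = []
        for token in re.split(r"[,\s]+", value):
            if not token:
                continue
            if token[0] in "@+&":
                entries.append(("group", token[1:]))
            else:
                entries.append(("user", token))
        return entries
    return []


def check_valid_users(
    entries: List[Tuple[str, str]],
    lookup: Callable[[str, str], Optional[str]] = getent_lookup,
) -> Dict[str, str]:
    """Resolve every entry through NSS and map it to a verdict string.

    A group entry is checked in the 'group' database and a user entry in
    'passwd'. An entry with no record is flagged as unresolvable: winbind
    cannot expand it, so it grants access to nobody.
    """
    results: Dict[str, str] = {}
    for kind, name in entries:
        database = "group" if kind == "group" else "passwd"
        label = ("@" if kind == "group" else "") + name
        record = lookup(database, name)
        if record is None:
            results[label] = (
                f"unresolvable: 'getent {database} {name}' returns nothing; "
                "this entry matches no one"
            )
        elif kind == "group" and not record.rsplit(":", 1)[-1]:
            results[label] = "ok (group resolves but NSS lists no members)"
        else:
            results[label] = "ok"
    return results


if __name__ == "__main__":
    # Swap fake_lookup for getent_lookup on a real winbind-enabled member server.
    share_entries = parse_valid_users(SAMPLE_SMB_CONF, "salesforce")
    for entry, verdict in check_valid_users(share_entries, fake_lookup).items():
        print(f"{entry:20} {verdict}")
```

Run against the constructed table it reports @NTDOMAIN+sales as ok and @ADSDOMAIN+sales as
unresolvable, which is the asymmetry the post describes; on a real member server use
getent_lookup (the default) so the verdict reflects what winbind actually returns.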