[Samba] BUG? 'valid users' doesn't allow groups from trusted domains

Jonathan Johnson jon at sutinen.com
Mon Jul 23 17:48:16 GMT 2007 

Additional information below.

Jonathan Johnson wrote:
> It appears that you cannot include groups from trusted domains in the 
> 'valid users =' directive on a share.
>
> Here is the scenario as I experienced it (names have been changed to 
> protect the innocent):
>
> Configuration:
> - Samba 3.0.21b as a member server in a real NT4 domain (security = 
> domain) called 'NTDOMAIN'
> - NTDOMAIN has a two-way trust with Windows 2003 Active Directory 
> domain 'ADSDOMAIN'
> - User 'fred' has an account on NTDOMAIN (NTDOMAIN+fred) and is a 
> member of the 'sales' group on NTDOMAIN (@NTDOMAIN+sales)
> - User 'wilma' has an account on ADSDOMAIN (ADSDOMAIN+wilma) and is a 
> member of the 'sales' group on ADSDOMAIN (@ADSDOMAIN+sales)
>
> If the share 'salesforce' has a 'valid users =' line in it, members of 
> the trusting domain have no access by group; they can only access it 
> if their accounts are specified explicitly. For example:
>
> [salesforce]
>    path = /data/salesforce
>    valid users = @NTDOMAIN+sales, @ADSDOMAIN+sales
>
> then fred will have access to the salesforce share, but wilma will 
> not, even though her group has been granted access to the share. If I 
> specify wilma's account explicitly:
>
> [salesforce]
>    path = /data/salesforce
>    valid users = @NTDOMAIN+sales, @ADSDOMAIN+sales, ADSDOMAIN+wilma
>
> then wilma will be able to access the share. It appears that adding a 
> group from a trusted domain doesn't achieve what I hope to accomplish.
>
> Now, I have not tried this with all possible combinations: both 
> domains NT, both domains ADS, etc. ad infinitum. I just don't have the 
> resources. Is this a bug or is it by design? If you folks think it's a 
> bug, then I'll submit it as a bug report. If I'm misunderstanding 
> something, please enlighten me or point me to the appropriate docs.
>
> -Jonathan Johnson
> Sutinen Consulting, Inc.
> www.sutinen.com
More information:

    wbinfo -u -g --domain=NTDOMAIN

reveals the list of domain users & groups from NTDOMAIN.

    wbinfo -u -g --domain=ADSDOMAIN

returns the error 'Error looking up domain users' (or groups, if only -g 
is spec'd)

    wbinfo --getdcname=ADSDOMAIN

returns 'ADSDOMAIN+ADSSERVER', the domain and name of the ADS server. If 
I specify credentials (either in NTDOMAIN or ADSDOMAIN) using 
--set-auth-user, the results are exactly the same. The 'getent' command 
returns similar results, but IS able to resolve users in ADSDOMAIN but 
not groups:

    getent group NTDOMAIN+sales

will return the list of users in that group. However, the similar command:

    getent group ADSDOMAIN+sales

returns nothing, not even an error. Interestingly, the command

    getent passwd ADSDOMAIN+wilma

will return a result such as this:

    ADSDOMAIN+wilma:x:10213:10034::/home/ADSDOMAIN/wilma:/bin/false

Interesting. Does this indicate a bug in wbinfo, getent, some Samba bug, 
or a combination of all three? Oh, yes, this is on Ubuntu 5.10 "Breezy 
Badger." Yes, I know it's old.

-Jon Johnson
Sutinen Consulting, Inc.
jon at sutinen.com

More information about the samba mailing list