[Samba] User not permitted to access this share

Marc Muehlfeld Marc.Muehlfeld at medizinische-genetik.de
Mon Sep 10 10:28:27 GMT 2007


Hi,

I have two samba domains. On one member of DOMAIN1 I set up a share "intranet" 
with

valid users = +"DOMAIN1+webmaster" +"DOMAIN2+TestGroup"

Winbindd is running. When I try to access the share from a DOMAIN2 workstation, 
permission is denied. When I look at the logfile, I see that the server tries 
to find the group of DOMAIN2 (TestGroup) in the LDAP of the local DOMAIN1:



[2007/09/10 10:24:08, 3] lib/util_sid.c:string_to_sid(223)
   string_to_sid: Sid +DOMAIN2+TestGroup does not start with 'S-'.
[2007/09/10 10:24:08, 10] passdb/lookup_sid.c:lookup_name(64)
   lookup_name: DOMAIN2\TestGroup => DOMAIN2 (domain), TestGroup (name)
[2007/09/10 10:24:08, 10] passdb/util_wellknown.c:lookup_wellknown_name(154)
   map_name_to_wellknown_sid: looking up TestGroup
[2007/09/10 10:24:08, 3] smbd/sec_ctx.c:push_sec_ctx(208)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/09/10 10:24:08, 3] smbd/uid.c:push_conn_ctx(358)
   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/09/10 10:24:08, 3] smbd/sec_ctx.c:set_sec_ctx(241)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/09/10 10:24:08, 5] auth/auth_util.c:debug_nt_user_token(448)
   NT user token: (NULL)
[2007/09/10 10:24:08, 5] auth/auth_util.c:debug_unix_user_token(474)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2007/09/10 10:24:08, 5] lib/smbldap.c:smbldap_search_ext(1182)
   smbldap_search_ext: base => [ou=Groups,dc=domain1,dc=de], filter => 
[(&(objectClass=sambaGroupMapping)(|(displayName=TestGroup)(cn=TestGroup)))], 
scope => [2]
[2007/09/10 10:24:08, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2235)
   ldapsam_getgroup: Did not find group
[2007/09/10 10:24:08, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/09/10 10:24:08, 5] smbd/share_access.c:token_contains_name(118)
   lookup_name DOMAIN2+TestGroup failed
[2007/09/10 10:24:08, 10] smbd/share_access.c:user_ok_token(211)
   User muehlfeld not in 'valid users'
[2007/09/10 10:24:08, 2] smbd/service.c:make_connection_snum(616)
   user 'muehlfeld' (from session setup) not permitted to access this share 
(intranet)
[2007/09/10 10:24:08, 3] smbd/error.c:error_packet_set(106)
   error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED



When I write

valid users = +"DOMAIN1+webmaster" S-1-5-21-1183370737-3874734740-1589004535-16001

then it's working and I can access the share from workstations of both 
domains. The SID is the one from "DOMAIN2+TestGroup".


Any idea what could be wrong?


Regards
Marc
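
For reading a level-10 smbd log like the one quoted above, the following Python script (an added example, not part of the original post and not Samba code) pairs each share denial with the `valid users` name lookups that failed before it and the LDAP base that was searched. The function names and regular expressions are assumptions derived only from the log lines in the post; the sample input is an excerpt of that log.

```python
import re

# smbd debug entry header: "[date time, level] file:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\] (\S+?):(\w+)\((\d+)\)\s*$")
LOOKUP_FAILED = re.compile(r"lookup_name (\S+) failed")
LDAP_BASE = re.compile(r"base => \[([^\]]*)\]")
DENIED = re.compile(r"user '([^']+)' .*not permitted to access this share \(([^)]+)\)")

def parse_entries(text):
    """Return [timestamp, function, message] per entry; wrapped message lines are re-joined."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append([m.group(1), m.group(4), ""])
        elif entries and line.strip():
            entries[-1][2] = (entries[-1][2] + " " + line.strip()).strip()
    return entries

def explain_denials(text):
    """Pair each share denial with the failed name lookups and LDAP bases seen before it."""
    findings, failed, bases = [], [], []
    for ts, func, msg in parse_entries(text):
        if func == "smbldap_search_ext" and (m := LDAP_BASE.search(msg)):
            bases.append(m.group(1))      # where smbd actually searched for the group
        elif func == "token_contains_name" and (m := LOOKUP_FAILED.search(msg)):
            failed.append(m.group(1))     # 'valid users' entry that could not be resolved
        elif func == "make_connection_snum" and (m := DENIED.search(msg)):
            findings.append({"time": ts, "user": m.group(1), "share": m.group(2),
                             "failed_names": failed, "ldap_bases": bases})
            failed, bases = [], []        # start collecting for the next connection
    return findings

# Excerpt of the log quoted in the post, including its wrapped lines.
SAMPLE = """
[2007/09/10 10:24:08, 5] lib/smbldap.c:smbldap_search_ext(1182)
   smbldap_search_ext: base => [ou=Groups,dc=domain1,dc=de], filter =>
[(&(objectClass=sambaGroupMapping)(|(displayName=TestGroup)(cn=TestGroup)))],
scope => [2]
[2007/09/10 10:24:08, 5] smbd/share_access.c:token_contains_name(118)
   lookup_name DOMAIN2+TestGroup failed
[2007/09/10 10:24:08, 2] smbd/service.c:make_connection_snum(616)
   user 'muehlfeld' (from session setup) not permitted to access this share
(intranet)
"""

if __name__ == "__main__":
    print(explain_denials(SAMPLE))
```

For the excerpt, the single finding shows the DOMAIN2 group name failing to resolve while the only LDAP search went to the DOMAIN1 base, which is the mismatch described in the post.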

