[Samba] Re: valid users = +group doesn't work

Leonid Zeitlin lz at csltd.com.ua
Wed Apr 16 13:59:05 GMT 2008


Hi Jerry,
Thanks a lot for your quick reply. Please see below.

>> Hi all,
>> I seem to be having a problem identical to this bug:
>> https://bugzilla.samba.org/show_bug.cgi?id=3940 in Samba 3.0.28, however
>> the
>> bug is supposed to be fixed by now.
>>
>> I have a Fedora 7 box joined as a member to Windows 2003 domain. All my
>> Windows users have accounts on the Samba machine, with the same user name
>> in
>> Windows and in Unix. I have a share with valid users = +group, where
>> group
>> is a Unix group. Yet, when a user who is a member of that Unix group
>> connects, access is denied. The messages in the log are as follows:
>>
>> [2008/04/16 15:09:07, 5] smbd/service.c:make_connection(1205)
>>   making a connection to 'normal' service www
>> [2008/04/16 15:09:07, 3] lib/util_sid.c:string_to_sid(223)
>>   string_to_sid: Sid +webdev does not start with 'S-'.
>> [2008/04/16 15:09:07, 10] passdb/lookup_sid.c:lookup_name(64)
>>   lookup_name: UNIXBOX\webdev => UNIXBOX (domain), webdev (name)
>
> Is webdev in the local gtroup mapping table ?

If I understand your question correctly, initally it wasn't. Then I did "net
sam mapunixgroup webdev", but this didn't seem to have any effect.


>> [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:push_sec_ctx(208)
>>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>> [2008/04/16 15:09:07, 3] smbd/uid.c:push_conn_ctx(358)
>>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>> [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:set_sec_ctx(241)
>>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
>> [2008/04/16 15:09:07, 5] auth/auth_util.c:debug_nt_user_token(448)
>>   NT user token: (NULL)
>> [2008/04/16 15:09:07, 5] auth/auth_util.c:debug_unix_user_token(474)
>>   UNIX token of user 0
>>   Primary group is 0 and contains 0 supplementary groups
>> [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
>>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2008/04/16 15:09:07, 10] smbd/share_access.c:user_ok_token(211)
>>   User lz not in 'valid users'
>> [2008/04/16 15:09:07, 2] smbd/service.c:make_connection_snum(616)
>>   user 'lz' (from session setup) not permitted to access this share (www)
>>
>> Interestingly, if I specify valid users = +DOMAIN\windows_group, it
>> works.
>>
>> Maybe I need to configure something? Can I have valid users accept UNIX
>> groups?
>
> yes.  But there's some missing details in your original post.
> Sounds like your server is configured as a domain member server.
> is the user logging as a domain user ?  Or a local user?

I suppose as domain user. I am sitting at my Windows computer, logged in to
domain as DOMAIN\lz and connecting to a share at the Unix computer. The user
named "lz" also exists on the Unix computer. I was thinking that Samba would
map DOMAIN\lz the Windows user to lz the Unix user and use this user's group
membership.

> The domain user will only get domain groups (and possible
> local nested groups from winbindd) unless you explicitly
> map the domain\user account to a specific local Unix account.

I guess I am getting confused here. Are "local nested groups from winbindd"
the Unix local groups? If yes, this is what I need, but I'm failing to grasp
how to make them work.

Thanks,
  Leonid


>
>
>
>
>
> cheers, jerry
> - --
> =====================================================================
> Samba                                    ------- http://www.samba.org
> Likewise Software          ---------  http://www.likewisesoftware.com
> "What man is a man who does not make the world better?"      --Balian
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFIBfPuIR7qMdg1EfYRAhQyAJ4k+OEz7EaNr4P1K/L6E6GLg0TafgCeJubR
> ETDDOlBflWi7oonxqQ2ptro=
> =35qf
> -----END PGP SIGNATURE-----
>





More information about the samba mailing list