[Samba] valid users = +group doesn't work

Gerald (Jerry) Carter jerry at samba.org
Wed Apr 16 21:54:48 GMT 2008



Leonid Zeitlin wrote:

>> Is webdev in the local group mapping table?
> 
> If I understand your question correctly, initially it 
> wasn't. Then I did "net sam mapunixgroup webdev", but
> this didn't seem to have any effect.

Correct.  That was my question.  In 3.0.23 and later
Samba converts the name to a SID internally and then
compares for that SID in the user's NT token.

See below for why this matters.

>>> Interestingly, if I specify valid users = +DOMAIN\windows_group, it
>>> works.
>>>
>>> Maybe I need to configure something? Can I have valid users accept UNIX
>>> groups?
>>
>> Yes.  But there are some missing details in your original post.
>> Sounds like your server is configured as a domain member server.
>> Is the user logging in as a domain user?  Or a local user?
> 
> I suppose as domain user. I am sitting at my Windows computer, logged in
> to domain as DOMAIN\lz and connecting to a share at the Unix computer.
> The user named "lz" also exists on the Unix computer. I was thinking
> that Samba would map DOMAIN\lz the Windows user to lz the Unix user and
> use this user's group membership.

DOMAIN\lz has a different SID and token than the local
user "lz".   Therefore the search for the local group SID
of "webdev" will not be found in the domain user's (DOMAIN\lz)
token.  You can view the user's complete list of SIDs in the NT
token in a level 10 smbd debug log.

>> The domain user will only get domain groups (and possibly
>> local nested groups from winbindd) unless you explicitly
>> map the domain\user account to a specific local Unix account.
> 
> I guess I am getting confused here. Are "local nested groups from
> winbindd" the Unix local groups? If yes, this is what I need, but I'm
> failing to grasp how to make them work.

No.  See the "winbind nested groups" option for more details on
local nested groups.  These are the equivalent of Windows NT
4.0 local machine groups.





cheers, jerry
--
=====================================================================
Samba                                    ------- http://www.samba.org
Likewise Software          ---------  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"      --Balian
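
The check described in the message above (resolve the `+group` name to a SID, then look for that SID in the connecting user's NT token) can be modelled as follows. This is an added example, not part of the original post and not Samba's own code; the SIDs, the mapping tables and the log excerpt are constructed, and the `SID[ n]:` line layout of the token dump is an assumption.

```python
import re

# Constructed token dump for DOMAIN\lz in the style of a level 10 smbd log.
# All SIDs are invented; the line layout is an assumption.
DOMAIN_LZ_LOG = """\
NT user token of user S-1-5-21-1111111111-2222222222-3333333333-1105
contains 4 SIDs
SID[  0]: S-1-5-21-1111111111-2222222222-3333333333-1105
SID[  1]: S-1-5-21-1111111111-2222222222-3333333333-513
SID[  2]: S-1-1-0
SID[  3]: S-1-5-11
"""

# Hypothetical local group mapping table (Unix group -> local SID), i.e. the
# state after "net sam mapunixgroup webdev".
GROUP_MAP = {"webdev": "S-1-5-21-4444444444-5555555555-6666666666-3001"}
# Hypothetical domain group as resolved through the domain.
DOMAIN_GROUPS = {
    r"DOMAIN\windows_group": "S-1-5-21-1111111111-2222222222-3333333333-513",
}

SID_LINE = re.compile(r"^\s*SID\[\s*\d+\]:\s*(S-1-[0-9-]+)\s*$", re.M)


def token_sids(log_text):
    """Collect every SID listed in a token dump."""
    return set(SID_LINE.findall(log_text))


def check_valid_users(entry, log_text, group_map, domain_groups):
    """Model the '+group' test: name -> SID, then SID membership in the token.

    Returns (allowed, reason) with reason one of
    'unmapped', 'not-in-token', 'in-token'.
    """
    if not entry.startswith("+"):
        raise ValueError("this model only handles +group entries")
    name = entry[1:]
    sid = group_map.get(name) or domain_groups.get(name)
    if sid is None:
        return False, "unmapped"       # no SID to compare against
    if sid in token_sids(log_text):
        return True, "in-token"
    return False, "not-in-token"       # mapped, but the token lacks that SID


if __name__ == "__main__":
    for entry in ("+webdev", r"+DOMAIN\windows_group"):
        print(entry, check_valid_users(entry, DOMAIN_LZ_LOG, GROUP_MAP, DOMAIN_GROUPS))
```

With the constructed data, `+webdev` is denied both before and after the group is mapped, because the domain user's token never carries the local group's SID, while `+DOMAIN\windows_group` is allowed.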

