[Samba] valid users = +group doesn't work

Leonid Zeitlin lz at csltd.com.ua
Thu Apr 17 10:52:35 GMT 2008

Hi Jerry,
Please see below.

> Hash: SHA1
> Leonid Zeitlin wrote:
>>> Is webdev in the local gtroup mapping table ?
>> If I understand your question correctly, initally it
>> wasn't. Then I did "net sam mapunixgroup webdev", but
>> this didn't seem to have any effect.
> Correct.  That was my question.  In 3.0.23 and later
> Samba converts the name to a SID internally and then
> compares for that SID in the user's NT token.
> See below for why this matters.

Got you on this one, thanks.

>>>> Interestingly, if I specify valid users = +DOMAIN\windows_group, it
>>>> works.
>>>> Maybe I need to configure something? Can I have valid users accept UNIX
>>>> groups?
>>> yes.  But there's some missing details in your original post.
>>> Sounds like your server is configured as a domain member server.
>>> is the user logging as a domain user ?  Or a local user?
>> I suppose as domain user. I am sitting at my Windows computer, logged in
>> to domain as DOMAIN\lz and connecting to a share at the Unix computer.
>> The user named "lz" also exists on the Unix computer. I was thinking
>> that Samba would map DOMAIN\lz the Windows user to lz the Unix user and
>> use this user's group membership.
> DOMAIN\lz has a different SID and token than the local
> user "lz".   Therefore the search for the local group SID
> of "webdev" will not be found in the domain user's (DOMAIN\lz)
> token.  You can view the user's complete list of SIDs in the NT
> token in a level 10 smbd debug log.

I see. I observe an interesting picture here. If I specify valid users = 
+DOMAIN\windows_group, then I am able to access the share, and in this case 
I see the following in the log:

[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_nt_user_token(454)
  NT user token of user S-1-5-21-800801294-1190493330-1361462980-1010
  contains 19 SIDs
  SID[  0]: S-1-5-21-800801294-1190493330-1361462980-1010
 (... 18 more SIDs follow ... )
  SE_PRIV  0x0 0x0 0x0 0x0
[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 500
  Primary group is 500 and contains 0 supplementary groups
[2008/04/17 13:39:56, 5] smbd/uid.c:change_to_user(273)
  change_to_user uid=(500,500) gid=(0,500)

The list of SIDs actually includes the SID to which the local group webdev 
was mapped with "net sam mapunixgroup"! The only thing that is somewhat 
strange here is "contains 0 supplementary groups", since my user actually 
has a number of supplementary groups, however, so far so good. Now, if I 
specify valid users = +webdev, I cannot access the share and when I try the 
log has something quite different:

[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2008/04/17 13:39:56, 5] smbd/uid.c:change_to_root_user(288)
  change_to_root_user: now uid=(0,0) gid=(0,0)

Maybe I'm off base here, and this is normal, but this looks strange: 
apparently Samba knows my user is a member of local webdev group, yet it 
won't let me in based on this membership.

>>> The domain user will only get domain groups (and possible
>>> local nested groups from winbindd) unless you explicitly
>>> map the domain\user account to a specific local Unix account.
>> I guess I am getting confused here. Are "local nested groups from
>> winbindd" the Unix local groups? If yes, this is what I need, but I'm
>> failing to grasp how to make them work.
> No.  See the "winbind nested groups" option for more details on
> local nested groups.  These are the equivalent of Windows NT
> 4.0 local machine groups.

I see. But it appears to me (correct me if I'm wrong) that if a local Unix 
group is mapped with "net sam mapunixgroup", then it becomes a local nested 
group and Samba could use it in "valid users" - but apparently it doesn't, 
which confuses me.

BTW, I didn't mention this before, maybe it is relevant: I am using NIS on 
the Samba machine. So, local user lz and group webdev are not in local 
passwd and group files, but come from NIS. I don't expect it to make a 
difference, but mentioning this just in case.

Thanks a lot,

More information about the samba mailing list