[Samba] valid users = +group doesn't work

Gerald (Jerry) Carter jerry at samba.org
Mon Apr 21 14:09:12 GMT 2008

Hash: SHA1

Leonid Zeitlin wrote:

>> DOMAIN\lz has a different SID and token than the local
>> user "lz".   Therefore the search for the local group SID
>> of "webdev" will not be found in the domain user's (DOMAIN\lz)
>> token.  You can view the user's complete list of SIDs in the NT
>> token in a level 10 smbd debug log.
> I see. I observe an interesting picture here. If I specify 
> valid users = +DOMAIN\windows_group, then I am able
> to access the share, and in this case I see the following
> in the log:
> [2008/04/17 13:39:56, 5] auth/auth_util.c:debug_nt_user_token(454)
>  NT user token of user S-1-5-21-800801294-1190493330-1361462980-1010
>  contains 19 SIDs
>  SID[  0]: S-1-5-21-800801294-1190493330-1361462980-1010
> (... 18 more SIDs follow ... )
>  SE_PRIV  0x0 0x0 0x0 0x0
> [2008/04/17 13:39:56, 5] auth/auth_util.c:debug_unix_user_token(474)
>  UNIX token of user 500
>  Primary group is 500 and contains 0 supplementary groups
> [2008/04/17 13:39:56, 5] smbd/uid.c:change_to_user(273)
>  change_to_user uid=(500,500) gid=(0,500)
> The list of SIDs actually includes the SID to which the local group
> webdev was mapped with "net sam mapunixgroup"! The only thing that is
> somewhat strange here is "contains 0 supplementary groups", since my
> user actually has a number of supplementary groups, however, so far so
> good. Now, if I specify valid users = +webdev, I cannot access the share
> and when I try the log has something quite different:

The supplementary groups are determined by mapping the Windows group
to a gid.  I'm having to remember what we already convered so apoligies
fotr asking again.  Are you running winbindd?  or just manually
mapping groups to SIDs ?  Seems to be the former.

If so, I think I remember we made a change that group mapping
really only honored groups in the local SAM domain of the machine
which would explain why mapping to the domain group didn't work.
But I'm a little fuzzy on when (or if we really made that change).

>>> I guess I am getting confused here. Are "local nested groups from
>>> winbindd" the Unix local groups? If yes, this is what I need, but I'm
>>> failing to grasp how to make them work.
>> No.  See the "winbind nested groups" option for more details on
>> local nested groups.  These are the equivalent of Windows NT
>> 4.0 local machine groups.
> I see. But it appears to me (correct me if I'm wrong) that 
> if a local Unix group is mapped with "net sam mapunixgroup", then
> it becomes a local nested group and Samba could use
> it in "valid users" - but apparently it doesn't, which confuses me.

No.  The nested group functionality is only served by Winbind.

> BTW, I didn't mention this before, maybe it is relevant: I 
> am using NIS on the Samba machine. So, local user lz
> and group webdev are not inlocal passwd and group files,
> but come from NIS. I don't expect it to make a difference,
> but mentioning this just in case.

No difference.  "Local" in this discussion is in relation to who
is authoriative for the account: e.g. either Samba (local machine)
or the Domain controller.

cheers, jerry
- --
Samba                                    ------- http://www.samba.org
Likewise Software          ---------  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"      --Balian
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the samba mailing list