[Samba] valid users = +group doesn't work
Gerald (Jerry) Carter
jerry at samba.org
Mon Apr 21 14:09:12 GMT 2008
Leonid Zeitlin wrote:
>> DOMAIN\lz has a different SID and token than the local
>> user "lz". Therefore the search for the local group SID
>> of "webdev" will not be found in the domain user's (DOMAIN\lz)
>> token. You can view the user's complete list of SIDs in the NT
>> token in a level 10 smbd debug log.
> I see. I observe an interesting picture here. If I specify
> valid users = +DOMAIN\windows_group, then I am able
> to access the share, and in this case I see the following
> in the log:
> [2008/04/17 13:39:56, 5] auth/auth_util.c:debug_nt_user_token(454)
> NT user token of user S-1-5-21-800801294-1190493330-1361462980-1010
> contains 19 SIDs
> SID[ 0]: S-1-5-21-800801294-1190493330-1361462980-1010
> (... 18 more SIDs follow ... )
> SE_PRIV 0x0 0x0 0x0 0x0
> [2008/04/17 13:39:56, 5] auth/auth_util.c:debug_unix_user_token(474)
> UNIX token of user 500
> Primary group is 500 and contains 0 supplementary groups
> [2008/04/17 13:39:56, 5] smbd/uid.c:change_to_user(273)
> change_to_user uid=(500,500) gid=(0,500)
> The list of SIDs actually includes the SID to which the local group
> webdev was mapped with "net sam mapunixgroup"! The only thing that is
> somewhat strange here is "contains 0 supplementary groups", since my
> user actually has a number of supplementary groups, however, so far so
> good. Now, if I specify valid users = +webdev, I cannot access the share
> and when I try the log has something quite different:
The supplementary groups are determined by mapping the Windows group
to a gid. I'm having to remember what we already covered so apologies
for asking again. Are you running winbindd? Or just manually
mapping groups to SIDs? Seems to be the former.
If so, I think I remember we made a change that group mapping
really only honored groups in the local SAM domain of the machine
which would explain why mapping to the domain group didn't work.
But I'm a little fuzzy on when (or if we really made that change).
>>> I guess I am getting confused here. Are "local nested groups from
>>> winbindd" the Unix local groups? If yes, this is what I need, but I'm
>>> failing to grasp how to make them work.
>> No. See the "winbind nested groups" option for more details on
>> local nested groups. These are the equivalent of Windows NT
>> 4.0 local machine groups.
> I see. But it appears to me (correct me if I'm wrong) that
> if a local Unix group is mapped with "net sam mapunixgroup", then
> it becomes a local nested group and Samba could use
> it in "valid users" - but apparently it doesn't, which confuses me.
No. The nested group functionality is only served by Winbind.
> BTW, I didn't mention this before, maybe it is relevant: I
> am using NIS on the Samba machine. So, local user lz
> and group webdev are not in local passwd and group files,
> but come from NIS. I don't expect it to make a difference,
> but mentioning this just in case.
No difference. "Local" in this discussion is in relation to who
is authoritative for the account: e.g. either Samba (local machine)
or the Domain controller.
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian
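The thread's diagnosis rests on reading the NT user token out of a level 5/10 smbd debug log and checking whether the SID that `net sam mapunixgroup` assigned to the Unix group appears in it. The following script is an added example, not code from the thread or from the Samba project: it parses a constructed log excerpt written in the format of the `debug_nt_user_token` / `debug_unix_user_token` lines quoted above, and reports whether a given group SID is in the token, whether the excerpt is complete, and how many supplementary gids the Unix token carries. The domain SID, the RIDs and the `WEBDEV_GROUP_SID` value are all made up for the example.

```python
import re
from typing import Dict

# Constructed excerpt imitating the level-5 smbd debug output quoted in the
# thread (debug_nt_user_token / debug_unix_user_token). The domain SID
# S-1-5-21-1111111111-2222222222-3333333333 and every RID are made up.
SAMPLE_LOG = """\
[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_nt_user_token(454)
  NT user token of user S-1-5-21-1111111111-2222222222-3333333333-1010 contains 4 SIDs
  SID[  0]: S-1-5-21-1111111111-2222222222-3333333333-1010
  SID[  1]: S-1-5-21-1111111111-2222222222-3333333333-513
  SID[  2]: S-1-1-0
  SID[  3]: S-1-5-21-1111111111-2222222222-3333333333-3001
  SE_PRIV 0x0 0x0 0x0 0x0
[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 500
  Primary group is 500 and contains 0 supplementary groups
"""

# Hypothetical SID that "net groupmap list" would report for the Unix group
# "webdev" after "net sam mapunixgroup webdev"; chosen to equal SID[ 3] above.
WEBDEV_GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-3001"

NT_HEADER = re.compile(r"NT user token of user (S-[\d-]+) contains (\d+) SIDs")
NT_SID = re.compile(r"SID\[\s*\d+\]:\s*(S-[\d-]+)")
UNIX_HEADER = re.compile(r"UNIX token of user (\d+)")
UNIX_GROUPS = re.compile(r"Primary group is (\d+) and contains (\d+) supplementary groups")


def parse_tokens(log_text: str) -> Dict:
    """Extract the NT token SIDs and the Unix token summary from one
    debug-log excerpt (the last token block of each kind wins)."""
    result = {"user_sid": None, "declared_sids": 0, "sids": [],
              "uid": None, "primary_gid": None, "supplementary_groups": None}
    for line in log_text.splitlines():
        line = line.strip()
        if m := NT_HEADER.search(line):
            result["user_sid"], result["declared_sids"] = m.group(1), int(m.group(2))
            result["sids"] = []          # new token block: start a fresh SID list
        elif m := NT_SID.search(line):
            result["sids"].append(m.group(1))
        elif m := UNIX_HEADER.search(line):
            result["uid"] = int(m.group(1))
        elif m := UNIX_GROUPS.search(line):
            result["primary_gid"] = int(m.group(1))
            result["supplementary_groups"] = int(m.group(2))
    return result


def diagnose(log_text: str, group_sid: str) -> Dict:
    """Answer the question raised in the thread: is the SID of the group named
    in 'valid users = +group' present in the connecting user's NT token, and
    does the Unix token carry any supplementary gids at all?"""
    tok = parse_tokens(log_text)
    return {
        "user_sid": tok["user_sid"],
        "group_sid_in_nt_token": group_sid in tok["sids"],
        # A count mismatch means the excerpt was truncated (like the thread's
        # "18 more SIDs follow"), so a negative answer would be inconclusive.
        "token_complete": len(tok["sids"]) == tok["declared_sids"],
        # 0 supplementary groups means no Windows group was mapped to a gid,
        # so a gid-based membership check fails even when the SID is present.
        "unix_supplementary_groups": tok["supplementary_groups"],
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG, WEBDEV_GROUP_SID).items():
        print(f"{key}: {value}")
```

Run it against a real log by replacing `SAMPLE_LOG` with the token block copied from `log.smbd` and `WEBDEV_GROUP_SID` with the SID that `net groupmap list` prints for the group; a token that contains the SID while the Unix token still shows 0 supplementary groups is the situation the thread attributes to group mapping being honoured only for the local SAM domain.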