[Samba] valid users = +group doesn't work

Leonid Zeitlin lz at csltd.com.ua
Tue Apr 22 13:01:12 GMT 2008

Hi Jerry,

>> I guess my question now boils down to the following: when I access a
>> share as domain user DOMAIN\lz, is there a way to apply "valid users"
>> check based on the Unix group membership of the Unix user "lz". From
>> what you are saying I am getting the impression that the asnwer is no;
>> is this really so?
> If you setup a "username map" and define "lz = DOMAIN\lz", then
> when you login as DOMAIN\lz you should only be assigned the
> groups belonging to the local user "lz".  But you will not
> get the domain user's group membership.

This doesn't seem to work. The log shows:

[2008/04/22 15:51:38, 5] auth/auth_util.c:debug_nt_user_token(454)
  NT user token of user S-1-5-21-3395643079-1670520419-2869919353-501
  contains 4 SIDs
  SID[  0]: S-1-5-21-3395643079-1670520419-2869919353-501
  SID[  1]: S-1-1-0
  SID[  2]: S-1-5-2
  SID[  3]: S-1-5-32-546
  SE_PRIV  0x0 0x0 0x0 0x0
[2008/04/22 15:51:38, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 99
  Primary group is 99 and contains 0 supplementary groups

The SID and uid 99 correspond to user nobody. BTW, I am using idmap backend 
= nss.

Actually, even if this works, it would be inconvenient to map every user 
that needs to access the share.

I hoped Samba would treat local Unix group similar to how Windows treat 
local groups. I wouldn't mind if a Unix group needed some "blessing" before 
Samba uses it (i.e. a SID is somehow created for it). Is it not possible?


> cheers, jerry
> - --
> =====================================================================
> Samba                                    ------- http://www.samba.org
> Likewise Software          ---------  http://www.likewisesoftware.com
> "What man is a man who does not make the world better?"      --Balian
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> iD8DBQFIDdvAIR7qMdg1EfYRAsudAJ0QyxaRDc+lnJH6VdOtPNmPszKSgwCgzbE/
> u8DONjtZc1zf+wXNTuCFHgM=
> =ti50

More information about the samba mailing list