[Samba] valid users = +group doesn't work
Leonid Zeitlin
lz at csltd.com.ua
Tue Apr 22 13:01:12 GMT 2008
Hi Jerry,
>> I guess my question now boils down to the following: when I access a
>> share as domain user DOMAIN\lz, is there a way to apply "valid users"
>> check based on the Unix group membership of the Unix user "lz". From
>> what you are saying I am getting the impression that the asnwer is no;
>> is this really so?
>
> If you setup a "username map" and define "lz = DOMAIN\lz", then
> when you login as DOMAIN\lz you should only be assigned the
> groups belonging to the local user "lz". But you will not
> get the domain user's group membership.
This doesn't seem to work. The log shows:
[2008/04/22 15:51:38, 5] auth/auth_util.c:debug_nt_user_token(454)
NT user token of user S-1-5-21-3395643079-1670520419-2869919353-501
contains 4 SIDs
SID[ 0]: S-1-5-21-3395643079-1670520419-2869919353-501
SID[ 1]: S-1-1-0
SID[ 2]: S-1-5-2
SID[ 3]: S-1-5-32-546
SE_PRIV 0x0 0x0 0x0 0x0
[2008/04/22 15:51:38, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 99
Primary group is 99 and contains 0 supplementary groups
The SID and uid 99 correspond to user nobody. BTW, I am using idmap backend
= nss.
Actually, even if this works, it would be inconvenient to map every user
that needs to access the share.
I hoped Samba would treat local Unix group similar to how Windows treat
local groups. I wouldn't mind if a Unix group needed some "blessing" before
Samba uses it (i.e. a SID is somehow created for it). Is it not possible?
Thanks,
Leonid
>
>
>
>
>
> cheers, jerry
> - --
> =====================================================================
> Samba ------- http://www.samba.org
> Likewise Software --------- http://www.likewisesoftware.com
> "What man is a man who does not make the world better?" --Balian
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFIDdvAIR7qMdg1EfYRAsudAJ0QyxaRDc+lnJH6VdOtPNmPszKSgwCgzbE/
> u8DONjtZc1zf+wXNTuCFHgM=
> =ti50
> -----END PGP SIGNATURE-----
>
More information about the samba
mailing list