[Samba] valid users VS users in conf

DNK d.k.emaillists at gmail.com
Tue May 19 15:09:34 GMT 2009

On 18-May-09, at 11:48 PM, Michael Heydon wrote:

> DNK wrote:
>> Why would this happen?
> No idea...
>> Is there any disadvantage or security concern by using the "users =  
>> @group" style?
> Yes, the users option does something completely different to the  
> valid users option. While there may be some similarities in the end  
> result, they are not the same.
> The most obvious issue is where two users happen to have the same  
> password, they will both authenticate as the first user in the list.
> Can you paste your smb.conf?
> *Michael Heydon - IT Administrator *
> michaelh at jaswin.com.au <mailto:michaelh at jaswin.com.au>

Here it is.... pretty basic for the most part. I have clipped out all  
my shares, but left in one example. In my below conf, the "main" share  
originally had:

valid users = @main

But just to get it working for this AM, it now has:

users = @main

----- smb.conf -----

[global]
workgroup = DOMAIN
netbios name = Fileserver
server string = (%L)
wins support = Yes
name resolve order = wins bcast hosts
passdb backend = tdbsam
username map = /etc/samba/smbusers
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/groupmod -A %u %g
delete user from group script = /usr/sbin/groupmod -R %u %g
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
# Note: The following specifies the default logon script.
# Per user logon scripts can be specified in the user account using  
logon script = %U.bat
# This sets the default profile path. Set per user paths with pdbedit
logon path =
logon drive = H:
logon home = \\%L\%U
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
idmap uid = 15000-20000
idmap gid = 15000-20000
#mac hacks
follow symlinks = yes
unix extensions = no
veto files = /.DS_Store/._.*/DesktopFolderDB/Network Trash Folder/ 
delete veto files = true
hide dot files = yes

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[netlogon]
comment = Network Logon Service
path = /shares/netlogon
admin users = root
guest ok = Yes
browseable = No

[main]
comment = Share for the users in the baja group
path = /shares/main
users = @main
force group = main
create mask = 0660
directory mask = 0771
writeable = yes
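
An added example, not part of the original message or of Samba itself: a small audit that finds sections in an smb.conf which set `users` (or its synonyms `user` and `username`) and reports whether the same section also has `valid users`, the distinction raised in the reply quoted above. The sample configuration and the `[projects]` share are constructed for illustration.

```python
import re

# smb.conf treats "user" and "users" as synonyms for "username".
USERNAME_SYNONYMS = {"username", "user", "users"}

# Constructed sample modelled on the share in the post (not the poster's file).
SAMPLE_CONF = """\
[global]
workgroup = DOMAIN
[homes]
valid users = %S
[main]
path = /shares/main
Users = @main
force group = main
[projects]
path = /shares/projects
valid users = @main
user = @main
"""

def norm(name):
    # Samba ignores case and whitespace inside parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse(text):
    """Return {section: {normalized parameter: value}} for smb.conf text."""
    sections, current = {}, None
    # A trailing backslash continues a line, so join those first.
    for line in re.sub(r"\\\n", "", text).splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def audit(text):
    """Return (section, parameter, has_valid_users) for each username-style setting."""
    findings = []
    for section, params in parse(text).items():
        for name in sorted(USERNAME_SYNONYMS.intersection(params)):
            findings.append((section, name, "validusers" in params))
    return findings

if __name__ == "__main__":
    for section, name, restricted in audit(SAMPLE_CONF):
        note = "also has valid users" if restricted else "no valid users set"
        print(f"[{section}] {name} is set ({note})")
```

A section reported with no `valid users` is one where the share's access list has been replaced rather than supplemented, which is the state of the `main` share in the posted configuration.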
