[Samba] Help needed: valid users
Chris Osicki
osk at admin.swisscom-mobile.ch
Thu Sep 17 05:57:02 MDT 2009
On Wed, 16 Sep 2009 18:03:48 -0400
Gary Dale <garydale at rogers.com> wrote:
> Chris Osicki wrote:
> > Hi
> >
> > I'm using Samba 3.0.33 on Solaris10 and have the following problem.
> > In the smb.conf I have
> >
> > workgroup = CORPROOT
> > security = domain
> >
> > and users authenticated to CORPROOT domain can connect shares
> > w/o problems, [homes] for example.
> > Now I would like to create a share and restrict access to it just
> > to a dozen of users or so.
> >
> > I tried
> >
> > valid users = +docs
> > force user = usodocs
> >
> > where docs is a group in /etc/group and it didn't work.
> > Looks like Samba is trying to look up the group docs on the domain
> > controller in the CORPROOT domain.
> >
> > So, I tried this
> >
> > valid users = CORPROOT\user
> > force user = usodocs
> >
> > it works.
> > According to man page
> > valid users = +docs
> > should work.
> > I must be missing something, but what?
> >
> > Is there any better/nicer way to achieve what I'm looking for?
> > That is, to give a group of users full control over content of
> > a share.
> > I have several Linux Samba servers where I use POSIX ACLs to control
> > read/write rights on the OS level and it works fine.
> >
> > I tried the same on the Solaris10 box with ZFS and its ACLs and it
> > didn't work as expected (posted about it a few weeks ago, no answers though)
> >
> > I would be very thankful for any help.
> >
> > BTW, anyone any idea how to attract attention to a post on this list?
> > Virtual beer as attachment? ;-)
> > My success rate is by now close to nothing.
> >
> > Thanks for your time.
> >
> > Regards,
> > Chris
> >
> Further to my earlier response, you need to ensure that the group has
> access to the share since Samba permissions cannot override Linux
> permissions. You may want to set the Linux permissions to 777 while
> testing. Leave off the force user and just try the "valid users". Also,
> since you are using the + group prefix, this is strictly the Linux group
> that you are granting permission to.

Thanks Gary for your reply.
I followed your suggestions but it didn't work.
Samba tries to resolve +group on the Domain Controller and not locally on Unix.
If I put

valid users = +CORPROOT\OG_ITS-SDL-SO-DXS-USO-BE

where OG_ITS-SDL-SO-DXS-USO-BE is a group my NT account belongs to, it works.
What could be causing Samba not to check +group locally on Unix?

Thanks for your time.

Regards,
Chris