[Samba] Help needed: valid users
Gary Dale
garydale at rogers.com
Thu Sep 17 09:30:42 MDT 2009
Chris Osicki wrote:
> On Wed, 16 Sep 2009 18:03:48 -0400
> Gary Dale <garydale at rogers.com> wrote:
>
>
>> Chris Osicki wrote:
>>
>>> Hi
>>>
>>> I'm using Samba 3.0.33 on Solaris10 and have the following problem.
>>> In the smb.conf I have
>>>
>>> workgroup = CORPROOT
>>> security = domain
>>>
>>> and users authenticated to the CORPROOT domain can connect to shares
>>> w/o problems, [homes] for example.
>>> Now I would like to create a share and restrict access to it just
>>> to a dozen users or so.
>>>
>>> I tried
>>>
>>> valid users = +docs
>>> force user = usodocs
>>>
>>> where docs is a group in /etc/group and it didn't work.
>>> Looks like Samba is trying to look up the group docs on the domain
>>> controller in the CORPROOT domain.
>>>
>>> So, I tried this
>>>
>>> valid users = CORPROOT\user
>>> force user = usodocs
>>>
>>> it works.
>>> According to man page
>>> valid users = +docs
>>> should work.
>>> I must be missing something, but what?
>>>
>>> Is there any better/nicer way to achieve what I'm looking for?
>>> That is, to give a group of users full control over content of
>>> a share.
>>> I have several Linux Samba servers where I use POSIX ACLs to control
>>> read/write rights on the OS level and it works fine.
>>>
>>> I tried the same on the Solaris10 box with ZFS and its ACLs and it
>>> didn't work as expected (posted about it a few weeks ago, no answers though)
>>>
>>> I would be very thankful for any help.
>>>
>>> BTW, does anyone have any idea how to attract attention to a post on this list?
>>> Virtual beer as attachment? ;-)
>>> My success rate is by now close to nothing.
>>>
>>> Thanks for your time.
>>>
>>> Regards,
>>> Chris
>>>
>>>
>> Further to my earlier response, you need to ensure that the group has
>> access to the share since Samba permissions cannot override Linux
>> permissions. You may want to set the Linux permissions to 777 while
>> testing. Leave off the force user and just try the "valid users". Also,
>> since you are using the + group prefix, this is strictly the Linux group
>> that you are granting permission to.
>>
>
> Thanks Gary for your reply.
>
> I followed your suggestions but it didn't work.
> Samba tries to resolve +group on the Domain Controller and not locally on Unix.
> If I put
>
> valid users = +CORPROOT\OG_ITS-SDL-SO-DXS-USO-BE
>
> where OG_ITS-SDL-SO-DXS-USO-BE is a group my NT account belongs to, it works.
>
> What could be causing Samba not to check +group locally on Unix?
>
> Thanks for your time.
>
> Regards,
> Chris
>
>
I'm not sure that Samba checks the Linux groups but Linux does. In a
Windows domain, all the accounts reside in the Domain. It may be
checking the Linux accounts for shares on the DC, but wouldn't be able
to on a member server. Perhaps one of the Linux gurus could answer your
question. However, for operations in the domain, you're best to stick
with domain entities, such as a domain group or domain user accounts. So
long as Samba has sufficient privileges to access the local Linux share,
it should be OK.
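The prefix rules the thread is arguing about are spelled out in smb.conf(5): a plain name is a user; "+name" is looked up only as a UNIX group, through the NSS getgrnam() interface (so if nsswitch.conf routes group lookups through winbind, that lookup can end up at the domain controller even though it is a "UNIX" lookup); "&name" is only an NIS netgroup; "@name" tries the netgroup first and then the UNIX group. Below is an added worked example, written for this page and not part of the original thread or of Samba's own code: a small Python model of those rules, evaluated against constructed in-memory tables that stand in for NSS and NIS. The account name CORPROOT\chris, the "docs" and "docsnet" memberships and the DOMAIN\user naming of the winbind-mapped account are assumptions chosen to illustrate one common mismatch, namely an /etc/group entry whose member string is not the exact name NSS returns for the domain user; it is not a diagnosis of the original poster's server.

```python
"""Model of the name prefixes smb.conf(5) documents for 'valid users'
(the rules are shared with 'invalid users'):

    name      a user name
    +name     UNIX group only, looked up through NSS getgrnam()
    &name     NIS netgroup only
    @name     NIS netgroup first, then UNIX group
    +&name    UNIX group, then netgroup (&+name is the reverse, same as @)

Everything below runs against constructed in-memory tables that stand in
for NSS and NIS, so it works offline. Added example, not Samba code.
"""
from dataclasses import dataclass, field


@dataclass
class NameService:
    """Constructed stand-in for what NSS (/etc/group and, if configured in
    nsswitch.conf, winbind) and NIS would return on the Samba server."""
    groups: dict[str, set[str]] = field(default_factory=dict)     # group -> members
    netgroups: dict[str, set[str]] = field(default_factory=dict)  # netgroup -> users

    def getgrnam(self, name: str):
        """Return the member set, or None when the group does not exist."""
        return self.groups.get(name)

    def innetgr(self, netgroup: str, user: str) -> bool:
        return user in self.netgroups.get(netgroup, set())


def split_list(value: str) -> list[str]:
    """smb.conf list values are separated by commas and/or whitespace."""
    return value.replace(",", " ").split()


def _same_name(a: str, b: str) -> bool:
    # Samba compares account names case-insensitively.
    return a.lower() == b.lower()


def token_matches(token: str, user: str, ns: NameService) -> bool:
    """Decide whether one 'valid users' entry admits `user`."""
    prefixes = ""
    while token and token[0] in "+&@":
        prefixes += token[0]
        token = token[1:]
    if not prefixes:
        return _same_name(token, user)          # plain entry: a user name
    # '@' is shorthand for netgroup first, then UNIX group.
    order = "&+" if "@" in prefixes else prefixes
    for kind in order:
        if kind == "&" and ns.innetgr(token, user):
            return True
        if kind == "+":
            members = ns.getgrnam(token)
            # Real smbd also accepts the user's primary GID as membership;
            # this model only checks the explicit member list.
            if members is not None and any(_same_name(m, user) for m in members):
                return True
    return False


def user_allowed(valid_users: str, user: str, ns: NameService) -> bool:
    """A user is admitted if any entry in the list matches."""
    return any(token_matches(t, user, ns) for t in split_list(valid_users))


# --- constructed scenario (assumed names, not taken from the thread) -------
# The domain user as NSS returns it on a member server that maps domain
# accounts through winbind; the DOMAIN\user form and the name are assumptions.
DOMAIN_USER = "CORPROOT\\chris"

# What NSS can see: the domain group (published by winbind) and a local
# /etc/group entry whose member was written without the domain prefix.
NS = NameService(
    groups={
        "CORPROOT\\OG_ITS-SDL-SO-DXS-USO-BE": {"CORPROOT\\chris", "CORPROOT\\bob"},
        "docs": {"chris", "alice"},          # bare name: does not match CORPROOT\chris
    },
    netgroups={"docsnet": {"CORPROOT\\chris"}},
)

# Same local group, but with the member spelled exactly as NSS returns the user.
NS_FIXED = NameService(groups={"docs": {"CORPROOT\\chris", "alice"}})


if __name__ == "__main__":
    for entry in ["+docs", "CORPROOT\\chris",
                  "+CORPROOT\\OG_ITS-SDL-SO-DXS-USO-BE", "@docsnet", "&docs"]:
        print(f"{entry:45} -> {user_allowed(entry, DOMAIN_USER, NS)}")
    print(f"{'+docs (member name fixed)':45} -> {user_allowed('+docs', DOMAIN_USER, NS_FIXED)}")
```

The practical check this models is the one to run on the real server before touching smb.conf: compare what `getent passwd` returns for the domain user with the member strings in the local group (`getent group docs`), since "+docs" can only match when those two names agree exactly.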