[Samba] Problem when "valid users" is used
Arnaud BLONDEL - Alter Way Solutions
arnaud.blondel at alterway.fr
Wed Sep 29 09:38:35 MDT 2010
Hi,
When I use "valid users" in smb.conf to limit access on my share, I have
this message with smbclient :
[global]
workgroup = MYDOM
domain master = no
local master = no
security = user
passdb backend = ldapsam:ldap://x.x.x.x:389
ldap admin dn = cn=admin,dc=company,dc=com
ldap suffix = dc=company,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
...
[Images]
...
valid users = @Developpeurs
...
# smbclient //x.x.x.x/Images -U test
Enter test's password:
Domain=[SERVER] OS=[Unix] Server=[Samba 3.3.2]
tree connect failed: NT_STATUS_ACCESS_DENIED
I have this log :
2010/09/29 16:19:03, 3] lib/util_sid.c:string_to_sid(228)
string_to_sid: Sid @Developpeurs does not start with 'S-'.
[2010/09/29 16:19:03, 5] smbd/password.c:user_in_netgroup(425)
Unable to get default yp domain, let's try without specifying it
[2010/09/29 16:19:03, 5] smbd/password.c:user_in_netgroup(429)
looking for user test of domain (ANY) in netgroup Developpeurs
[2010/09/29 16:19:03, 5] smbd/password.c:user_in_netgroup(445)
looking for user test of domain (ANY) in netgroup Developpeurs
[2010/09/29 16:19:03, 10] passdb/lookup_sid.c:lookup_name(69)
lookup_name: SERVER\Developpeurs => SERVER (domain), Developpeurs (name)
[2010/09/29 16:19:03, 10] passdb/lookup_sid.c:lookup_name(70)
lookup_name: flags = 0x077
[2010/09/29 16:19:03, 3] smbd/sec_ctx.c:push_sec_ctx(224)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/09/29 16:19:03, 3] smbd/uid.c:push_conn_ctx(388)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/09/29 16:19:03, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/09/29 16:19:03, 5] auth/token_util.c:debug_nt_user_token(522)
NT user token: (NULL)
[2010/09/29 16:19:03, 5] auth/token_util.c:debug_unix_user_token(548)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2010/09/29 16:19:03, 5] lib/smbldap.c:smbldap_search_ext(1205)
smbldap_search_ext: base => [ou=Groups,dc=company,dc=com], filter =>
[(&(objectClass=sambaGroupMapping)(|(displayName=Developpeurs)(cn=Developpeurs)))],
scope => [2]
[2010/09/29 16:19:03, 2] passdb/pdb_ldap.c:init_group_from_ldap(2348)
init_group_from_ldap: Entry found for group: 1005
[2010/09/29 16:19:03, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/09/29 16:19:03, 10] passdb/passdb.c:lookup_global_sam_name(620)
Found group Developpeurs
(S-1-5-21-1003513250-1319205365-1235820382-1015) not in our domain --
ignoring.lookup_name: Unix Group\Developpeurs => Unix Group (domain),
Developpeurs (name)
[2010/09/29 16:19:03, 10] passdb/lookup_sid.c:lookup_name(70)
lookup_name: flags = 0x077
[2010/09/29 16:19:03, 10] smbd/share_access.c:user_ok_token(212)
User test not in 'valid users'
[2010/09/29 16:19:03, 2] smbd/service.c:create_connection_server_info(663)
user 'test' (from session setup) not permitted to access this share
(Images)
[2010/09/29 16:19:03, 0] smbd/service.c:make_connection_snum(744)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
I use /etc/nsswitch to get users and groups from LDAP
User "test" is in Developpeurs group :
# id anisimov
uid=1009(anisimov) gid=513(Domain Users) groupes=513(Domain
Users),1005(Developpeurs)
In LDAP :
cn=Developpeurs,ou=Groups,dc=company,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Developpeurs
gidNumber: 1005
sambaSID: S-1-5-21-1003513250-1319205365-1235820382-101
...
memberUid: test
...
and :
uid=test,ou=People,dc=company,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
...
givenName: anisimov
uid: anisimov
uidNumber: 1009
gidNumber: 513
sambaSID: S-1-5-21-1003513250-1319205365-1235820382-1009
...
Where is the problem ?
SAMBA : Version 3.3.2
More information about the samba
mailing list