[Samba] Problems with group assignments
F. David del Campo Hill
delcampo at stats.ox.ac.uk
Fri May 20 08:42:30 MDT 2011
Dear Michal,
The user authentication must be being handled by AD; the local accounts on the new server have been added to the /etc/passwd and /etc/shadow files, but the passwords in the /etc/shadow file are set to locked (which means that though the account exists and can own files, people cannot actually log in to the system; root can "su" to them though). As a result AD must be providing the authentication. The usernames in AD and the local files are the same.
The /etc/nsswitch.conf file is as follows (comments removed):
passwd: files
group: files
hosts: files dns
ipnodes: files dns
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: files
automount: files
aliases: files
services: files
printers: user files
auth_attr: files
prof_attr: files
project: files
tnrhtp: files
tnrhdb: files
As you can see, everything should be handled by the local files.
The /etc/samba/smb.conf file is as follows (comments and private removed):
[global]
workgroup = <removed>
server string = Samba Server on %h
netbios name = <removed>
security = ADS
hosts allow = <removed>
guest account = nobody
log file = /var/samba/log/log.%m
max log size = 500
password server = <removed>, <removed>
realm = <removed>
passdb backend = smbpasswd
interfaces = <removed>
local master = no
os level = 33
domain master = no
preferred master = no
dns proxy = no
[transit]
comment = Temporary Backup for Windows 7 Upgrades
path = <removed>
browseable = no
read only = yes
valid users = user1, user2, user3, user4
# valid users = @group
write list = users1, user2, user3, user4
# write list = +sysman
As is, the share works, but as you can see I have to specify the usernames and cannot use +group or @group notation as I did on the old server. The old server was also part of the AD domain, so as far as I can see the only differences between the two setups are the SaMBa version and the fact the new server is not part of NIS; that is why I tried the +group notation, to no avail.
I also have a Linux (Fedora 14) machine acting as a temporary SaMBa server (version 3.5.8); it is part of the NIS and AD domains and the @group assignments work fine from NIS.
Thank you for your help.
Yours,
David
> -----Original Message-----
> From: Michal Belica [mailto:beli+smb at beli.sk]
> Sent: 20 May 2011 14:46
> To: F. David del Campo Hill
> Subject: Re: [Samba] Problems with group assignments
>
> Hi,
>
> ----- Original Message -----
> > From: "F. David del Campo Hill" <delcampo at stats.ox.ac.uk>
> > Sent: Friday, May 20, 2011 2:43:49 PM
> [...snip...]
> > path changes), and the new server was successfully added to our
> > Active Directory domain. As the new server is NOT a member of NIS,
> > we made a copy of all the smb.conf-relevant groups to its local
> > /etc/group and added all the users to the /etc/passwd file. With
> > these changes we can access the shares using the AD usernames and
> > passwords as long as they are not access-limited by "valid users",
> > so the integration of the server into AD is working. But if we add
> > a "valid users = @group" line to the share in smb.conf, it will
>
> Are you using local or AD users and groups or are you mixing them? You
> say you have joined the server to AD and also added users and groups to
> /etc/passwd and /etc/group. But when a user connects to the Samba
> server from Win, (probably) his AD account is used, but in /etc/group,
> the members are the local users, which need not be the same (depends on
> more factors, like your NS switch settings for example).
> Try to check that you're using the AD/local users/groups consistently,
> or give more info related to this (e.g. from /etc/nsswitch.conf,
> /etc/smb.conf ...).
>
> --
> Michal Belica - IT consultant
> beli+smb at beli.sk | www.beli.sk
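Added example (not part of the original messages, and not Samba's own code): with "passwd: files" and "group: files" in nsswitch.conf, NSS lookups for the names behind @group and +group go to /etc/passwd and /etc/group, so this code expands a "valid users" or "write list" value against data in those formats and reports the entries that do not resolve. The sample data, function names and comma-only splitting are assumptions; '@' is treated as a Unix group lookup after a netgroup miss and '&' (netgroup only) as unresolvable, following smb.conf(5).

```python
# Constructed sample data in passwd(4) / group(4) format (not from the post).
PASSWD = """\
user1:x:1001:100::/home/user1:/bin/sh
user2:x:1002:100::/home/user2:/bin/sh
user3:x:1003:200::/home/user3:/bin/sh
"""
GROUP = """\
users::100:
sysman::200:user1
"""


def parse_passwd(text):
    """Return {username: primary GID}."""
    rows = (l.split(":") for l in text.splitlines() if l and not l.startswith("#"))
    return {f[0]: int(f[3]) for f in rows if len(f) >= 4}


def parse_group(text):
    """Return {group name: (GID, set of members listed in the file)}."""
    rows = (l.split(":") for l in text.splitlines() if l and not l.startswith("#"))
    return {f[0]: (int(f[2]), {m for m in f[3].split(",") if m})
            for f in rows if len(f) >= 4}


def group_members(name, users, groups):
    """Members as `id` sees them: listed in the group file or via primary GID."""
    if name not in groups:
        return None
    gid, listed = groups[name]
    return listed | {u for u, g in users.items() if g == gid}


def expand(value, users, groups):
    """Expand a list value; return (resolved user names, unresolved entries)."""
    allowed, unresolved = set(), []
    for entry in filter(None, (e.strip() for e in value.split(","))):
        if entry[0] in "@+":          # Unix group ('@' after a netgroup miss)
            members = group_members(entry[1:], users, groups)
        elif entry[0] == "&":         # netgroup only: no NIS source modelled here
            members = None
        else:                         # plain user name
            members = {entry} if entry in users else None
        if members is None:
            unresolved.append(entry)
        else:
            allowed |= members
    return allowed, unresolved


if __name__ == "__main__":
    users, groups = parse_passwd(PASSWD), parse_group(GROUP)
    for value in ("@sysman, user2, user9", "+users", "@nosuchgroup"):
        print(value, "->", expand(value, users, groups))
```

On a live host the same question is answered by "getent group <name>" and "id <user>", which go through whatever sources nsswitch.conf names.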