[Samba] Problems with group assignments

F. David del Campo Hill delcampo at stats.ox.ac.uk
Wed May 25 09:50:28 MDT 2011


Dear All,

	We finally managed to find out what was wrong: winbind was running!

	It seems that the SaMBa package we had from SUN/Oracle installed and started winbind (unlike in the old server and the Linux server). Once we disabled winbind (why did it think it was necessary to run winbind in the first place?), it all started working again: usernames and passwords are authenticated against AD, and group membership is checked against the local /etc/group file.

	Thank you all for your help.

	Yours,

		David del Campo


PS: Maybe someone should amend the smb.conf man page to the effect that if you run winbind, the system will ignore the "@", "+" and "&" symbols under the "(in)valid users" and "write list" tags.
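For checking a migrated smb.conf like the one discussed in this thread, the following added example (not part of the original posts, and not Samba code) expands each share's "valid users", "invalid users" and "write list" entries against a local /etc/group, using the lookup order smb.conf(5) documents for the "@", "+" and "&" prefixes. The share names, users and groups are constructed sample data; the script models only the documented order, not what smbd or winbind resolve at run time, and it ignores primary-group membership recorded in /etc/passwd.

```python
import configparser

# Constructed sample inputs (hypothetical shares, users and groups).
SAMPLE_SMB_CONF = """[projects]
    path = /export/projects
    valid users = @stats, alice
    write list = +admins
[archive]
    valid users = +retired
"""
SAMPLE_GROUP = "stats::2001:bob,carol\nadmins::2002:carol\n"

def parse_groups(group_text):
    """Map group name -> set of members listed in /etc/group format."""
    groups = {}
    for line in group_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 4:
            groups[parts[0]] = {m for m in parts[3].split(",") if m}
    return groups

def expand_entry(entry, unix_groups, netgroups):
    """Resolve one list entry in the order smb.conf(5) documents per prefix."""
    # "u" = UNIX group database, "n" = NIS netgroup database
    for prefix, order in (("+&", "un"), ("&+", "nu"), ("@", "nu"), ("+", "u"), ("&", "n")):
        if entry.startswith(prefix):
            name = entry[len(prefix):]
            for source in order:
                db = unix_groups if source == "u" else netgroups
                if name in db:
                    return set(db[name])
            return None  # group not found in any database consulted
    return {entry}  # no prefix: a plain username

def audit_share_lists(smb_conf_text, group_text, netgroups=None):
    """Return {share: {param: (resolved_users, unresolved_entries)}}."""
    unix_groups = parse_groups(group_text)
    conf = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    conf.read_string("\n".join(l.strip() for l in smb_conf_text.splitlines()))
    report = {}
    for share in conf.sections():
        for param in ("valid users", "invalid users", "write list"):
            if param in conf[share]:
                users, unresolved = set(), []
                for entry in conf[share][param].replace(",", " ").split():
                    members = expand_entry(entry, unix_groups, netgroups or {})
                    if members is None:
                        unresolved.append(entry)
                    users |= members or set()
                report.setdefault(share, {})[param] = (users, unresolved)
    return report
```

A "valid users" line whose resolved set is empty and whose entries all appear as unresolved corresponds to the symptom described in the thread, where every user is refused.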



> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of F. David del Campo Hill
> Sent: 23 May 2011 17:16
> To: mueller at tropenklinik.de; samba at lists.samba.org
> Subject: Re: [Samba] Problems with group assignments
> 
> Dear Daniel,
> 
> 	The usernames and passwords are already authenticating against
> ADS; the problem is the groups. We want the groups to "authenticate"
> against the local UNIX groups, NOT ADS (like the original server did,
> and the documentation states); having the groups work through ADS will
> make us have to keep the local and ADS groups synchronized manually,
> which we do not want to do (the new server is also a NFS server, so we
> cannot have the two types of groups drift apart).
> 
> 		David
> 
> 
> 
> > -----Original Message-----
> > From: Daniel Müller [mailto:mueller at tropenklinik.de]
> > Sent: 23 May 2011 07:52
> > To: F. David del Campo Hill; samba at lists.samba.org
> > Subject: AW: [Samba] Problems with group assignments
> >
> > What about your ADS? Are you authenticating against your ADS?!
> > Why don't you use winbind?
> > http://wiki.samba.org/index.php/Samba_&_Active_Directory
> >
> > Good Luck
> > Daniel
> >
> > -----------------------------------------------
> > EDV Daniel Müller
> >
> > Head of IT
> > Tropenklinik Paul-Lechler-Krankenhaus
> > Paul-Lechler-Str. 24
> > 72076 Tübingen
> >
> > Tel.: 07071/206-463, Fax: 07071/206-499
> > eMail: mueller at tropenklinik.de
> > Internet: www.tropenklinik.de
> > -----------------------------------------------
> > -----Original Message-----
> > From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of F. David del Campo Hill
> > Sent: Friday, 20 May 2011 14:44
> > To: samba at lists.samba.org
> > Subject: [Samba] Problems with group assignments
> >
> > Dear All,
> >
> > 	We are trying to transfer a SaMBa installation from an old server
> > to a newer more up-to-date one. The original server was sharing files
> > to Windows XP systems in Active Directory (Windows Server 2003 R2
> > version), but as we move to Windows 7 and Active Directory (Windows
> > Server 2008 R2 version) we need to upgrade the service.
> >
> > 	The old server was part of a NIS domain, with the "valid users",
> > "write list", etc entries in its smb.conf referring to the NIS groups
> > using the "@" sign (which the documentation says it means "is
> > interpreted as an NIS netgroup first (if your system supports NIS),
> > and then as a UNIX group if the name was not found in the NIS
> > netgroup database"; see
> > http://samba.org/samba/docs/man/manpages-3/smb.conf.5.html#INVALIDUSERS).
> > It all worked fine as it picked users' group membership from NIS.
> >
> > 	The new server is a Solaris 10 box running SaMBa 3.5.5, and we are
> > having problems with it picking up the group memberships. The old
> > server's smb.conf was transplanted to the new server (with a few path
> > changes), and the new server was successfully added to our Active
> > Directory domain. As the new server is NOT a member of NIS, we made a
> > copy of all the smb.conf-relevant groups to its local /etc/group and
> > added all the users to the /etc/passwd file. With these changes we
> > can access the shares using the AD usernames and passwords as long as
> > they are not access-limited by "valid users", so the integration of
> > the server into AD is working. But if we add a "valid users = @group"
> > line to the share in smb.conf, it will completely refuse access to
> > all users, even the ones belonging to the group. Leaving the share
> > accessible to all, but adding a "write list = @group" line to
> > smb.conf, will allow access, but no one will be able to write to it,
> > even the members of the group. If we change the "write list" and
> > "valid users" lines to list the usernames directly instead of through
> > a group membership, it works. To avoid even attempting to talk to
> > NIS, we changed the "@" signs for "+", but it still kept refusing to
> > recognize group memberships (NIS or local UNIX ones). So it seems our
> > new SaMBa is having problems recognizing group memberships.
> >
> > 	What am I doing wrong? Have SUN/Oracle done something to stop SaMBa
> > accessing its local UNIX groups?
> >
> > 	Thank you for your help.
> >
> > 	Yours,
> >
> > 		David del Campo
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> 

