[Samba] Can't get permission on a share to work problem with groups

Horace mailinglist at lhplan.tk
Sun Feb 9 07:23:09 MST 2014


On 2014-02-09 09:10, Horace wrote:
> On 2014-02-09 07:08, Leander S. wrote:
>> On 09.02.14 12:46, Horace wrote:
>>> On 2014-02-09 06:39, Leander S. wrote:
>>>> On 09.02.14 12:25, Horace wrote:
>>>>> On 2014-02-09 06:11, Horace wrote:
>>>>>> On 2014-02-09 05:59, Leander S. wrote:
>>>>>>> On 09.02.14 11:51, Horace wrote:
>>>>>>>> On 2014-02-09 05:31, Leander S. wrote:
>>>>>>>>> On 09.02.14 10:01, Horace wrote:
>>>>>>>>>> I have also tried valid users = ACCOUNTSAD\"Domain Admins" but 
>>>>>>>>>> I still get 'is none, expected a group'? What is the correct 
>>>>>>>>>> syntax for providing groups in the valid users field??
>>>>>>>>> I also wonder ;/
>>>>>>>> 
>>>>>>>> I have already scoured the Internet and only found similar 
>>>>>>>> questions without any defined solutions. So I wonder myself. :/
>>>>>>> That was one of my best research results, yet it didn't help.
>>>>>>> Google translate may help with language compatibility ;)
>>>>>>> 
>>>>>>> http://forge.univention.org/bugzilla/show_bug.cgi?id=29553
>>>>>> 
>>>>>> Thanks, but not too helpful; for whatever reason (that Google has
>>>>>> changed lately), I can't translate that page :/
>>>>> 
>>>>> Although, the few English comments that I glanced at that I could 
>>>>> decipher, is to try with sid. Although this does work, what I can't 
>>>>> understand is what Group Names do not work?
>>>>> 
>>>>> [2014/02/09 06:17:22.927279,  3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
>>>>>   string_to_sid: SID @Domain Admins is not in a valid format
>>>> 
>>>> 
>>>> 
>>>> Well as funny as it may sound, BUT *drumroll*
>>>> 
>>>> Following combination seems working just fine:
>>>> 
>>>> write list  = @Groupname
>>>> force user  =  Username
>>>> 
>>>> So, Samba is ABLE to resolve my groupname - it's just not able with
>>>> the attribute *valid users* and *force group*. They seem broken?!
>>> 
>>> I have been working on this for quite a while now, should a bug report 
>>> be reported? In any case, this would probably be a good reference in 
>>> case anyone happens to run into this problem.
>> Thanks for offering. I would say so, since there are many people
>> affected. This is seriously affecting the quality of production
>> environments where share permissions are set based on group
>> memberships.
>> 
>> Best regards
>> Leander S.
> 
> No luck with write list = @Groupname, I have to assume it's probably
> because write list doesn't like group names with spaces. Neither of the
> below work:
> 
> write list = @"ACCOUNTSAD\Domain Admins"
> write list = @ACCOUNTSAD\"Domain Admins"
> write list = @"Domain Admins"
> 
> I am going to try:
> 
> write list = @"\\ACCOUNTSAD\Domain Admins"

Interestingly, this share works as expected. Since I am in the 'Domain 
Admins' group, I will create a plain user later and see if it continues to 
work as expected:

[Public Applications]
	valid users = "\\ACCOUNTSAD\Domain Admins","\\ACCOUNTSAD\Domain Users"
	comment = Publicly Shared Applications for Intranet Users
	path = /srv/samba4/Public_Applications
	write list = "\\ACCOUNTSAD\Domain Admins"

Maybe something wonky with '@groupname'? Don't know...

