[Samba] How to grant access to file shares by AD groups that have spaces in their name?

Jon Detert jdetert at infinityhealthcare.com
Tue Jun 3 14:05:58 MDT 2014


I have a Samba4 file server joined to a Samba4 domain.

I made a share for all members of the INFINITY domain 'Domain Users' group to access:
    comment = Test share
    path = /usr/local/samba/demoshare
    read only = no
    valid users = @"INFINITY+Domain Users"

but no group member can access it.  Any ideas what is wrong?

It works if I change the group to one with no spaces in the name:
    comment = Test share
    path = /usr/local/samba/demoshare
    read only = no
    valid users = @INFINITY+jontest

When the group is specified as 'Domain Users', this is what smbclient says when trying to connect:
$ smbclient -U INFINITY\\jdetert //mkejdev1/demoshare
Password for [INFINITY\jdetert]:
Connection to \\mkejdev1\demoshare failed - NT_STATUS_ACCESS_DENIED

and this is what the samba log file (at log level 3) says for the IP that smbclient was run from:

[2014/06/03 15:02:21.810055,  3] ../source3/smbd/process.c:1795(process_smb)
  Transaction 3 of length 96 (0 toread)
[2014/06/03 15:02:21.810863,  3] ../source3/smbd/process.c:1398(switch_message)
  switch message SMBtconX (pid 15310) conn 0x0
[2014/06/03 15:02:21.811941,  3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from (
[2014/06/03 15:02:21.812679,  3] ../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
  string_to_sid: SID @INFINITY+Domain Users is not in a valid format
[2014/06/03 15:02:21.823678,  3] ../source3/smbd/service.c:375(find_forced_group)
  Forced group Domain Users
[2014/06/03 15:02:21.824421,  3] ../source3/smbd/service.c:612(make_connection_snum)
  Connect path is '/usr/local/samba/demoshare' for service [demoshare]
[2014/06/03 15:02:21.825045,  3] ../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
  string_to_sid: SID @INFINITY+Domain Users is not in a valid format
[2014/06/03 15:02:21.825997,  3] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/reply.c(952) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
[2014/06/03 15:02:21.835782,  3] ../source3/smbd/server_exit.c:212(exit_server_common)
  Server exit (failed to receive smb request)

Lastly, here's a snippet from the smb.conf global section, that might be helpful:

    workgroup = INFINITY
    server string = %h server (Samba, Ubuntu)
    security = ads
    realm = infinity.local
    domain master = no
    local master = no
    preferred master = no
    server role = member server

    netbios name = mkejdev1
    map to guest = bad user
    idmap config *:range = 70001-80000
    idmap config * : backend = tdb
    idmap config INFINITY : backend = rid
    idmap config INFINITY : range = 60000-70000

    winbind separator = +
    winbind enum users  = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind nested groups = yes
    winbind refresh tickets = yes
    winbind trusted domains only = no


Jon Detert

