[Samba] How to grant access to file shares by AD groups that have spaces in their name?

JD Daniels jd at internetguys.ca
Tue Jun 3 17:36:23 MDT 2014


I believe the strongest aspect of Samba4 domains is the Windows-style ACLs.
I define my shares like this:

[Software]
         path = /tank/Software
         read only = No

Then use the remote system administration tools to add users. (Active 
Directory Users and Computers -> right-click the server -> Manage, right-click 
the share and set permissions/ownership)

I have had no issues adding INFINITY\Domain Users this way.

And if you add the SeDiskOperatorPrivilege privilege, you can simply browse to 
the share and manage access from the security tab.

This is my favorite feature so far...

-- 
JD Daniels

On 6/3/2014 1:05 PM, Jon Detert wrote:
> Hi,
>
> I have a Samba4 file server joined to a Samba4 domain.
>
> I made a share for all members of the INFINITY domain 'Domain Users' group to access:
> [demoshare]
>      comment = Test share
>      path = /usr/local/samba/demoshare
>      read only = no
>      valid users = @"INFINITY+Domain Users"
>
> but no group member can access it.  Any ideas what is wrong?
>
> It works if I change the group to one with no spaces in the name:
> [demoshare]
>      comment = Test share
>      path = /usr/local/samba/demoshare
>      read only = no
>      valid users = @INFINITY+jontest
>
> When the group is specified as 'Domain Users', this is what smbclient says when trying to connect:
> $ smbclient -U INFINITY\\jdetert //mkejdev1/demoshare
> Password for [INFINITY\jdetert]:
> Connection to \\mkejdev1\demoshare failed - NT_STATUS_ACCESS_DENIED
> $
>
> and this is what the samba log file (at log level 3) says for the IP that smbclient was run from:
>
> [2014/06/03 15:02:21.810055,  3] ../source3/smbd/process.c:1795(process_smb)
>    Transaction 3 of length 96 (0 toread)
> [2014/06/03 15:02:21.810863,  3] ../source3/smbd/process.c:1398(switch_message)
>    switch message SMBtconX (pid 15310) conn 0x0
> [2014/06/03 15:02:21.811941,  3] ../source3/lib/access.c:338(allow_access)
>    Allowed connection from 192.168.168.99 (192.168.168.99)
> [2014/06/03 15:02:21.812679,  3] ../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
>    string_to_sid: SID @INFINITY+Domain Users is not in a valid format
> [2014/06/03 15:02:21.823678,  3] ../source3/smbd/service.c:375(find_forced_group)
>    Forced group Domain Users
> [2014/06/03 15:02:21.824421,  3] ../source3/smbd/service.c:612(make_connection_snum)
>    Connect path is '/usr/local/samba/demoshare' for service [demoshare]
> [2014/06/03 15:02:21.825045,  3] ../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
>    string_to_sid: SID @INFINITY+Domain Users is not in a valid format
> [2014/06/03 15:02:21.825997,  3] ../source3/smbd/error.c:82(error_packet_set)
>    NT error packet at ../source3/smbd/reply.c(952) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
> [2014/06/03 15:02:21.835782,  3] ../source3/smbd/server_exit.c:212(exit_server_common)
>    Server exit (failed to receive smb request)
>
> Lastly, here's a snippet from the smb.conf global section, that might be helpful:
>
> [global]
>      workgroup = INFINITY
>      server string = %h server (Samba, Ubuntu)
>      security = ads
>      realm = infinity.local
>      domain master = no
>      local master = no
>      preferred master = no
>      server role = member server
>
>      netbios name = mkejdev1
>      map to guest = bad user
>      idmap config *:range = 70001-80000
>      idmap config * : backend = tdb
>      idmap config INFINITY : backend = rid
>      idmap config INFINITY : range = 60000-70000
>
>      winbind separator = +
>      winbind enum users  = yes
>      winbind enum groups = yes
>      winbind use default domain = yes
>      winbind nested groups = yes
>      winbind refresh tickets = yes
>      winbind trusted domains only = no
>
> Thanks,
>
> Jon Detert
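The configuration quoted above mixes three things an admin wants to eyeball before testing a share: the `winbind separator`, the `valid users` list with a group name containing a space, and two `idmap config` ranges that must not overlap. The following is an added example (not code from either poster or from the Samba project): a small lint that parses the [global] and share stanzas, splits `valid users` the way a Samba list is written (whitespace or comma separated, double quotes protecting embedded spaces), flags every entry whose account part contains whitespace so the quoting dependency is visible, and checks the idmap ranges for overlap. All function names are this example's own, and the sample smb.conf text is constructed from the settings in the post, with both `valid users` variants merged into one stanza.

```python
"""Added example (not from the thread): lint smb.conf 'valid users'
entries and 'idmap config' ranges.  Sample config constructed from the
settings quoted in the original post; function names are this example's."""
import re
import shlex

# Constructed sample: [global] keys from the post plus both 'valid users'
# variants merged into one share stanza.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = INFINITY
    winbind separator = +
    idmap config *:range = 70001-80000
    idmap config * : backend = tdb
    idmap config INFINITY : backend = rid
    idmap config INFINITY : range = 60000-70000

[demoshare]
    path = /usr/local/samba/demoshare
    read only = no
    valid users = @"INFINITY+Domain Users" @INFINITY+jontest
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}.  Whitespace inside keys is collapsed and
    spaces around ':' removed, so 'idmap config *:range' and
    'idmap config * : range' land on the same key.  Case is kept as written."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment line
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue  # text before the first stanza, or a malformed line
        key, value = line.split("=", 1)
        key = re.sub(r"\s*:\s*", ":", " ".join(key.split()))
        sections[current][key] = value.strip()
    return sections


def valid_users_entries(share_conf):
    """Split a 'valid users' value as a Samba list (whitespace or comma
    separated, double quotes protect spaces).  Returns (prefix, name) pairs,
    prefix being the leading '@', '+' or '&' characters, if any."""
    entries = []
    for token in shlex.split(share_conf.get("valid users", "").replace(",", " ")):
        prefix = ""
        while token and token[0] in "@+&":
            prefix, token = prefix + token[0], token[1:]
        entries.append((prefix, token))
    return entries


def split_domain(name, separator):
    """Split 'DOMAIN<separator>account' into (domain, account);
    an unqualified name yields ('', name)."""
    if separator in name:
        domain, _, account = name.partition(separator)
        return domain, account
    return "", name


def check_valid_users(conf, share):
    """Report entries of `share` whose account part contains whitespace.
    Samba's default separator '\\' is assumed when none is configured."""
    separator = conf.get("global", {}).get("winbind separator", "\\")
    findings = []
    for prefix, name in valid_users_entries(conf.get(share, {})):
        domain, account = split_domain(name, separator)
        if any(ch.isspace() for ch in account):
            findings.append(f"[{share}] valid users entry {prefix}{name!r} (domain {domain!r}) "
                            "contains whitespace; it must stay double-quoted in smb.conf")
    return findings


def idmap_ranges(global_conf):
    """Collect {domain: (low, high)} from 'idmap config <dom>:range' keys."""
    ranges = {}
    for key, value in global_conf.items():
        m = re.match(r"^idmap config (.+):range$", key)
        if m:
            low, high = (int(x) for x in value.split("-"))
            ranges[m.group(1).strip()] = (low, high)
    return ranges


def check_idmap_overlap(conf):
    """Report pairs of idmap domains whose ID ranges intersect."""
    ranges, findings = idmap_ranges(conf.get("global", {})), []
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                findings.append(f"idmap ranges for {a!r} {ranges[a]} and {b!r} {ranges[b]} overlap")
    return findings


def run_checks(text):
    """Parse `text` and return every finding from both checks."""
    conf = parse_smb_conf(text)
    findings = check_idmap_overlap(conf)
    for share in conf:
        if share != "global":
            findings.extend(check_valid_users(conf, share))
    return findings


if __name__ == "__main__":
    print("\n".join(run_checks(SAMPLE_SMB_CONF) or ["no findings"]))
```

Run against the sample it reports the one quoted entry, `@'INFINITY+Domain Users'`, and no idmap overlap (70001-80000 and 60000-70000 touch but do not intersect); change the `*` range to 65000-75000 and the overlap check fires as well. The output is a review aid only: it does not decide whether the share will grant access, which still needs `testparm -s` on the real file and an `smbclient` login as a group member.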



More information about the samba mailing list