[Samba] How to grant access to file shares by AD groups that have spaces in their name?
Jon Detert
jdetert at infinityhealthcare.com
Thu Jun 5 07:55:54 MDT 2014
Thanks, I didn't realize I could allow the AD admin tools to set the share access and permission rights.
I also didn't know about the sediskoperator privilege.
This has greatly simplified the samba setup. Thank you!
----- Original Message -----
> From: "JD Daniels" <jd at internetguys.ca>
> To: "Jon Detert" <jdetert at infinityhealthcare.com>, samba at lists.samba.org
> Sent: Tuesday, June 3, 2014 6:36:23 PM
> Subject: Re: [Samba] How to grant access to file shares by AD groups that have spaces in their name?
>
> I believe the strongest aspect of samba4 domains is the windows style acls.
> I define my shares like this:
>
> [Software]
> path = /tank/Software
> read only = No
>
> Then use the remote system administration tools to add users. (Active
> directory User and Computers->Right click the server->manage, Right
> click the share and set permissions/ownership)
>
> I have had no issues adding INFINITY\Domain Users this way.
>
> And if you add the sediskoperator privilege, you can simply browse to
> the share and manage access from the security tab.
>
> This is my favorite feature so far...
>
> --
> JD Daniels
>
> On 6/3/2014 1:05 PM, Jon Detert wrote:
> > Hi,
> >
> > I have a Samba4 file server joined to a Samba4 domain.
> >
> > I made a share for all members of the INFINITY domain 'Domain Users' group
> > to access:
> > [demoshare]
> > comment = Test share
> > path = /usr/local/samba/demoshare
> > read only = no
> > valid users = @"INFINITY+Domain Users"
> >
> > but no group member can access it. Any ideas what is wrong?
> >
> > It works if I change the group to one with no spaces in the name:
> > [demoshare]
> > comment = Test share
> > path = /usr/local/samba/demoshare
> > read only = no
> > valid users = @INFINITY+jontest
> >
> > When the group is specified as 'Domain Users', this is what smbclient says
> > when trying to connect:
> > $ smbclient -U INFINITY\\jdetert //mkejdev1/demoshare
> > Password for [INFINITY\jdetert]:
> > Connection to \\mkejdev1\demoshare failed - NT_STATUS_ACCESS_DENIED
> > $
> >
> > and this is what the samba log file (at log level 3) says for the IP that
> > smbclient was run from:
> >
> > [2014/06/03 15:02:21.810055, 3]
> > ../source3/smbd/process.c:1795(process_smb)
> > Transaction 3 of length 96 (0 toread)
> > [2014/06/03 15:02:21.810863, 3]
> > ../source3/smbd/process.c:1398(switch_message)
> > switch message SMBtconX (pid 15310) conn 0x0
> > [2014/06/03 15:02:21.811941, 3] ../source3/lib/access.c:338(allow_access)
> > Allowed connection from 192.168.168.99 (192.168.168.99)
> > [2014/06/03 15:02:21.812679, 3]
> > ../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
> > string_to_sid: SID @INFINITY+Domain Users is not in a valid format
> > [2014/06/03 15:02:21.823678, 3]
> > ../source3/smbd/service.c:375(find_forced_group)
> > Forced group Domain Users
> > [2014/06/03 15:02:21.824421, 3]
> > ../source3/smbd/service.c:612(make_connection_snum)
> > Connect path is '/usr/local/samba/demoshare' for service [demoshare]
> > [2014/06/03 15:02:21.825045, 3]
> > ../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
> > string_to_sid: SID @INFINITY+Domain Users is not in a valid format
> > [2014/06/03 15:02:21.825997, 3]
> > ../source3/smbd/error.c:82(error_packet_set)
> > NT error packet at ../source3/smbd/reply.c(952) cmd=117 (SMBtconX)
> > NT_STATUS_ACCESS_DENIED
> > [2014/06/03 15:02:21.835782, 3]
> > ../source3/smbd/server_exit.c:212(exit_server_common)
> > Server exit (failed to receive smb request)
> >
> > Lastly, here's a snippet from the smb.conf global section, that might be
> > helpful:
> >
> > [global]
> > workgroup = INFINITY
> > server string = %h server (Samba, Ubuntu)
> > security = ads
> > realm = infinity.local
> > domain master = no
> > local master = no
> > preferred master = no
> > server role = member server
> >
> > netbios name = mkejdev1
> > map to guest = bad user
> > idmap config *:range = 70001-80000
> > idmap config * : backend = tdb
> > idmap config INFINITY : backend = rid
> > idmap config INFINITY : range = 60000-70000
> >
> > winbind separator = +
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind use default domain = yes
> > winbind nested groups = yes
> > winbind refresh tickets = yes
> > winbind trusted domains only = no
> >
> > Thanks,
> >
> > Jon Detert
>
>
--
Jon Detert
Sr. Systems Administrator
Infinity Healthcare
Milwaukee, Wisconsin
414-290-6759
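The level-3 smbd log in the original post is the kind of thing an administrator ends up reading by eye. The following Python script is an added example (not part of this thread and not Samba code) that groups such log lines into records and pulls out the two facts that matter for the access failure above: the `string_to_sid: SID ... is not in a valid format` entries and the NT_STATUS codes returned. The record layout it assumes (a `[timestamp, level]` header, a `path:line(function)` location either on the same line or the next, then the message) is inferred from the excerpt in the post; the sample log embedded below is constructed from that excerpt.

```python
import re
from dataclasses import dataclass

# Header: "[YYYY/MM/DD HH:MM:SS.ffffff, LEVEL]" optionally followed by the location.
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]\s*(.*)$")
# Location: "../source3/smbd/service.c:375(find_forced_group)"
LOCATION_RE = re.compile(r"^\.\./\S+?:\d+\(\w+\)$")
BAD_SID_RE = re.compile(r"string_to_sid: SID (.+?) is not in a valid format")
NT_STATUS_RE = re.compile(r"\b(NT_STATUS_[A-Z_]+)\b")


@dataclass
class Record:
    timestamp: str
    level: int
    location: str
    message: str


def parse_records(text):
    """Group smbd log lines into one Record per "[timestamp, level]" header (layout assumed)."""
    records = []
    current = None
    want_location = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            if current is not None:
                records.append(current)
            rest = m.group(3).strip()
            current = Record(m.group(1), int(m.group(2)), "", "")
            if LOCATION_RE.match(rest):
                current.location = rest      # location printed on the header line
                want_location = False
            else:
                current.message = rest       # usually empty; location follows
                want_location = not rest
            continue
        if current is None:
            continue                         # text before the first header
        if want_location and LOCATION_RE.match(line):
            current.location = line
            want_location = False
            continue
        want_location = False
        # Message text; mail-wrapped continuation lines are joined with a space.
        current.message = f"{current.message} {line}".strip()
    if current is not None:
        records.append(current)
    return records


def triage(text):
    """Return (unparsable SID strings, NT_STATUS codes) found in the log text, in order."""
    bad_sids, statuses = [], []
    for rec in parse_records(text):
        m = BAD_SID_RE.search(rec.message)
        if m and m.group(1) not in bad_sids:
            bad_sids.append(m.group(1))
        for status in NT_STATUS_RE.findall(rec.message):
            if status not in statuses:
                statuses.append(status)
    return bad_sids, statuses


# Constructed sample, copied from the log excerpt in the original post.
SAMPLE_LOG = """[2014/06/03 15:02:21.810863, 3]
../source3/smbd/process.c:1398(switch_message)
switch message SMBtconX (pid 15310) conn 0x0
[2014/06/03 15:02:21.811941, 3] ../source3/lib/access.c:338(allow_access)
Allowed connection from 192.168.168.99 (192.168.168.99)
[2014/06/03 15:02:21.812679, 3]
../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
string_to_sid: SID @INFINITY+Domain Users is not in a valid format
[2014/06/03 15:02:21.823678, 3]
../source3/smbd/service.c:375(find_forced_group)
Forced group Domain Users
[2014/06/03 15:02:21.824421, 3]
../source3/smbd/service.c:612(make_connection_snum)
Connect path is '/usr/local/samba/demoshare' for service [demoshare]
[2014/06/03 15:02:21.825045, 3]
../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
string_to_sid: SID @INFINITY+Domain Users is not in a valid format
[2014/06/03 15:02:21.825997, 3]
../source3/smbd/error.c:82(error_packet_set)
NT error packet at ../source3/smbd/reply.c(952) cmd=117 (SMBtconX)
NT_STATUS_ACCESS_DENIED
[2014/06/03 15:02:21.835782, 3]
../source3/smbd/server_exit.c:212(exit_server_common)
Server exit (failed to receive smb request)
"""

if __name__ == "__main__":
    bad, statuses = triage(SAMPLE_LOG)
    print("unparsable entries:", bad, "| statuses:", statuses)
```

Run against a real `log.<client>` file (`triage(open(path).read())`), the script reports the exact `valid users` token smbd failed to turn into a SID next to the status the client received, which is the pairing the original poster had to assemble by hand from the two `dom_sid_parse_endp` lines and the `error_packet_set` line.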