[Samba] How to grant access to file shares by AD groups that have spaces in their name?

Jon Detert jdetert at infinityhealthcare.com
Thu Jun 5 07:55:54 MDT 2014


Thanks, I didn't realize I could allow the AD admin tools to set the share access and permission rights.

I also didn't know about the sediskoperator privilege.

This has greatly simplified the samba setup.  Thank you!

----- Original Message -----
> From: "JD Daniels" <jd at internetguys.ca>
> To: "Jon Detert" <jdetert at infinityhealthcare.com>, samba at lists.samba.org
> Sent: Tuesday, June 3, 2014 6:36:23 PM
> Subject: Re: [Samba] How to grant access to file shares by AD groups that have spaces in their name?
> 
> I believe the strongest aspect of samba4 domains is the windows style acls.
> I define my shares like this:
> 
> [Software]
>          path = /tank/Software
>          read only = No
> 
> Then use the remote system administration tools to add users. (Active
> directory User and Computers->Right click the server->manage, Right
> click the share and set permissions/ownership)
> 
>   I have had no issues adding INFINITY\Domain Users this way.
> 
> And if you add the sediskoperator privilege, you can simply browse to
> the share and manage access from the security tab.
> 
> This is my favorite feature so far...
> 
> --
> JD Daniels
> 
> On 6/3/2014 1:05 PM, Jon Detert wrote:
> > Hi,
> >
> > I have a Samba4 file server joined to a Samba4 domain.
> >
> > I made a share for all members of the INFINITY domain 'Domain Users' group
> > to access:
> > [demoshare]
> >      comment = Test share
> >      path = /usr/local/samba/demoshare
> >      read only = no
> >      valid users = @"INFINITY+Domain Users"
> >
> > but no group member can access it.  Any ideas what is wrong?
> >
> > It works if I change the group to one with no spaces in the name:
> > [demoshare]
> >      comment = Test share
> >      path = /usr/local/samba/demoshare
> >      read only = no
> >      valid users = @INFINITY+jontest
> >
> > When the group is specified as 'Domain Users', this is what smbclient says
> > when trying to connect:
> > $ smbclient -U INFINITY\\jdetert //mkejdev1/demoshare
> > Password for [INFINITY\jdetert]:
> > Connection to \\mkejdev1\demoshare failed - NT_STATUS_ACCESS_DENIED
> > $
> >
> > and this is what the samba log file (at log level 3) says for the IP that
> > smbclient was run from:
> >
> > [2014/06/03 15:02:21.810055,  3]
> > ../source3/smbd/process.c:1795(process_smb)
> >    Transaction 3 of length 96 (0 toread)
> > [2014/06/03 15:02:21.810863,  3]
> > ../source3/smbd/process.c:1398(switch_message)
> >    switch message SMBtconX (pid 15310) conn 0x0
> > [2014/06/03 15:02:21.811941,  3] ../source3/lib/access.c:338(allow_access)
> >    Allowed connection from 192.168.168.99 (192.168.168.99)
> > [2014/06/03 15:02:21.812679,  3]
> > ../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
> >    string_to_sid: SID @INFINITY+Domain Users is not in a valid format
> > [2014/06/03 15:02:21.823678,  3]
> > ../source3/smbd/service.c:375(find_forced_group)
> >    Forced group Domain Users
> > [2014/06/03 15:02:21.824421,  3]
> > ../source3/smbd/service.c:612(make_connection_snum)
> >    Connect path is '/usr/local/samba/demoshare' for service [demoshare]
> > [2014/06/03 15:02:21.825045,  3]
> > ../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
> >    string_to_sid: SID @INFINITY+Domain Users is not in a valid format
> > [2014/06/03 15:02:21.825997,  3]
> > ../source3/smbd/error.c:82(error_packet_set)
> >    NT error packet at ../source3/smbd/reply.c(952) cmd=117 (SMBtconX)
> >    NT_STATUS_ACCESS_DENIED
> > [2014/06/03 15:02:21.835782,  3]
> > ../source3/smbd/server_exit.c:212(exit_server_common)
> >    Server exit (failed to receive smb request)
> >
> > Lastly, here's a snippet from the smb.conf global section, that might be
> > helpful:
> >
> > [global]
> >      workgroup = INFINITY
> >      server string = %h server (Samba, Ubuntu)
> >      security = ads
> >      realm = infinity.local
> >      domain master = no
> >      local master = no
> >      preferred master = no
> >      server role = member server
> >
> >      netbios name = mkejdev1
> >      map to guest = bad user
> >      idmap config *:range = 70001-80000
> >      idmap config * : backend = tdb
> >      idmap config INFINITY : backend = rid
> >      idmap config INFINITY : range = 60000-70000
> >
> >      winbind separator = +
> >      winbind enum users  = yes
> >      winbind enum groups = yes
> >      winbind use default domain = yes
> >      winbind nested groups = yes
> >      winbind refresh tickets = yes
> >      winbind trusted domains only = no
> >
> > Thanks,
> >
> > Jon Detert
> 
> 

-- 
Jon Detert
Sr. Systems Administrator
Infinity Healthcare
Milwaukee, Wisconsin
414-290-6759
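As an added triage example (not code from this thread, from either poster, or from the Samba project): a small Python parser for level-3 smbd debug output like the excerpt quoted above, which reconstructs each log record from its header line and the source-location line that follows it, then pairs every NT error packet with the diagnostic messages logged shortly before it. The sample log is the one pasted in the thread; the record layout it assumes (a `[timestamp, level]` header, optionally followed by `file.c:line(function)` on the same or the next line, then the message) is taken from that excerpt, and the "hint" substrings used to pick out likely causes are my own choice, not a Samba convention.

```python
import re
from dataclasses import dataclass

# Log excerpt as quoted in the thread (mail quote prefixes included on purpose).
SAMPLE_LOG = """\
> > [2014/06/03 15:02:21.810055,  3]
> > ../source3/smbd/process.c:1795(process_smb)
> >    Transaction 3 of length 96 (0 toread)
> > [2014/06/03 15:02:21.810863,  3]
> > ../source3/smbd/process.c:1398(switch_message)
> >    switch message SMBtconX (pid 15310) conn 0x0
> > [2014/06/03 15:02:21.811941,  3] ../source3/lib/access.c:338(allow_access)
> >    Allowed connection from 192.168.168.99 (192.168.168.99)
> > [2014/06/03 15:02:21.812679,  3]
> > ../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
> >    string_to_sid: SID @INFINITY+Domain Users is not in a valid format
> > [2014/06/03 15:02:21.823678,  3]
> > ../source3/smbd/service.c:375(find_forced_group)
> >    Forced group Domain Users
> > [2014/06/03 15:02:21.824421,  3]
> > ../source3/smbd/service.c:612(make_connection_snum)
> >    Connect path is '/usr/local/samba/demoshare' for service [demoshare]
> > [2014/06/03 15:02:21.825045,  3]
> > ../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
> >    string_to_sid: SID @INFINITY+Domain Users is not in a valid format
> > [2014/06/03 15:02:21.825997,  3]
> > ../source3/smbd/error.c:82(error_packet_set)
> >    NT error packet at ../source3/smbd/reply.c(952) cmd=117 (SMBtconX)
> >    NT_STATUS_ACCESS_DENIED
> > [2014/06/03 15:02:21.835782,  3]
> > ../source3/smbd/server_exit.c:212(exit_server_common)
> >    Server exit (failed to receive smb request)
"""

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]\s*(.*)$")
LOCATION_RE = re.compile(r"^(\S+\.c:\d+\(\w+\))\s*(.*)$")
QUOTE_PREFIX_RE = re.compile(r"^(>\s?)+")
STATUS_RE = re.compile(r"(NT_STATUS_\w+)")

# Substrings that usually mark the diagnostic explaining a later error (my choice).
CAUSE_HINTS = ("not in a valid format", "fail")


@dataclass
class Record:
    timestamp: str
    level: int
    source: str = ""
    message: str = ""

    def absorb(self, line: str) -> None:
        """Attach a continuation line: first the source location, then message text."""
        if not self.source:
            m = LOCATION_RE.match(line)
            if m:
                self.source = m.group(1)
                line = m.group(2).strip()
                if not line:
                    return
        self.message = f"{self.message} {line}".strip()


def parse_samba_log(text: str) -> list[Record]:
    """Rebuild smbd debug records, tolerating mail-style '> ' prefixes and wrapped headers."""
    records: list[Record] = []
    current = None
    for raw in text.splitlines():
        line = QUOTE_PREFIX_RE.sub("", raw).strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = Record(timestamp=m.group(1), level=int(m.group(2)))
            records.append(current)
            if m.group(3).strip():
                current.absorb(m.group(3).strip())
        elif current is not None:
            current.absorb(line)
    return records


def triage(text: str, window: int = 5) -> list[dict]:
    """For each NT error packet, report its status and the hint messages logged just before it."""
    records = parse_samba_log(text)
    findings = []
    for i, rec in enumerate(records):
        if "NT error packet" not in rec.message:
            continue
        status = STATUS_RE.search(rec.message)
        hints = [
            r.message
            for r in records[max(0, i - window):i]
            if any(h in r.message.lower() for h in CAUSE_HINTS)
        ]
        findings.append({
            "timestamp": rec.timestamp,
            "source": rec.source,
            "status": status.group(1) if status else "unknown",
            "hints": hints,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['status']} raised by {f['source']}")
        for hint in f["hints"]:
            print("  preceded by:", hint)
```

Running it against the quoted excerpt yields one finding, the SMBtconX `NT_STATUS_ACCESS_DENIED`, preceded by the two `string_to_sid` complaints about `@INFINITY+Domain Users`, which is the correlation Jon made by hand when reading the log. The same approach works on a live `log.smbd` once the `> ` prefix stripping is irrelevant, and the hint list can be extended as you learn which level-3 messages precede the failures you care about.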

