[Samba] Samba as AD member can not validate domain user

Rowland Penny rowlandpenny at googlemail.com
Sun Apr 12 05:49:02 MDT 2015


On 12/04/15 11:19, jd at ionica.lv wrote:
>
> Quoting jd at ionica.lv:
>
>> Hi!
>>
>> the previous problems were solved (thank you, Rowland!), but a few 
>> issues remain:
>>
>> I get such msg in log:
>> 0. Is it possible to tell samba to output messages in logs as one 
>> line per message (even if it is long one?)
>>
>> 1. 2015/04/12 11:32:39.293583,  3] 
>> ../source3/smbd/msdfs.c:971(get_referred_path)
>>  get_referred_path: |shareX| in dfs path \FS\shareX is not a dfs root.
>> (seems it is not making problems, as access to other shares giving 
>> such an error does not influence anything)
>>
>>
>> 2. 2015/04/12 11:32:18.852138,  3] 
>> ../libcli/security/dom_sid.c:209(dom_sid_parse_endp) string_to_sid: 
>> SID @INTERNAL\\group is not in a valid format
>>
>> such messages I get after attempt to open a share (from smb.conf):
>> [shareX]
>>         comment = What it serves
>>         path = /home/shares/data/sharex
>>         browseable = yes
>>         read only = no
>>         valid users = @"INTERNAL\\group"
>>         force group = @"INTERNAL\\group"
>>         force create mode = 0660
>>         force directory mode = 0770
>
> SOLVED:
>
> the line valid users should look as such:
> valid users = @INTERNAL\\group
>
> That one remains
>
>> The other issue I have - if the user is not a member of particular 
>> domain group, but has the right to access the share, it is requested 
>> to enter username/pw, but can not access it anyway:
>>
>> [shareY]
>>         comment = Other share
>>         path=/home/shares/data/shareY
>>         browseable = yes
>>         read only = no
>>         valid users = @INTERNAL\\group1, @INTERNAL\\otheruser
>>         force group = @INTERNAL\\group1
>>         force create mode = 0660
>>         force directory mode = 0770
>
> I found one additional problem - when I request Domain Users group 
> information, no users are listed
>
> getent group "INTERNAL\\Domain Users" returns plain
> domain_users:x:10000:
> the same goes on DC.
>
> Do I need to create alternative Domain Users group?
>
>
No, "INTERNAL\\Domain Users" is the same group as 'domain_users', you 
probably have 'winbind normalize names = Yes' in smb.conf

Rowland


