[Samba] Valid Users Does Not Like My AD Group or Syntax

Rowland Penny rpenny at samba.org
Sat Jan 28 07:28:23 UTC 2023



On 28/01/2023 00:07, E R via samba wrote:
> I am working on replacing an undocumented Samba server with one I have
> set up after the very helpful wiki.  I am just having an issue with using an
> Active Directory security group with the setting "valid users" to limit
> access to the share.  I would like to use an existing security group on the
> Windows side to control access to the share, if possible.  Server 2012 R2
> forest and OS on Windows side. I have taken pains to only use WinBind on
> RHEL as Red Hat weenies will point you to using tools like "realm" that
> introduce SSSD that I do not want to use.
> 
> valid user = MYDOMAIN\myuserid
> If I use the above syntax for my user account I can gain access to the
> share just as I expect.
> 
> valid user = +MYDOMAIN\"MySecurityGroup"
> The above syntax does not work (I am a member of the group).  I also tried
> omitting the quotes around the group name since I do not have a space in
> the name.  I also tried using the alternate syntax that you can use on
> Windows like MySecurityGroup@domain.com.
> 
> getent group MYDOMAIN\\MySecurityGroup
> The above command does return my group from AD.
> 
> chown root:MySecurityGroup somefile.txt
> The above command does update the permissions so that the group is used
> and displays on the ls command.
> 
> SID +MYDOMAIN\MySecurityGroup is not in a valid format
> I upped the log level to 3 and I see the above message.
> 
> IDMAP Setting:
> idmap config * : backend = autorid
> idmap config * : range = 100000-19999999
> idmap config * : rangesize = 1000000


Can we please see the output of 'testparm -s'?
Can you also tell us what version of Samba you are using and the RHEL
version?

Rowland



