FW: PRIVATE: Samba not following AD groups? (PR#25737)

James Braid james.braid at peace.com
Mon Oct 21 20:55:01 GMT 2002


This is a bug report I logged in the bug tracking system and it was
suggested I forward it on to samba-technical. So here it is. Basically
it looks like AD groups don't work in the valid users list with Winbind
and Samba.

On Mon, 2002-10-21 at 12:17, jamesb at peace.com wrote:
Full_Name: James Braid
Samba_Version: 2.999+3.0.alpha20-3 for Debian
Server_OS: Debian unstable
Client_OS: Debian unstable with smbclient, Windows XP SP1
Submission from: (NULL) (203.97.97.130)


Hi,

There seems to be a problem with Samba and/or Winbind and AD groups. I
have a Samba 3.0a20 box setup as a member of an AD domain (very, very
cool, thanks for all the work you guys have done with this).

The groups seem to be getting correctly enumerated by Winbind:

# getent group | grep dsksupp

PEACEDOM\akl-dsksupp:x:10133:PEACEDOM\tpataben,PEACEDOM\cpeterke,PEACEDOM\jamesb,PEACEDOM\bevans

In my Samba config I have the following lines:

valid users = +PEACEDOM\akl-dsksupp
admin users = +PEACEDOM\akl-dsksupp

So, in theory if I connect as a user in the akl-dsksupp 
group I should be able to access the server right? Nope.

# smbclient -L '\\disko' -U 'PEACEDOM\jamesb'
added interface ip=10.0.1.18 bcast=10.0.255.255 nmask=255.255.0.0
added interface ip=10.0.1.100 bcast=10.0.255.255 nmask=255.255.0.0
Password:
Doing spnego session setup (blob length=97)
OS=[Unix] Server=[Samba]
tree connect failed: NT_STATUS_ACCESS_DENIED

The log.smbd file on the server has the following (at log level 2);

---
  check_password:  authentication for user [jamesb] -[jamesb] -> [PEACEDOM\jamesb] suceeded
  user 'PEACEDOM\jamesb' (from session setup) not permitted to access this share (IPC$)Closing connection
---

The weird thing is, if I put my username (i.e. PEACEDOM\jamesb) into the
valid users list as well, it works fine. Just not if the group is in
there by itself.

It used to work fine with mixtures of groups and users in the valid
users list with 2.2.x against an NT4 domain (yeah, I know that's pretty
much a useless statement, considering how much has changed, but anyway).
Perhaps this isn't a bug, perhaps a config directive has changed. I'd be
grateful for any help you can give me.

Please let me know if you need further details. Thanks.
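
Added example, not part of the original post and not Samba code: a small Python check that evaluates a `valid users` value against `getent group` output, to confirm what the NSS group database says a user should be allowed before attributing a denial to smbd. The function names, the second sample group line and the simplifications listed in the docstring are assumptions of this example.

```python
import re

# Sample input in `getent group` format (name:passwd:gid:members).
# First line is the one quoted in the post; the second is constructed.
SAMPLE_GROUP_DB = r"""
PEACEDOM\akl-dsksupp:x:10133:PEACEDOM\tpataben,PEACEDOM\cpeterke,PEACEDOM\jamesb,PEACEDOM\bevans
PEACEDOM\akl-other:x:10134:PEACEDOM\bevans
"""

def parse_group_db(text):
    """Map group name -> set of members listed in getent-style lines."""
    groups = {}
    for line in text.strip().splitlines():
        fields = line.split(":")
        if len(fields) != 4:
            continue  # skip malformed lines
        name, _pw, _gid, members = fields
        groups[name] = {m for m in members.split(",") if m}
    return groups

def expected_access(user, valid_users, group_db_text):
    """Return (allowed, matching_entry) for a `valid users` value.

    Assumptions of this sketch: list entries contain no spaces, '+name' and
    '@name' are resolved against the UNIX group database only (no NIS
    netgroup lookup), and '&name' (netgroup only) is never matched.
    """
    groups = parse_group_db(group_db_text)
    entries = [e for e in re.split(r"[,\s]+", valid_users.strip()) if e]
    if not entries:
        return True, None  # an empty list places no restriction
    for entry in entries:
        if entry[0] in "+@":
            if user in groups.get(entry[1:], set()):
                return True, entry
        elif entry[0] != "&" and entry == user:
            return True, entry
    return False, None

if __name__ == "__main__":
    print(expected_access(r"PEACEDOM\jamesb", r"+PEACEDOM\akl-dsksupp", SAMPLE_GROUP_DB))
```

If this check reports the user as allowed through the group entry while smbd still logs "not permitted to access this share", the mismatch lies in how smbd expands the group rather than in Winbind's enumeration.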



