Jonathan Johnson
2007-Jul-12 19:40 UTC
[Samba] BUG? 'valid users' doesn't allow groups from trusted domains
It appears that you cannot include groups from trusted domains in the 'valid users =' directive on a share.

Here is the scenario as I experienced it (names have been changed to protect the innocent):

Configuration:
- Samba 3.0.21b as a member server in a real NT4 domain (security = domain) called 'NTDOMAIN'
- NTDOMAIN has a two-way trust with Windows 2003 Active Directory domain 'ADSDOMAIN'
- User 'fred' has an account on NTDOMAIN (NTDOMAIN+fred) and is a member of the 'sales' group on NTDOMAIN (@NTDOMAIN+sales)
- User 'wilma' has an account on ADSDOMAIN (ADSDOMAIN+wilma) and is a member of the 'sales' group on ADSDOMAIN (@ADSDOMAIN+sales)

If the share 'salesforce' has a 'valid users =' line in it, members of the trusting domain have no access by group; they can only access it if their accounts are specified explicitly. For example:

    [salesforce]
    path = /data/salesforce
    valid users = @NTDOMAIN+sales, @ADSDOMAIN+sales

then fred will have access to the salesforce share, but wilma will not, even though her group has been granted access to the share. If I specify wilma's account explicitly:

    [salesforce]
    path = /data/salesforce
    valid users = @NTDOMAIN+sales, @ADSDOMAIN+sales, ADSDOMAIN+wilma

then wilma will be able to access the share. It appears that adding a group from a trusted domain doesn't achieve what I hope to accomplish.

Now, I have not tried this with all possible combinations: both domains NT, both domains ADS, etc. ad infinitum. I just don't have the resources. Is this a bug or is it by design? If you folks think it's a bug, then I'll submit it as a bug report. If I'm misunderstanding something, please enlighten me or point me to the appropriate docs.

-Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com
Jonathan Johnson
2007-Jul-23 17:48 UTC
[Samba] BUG? 'valid users' doesn't allow groups from trusted domains
Additional information below.

Jonathan Johnson wrote:
> [original message quoted in full; see the post above]

More information:

wbinfo -u -g --domain=NTDOMAIN reveals the list of domain users & groups from NTDOMAIN.

wbinfo -u -g --domain=ADSDOMAIN returns the error 'Error looking up domain users' (or groups, if only -g is spec'd).

wbinfo --getdcname=ADSDOMAIN returns 'ADSDOMAIN+ADSSERVER', the domain and name of the ADS server.

If I specify credentials (either in NTDOMAIN or ADSDOMAIN) using --set-auth-user, the results are exactly the same.

The 'getent' command returns similar results, but IS able to resolve users in ADSDOMAIN but not groups:

    getent group NTDOMAIN+sales

will return the list of users in that group. However, the similar command:

    getent group ADSDOMAIN+sales

returns nothing, not even an error. Interestingly, the command

    getent passwd ADSDOMAIN+wilma

will return a result such as this:

    ADSDOMAIN+wilma:x:10213:10034::/home/ADSDOMAIN/wilma:/bin/false

Interesting. Does this indicate a bug in wbinfo, getent, some Samba bug, or a combination of all three?

Oh, yes, this is on Ubuntu 5.10 "Breezy Badger." Yes, I know it's old.

-Jon Johnson
Sutinen Consulting, Inc.
jon@sutinen.com
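The getent results in the second post are the useful check here: a group token in 'valid users =' can only admit members if the name service switch can resolve that group on the Samba host, so an entry like @ADSDOMAIN+sales that getent cannot see silently grants nobody. The following audit script is an added example, not code from the thread or from the Samba project; it walks a 'valid users =' value token by token and reports which entries the host can actually resolve. It assumes the winbind separator is '+' as in the posts, and the GETENT variable (a convention of this script, not of Samba) lets you point it at a stand-in resolver.

```shell
#!/bin/sh
# Audit a 'valid users =' value token by token through the name service
# switch. A group token that getent cannot resolve can never admit anyone,
# which matches the symptom in the thread: @NTDOMAIN+sales resolves,
# @ADSDOMAIN+sales does not, so only explicitly listed ADSDOMAIN users get in.
#
# GETENT names the resolver command (default: the real getent). It is an
# assumption of this script, overridable so the audit can be exercised
# against a stand-in resolver.
: "${GETENT:=getent}"

# split_valid_users VALUE -> one trimmed token per line
split_valid_users() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# resolve_token TOKEN -> prints "ok TOKEN" or "missing TOKEN"
# Returns 1 when the token does not resolve. Samba treats a leading
# '@', '+' or '&' as a group marker; anything else is a user name.
resolve_token() {
    tok=$1
    case $tok in
        @*|+*|"&"*)
            name=${tok#[@+&]}
            if "$GETENT" group "$name" >/dev/null 2>&1; then
                printf 'ok %s\n' "$tok"
                return 0
            fi ;;
        *)
            if "$GETENT" passwd "$tok" >/dev/null 2>&1; then
                printf 'ok %s\n' "$tok"
                return 0
            fi ;;
    esac
    printf 'missing %s\n' "$tok"
    return 1
}

# audit_valid_users VALUE -> one status line per token
audit_valid_users() {
    split_valid_users "$1" | while IFS= read -r tok; do
        resolve_token "$tok" || :   # keep going even under 'set -e'
    done
}

# count_missing VALUE -> number of tokens that did not resolve
count_missing() {
    audit_valid_users "$1" | grep -c '^missing ' || :
}

# Example run against the live NSS configuration of the member server:
#   audit_valid_users '@NTDOMAIN+sales, @ADSDOMAIN+sales, ADSDOMAIN+wilma'
```

Run it on the member server with the exact value from the share definition; any line starting with "missing" is an entry that contributes nothing to the share's access list, whether because of the trusted-domain group lookup failure described above or because of a plain typo in the group name.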