thr3ads.net - samba - [Samba] How to grant access to file shares by AD groups that have spaces in their name? [Jun 2014]

If this information is useful, please help other people find it:
Share via:

Jon Detert

2014-Jun-03 20:05 UTC

[Samba] How to grant access to file shares by AD groups that have spaces in their name?

Hi,

I hava a Samba4 file server joined to a Samba4 domain.

I made a share for all members of the INFINITY domain 'Domain Users'
group to access:
[demoshare]
    comment = Test share
    path = /usr/local/samba/demoshare
    read only = no
    valid users = @"INFINITY+Domain Users"

but no group member can access it.  Any ideas what is wrong?

It works if I change the group to one with no spaces in the name:
[demoshare]
    comment = Test share
    path = /usr/local/samba/demoshare
    read only = no
    valid users = @INFINITY+jontest

When the group is specified as 'Domain Users', this is what smclient
says when trying to connect:
$ smbclient -U INFINITY\\jdetert //mkejdev1/demoshare
Password for [INFINITY\jdetert]:
Connection to \\mkejdev1\demoshare failed - NT_STATUS_ACCESS_DENIED
$

and this is what the samba log file (at log level 3) says for the IP that
smbclient was run from:

[2014/06/03 15:02:21.810055,  3] ../source3/smbd/process.c:1795(process_smb)
  Transaction 3 of length 96 (0 toread)
[2014/06/03 15:02:21.810863,  3] ../source3/smbd/process.c:1398(switch_message)
  switch message SMBtconX (pid 15310) conn 0x0
[2014/06/03 15:02:21.811941,  3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from 192.168.168.99 (192.168.168.99)
[2014/06/03 15:02:21.812679,  3]
../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
  string_to_sid: SID @INFINITY+Domain Users is not in a valid format
[2014/06/03 15:02:21.823678,  3]
../source3/smbd/service.c:375(find_forced_group)
  Forced group Domain Users
[2014/06/03 15:02:21.824421,  3]
../source3/smbd/service.c:612(make_connection_snum)
  Connect path is '/usr/local/samba/demoshare' for service [demoshare]
[2014/06/03 15:02:21.825045,  3]
../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
  string_to_sid: SID @INFINITY+Domain Users is not in a valid format
[2014/06/03 15:02:21.825997,  3] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/reply.c(952) cmd=117 (SMBtconX)
NT_STATUS_ACCESS_DENIED
[2014/06/03 15:02:21.835782,  3]
../source3/smbd/server_exit.c:212(exit_server_common)
  Server exit (failed to receive smb request)

Lastly, here's a snippet from the smb.conf global section, that might be
helpful:

[global]
    workgroup = INFINITY
    server string = %h server (Samba, Ubuntu)
    security = ads
    realm = infinity.local
    domain master = no
    local master = no
    preferred master = no
    server role = member server

    netbios name = mkejdev1
    map to guest = bad user
    idmap config *:range = 70001-80000
    idmap config * : backend = tdb
    idmap config INFINITY : backend = rid
    idmap config INFINITY : range = 60000-70000

    winbind separator = +
    winbind enum users  = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind nested groups = yes
    winbind refresh tickets = yes
    winbind trusted domains only = no

Thanks,

Jon Detert

JD Daniels

2014-Jun-03 23:36 UTC

head link

[Samba] How to grant access to file shares by AD groups that have spaces in their name?

I believe the strongest aspect of samba4 domains is the windows style acls.
I define my shares like this:

[Software]
         path = /tank/Software
         read only = No

Then use the remote system administration tools to add users. (Active 
directory User and Computers->Right click the server->manage, Right 
click the share and set permissions/ownership)

  I have had no issues adding INFINITY\Domain Users this way.

And if you add the sediskoperator privilege, you can simply browse to 
the share and manage access from the security tab.

This is my favorite feature so far...

-- 
JD Daniels

On 6/3/2014 1:05 PM, Jon Detert wrote:> Hi,
>
> I hava a Samba4 file server joined to a Samba4 domain.
>
> I made a share for all members of the INFINITY domain 'Domain
Users' group to access:
> [demoshare]
>      comment = Test share
>      path = /usr/local/samba/demoshare
>      read only = no
>      valid users = @"INFINITY+Domain Users"
>
> but no group member can access it.  Any ideas what is wrong?
>
> It works if I change the group to one with no spaces in the name:
> [demoshare]
>      comment = Test share
>      path = /usr/local/samba/demoshare
>      read only = no
>      valid users = @INFINITY+jontest
>
> When the group is specified as 'Domain Users', this is what
smclient says when trying to connect:
> $ smbclient -U INFINITY\\jdetert //mkejdev1/demoshare
> Password for [INFINITY\jdetert]:
> Connection to \\mkejdev1\demoshare failed - NT_STATUS_ACCESS_DENIED
> $
>
> and this is what the samba log file (at log level 3) says for the IP that
smbclient was run from:
>
> [2014/06/03 15:02:21.810055,  3]
../source3/smbd/process.c:1795(process_smb)
>    Transaction 3 of length 96 (0 toread)
> [2014/06/03 15:02:21.810863,  3]
../source3/smbd/process.c:1398(switch_message)
>    switch message SMBtconX (pid 15310) conn 0x0
> [2014/06/03 15:02:21.811941,  3] ../source3/lib/access.c:338(allow_access)
>    Allowed connection from 192.168.168.99 (192.168.168.99)
> [2014/06/03 15:02:21.812679,  3]
../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
>    string_to_sid: SID @INFINITY+Domain Users is not in a valid format
> [2014/06/03 15:02:21.823678,  3]
../source3/smbd/service.c:375(find_forced_group)
>    Forced group Domain Users
> [2014/06/03 15:02:21.824421,  3]
../source3/smbd/service.c:612(make_connection_snum)
>    Connect path is '/usr/local/samba/demoshare' for service
[demoshare]
> [2014/06/03 15:02:21.825045,  3]
../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
>    string_to_sid: SID @INFINITY+Domain Users is not in a valid format
> [2014/06/03 15:02:21.825997,  3]
../source3/smbd/error.c:82(error_packet_set)
>    NT error packet at ../source3/smbd/reply.c(952) cmd=117 (SMBtconX)
NT_STATUS_ACCESS_DENIED
> [2014/06/03 15:02:21.835782,  3]
../source3/smbd/server_exit.c:212(exit_server_common)
>    Server exit (failed to receive smb request)
>
> Lastly, here's a snippet from the smb.conf global section, that might
be helpful:
>
> [global]
>      workgroup = INFINITY
>      server string = %h server (Samba, Ubuntu)
>      security = ads
>      realm = infinity.local
>      domain master = no
>      local master = no
>      preferred master = no
>      server role = member server
>
>      netbios name = mkejdev1
>      map to guest = bad user
>      idmap config *:range = 70001-80000
>      idmap config * : backend = tdb
>      idmap config INFINITY : backend = rid
>      idmap config INFINITY : range = 60000-70000
>
>      winbind separator = +
>      winbind enum users  = yes
>      winbind enum groups = yes
>      winbind use default domain = yes
>      winbind nested groups = yes
>      winbind refresh tickets = yes
>      winbind trusted domains only = no
>
> Thanks,
>
> Jon Detert

Reasonably Related Threads

Search for more seemingly similar threads

samba - Jun 2014 - How to grant access to file shares by AD groups that have spaces in their name?

[Samba] How to grant access to file shares by AD groups that have spaces in their name?

[Samba] How to grant access to file shares by AD groups that have spaces in their name?

Reasonably Related Threads