samba - Mar 2002 - Winbind + Space in Group Name = Not working

Using Samba 2.2.3a, w/ winbind on Debian woody, and Solaris 8.  

A share configured to only allow users within a group is not working
because the group name has a space in it.  I have tried the syntax
posted here a while back:

http://lists.samba.org/pipermail/samba/2001-October/059612.html
     Try->   valid users = " "@Domain Users" "

But that does not work.  A group such as "Domain Users" in domain
"Domain" returns an error in log.smbd:

user_in_winbind_group_list: winbind_lookup_name for group DOMAIN+Domain
failed.

wbinfo -t returns: Secret is good
getent passwd: Returns user list
getent group: Returns group list

smb.conf looks like:

[global]
	workgroup = DOMAIN
	netbios name = SAMBATEST
	server string = Samba Test Server (Samba %v)
	security = domain
	encrypt passwords = Yes
	update encrypted = Yes
	obey pam restrictions = no
        password server = *
	unix password sync = no
	invalid users = root
	syslog = 0
	max log size = 1000
	name resolve order = wins bcast host lmhosts
	socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096
SO_RCVBUF=4096
	load printers = No
	add user script = /usr/sbin/useradd -p %u %u
	preferred master = False
	local master = No
	domain master = False
	dns proxy = No
	wins server = 10.10.20.20
# Winbind Options
	winbind uid = 10000-20000
	winbind gid = 10000-20000
        winbind separator = +
	template shell = /bin/false
        template homedir = /export/home/samba/%D/%U

[homes]
	comment = Home Directories
	create mask = 0700
	directory mask = 0700
	browseable = yes
        writeable = yes

[files]
	comment = User1 writes, everyone else reads
	path = /export/home/samba/files
	force user = DOMAIN+user1
	force group = DOMAIN+Domain Users
	read only = No
	create mask = 0750
	force create mode = 0750
        directory mask = 0750
        inherit permissions = yes
        write list = Domain+user1
	browseable = yes
        
#  ***** PROBLEM HERE ******  
        valid users = " "@DOMAIN+Domain Users" "

Perhaps I am missing something..

What is the order of operations for specifing access control to a share
when using winbind?  Since Samba is using pam and winbind is simpily
providing an interface from pam to the NT Domain, it would suggest that
access definitions would need to be defined as:

valid users = DOMAIN+username, @DOMAIN+groupname, 

-instead of-

valid users = username, @groupname

Am I off base?  Any suggestions on the groups w/ spaces issues?

Matt Pavlovich

On Wed, 2002-03-13 at 15:57, Matt Pavlovich wrote:
> Using Samba 2.2.3a, w/ winbind on Debian woody, and Solaris 8.  
> 
> A share configured to only allow users within a group is not working
> because the group name has a space in it.  I have tried the syntax
> posted here a while back:
> 
> http://lists.samba.org/pipermail/samba/2001-October/059612.html
>      Try->   valid users = " "@Domain Users" "
> 
> But that does not work.  A group such as "Domain Users" in domain
> "Domain" returns an error in log.smbd:
> 
> user_in_winbind_group_list: winbind_lookup_name for group DOMAIN+Domain
> failed.
> 
> wbinfo -t returns: Secret is good
> getent passwd: Returns user list
> getent group: Returns group list
> 
> smb.conf looks like:
> 
> [global]
> 	workgroup = DOMAIN
> 	netbios name = SAMBATEST
> 	server string = Samba Test Server (Samba %v)
> 	security = domain
> 	encrypt passwords = Yes
> 	update encrypted = Yes
> 	obey pam restrictions = no
>         password server = *
> 	unix password sync = no
> 	invalid users = root
> 	syslog = 0
> 	max log size = 1000
> 	name resolve order = wins bcast host lmhosts
> 	socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096
> SO_RCVBUF=4096
> 	load printers = No
> 	add user script = /usr/sbin/useradd -p %u %u
> 	preferred master = False
> 	local master = No
> 	domain master = False
> 	dns proxy = No
> 	wins server = 10.10.20.20
> # Winbind Options
> 	winbind uid = 10000-20000
> 	winbind gid = 10000-20000
>         winbind separator = +
> 	template shell = /bin/false
>         template homedir = /export/home/samba/%D/%U
> 
> [homes]
> 	comment = Home Directories
> 	create mask = 0700
> 	directory mask = 0700
> 	browseable = yes
>         writeable = yes
> 
> [files]
> 	comment = User1 writes, everyone else reads
> 	path = /export/home/samba/files
> 	force user = DOMAIN+user1
> 	force group = DOMAIN+Domain Users
> 	read only = No
> 	create mask = 0750
> 	force create mode = 0750
>         directory mask = 0750
>         inherit permissions = yes
>         write list = Domain+user1
> 	browseable = yes
>         
> #  ***** PROBLEM HERE ******  
>         valid users = " "@DOMAIN+Domain Users" " 
> 
> 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba

----- Original Message -----
From: "Matt Pavlovich" <mpav@algx.net>
To: <samba@lists.samba.org>
Sent: Wednesday, March 13, 2002 10:57 PM
Subject: [Samba] Winbind + Space in Group Name = Not working

> Using Samba 2.2.3a, w/ winbind on Debian woody, and Solaris 8.
>
> A share configured to only allow users within a group is not working
> because the group name has a space in it.  I have tried the syntax
> posted here a while back:
>
> http://lists.samba.org/pipermail/samba/2001-October/059612.html
>      Try->   valid users = " "@Domain Users" "
>
> But that does not work.  A group such as "Domain Users" in domain
> "Domain" returns an error in log.smbd:
>
> user_in_winbind_group_list: winbind_lookup_name for group DOMAIN+Domain
> failed.
>
> wbinfo -t returns: Secret is good
> getent passwd: Returns user list
> getent group: Returns group list
>
> smb.conf looks like:
>
> [global]
> workgroup = DOMAIN
> netbios name = SAMBATEST
> server string = Samba Test Server (Samba %v)
> security = domain
> encrypt passwords = Yes
> update encrypted = Yes
> obey pam restrictions = no
>         password server = *
> unix password sync = no
> invalid users = root
> syslog = 0
> max log size = 1000
> name resolve order = wins bcast host lmhosts
> socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096
> SO_RCVBUF=4096
> load printers = No
> add user script = /usr/sbin/useradd -p %u %u
> preferred master = False
> local master = No
> domain master = False
> dns proxy = No
> wins server = 10.10.20.20
> # Winbind Options
> winbind uid = 10000-20000
> winbind gid = 10000-20000
>         winbind separator = +
> template shell = /bin/false
>         template homedir = /export/home/samba/%D/%U
>
> [homes]
> comment = Home Directories
> create mask = 0700
> directory mask = 0700
> browseable = yes
>         writeable = yes
>
> [files]
> comment = User1 writes, everyone else reads
> path = /export/home/samba/files
> force user = DOMAIN+user1
> force group = DOMAIN+Domain Users
> read only = No
> create mask = 0750
> force create mode = 0750
>         directory mask = 0750
>         inherit permissions = yes
>         write list = Domain+user1
> browseable = yes
>
> #  ***** PROBLEM HERE ******
>         valid users = " "@DOMAIN+Domain Users" "
I had the same problem and allowed the access with

       valid users = @'DOMAIN+Domain Users'

Now it works fine but in the log messages i always obtain:

user_in_winbind_group_list: winbind_lookup_name for group DOMAIN+Domain
failed.



Why?

                    Bye all

                                /\lessandro




--
Prendi GRATIS l'email universale che... risparmia: http://www.email.it/f

Sponsor:
Notizie, Rumors, Approfondimenti, Quotazioni?
L'informazione finanziaria in tempo pi? che reale: 

Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=242&d=17-3