Matthias Rutzki
2003-Feb-14 10:37 UTC
[Samba] domain users in local groups with Winbind/Samba/Redhat
Hi,

I am running Samba 2.2.7a on Red Hat 7.3 in an NT domain. For authentication I am using the domain users. This is done by Winbind 2.2.7a, which verifies the existence of the users on the PDC. So I don't have to create local users (/etc/passwd) for users who want to connect to the shares in smb.conf. I authorise them by adding valid users = domain+domainuser to smb.conf. This works very well.

Now my problem: by writing valid users = @localgroup or +localgroup I can authorise local groups (/etc/group) to connect to the shares. Now I want to add the domain users to some local groups. Putting the domain users in groups should save much time, because otherwise I have to add each domain user for every share separately, e.g. valid users = domain1+domainuser domain2+domainuser2 ....

I have tried it with: usermod -g localgroup domain+domainuser
which ends in this message: usermod: domain+domainuser not found in /etc/passwd
I know this message is right, because there is no domain user in /etc/passwd. But how can I sort the domain users into groups?

Is there a way to use groups of domain users who are verified by winbind in smb.conf?

Thank you for your efforts.

Greetings
Matthias
-- 
+++ GMX - Mail, Messaging & more http://www.gmx.net +++
Please smile! Photo gallery online with GMX without your own homepage!
Buchan Milne
2003-Feb-14 13:52 UTC
[Samba] domain users in local groups with Winbind/Samba/Redhat
> Date: Fri, 14 Feb 2003 11:37:53 +0100 (MET)
> From: Matthias Rutzki <mrutzki@gmx.de>
> To: samba@lists.samba.org
> Subject: [Samba] domain users in local groups with Winbind/Samba/Redhat
>
> [...]
>
> Is there a way to use groups of domainusers who are verified by winbind in
> the smb.conf?

valid users = @localgroup @'Domain1+group1'

-- 
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                     http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
David Boynton
2003-Feb-14 18:20 UTC
[Samba] domain users in local groups with Winbind/Samba/Redhat
Well, I got this to work once by manually editing the /etc/group file, like adding the line:

localgroup:x:<gid>:domain+user1,domain+user2,etc

I don't know if this is a safe thing to do, however. :)

Dave

On Friday 14 February 2003 03:37 am, Matthias Rutzki wrote:
> [...]
>
> Is there a way to use groups of domainusers who are verified by winbind in
> the smb.conf?
Matthias Rutzki
2003-Feb-20 09:51 UTC
[Samba] domain users in local groups with Winbind/Samba/Redhat
Hello again,

at the beginning thank you for your support. Today I had the time to test the various proposals. Finally the "gpasswd thing" works in that way that I can add any user to local groups, even domain users... Unfortunately the group members still can not access the shares.

I have done it in this way:
1. stop smbd & nmbd
2. add "winbind use default domain = yes" to smb.conf
3. create a test group with "groupadd test1"
4. add my domain user (without the domain (domain+)) to this group with "gpasswd -a rutzki.matthias test1"
5. create a share called testshare with "valid users = @test1" in smb.conf
6. start smbd & nmbd
7. log in to the domain on a Win98 system
8. try to access the testshare
9. the system asks me for a password...

So it seems that Samba does not find my user. Same failure when I add my user with "gpasswd -a west3+rutzki.matthias test1" to the local group.

Here is my winbind log:

# access to testshare with "valid users = west3+rutzki.matthias" (this works perfectly):
...
[ 8690]: getgroups west3+rutzki.matthias
[ 8690]: gid to sid 10250
[ 8690]: gid to sid 11001
[ 8690]: gid to sid 11255
[ 8690]: gid to sid 11257
...

# access to testshare with "valid users = @test1" or "valid users = +test1" (ends in a password request):
...
[ 8690]: getgroups west3+rutzki.matthias
[ 8690]: gid to sid 10250
[ 8690]: gid to sid 11001
[ 8690]: gid to sid 11255
[ 8690]: gid to sid 11257
[ 8690]: getgroups west3+rutzki.matthias
[ 8690]: getgroups west3+rutzki.matthias
[ 8690]: getgroups west3+rutzki.matthias
... (approx. 30 times this message)
...

Has anyone an idea what winbind is doing there?

Perhaps you need some other winbind-related configuration data:

/etc/nsswitch.conf:
passwd: files winbind
shadow: files winbind
group: files winbind

/etc/samba/smb.conf:
...
security = domain
...
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
winbind cache time = 10
winbind enum users = no #(large domain)
winbind enum groups = no #(large domain)
template shell = /bin/bash
...
[testshare]
path = /1
guest ok = no
writable = no
browseable = yes
valid users = @test1
write list = @test1

/etc/pam.d/system-auth:
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth use_first_pass nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_winbind.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so

I hope that will help you. Thank you for your help.

Greetings
Matthias

> --- David Boynton <david.boynton2 at asu.edu> wrote:
>> Well, I got this to work once by manually editing
>> the /etc/group file, like adding the line:
>>
>> localgroup:x:<gid>:domain+user1,domain+user2,etc
>>
>> I don't know if this is a safe thing to do, however. :)
>
> I don't believe you can safely manually edit this file, as you would
> probably also have to edit /etc/gshadow to match. Unix/Linux has a tool
> called gpasswd that will do this for you:
> gpasswd -a <user> <group>
>
> It lets you add users to a group without them existing in /etc/passwd
> (they don't even have to exist at all). Combine this with
> "winbind use default domain = yes" in smb.conf and you're ready to go.
>
> For example, in the domain ABC for the user john, do this to add him to
> a 'local' Unix group called smbusers:
>
> gpasswd -a john smbusers
>
> With "winbind use default domain = yes" you don't need to prefix it with
> your domain. Slick, huh? (:
>
> Good luck,
> /dev/idal
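How the valid users matching discussed in this thread behaves, as an added illustration (Python written for this page, not Samba or winbind code). It models the rules the thread relies on: a @group or +group entry is satisfied when the session user name appears in that group's member list, or when the group is the user's primary group in passwd; a plain entry must equal the user name; and a quoted @'Domain1+group1' entry (the form in Buchan Milne's reply) is simply a group whose name contains the winbind separator. The passwd and group contents, the group names test1, test2 and west3+domusers, and the gids are constructed; the user name west3+rutzki.matthias is the one the winbind log above reports. NIS netgroups, case folding and winbind's own SID lookups are not modelled, so the repeated getgroups calls in the log lie outside what this shows.

```python
"""Toy evaluator for Samba's ``valid users`` against passwd/group data.

Added illustration for the thread, not Samba or winbind code: it models
the user/group matching only and ignores NIS netgroups, case folding and
winbind's SID lookups.
"""

# Value of ``winbind separator`` from the smb.conf posted in the thread.
WINBIND_SEPARATOR = "+"

# Constructed sample data: what ``getent passwd`` would show for a winbind
# user (uid/gid inside the thread's 10000-20000 ranges); gid 10250 is the
# first "gid to sid" value in the posted log.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
west3+rutzki.matthias:x:10001:10250:Matthias Rutzki:/home/west3+rutzki.matthias:/bin/bash
"""

# Constructed group data: test1 records the member without the domain
# prefix (as ``gpasswd -a rutzki.matthias test1`` would), test2 with it,
# and west3+domusers is a winbind-style group name owning gid 10250.
SAMPLE_GROUP = """\
root:x:0:
test1:x:501:rutzki.matthias
test2:x:502:west3+rutzki.matthias
west3+domusers:x:10250:
"""


def parse_passwd(text):
    """Return {name: {'uid': int, 'gid': int}} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, *_rest = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid)}
    return users


def parse_group(text):
    """Return {name: {'gid': int, 'members': set}} from group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = {"gid": int(gid),
                        "members": {m for m in members.split(",") if m}}
    return groups


def session_username(domain, user, use_default_domain):
    """Name winbind presents for a domain user: bare with
    ``winbind use default domain = yes``, otherwise DOMAIN<sep>user."""
    if use_default_domain:
        return user
    return f"{domain}{WINBIND_SEPARATOR}{user}"


def user_in_group(username, group, users, groups):
    """True if the user is listed as a member or the group is the
    user's primary group in passwd."""
    g = groups.get(group)
    if g is None:
        return False
    if username in g["members"]:
        return True
    u = users.get(username)
    return u is not None and u["gid"] == g["gid"]


def parse_valid_users(value):
    """Split a ``valid users`` value into (prefix, name) pairs.
    Prefixes: '@' group (netgroup, then Unix group), '+' Unix group,
    '&' netgroup, '' plain user.  Quotes as in @'Domain1+group1' are
    stripped so the separator inside the name survives."""
    entries = []
    for token in value.replace(",", " ").split():
        prefix = token[0] if token[0] in "@+&" else ""
        entries.append((prefix, token[len(prefix):].strip("'\"")))
    return entries


def is_valid_user(username, valid_users, users, groups):
    """Decide whether ``username`` passes the share's ``valid users`` list."""
    for prefix, name in parse_valid_users(valid_users):
        if prefix == "&":
            continue  # NIS netgroups are not modelled here
        if prefix in ("@", "+"):
            if user_in_group(username, name, users, groups):
                return True
        elif name == username:
            return True
    return False


def demo():
    """Evaluate the thread's settings for the user name the log reports."""
    users = parse_passwd(SAMPLE_PASSWD)
    groups = parse_group(SAMPLE_GROUP)
    logged = session_username("west3", "rutzki.matthias", use_default_domain=False)
    return {
        "west3+rutzki.matthias": is_valid_user(logged, "west3+rutzki.matthias", users, groups),
        "@test1 (member stored as rutzki.matthias)": is_valid_user(logged, "@test1", users, groups),
        "@test2 (member stored as west3+rutzki.matthias)": is_valid_user(logged, "@test2", users, groups),
        "+'west3+domusers' (primary gid match)": is_valid_user(logged, "+'west3+domusers'", users, groups),
    }


if __name__ == "__main__":
    for setting, allowed in demo().items():
        print(f"valid users = {setting}: {'allowed' if allowed else 'DENIED'}")
```

Run stand-alone, it prints allowed or DENIED for each setting. In the model the @test1 case is denied only because the member was recorded as rutzki.matthias while the session user is west3+rutzki.matthias; on a real server the equivalent check is comparing the name in getent group test1 with what id reports for the user before changing smb.conf.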
Matthias Rutzki
2003-Feb-21 09:37 UTC
[Samba] domain users in local groups with Winbind/Samba/Redhat
Hi all,

> Sorry to mislead you, but I hope you're on the right track now.

No problem. Your answer was the first thing which really helped me with my project.

>> My problem is, my server is in an NT 4 resource domain and I can't create
>> domain global groups with members from account domains in it.

I have the same problem... Probably it works with NT global groups. But I don't have access to any PDC in my domain. I can't adapt the domain or even one global group in this domain so that it suits my requirements.

I am working on a project which rebuilds a Windows NT data server. Because of cost and stability reasons we had the idea to migrate from Windows NT to Linux/Samba. Unfortunately the guidelines of this project contain things like comfortable administration and a smooth change between the systems. So after finishing this project non-Unix experts have to administrate this system. Without local groups it doesn't seem to be very practical to accomplish this migration. Probably we have to retain Windows NT. Hopefully the local group feature will be available in Samba 3.0 at some time.

Thank you very much for your help. This saved me a lot of time.

Greetings
Matthias