All -

I'm having a problem with the "valid users" directive working. I have an Accounting share that only the Accounting department should have access to. However, I am unable to lock the directory down so only they can access it. I am running samba-3.0.0-2 from an RPM on RedHat 9.0. Below are details of my trials. This is a pretty urgent need, please. Thank you!

smb.conf
[global]
workgroup = SCHEMMER
server string = Project File Server
security = DOMAIN
password server = quicksilver.schemmer.com, fs2omaha.schemmer.com
log level = 10
log file = /var/log/samba/log.%m
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE
preferred master = No
dns proxy = No
wins server = 192.168.100.210
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind use default domain = Yes
oplocks = No
level2 oplocks = No

[Accounting]
comment = Accounting Files
path = /shares/acct
valid users = "@Domain Admins", @Acct
read only = No
create mask = 0777
directory mask = 0777

Output of "wbinfo -r smicheels"
10047
10024
10009
10040

Output of "getent group"
Acct:x:10047:platham,smicheels,gstoddard,cplum

Jeremy,

Please try the following. If you still have trouble let me know.

- John T.

On Tue, 30 Dec 2003, Lahners, Jeremy wrote:

> All -
> I'm having a problem with the "valid users" directive working. I have
> an Accounting share that only the Accounting department should have
> access to. However, I am unable to lock the directory down so only
> they can access it. I am running samba-3.0.0-2 from an RPM on RedHat
> 9.0. Below are details of my trials. This is a pretty urgent need,
> please. Thank you!
>
> smb.conf
> [global]
> workgroup = SCHEMMER
> server string = Project File Server
> security = DOMAIN
> password server = quicksilver.schemmer.com, fs2omaha.schemmer.com
> log level = 10
> log file = /var/log/samba/log.%m
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE
> preferred master = No
> dns proxy = No
> wins server = 192.168.100.210
> ldap ssl = no
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template shell = /bin/bash
> winbind use default domain = Yes
> oplocks = No
> level2 oplocks = No
>
> [Accounting]
> comment = Accounting Files
> path = /shares/acct

Set the following:

valid users = @"SCHEMMER\Acct", @"SCHEMMER\Domain Admins"

> read only = No

Comment these two entries out.

> create mask = 0777
> directory mask = 0777

Execute:

chgrp -R Acct /shares/acct
chmod -R ug+rwx,g+s,o-rwx /shares/acct

>
> Output of "wbinfo -r smicheels"
> 10047
> 10024
> 10009
> 10040
>
> Output of "getent group"
> Acct:x:10047:platham,smicheels,gstoddard,cplum
>

--
John H Terpstra
Email: jht@samba.org

No joy. In looking through the log, it appears the primary/supplementary groups may be the problem.

[2004/01/01 10:07:32, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 10054
  Primary group is 10009 and contains 2 supplementary groups
  Group[ 0]: 10009
  Group[ 1]: 10009

Group 10009 is "Domain Users" which is everyone's primary group. I can change the primary group to "Acct" however this will cause problems with other shares exhibiting the same problems. Any other suggestions?

-----Original Message-----
From: John H Terpstra [mailto:jht@samba.org]
Sent: Wed 12/31/2003 12:07 AM
To: Lahners, Jeremy
Cc: samba@lists.samba.org
Subject: Re: [Samba] Valid Users in Samba 3

Jeremy,

Please try the following. If you still have trouble let me know.

- John T.

On Tue, 30 Dec 2003, Lahners, Jeremy wrote:

> All -
> I'm having a problem with the "valid users" directive working. I have
> an Accounting share that only the Accounting department should have
> access to. However, I am unable to lock the directory down so only
> they can access it. I am running samba-3.0.0-2 from an RPM on RedHat
> 9.0. Below are details of my trials. This is a pretty urgent need,
> please. Thank you!
>
> smb.conf
> [global]
> workgroup = SCHEMMER
> server string = Project File Server
> security = DOMAIN
> password server = quicksilver.schemmer.com, fs2omaha.schemmer.com
> log level = 10
> log file = /var/log/samba/log.%m
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE
> preferred master = No
> dns proxy = No
> wins server = 192.168.100.210
> ldap ssl = no
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template shell = /bin/bash
> winbind use default domain = Yes
> oplocks = No
> level2 oplocks = No
>
> [Accounting]
> comment = Accounting Files
> path = /shares/acct

Set the following:

valid users = @"SCHEMMER\Acct", @"SCHEMMER\Domain Admins"

> read only = No

Comment these two entries out.

> create mask = 0777
> directory mask = 0777

Execute:

chgrp -R Acct /shares/acct
chmod -R ug+rwx,g+s,o-rwx /shares/acct

>
> Output of "wbinfo -r smicheels"
> 10047
> 10024
> 10009
> 10040
>
> Output of "getent group"
> Acct:x:10047:platham,smicheels,gstoddard,cplum
>

--
John H Terpstra
Email: jht@samba.org
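
A diagnostic for the mismatch Jeremy reports in his follow-up, as an added example that is not part of the original thread: it parses smbd's debug_unix_user_token log entries and "getent group" output and reports, for each logged token, which groups named in "valid users" the token actually carries. The inputs are constructed from the excerpts in the thread (the "Domain Users" line is built from Jeremy's statement that gid 10009 is "Domain Users"), and all function names are illustrative.

```python
import re

# Constructed inputs modelled on the thread's excerpts: one smbd
# debug_unix_user_token log entry and "getent group" lines.
SMBD_LOG = """\
[2004/01/01 10:07:32, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 10054
  Primary group is 10009 and contains 2 supplementary groups
  Group[  0]: 10009
  Group[  1]: 10009
"""
GETENT_GROUP = "Acct:x:10047:platham,smicheels,gstoddard,cplum\nDomain Users:x:10009:\n"
VALID_USERS = r'@"SCHEMMER\Acct", @"SCHEMMER\Domain Admins"'

TOKEN_RE = re.compile(
    r"UNIX token of user (\d+)\s+Primary group is (\d+) and contains "
    r"(\d+) supplementary groups((?:\s+Group\[\s*\d+\]:\s*\d+)*)")

def parse_tokens(log):
    """Yield (uid, set of gids) for each UNIX token smbd logged."""
    for uid, primary, _count, rest in TOKEN_RE.findall(log):
        gids = {int(primary)} | {int(g) for g in re.findall(r"\]:\s*(\d+)", rest)}
        yield int(uid), gids

def parse_getent(text):
    """Map group name -> gid from "getent group" output."""
    rows = (line.split(":") for line in text.splitlines() if line.count(":") >= 3)
    return {row[0]: int(row[2]) for row in rows}

def valid_user_groups(value):
    """Group names from a "valid users" value (entries written as @group)."""
    names = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if entry.startswith("@"):
            # Drop quotes and any DOMAIN\ prefix so names match getent output.
            names.append(entry[1:].strip('"').split("\\")[-1])
    return names

def diagnose(log, getent, valid_users):
    """Per token: (uid, valid-users groups it carries, groups with no gid)."""
    gid_of = parse_getent(getent)
    wanted = {n: gid_of.get(n) for n in valid_user_groups(valid_users)}
    return [(uid, sorted(n for n, g in wanted.items() if g in gids),
             sorted(n for n, g in wanted.items() if g is None))
            for uid, gids in parse_tokens(log)]

if __name__ == "__main__":
    print(diagnose(SMBD_LOG, GETENT_GROUP, VALID_USERS))
```

An empty matched list means the token gets nothing from the group permissions that the chgrp/chmod commands in John's reply rely on; an unresolved name means the getent output supplied no gid for that group.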