Wim Bakker
2004-Apr-17 18:22 UTC
[Samba] Bug in "force group" parameter, or group membership checking?
Hello,

I have the following situation: Samba with ldap passdb backend. In my setup I have a group called exact:

------------
dn: cn=exact,ou=Groups,dc=ahm,dc=nl
objectClass: posixGroup,sambaGroupMapping
cn: exact
gidNumber: 1000
sambaSID: S-1-5-21-4269728302-1655870493-3894479995-3001
sambaGroupType: 4
memberUid: gerrit,piet,hornie
------------

maps to the unix group exact:

    exact (S-1-5-21-4269728302-1655870493-3894479995-3001) -> exact

/etc/group:

    exact:x:1000:

Users gerrit, piet and hornie can't use the share exact unless I specify the parameter:

    force group = exact

(smb.conf entry):

    [exact]
    path = /shares/exact
    browseable = no
    read only = no
    force group = exact

If I don't specify force group = exact, apparently the authorized users (gerrit, piet and hornie) connect as members of their default group, being "Domain Users", and they aren't allowed anything on the share exact.

permissions on this share exact:

    # file: shares/exact
    # owner: root
    # group: exact
    user::rwx
    group::rwx
    group:exact:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:group::rwx
    default:group:exact:rwx
    default:mask::rwx
    default:other::---

So I take it that there is no checking whether a user that tries to connect to a share is, besides its default group, the user connects with, also member of the group that is authorized to connect to that share, in this case being the group exact, so I have to set force group = exact, so a user that connects to that share connects with default group exact, and is allowed to access the share and do its thing. But apparently there is no checking whether that user is actually a member of that group, because when I connect as a completely different user, not at all listed in the group exact as a member, I get full access also. Now I add the parameter:

    valid users = @exact

to that entry in the smb.conf, but then not one user can connect anymore, also not the users that are listed in the group parameters as being a member of that group.

Where is it going wrong? When I make the default group of the users that are allowed to access the share exact, members of the group exact, there is no problem, then they are recognized as being members of the group exact and get access. When exact is not their default group, but just one of the groups they are also a member of, there is no way to grant them access without granting everyone access.

TIA
Wim Bakker
Wim Bakker
2004-Apr-17 19:26 UTC
[Samba] Bug in "force group" parameter, or group membership checking?
On Saturday 17 April 2004 20:21, Wim Bakker wrote:
> So I take it that there is no checking whether a user that tries to
> connect to a share is, besides its default group, the user connects
> with, also member of the group that is authorized to connect to
> that share, in this case being the group exact, so I have to set
> force group = exact, so a user that connects to that share,
> connects with default group exact, and is allowed to access the
> share and do its thing. But apparently there is no checking whether
> that user is actually a member of that group, because when I connect
> as a completely different user, not at all listed in the group exact as a
> member, I get full access also. Now I add the parameter:
> valid users = @exact

Wrong, it is being checked, but what is being checked? Output from log:

    [2004/04/17 21:08:35, 2] lib/access.c:check_access(324)
      Allowed connection from (10.0.0.10)
    [2004/04/17 21:08:35, 10] lib/username.c:user_in_list(521)
      user_in_list: checking user gerrit in list
    [2004/04/17 21:08:35, 10] lib/username.c:user_in_list(525)
      user_in_list: checking user |gerrit| against |@exact|
    [2004/04/17 21:08:35, 5] lib/username.c:user_in_netgroup_list(310)
      Unable to get default yp domain
    [2004/04/17 21:08:35, 2] smbd/service.c:make_connection_snum(391)
      user 'gerrit' (from session setup) not permitted to access this share (exact)
    [2004/04/17 21:08:35, 3] smbd/error.c:error_packet(134)

What is this "Unable to get default yp domain" doing?

TIA
Wim Bakker
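
Added example, not part of the original messages: a membership check over the posixGroup entry quoted in the first message, showing how a user whose primary group is not exact is matched against memberUid values. It assumes membership means a primary gid match or an exact match on one memberUid value, uses a constructed gid of 513 for "Domain Users", and treats the single comma-joined memberUid line literally, which may just be how the post abbreviated the entry.

```python
# Added example: membership test over a posixGroup LDIF entry.
# Assumption: a user is in the group if their primary gid equals the
# group's gidNumber or their login name equals one memberUid value.

def parse_ldif(text):
    """Return {attribute: [values]} for one LDIF entry (no base64, no folding)."""
    entry = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def is_member(user, primary_gid, entry):
    """True if `user` belongs to the group described by `entry`."""
    if primary_gid == int(entry["gidnumber"][0]):
        return True
    # Each memberUid value is compared whole; it is not split on commas.
    return user in entry.get("memberuid", [])

# Entry from the first message, trimmed to the attributes the check uses.
AS_POSTED = """
dn: cn=exact,ou=Groups,dc=ahm,dc=nl
cn: exact
gidNumber: 1000
memberUid: gerrit,piet,hornie
"""

# Constructed variant: one memberUid value per member.
ONE_PER_VALUE = """
dn: cn=exact,ou=Groups,dc=ahm,dc=nl
cn: exact
gidNumber: 1000
memberUid: gerrit
memberUid: piet
memberUid: hornie
"""

DOMAIN_USERS_GID = 513  # constructed value; the real gid is not on the page

def report(user):
    """Membership of `user` under both forms of the entry."""
    return {name: is_member(user, DOMAIN_USERS_GID, parse_ldif(text))
            for name, text in (("as_posted", AS_POSTED),
                               ("one_per_value", ONE_PER_VALUE))}

if __name__ == "__main__":
    for u in ("gerrit", "piet", "hornie"):
        print(u, report(u))
```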