Hi,

I have Samba 3.0.4 on Solaris 9, recent patches applied. Samba is
integrated in domain (security = domain). I have compiled and
configured winbind, but not pam and no ldap. Nscd is stopped.

Winbind works OK, I can connect to share and users get mapped on-the-fly
to UNIX uids and gids in the ranges specified in smb.conf. My config is
included below with some tweaks to protect the innocent.

---

My goal : I want to create a share and restrict its access based on the
membership of a Windows group.

I have successfully used :

    valid users = DOM+user1 DOM+user2 DOM+user3

but when I try :

    valid users = @DOM+wingroup

or :

    valid users = +DOM+wingroup

It refuses me access to the share, even if I'm a member of the Windows
group.

What do I do wrong ? How should I write the groupnames ? Help wanted...

======================
# smb.conf
[global]
server string = Samba %v on %h
security = domain
domain logons = no
domain master = no
local master = no
preferred master = no
os level = 0
dns proxy = no
wins support = no
load printers = no
workgroup = DOM
encrypt passwords = yes
wins server = IP1 IP2
password server = *
debug level = 4
log file = /var/samba/log.%m
max log size = 1024

# for winbind :
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes

# share definitions
[myshare]
comment = mycomment
path = /data/mystuff
browseable = yes
writeable = Yes

# things I have tried to restrict share access
#
# works :
# valid users = DOM+user1 DOM+user2 DOM+user3
#
# broken :
# valid users = +zik
# valid users = @10000
# valid users = @DOM+GROUP1-R
# valid users = +"DOM+Z-GROUP2-W"
======================

--
Charles Bueche <bueche@netnea.com>
www.netnea.com : your best source for ultra-geeks !

Charles,

I've just done this here on Solaris 8. I have found slightly odd
behaviour in that wbinfo -u and wbinfo -g only return the actual
usernames and groups rather than "DOMAIN+Username" and
"DOMAIN+Groupname".

So in my smb.conf file I needed:-

    valid users = @Groupname

without the DOMAIN+ part. And yes I've set winbind separator = + as
well.

Just a thought.

Steve

Charles Bueche wrote:

>Hi,
>
>I have Samba 3.0.4 on Solaris 9, recent patches applied. Samba is
>integrated in domain (security = domain). I have compiled and
>configured winbind, but not pam and no ldap. Nscd is stopped.
>
>Winbind works OK, I can connect to share and users get mapped on-the-fly
>to UNIX uids and gids in the ranges specified in smb.conf. My config is
>included below with some tweaks to protect the innocent.
>
>---
>
>My goal : I want to create a share and restrict its access based on the
>membership of a Windows group.
>
>I have successfully used :
>
> valid users = DOM+user1 DOM+user2 DOM+user3
>
>but when I try :
>
> valid users = @DOM+wingroup
>
>or :
>
> valid users = +DOM+wingroup
>
>It refuses me access to the share, even if I'm a member of the Windows
>group.
>
>What do I do wrong ? How should I write the groupnames ? Help wanted...
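
Added example, not part of either message and not Samba code: a Python check that compares the group entries of a `valid users` value with the names `wbinfo -g` prints, to show whether the `DOM+` prefix is the mismatch discussed in this thread. The function names, the `DOM` default and the sample group list are assumptions constructed for illustration.

```python
import shlex

# Group prefixes smb.conf(5) documents for "valid users" entries:
# '@' NIS netgroup then UNIX group, '+' UNIX group via NSS only,
# '&' NIS netgroup only.
GROUP_PREFIXES = "@+&"

def split_entry(entry):
    """Return (prefix, name) for one 'valid users' token."""
    prefix = ""
    while entry and entry[0] in GROUP_PREFIXES:
        prefix, entry = prefix + entry[0], entry[1:]
    return prefix, entry

def check_valid_users(value, wbinfo_groups, separator="+", domain="DOM"):
    """Compare group entries with the names `wbinfo -g` printed."""
    known = {g.strip() for g in wbinfo_groups.splitlines() if g.strip()}
    head = domain + separator
    report = []
    for token in shlex.split(value):  # also handles +"DOM+Some Group"
        prefix, name = split_entry(token)
        if not prefix:
            report.append((token, "user entry, not checked"))
        elif name in known:
            report.append((token, "ok"))
        else:
            # Try the other spelling: with or without the "DOM+" part.
            alt = name[len(head):] if name.startswith(head) else head + name
            hint = "; winbind reports " + repr(alt) if alt in known else ""
            report.append((token, "no match" + hint))
    return report

# Constructed sample: unqualified names, as described in the reply above.
SAMPLE_WBINFO_G = "wingroup\nGROUP1-R\nZ-GROUP2-W\n"
SAMPLE_VALUE = 'DOM+user1 @DOM+wingroup +"DOM+Z-GROUP2-W" @wingroup @nosuch'

if __name__ == "__main__":
    for token, status in check_valid_users(SAMPLE_VALUE, SAMPLE_WBINFO_G):
        print(f"{token:24} {status}")
```

Feed it the real output of `wbinfo -g` and the share's `valid users` value. It only compares names and does not query NSS, so `getent group` remains the check for what a `+name` entry resolves to.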