Hello.

I have samba working with ADS and winbind (upgrading from nt4/samba-2.0.7 to w2k3/samba-3.0.4). Everything seems cool, but for one thing.

My old homes share used to look like this:

[homes]
path=%H/sam
valid users = +%G,%U
force user = %U
force group = %G
write list = +%U
create mask = 0770
directory mask = 0770
browseable=no
read only = no

It worked beautifully. But the whole valid users thing isn't working on the new system. To help troubleshoot, I used "root prexec" to dump the contents of %U, %u, %G, and %g to a file.

The values of these variables when connecting to the [homes] share as me:

- %U = username without domain (e.g. chris)
- %u = username with domain name and domain separator (e.g. DOMAIN+chris)
- %G = "users" --- always equal to the group "users" -- I have no clue why! Sometimes, however, %G = "%G" instead of "users". I think this is true for users who don't have a local unix account on the system.
- %g = groupname with domain name and domain separator (e.g. DOMAIN+chris_)

Here is where it gets weird.

Because %u = DOMAIN+chris it seems I should be able to do this:
valid users = %u

But it doesn't work! Once I add that line, it denies me access to the share. If I comment it out, I once again have access.

So, because %g = DOMAIN+primary_group I tried this:

valid users = +%g (also tried valid users = @%g)

Same thing. Doesn't grant me access. This makes absolutely no sense to me.

The use of these variables is critical to maintaining the security of the server shares. Has this changed between versions? Is this a bug? Or am I missing something altogether? How can I do this? I can't find anything on this in the books (I have 4 samba books...) or online. It used to work...

I appreciate any help.

Thanks!

Chris
Okay... I guess I can find ways around that then...

My thanks to those who read.

Chris

On Friday 23 July 2004 02:02 pm, Chris wrote:
> Hello.
>
> I have samba working with ADS and winbind (upgrading from nt4/samba-2.0.7
> to w2k3/samba-3.0.4). Everything seems cool, but for one thing.
>
> My old homes share used to look like this:
>
> [homes]
> path=%H/sam
> valid users = +%G,%U
> force user = %U
> force group = %G
> write list = +%U
> create mask = 0770
> directory mask = 0770
> browseable=no
> read only = no
>
> It worked beautifully. But the whole valid users thing isn't working on
> the new system. To help troubleshoot, I used "root prexec" to dump the
> contents of %U, %u, %G, and %g to a file.
>
> The values of these variables when connecting to the [homes] share as me:
>
> - %U = username without domain (e.g. chris)
> - %u = username with domain name and domain separator (e.g. DOMAIN+chris)
> - %G = "users" --- always equal to the group "users" -- I have no clue
> why! Sometimes, however, %G = "%G" instead of "users". I think this is
> true for users who don't have a local unix account on the system.
> - %g = groupname with domain name and domain separator (e.g. DOMAIN+chris_)
>
> Here is where it gets weird.
>
> Because %u = DOMAIN+chris it seems I should be able to do this:
> valid users = %u
>
> But it doesn't work! Once I add that line, it denies me access to the
> share. If I comment it out, I once again have access.
>
> So, because %g = DOMAIN+primary_group I tried this:
>
> valid users = +%g (also tried valid users = @%g)
>
> Same thing. Doesn't grant me access. This makes absolutely no sense to
> me.
>
> The use of these variables is critical to maintaining the security of the
> server shares. Has this changed between versions? Is this a bug? Or am I
> missing something altogether? How can I do this? I can't find anything
> on this in the books (I have 4 samba books...) or online. It used to
> work...
>
> I appreciate any help.
>
> Thanks!
>
> Chris
Gerald (Jerry) Carter
2004-Aug-08 13:58 UTC
[Samba] valid users %g and %u not behaving properly...
Chris wrote:
| Hello.
|
| I have samba working with ADS and winbind (upgrading from nt4/samba-2.0.7 to
| w2k3/samba-3.0.4). Everything seems cool, but for one thing.
|
| My old homes share used to look like this:
|
| [homes]
| path=%H/sam
| valid users = +%G,%U
| force user = %U
| force group = %G
| write list = +%U

These settings don't really mean anything here. You are saying that you want to force the user to be someone who they already are?

'valid user = %S' will prevent people from connecting to home directories they don't own.

cheers, jerry
---------------------------------------------------------------------
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song"--Switchfoot (2003)
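An audit sketch for the point made in the reply above, added here as an example and not part of any message in the thread: it parses smb.conf text and checks whether [homes] carries the owner-only restriction, spelled `valid users = %S` as in the smb.conf manual. The function names and both sample configs are constructed for illustration.

```python
import re

# Constructed samples: the [homes] lines quoted in the reply, and a variant
# using the owner-only restriction that the reply suggests.
THREAD_CONF = """
[homes]
path=%H/sam
valid users = +%G,%U
force user = %U
force group = %G
write list = +%U
"""
OWNER_ONLY_CONF = """
[homes]
    path = %H/sam
    Valid Users = %S
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; name case and whitespace are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # only the first '=' is significant
            current["".join(key.lower().split())] = value.strip()
    return sections

def audit_homes(text):
    """Return findings for [homes], limited to the points raised in the thread."""
    homes = parse_smb_conf(text).get("homes")
    if homes is None:
        return []
    valid, findings = homes.get("validusers", ""), []
    if "%S" not in re.split(r"[,\s]+", valid):
        findings.append("valid users does not restrict the share to %S")
    if re.search(r"%[UuGg]", valid):
        findings.append("valid users uses %U/%u/%G/%g (reported failing in this thread)")
    if homes.get("forceuser") == "%U":
        findings.append("force user = %U forces the user to who they already are")
    return findings

if __name__ == "__main__":
    print(audit_homes(THREAD_CONF), audit_homes(OWNER_ONLY_CONF))
```

Running the effective configuration through `testparm -s` first and auditing its output also covers included files and defaults.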