Grzeski.Andreas@SWM.DE
2004-Oct-14  10:39 UTC
[Samba] Samba 3.0.7 / AD Domain Group Resolving
Hello List,

currently we have Samba 3.0.7 running on SLES8 systems with AD integration. We're using the SerNet RPMs (ftp.sernet.de).

Everything works fine so far, we just have a problem with resolving domain groups.

wbinfo -g works fine, the domain groups are correctly resolved. But when inserting a "valid users = @AD_DOMAIN_GROUP" statement in the smb.conf we get the following error:

smbd/service.c:make_connection_snum(314)
  user 'DOMAIN\User.Name' (from session setup) not permitted to access this share (sharename)

Inserting the user with his normal account name does work (e.g. valid users = DOMAIN\User.Name).

We do have a lot of AD groups, some users are members of more than 200 groups (and no, we cannot fix that, reducing the number of groups is unfortunately not an option).

I did find several posts in the list archives on this topic, but no practical solution yet.

Is there a solution? Are more details necessary?

One more thing: we also have the problem that once in a while winbind dies when executing wbinfo -g or -u. I don't know if this is somehow connected.

Anyone any ideas? I'm a bit lost here...

Greetings
Andreas Grzeski
Systems Engineer/RHCE
Stadtwerke München GmbH
Hi,

I think that you are formatting the valid users directive incorrectly.

Try valid users = DOMAIN+Group_name (I use + as my winbind separator, substitute for whatever you have chosen). No @ sign necessary.

It works fine for me like that.

Thanks,
Mark

-- 
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Grzeski.Andreas@SWM.DE
2004-Oct-14  12:11 UTC
[Samba] Samba 3.0.7 / AD Domain Group Resolving
Hi Mark,

that did not resolve the problem for me. Removing the @ sign produced the same error message (see below)...

Greetings
Andreas

-----Original Message-----
From: Mark Le Noury [mailto:markl@bbd.co.za]
Sent: Thursday, 14 October 2004 12:43
To: samba@lists.samba.org
Subject: RE: [Samba] Samba 3.0.7 / AD Domain Group Resolving

Hi,
I think that you are formatting the valid users directive incorrectly.
Try valid users = DOMAIN+Group_name (I use + as my winbind separator, substitute for whatever you have chosen). No @ sign necessary.
It works fine for me like that.
Thanks,
Mark
Grzeski.Andreas@SWM.DE
2004-Oct-14  12:45 UTC
[Samba] Samba 3.0.7 / AD Domain Group Resolving
Hi Mark,
this is the share definition from our smb.conf:
[install]
        writeable = yes
        path = /Path/to/directory
        write list = DOMAIN\Domain_Group
        valid users = DOMAIN\Domain_Group
The configuration is pretty straightforward...
Here is the rest of our smb.conf:
[global]
        workgroup = DOMAIN
        realm = DOMAIN.DE
        security = ADS
        netbios name = servername
        server string = Installserver
        domain master = no
        domain logons = no
        wins support = no
        wins server = ip.of.wins.server
        password server = server1 server2 server3
        idmap gid = 10000-40000
        idmap uid = 10000-40000
        winbind enum users = yes
        winbind enum groups = yes
        os level = 20
        interfaces = 127.0.0.1 eth0
        encrypt passwords = yes
        utmp = yes
        passdb backend = tdbsam:/etc/samba/passdb.tdb smbpasswd:/etc/samba/smbpasswd
        preferred master = no
        unix charset = LOCALE
        bind interfaces only = true
        template homedir = /home/%D/%U
        template shell = /bin/bash
        client use spnego = yes
        local master = no
I hope that helps...
Greetings
Andreas
-----Original Message-----
From: samba-bounces+grzeski.andreas=swm.de@lists.samba.org
[mailto:samba-bounces+grzeski.andreas=swm.de@lists.samba.org] On Behalf Of
Mark Le Noury
Sent: Thursday, 14 October 2004 14:31
To: samba@lists.samba.org
Subject: RE: [Samba] Samba 3.0.7 / AD Domain Group Resolving
Could you post the share definition from your smb.conf file?