Pepe Barbe
2005-Jun-21 22:21 UTC
[Samba] Problems Authenticating users by group in Active Directory
Hi,
I got a Samba box that is part of an Active Directory. It is working
with the most basic functions, but I want to start customizing the
security a little bit more. For that I want to grant access to
different shares by group using "valid users = @AD+group" in the
smb.conf, but it hasn't worked.
I increased the verbosity of the log files and this has caught my attention:
[2005/06/21 18:07:23, 10] lib/username.c:user_in_list(533)
user_in_list: checking user |CONTORG0+aalse001| against
|@CONTORG0+fsswebusers|
[2005/06/21 18:07:23, 5] lib/username.c:user_in_netgroup_list(315)
Unable to get default yp domain
[2005/06/21 18:07:23, 10] lib/username.c:user_in_list(533)
user_in_list: checking user |CONTORG0+aalse001| against |@CONTORG0+testgroup|
[2005/06/21 18:07:23, 5] lib/username.c:user_in_netgroup_list(315)
Unable to get default yp domain
[2005/06/21 18:07:23, 2] smbd/service.c:make_connection_snum(321)
user 'CONTORG0+aalse001' (from session setup) not permitted to
access this share (fss_web)
But if I do a getent group | grep aalse001 I get the following:
CONTORG0+testgroup:x:10026:CONTORG0+aalse001
CONTORG0+fsswebusers:x:10027:CONTORG0+aalse001
It seems that the Unix box is getting the group through winbind, so it
is either a bug or I haven't done something. Any ideas?
I am using Samba 3.0.13-1.4E.2 on a Centos 4 Linux box.
Thank you,
Pepe
This is my smb.conf:
[global]
netbios name = CONTWEB
#socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind gid = 10000-20000
workgroup = CONTORG0
#os level = 20
winbind enum groups = yes
#socket address = contweb
password server = contorg1
preferred master = no
winbind separator = +
max log size = 50
log file = /var/log/samba/log.%m
encrypt passwords = yes
dns proxy = no
realm = CONTORG.BUSSERV.MY.REALM
security = ADS
#wins server = contorg1
wins proxy = no
log level = 30
[fss_web]
comment = Controller's Office Webserver
writeable = yes
path = /var/www/html
force group = apache
force user = apache
#write list = @"CONTORG0+fsswebusers"
valid users = @CONTORG0+fsswebusers @CONTORG0+testgroup
Pepe Barbe
2005-Jun-22 16:10 UTC
[Samba] Re: Problems Authenticating users by group in Active Directory
Fiddling a little bit more I got partial success, but it is not what I wanted. It seems that Samba is able to authenticate the user if it belongs to an Organization Unit. Below you can see some entries from the log. Samba is not able to authenticate the user from the group fsswebusers, but it is able to authenticate from the group techstaff. Winbind, however, does get the information correctly:

LOG FILE:
======
[2005/06/22 11:59:18, 10] lib/username.c:user_in_list(533)
user_in_list: checking user |CONTORG0+aalse001| against |@CONTORG0+fsswebusers|
[2005/06/22 11:59:18, 5] lib/username.c:user_in_netgroup_list(315)
Unable to get default yp domain
[2005/06/22 11:59:18, 10] lib/username.c:user_in_list(533)
user_in_list: checking user |CONTORG0+aalse001| against |@CONTORG0+techstaff|
[2005/06/22 11:59:18, 5] lib/username.c:user_in_netgroup_list(315)
Unable to get default yp domain
[2005/06/22 11:59:18, 5] lib/username.c:Get_Pwnam(293)
Finding user CONTORG0+aalse001
[2005/06/22 11:59:18, 5] lib/username.c:Get_Pwnam_internals(223)
Trying _Get_Pwnam(), username as lowercase is contorg0+aalse001
[2005/06/22 11:59:18, 5] lib/username.c:Get_Pwnam_internals(251)
Get_Pwnam_internals did find user [CONTORG0+aalse001]!

WINBIND GROUPS:
=============
CONTORG0+techstaff:x:10008CONTORG0+aalse001
CONTORG0+fsswebusers:x:10027:CONTORG0+aalse001

Any ideas?
Thanks!
Pepe

On 6/21/05, Pepe Barbe <elventear@gmail.com> wrote:
> Hi,
>
> I got a Samba box that is part of an Active Directory. It is working
> with the most basic functions, but I want to start customizing the
> security a little bit more. For that I want to grant access to
> different shares by group using "valid users = @AD+group" in the
> smb.conf, but it hasn't worked.
<snip>
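Both posts above compare what smbd logs from user_in_list with what `getent group` returns, which is the right comparison to make: if the group database that winbind exposes through NSS lists the user, but the share still rejects them, the problem is in how the `valid users` entry is resolved, not in winbind. The following shell script is an added example, not code from this thread or from Samba itself. It models only the Unix-group half of the `valid users` check (smbd also tries NIS netgroups first for `@` entries, which is where the "Unable to get default yp domain" lines come from) against a constructed copy of the `getent group` output shown in the posts, and reports per entry whether the group is missing from the database, or present but without the user. The function names (`entry_status`, `share_permits`, `diagnose`) and the sample data are assumptions made for this example.

```shell
#!/bin/sh
# Added example: emulate the Unix-group part of smbd's "valid users" check
# against the group database that winbind publishes via NSS (getent group).
# This is a model for diagnosis, not Samba's own code.

# Constructed sample of `getent group` output, mirroring the posts above
# (CONTORG0+bob is an added, constructed member).
SAMPLE_GROUPS='CONTORG0+testgroup:x:10026:CONTORG0+aalse001
CONTORG0+fsswebusers:x:10027:CONTORG0+aalse001
CONTORG0+techstaff:x:10008:CONTORG0+aalse001,CONTORG0+bob'

# entry_status USER ENTRY GROUPDB prints one of:
#   ok             USER is allowed by ENTRY
#   no-such-group  ENTRY is "@group" but GROUPDB has no line for that group
#   not-member     the group exists in GROUPDB but USER is not in its member list
#   not-user       ENTRY is a literal user name that is not USER
entry_status() {
    user=$1; entry=$2; groupdb=$3
    case $entry in
        @*)
            group=${entry#@}
            # Exact match on the group-name field, so "+" in names is harmless.
            line=$(printf '%s\n' "$groupdb" | awk -F: -v g="$group" '$1 == g')
            if [ -z "$line" ]; then echo no-such-group; return; fi
            members=${line##*:}          # fourth field: comma-separated members
            if printf '%s\n' "$members" | tr ',' '\n' | grep -Fxq -- "$user"; then
                echo ok
            else
                echo not-member
            fi ;;
        *)
            if [ "$entry" = "$user" ]; then echo ok; else echo not-user; fi ;;
    esac
}

# share_permits USER VALID_USERS GROUPDB returns 0 if any entry admits USER,
# which is how a space-separated "valid users =" list behaves.
share_permits() {
    user=$1; valid_users=$2; groupdb=$3
    for entry in $valid_users; do
        [ "$(entry_status "$user" "$entry" "$groupdb")" = ok ] && return 0
    done
    return 1
}

# diagnose USER VALID_USERS GROUPDB prints "<entry> <status>" per entry,
# so a missing group can be told apart from a missing membership.
diagnose() {
    user=$1; valid_users=$2; groupdb=$3
    for entry in $valid_users; do
        printf '%s %s\n' "$entry" "$(entry_status "$user" "$entry" "$groupdb")"
    done
}

# The poster's case: the [fss_web] list checked against the sample database.
diagnose CONTORG0+aalse001 '@CONTORG0+fsswebusers @CONTORG0+testgroup' "$SAMPLE_GROUPS"
```

On a live box, replace the constructed sample with the real database, for example `diagnose "$user" "$valid_users" "$(getent group)"`, and compare the result with the user_in_list lines in the smbd log: if the script says `ok` for an entry that smbd still rejects, NSS is fine and the difference lies in smbd's own resolution of the entry. Per smb.conf(5), a leading `@` on a `valid users` entry tries an NIS netgroup first and then a Unix group, a leading `+` forces a Unix group lookup only, and `&` forces a netgroup lookup only; the script above implements the Unix-group behaviour and ignores the netgroup step.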