samba - Sep 2006 - 'username = @group' not working correctly

Hello

I am running a Samba file server (Version 3.0.22) with 'security share'.
Here is one of my share definitions:

[archive]
        path = /var/smb/archive
        writeable = Yes
        username = @staff
        valid users = @staff

First question: In the manpage for smb.conf, it is mentioned that
'+group' expands to the Unix group named 'group'. But that does
not work
for me. Using the '@group' syntax works. Is this an error in the
documentation?

However, my actual problem is this:

I need the 'username = @group' mechanism because some of my clients do
not supply a correct username. The problem is that it does not seem to
work for most user accounts. It does work for exactly two users.

After experimenting and looking at the debug logs, I concluded that
Samba only checks the supplied password against the first two users who
are listed as members of the group 'staff' in /etc/group. After checking
the second user, it aborts. These first two users can connect to the
service fine, but all others can not.

If the relevant line in /etc/group looks like this:

staff:x:1034:foo,bar,baz

Then foo and bar can connect, baz can not. If I swap bar and baz in
/etc/group, then baz can connect and bar can not.

Is this a known problem? How do I fix this?

-- 
Ren?
OpenPGP key id: 0x63B1F5DB
JID: rene.fleschenberg@jabber.ccc.de

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: OpenPGP digital signature
Url :
http://lists.samba.org/archive/samba/attachments/20060904/11b4d894/signature.bin

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rene,
> I am running a Samba file server (Version 3.0.22) with 'security >
share'. Here is one of my share definitions:
> 
> [archive]
>         path = /var/smb/archive
>         writeable = Yes
>         username = @staff
>         valid users = @staff
> 
> First question: In the manpage for smb.conf, it is mentioned that
> '+group' expands to the Unix group named 'group'. But that
does not work
> for me. Using the '@group' syntax works. Is this an error in the
> documentation?
That makes no sense unless you are using NIS netgroups.
> However, my actual problem is this:
> 
> I need the 'username = @group' mechanism because some of 
> my clients do not supply a correct username. The
> problem is that it does not seem to work for most
> user accounts. It does work for exactly two users.
I'd suggest moving to security = user unless you can
explain exactly why you need security = share.  Security = share
is just not well suited for cases where you want to
provide authorization based on username/password pairs.






jerry
====================================================================Samba       
------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE/MOkIR7qMdg1EfYRAm5WAJ9mljhK1uS8sqUkBZ6E+B10wgUaqACff2tn
j6yNGi+IMnf4hQObUX8S83U=U1lc
-----END PGP SIGNATURE-----