Stefan Froehlich
2006-Dec-28 15:50 UTC
[Samba] users via winbind and using @group in smb.conf
Hello,

I have two samba servers, A is configured as a PDC, B offers some
additional shares. B is getting usernames and passwords via winbind
from A, using the following configuration directives:

| idmap uid = 100-999
| idmap gid = 100-999
| winbind enum users = yes
| winbind enum groups = yes
| winbind use default domain = yes

This is basically working fine, local ssh login is ok, getent shows
all remote users and passwords.

Now B needs to define some additional, local groups containing the
names of remote users. In /etc/group the usernames have been added
(without the DOMAIN\ prefix, as "use default domain" is set). On the
command line, this is working as well ("groups" does show the local
group for the remote users).

But what does NOT work is to assign a samba share on B to this local
group. I tried

| valid users = @group

as well as

| valid users = @DOMAIN\group

but both ways all I get is NT_STATUS_ACCESS_DENIED.

How do I have to write this in order to get access for remote group
members in a locally defined group?

Ciao,
Stefan

--
http://kontaktinser.at/ The contact exchange for Austria - free and non-commercial
James A. Dinkel
2006-Dec-28 17:11 UTC
[Samba] users via winbind and using @group in smb.conf
> -----Original Message-----
> From: Stefan Froehlich
> Sent: Thursday, December 28, 2006 9:43 AM
>
> Hello,
>
> I have two samba servers, A is configured as a PDC, B offers some
> additional shares. B is getting usernames and passwords via winbind
> from A, using the following configuration directives:
>
> | idmap uid = 100-999
> | idmap gid = 100-999
> | winbind enum users = yes
> | winbind enum groups = yes
> | winbind use default domain = yes
>
> This is basically working fine, local ssh login is ok, getent shows
> all remote users and passwords.
>
> Now B needs to define some additional, local groups containing the
> names of remote users. In /etc/group the usernames have been added
> (without the DOMAIN\ prefix, as "use default domain" is set). On the
> command line, this is working as well ("groups" does show the local
> group for the remote users).
>
> But what does NOT work is to assign a samba share on B to this local
> group. I tried
>
> | valid users = @group
>
> as well as
>
> | valid users = @DOMAIN\group
>
> but both ways all I get is NT_STATUS_ACCESS_DENIED.
>
> How do I have to write this in order to get access for remote group
> members in a locally defined group?
>
> Ciao,
> Stefan
>

I don't see anything wrong with the little bit you've posted. You might
post your entire smb.conf.
Stefan Froehlich
2007-Jan-04 20:32 UTC
[Samba] users via winbind and using @group in smb.conf
On Thu, Jan 04, 2007 at 02:35:30PM +0100, Voelz Alexander wrote:
> > > [...] what does NOT work is to assign a samba share on B to this
> > > local group. I tried
> > > | valid users = @group
> > > as well as
> > > | valid users = @DOMAIN\group
> > > but both ways all I get is NT_STATUS_ACCESS_DENIED.
> Does wbinfo work?
> e.g. does wbinfo -g list the private group?

No, it does not - but should/must this be the case? AFAIK wbinfo only
lists groups which are known in the DOMAIN context. However, @private
is a local unix group which is only relevant to the samba process on
server B. If I use any other local group (without users imported via
winbind) they are not listed by "wbinfo -g" as well, but still they
behave as expected.

> Did you try "valid users = DOMAIN\private"?

I tried "valid users = @DOMAIN\private", (with the @ to indicate a
group) but it did not work either - which I expected because it is
not a group defined in the DOMAIN context.

Bye,
Stefan

--
http://kontaktinser.at/ Contact exchange for Austria - free and non-commercial
Michael Gasch
2007-Jan-05 11:27 UTC
[Samba] users via winbind and using @group in smb.conf
could you please try the latest samba (or at least 3.0.23c) and use
valid users = "Unix Group"\your_local_group ???

thx

Stefan Froehlich wrote:
> On Thu, Jan 04, 2007 at 02:35:30PM +0100, Voelz Alexander wrote:
>>>> [...] what does NOT work is to assign a samba share on B to this
>>>> local group. I tried
>
>>>> | valid users = @group
>
>>>> as well as
>
>>>> | valid users = @DOMAIN\group
>
>>>> but both ways all I get is NT_STATUS_ACCESS_DENIED.
>
>> Does wbinfo work?
>> e.g. does wbinfo -g list the private group?
>
> No, it does not - but should/must this be the case? AFAIK wbinfo only
> lists groups which are known in the DOMAIN context. However, @private
> is a local unix group which is only relevant to the samba process on
> server B. If I use any other local group (without users imported via
> winbind) they are not listed by "wbinfo -g" as well, but still they
> behave as expected.
>
>> Did you try "valid users = DOMAIN\private"?
>
> I tried "valid users = @DOMAIN\private", (with the @ to indicate a
> group) but it did not work either - which I expected because it is
> not a group defined in the DOMAIN context.
>
> Bye,
> Stefan
>
Stefan Froehlich
2007-Jan-05 14:42 UTC
[Samba] users via winbind and using @group in smb.conf
On Fri, Jan 05, 2007 at 12:25:35PM +0100, Michael Gasch wrote:
> could you please try the latest samba (or at least 3.0.23c) and use
> valid users = "Unix Group"\your_local_group

This does not change very much:

| [Server B]
| # smbd -V
| Version 3.0.23c-2
| # cat /etc/samba/smb.conf |grep "valid users"
| valid users = "Unix Group"\private
|
| [Client]
| $ smbclient //serverb/private -U user1
| added interface ip=192.168.1.250 bcast=192.168.1.255 nmask=255.255.255.0
| added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
| Password:
| Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.0.23c-2]
| tree connect failed: NT_STATUS_ACCESS_DENIED

Is the syntax correct, i.e. "Unix Group" has to be written as is and in
quotes?

Server B is not under my control, but I _could_ trigger an update to
3.023d if there is a somewhat realistic chance this would help. The
release notes say:

| * Fix primary group lookup failures. Use the Get_Pwnam_alloc()
|   call to ensure it finds the Unix user first.

Could this be an issue here?

Bye,
Stefan

--
http://kontaktinser.at/ Contact exchange for Austria - free and non-commercial
Michael Gasch
2007-Jan-05 14:50 UTC
[Samba] users via winbind and using @group in smb.conf
if "private" is a group, you have to add @ in front of the "valid
users" entry.

according to a post of jerry the syntax with ticks and spaces is correct.

please also increase the debug level on the server side to see why it fails

greez

Stefan Froehlich wrote:
> On Fri, Jan 05, 2007 at 12:25:35PM +0100, Michael Gasch wrote:
>> could you please try the latest samba (or at least 3.0.23c) and use
>> valid users = "Unix Group"\your_local_group
>
> This does not change very much:
>
> | [Server B]
> | # smbd -V
> | Version 3.0.23c-2
> | # cat /etc/samba/smb.conf |grep "valid users"
> | valid users = "Unix Group"\private
> |
> | [Client]
> | $ smbclient //serverb/private -U user1
> | added interface ip=192.168.1.250 bcast=192.168.1.255 nmask=255.255.255.0
> | added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
> | Password:
> | Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.0.23c-2]
> | tree connect failed: NT_STATUS_ACCESS_DENIED
>
> Is the syntax correct, i.e. "Unix Group" has to be written as is and in
> quotes?
>
> Server B is not under my control, but I _could_ trigger an update to
> 3.023d if there is a somewhat realistic chance this would help. The
> release notes say:
>
> | * Fix primary group lookup failures. Use the Get_Pwnam_alloc()
> |   call to ensure it finds the Unix user first.
>
> Could this be an issue here?
>
> Bye,
> Stefan
>
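
Added example, not part of the thread and not Samba's own code: a simplified model of how a "valid users" list is read, showing why an entry without a group prefix (as in the grep output above) is compared as a user name and never consults group membership. The /etc/group sample, the function names, the treatment of "Unix Group" as the local-group qualifier and the absence of NIS netgroups are assumptions of this model; it does not reproduce winbind lookups or explain the failure reported in the thread.

```python
# Simplified model of smb.conf "valid users" matching for local Unix groups.
# Assumptions: no NIS netgroups, no winbind; domain groups are not modelled.

# Constructed sample of /etc/group on server B (not taken from the thread).
ETC_GROUP = """\
root:x:0:
private:x:1001:user1,user2
staff:x:50:alice
"""

def parse_groups(text):
    """Map group name -> set of member names from /etc/group-style text."""
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, _gid, members = line.split(":", 3)
            groups[name] = {m for m in members.split(",") if m}
    return groups

def split_list(value):
    """Split on whitespace/commas; double quotes protect embedded spaces."""
    tokens, cur, quoted = [], "", False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch in " \t," and not quoted:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    return tokens + ([cur] if cur else [])

def allowed(user, valid_users, groups):
    """True if user matches an entry of the valid users list."""
    for token in split_list(valid_users):
        name = token.lstrip("@+&")
        prefix = token[:len(token) - len(name)]
        domain, _, short = name.rpartition("\\")
        if not prefix:
            if name == user:      # no prefix: entry is read as a user name
                return True
        elif ("@" in prefix or "+" in prefix) and domain in ("", "Unix Group"):
            if user in groups.get(short, set()):   # local Unix group lookup
                return True       # "&" alone means NIS netgroup only: skipped
    return False

GROUPS = parse_groups(ETC_GROUP)
```
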