And the correct answer is...
Using a valid users line that looks like this:
Valid users = +DOMAIN\group
Many thanks to "irda" on the #samba IRC channel.
Ben
Ben Vaughan
Globalcom IT Infrastructure Support Team
bvaughan@global-com.com
312 673 4116
-----Original Message-----
From: samba-bounces+bvaughan=global-com.com@lists.samba.org
[mailto:samba-bounces+bvaughan=global-com.com@lists.samba.org] On Behalf Of Ben
Vaughan
Sent: Tuesday, December 11, 2007 10:30 AM
To: samba@lists.samba.org
Subject: [Samba] Winbind and groups
Hello Friendly Samba People,
I have a working samba install that allows my AD users access to files on my
linux box. The linux box is configured via Winbind as a domain member and uses
Winbind as the local NSS. I can successfully resolve both users and groups from
the AD. Users are currently able to access the samba shares without trouble.
I am running into trouble when trying to use groups defined in the AD as
"valid users" or ACLs on the linux box.
Smb.conf:
[global]
security = ADS
realm = CORP.CALLGLOBALCOM.COM
workgroup = CORP
log file = /var/log/samba/%m
log level = 2
#winbind / AD stuff
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind expand groups = 2
winbind nss info = rfc2307
winbind nested groups = Yes
idmap uid range = 1000 - 30000000
idmap gid range = 100 - 30000000
idmap domains = CORP
idmap config CORP:backend = ad
idmap config CORP:default = yes
idmap config CORP:readonly = yes
[homes]
[sysadmins]
path = /tmp
writeable = yes
comment = Globalcom Sysadmins share
valid users = @gc_sysadmins
create mask = 0775
directory mask = 0775
# getent group gc_sysadmins
gc_sysadmins:*:10001:bvaughan
# getent passwd bvaughan
bvaughan:*:1812:100:Ben Vaughan, IT Systems Overlord:/home/bvaughan:/bin/bash
When trying to access the [sysadmins] share defined as above, samba logging says
this:
user 'CORP\bvaughan' (from session setup) not permitted to access this
share (sysadmins)
I see the disconnect, the "CORP\bvaughan" that samba sees here, vs the
"bvaughan" seen in the group entry. Is there a way to make these two
come together so the "valid users=" line works?
I am running samba version 3.0.25b-1.el5_1.4 as provided by RedHat.
Any help would be appreciated.
Ben
Ben Vaughan
Globalcom IT Infrastructure Support Team
bvaughan@global-com.com
312 673 4116
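
An added example, not part of the original thread and not Samba's own code: a small Python audit that lists each share's "valid users" entries from an smb.conf, classifies group prefixes as smb.conf(5) describes them (@, +, &), and notes whether a group carries a DOMAIN\ qualifier like the +DOMAIN\group form that worked above. The sample config, the share names "fixed" and "open", and the function names are constructed for illustration; a [global] "valid users" default is not considered.

```python
import shlex
# Constructed sample modelled on the thread's smb.conf; [fixed] and [open] are made up.
SAMPLE = r"""
[global]
security = ADS
[sysadmins]
valid users = @gc_sysadmins
[fixed]
Valid users = +CORP\gc_sysadmins, bvaughan
[open]
path = /srv/open
"""

# Leading-character meanings as documented in smb.conf(5).
PREFIX = {"@": "NIS netgroup, then UNIX group", "+": "UNIX group via NSS",
          "&": "NIS netgroup"}

def parse_shares(text):
    """Return {section: {param: value}}; parameter names ignore case and spaces."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current["".join(key.lower().split())] = value.strip()
    return shares

def audit(text):
    """Return (share, entry, finding) tuples for every non-global section."""
    findings = []
    for share, params in parse_shares(text).items():
        if share == "global":
            continue
        value = params.get("validusers")
        if not value:  # an empty list lets any authenticated user connect
            findings.append((share, None, "no valid users restriction"))
            continue
        # posix=False keeps the backslash in DOMAIN\group intact
        for entry in shlex.split(value.replace(",", " "), posix=False):
            entry = entry.strip('"')
            if entry[:1] in PREFIX:
                note = "domain-qualified" if "\\" in entry else "no DOMAIN\\ qualifier"
                findings.append((share, entry, f"group ({PREFIX[entry[0]]}); {note}"))
            else:
                findings.append((share, entry, "user"))
    return findings
```

Calling audit() on the text of a real smb.conf returns one tuple per entry; an unqualified group entry is only a prompt to compare against "getent group" output, as was done in the message above.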