Hi all,
I seem to be having a problem identical to this bug:
https://bugzilla.samba.org/show_bug.cgi?id=3940 in Samba 3.0.28, however the
bug is supposed to be fixed by now.

I have a Fedora 7 box joined as a member to Windows 2003 domain. All my
Windows users have accounts on the Samba machine, with the same user name in
Windows and in Unix. I have a share with valid users = +group, where group
is a Unix group. Yet, when a user who is a member of that Unix group
connects, access is denied. The messages in the log are as follows:

[2008/04/16 15:09:07, 5] smbd/service.c:make_connection(1205)
  making a connection to 'normal' service www
[2008/04/16 15:09:07, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid +webdev does not start with 'S-'.
[2008/04/16 15:09:07, 10] passdb/lookup_sid.c:lookup_name(64)
  lookup_name: UNIXBOX\webdev => UNIXBOX (domain), webdev (name)
[2008/04/16 15:09:07, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/04/16 15:09:07, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/04/16 15:09:07, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/04/16 15:09:07, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2008/04/16 15:09:07, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2008/04/16 15:09:07, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/04/16 15:09:07, 10] smbd/share_access.c:user_ok_token(211)
  User lz not in 'valid users'
[2008/04/16 15:09:07, 2] smbd/service.c:make_connection_snum(616)
  user 'lz' (from session setup) not permitted to access this share (www)

Interestingly, if I specify valid users = +DOMAIN\windows_group, it works.

Maybe I need to configure something? Can I have valid users accept UNIX
groups?

Thanks,
Leonid

Leonid Zeitlin wrote:
> Hi all,
> I seem to be having a problem identical to this bug:
> https://bugzilla.samba.org/show_bug.cgi?id=3940 in Samba 3.0.28, however the
> bug is supposed to be fixed by now.
>
> I have a Fedora 7 box joined as a member to Windows 2003 domain. All my
> Windows users have accounts on the Samba machine, with the same user name in
> Windows and in Unix. I have a share with valid users = +group, where group
> is a Unix group. Yet, when a user who is a member of that Unix group
> connects, access is denied. The messages in the log are as follows:
>
> [2008/04/16 15:09:07, 5] smbd/service.c:make_connection(1205)
>   making a connection to 'normal' service www
> [2008/04/16 15:09:07, 3] lib/util_sid.c:string_to_sid(223)
>   string_to_sid: Sid +webdev does not start with 'S-'.
> [2008/04/16 15:09:07, 10] passdb/lookup_sid.c:lookup_name(64)
>   lookup_name: UNIXBOX\webdev => UNIXBOX (domain), webdev (name)

Is webdev in the local group mapping table?

> [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:push_sec_ctx(208)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2008/04/16 15:09:07, 3] smbd/uid.c:push_conn_ctx(358)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:set_sec_ctx(241)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2008/04/16 15:09:07, 5] auth/auth_util.c:debug_nt_user_token(448)
>   NT user token: (NULL)
> [2008/04/16 15:09:07, 5] auth/auth_util.c:debug_unix_user_token(474)
>   UNIX token of user 0
>   Primary group is 0 and contains 0 supplementary groups
> [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2008/04/16 15:09:07, 10] smbd/share_access.c:user_ok_token(211)
>   User lz not in 'valid users'
> [2008/04/16 15:09:07, 2] smbd/service.c:make_connection_snum(616)
>   user 'lz' (from session setup) not permitted to access this share (www)
>
> Interestingly, if I specify valid users = +DOMAIN\windows_group, it
> works.
>
> Maybe I need to configure something? Can I have valid users accept UNIX
> groups?

Yes. But there are some missing details in your original post.
Sounds like your server is configured as a domain member server.
Is the user logging as a domain user? Or a local user?
The domain user will only get domain groups (and possible
local nested groups from winbindd) unless you explicitly
map the domain\user account to a specific local Unix account.

cheers, jerry
--
====================================================================
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian
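
A small triage helper for logs like the one in this thread, added here as an example and not part of either post or of Samba: it pairs each share denial with the `valid users` entries smbd tried to resolve just before it, and the domain each name was looked up in. The sample log is reconstructed from the excerpt above and trimmed; the function names are hypothetical.

```python
import re

# Constructed sample: part of the debug-level smbd excerpt quoted in the thread.
SAMPLE_LOG = r"""[2008/04/16 15:09:07, 5] smbd/service.c:make_connection(1205)
  making a connection to 'normal' service www
[2008/04/16 15:09:07, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid +webdev does not start with 'S-'.
[2008/04/16 15:09:07, 10] passdb/lookup_sid.c:lookup_name(64)
  lookup_name: UNIXBOX\webdev => UNIXBOX (domain), webdev (name)
[2008/04/16 15:09:07, 2] smbd/service.c:make_connection_snum(616)
  user 'lz' (from session setup) not permitted to access this share (www)
"""

# Header line of an entry: [timestamp, level] file:function(line)
HEADER = re.compile(r"^\[(\S+ \S+),\s*(\d+)\] (\S+):(\w+)\((\d+)\)\s*$")
START = re.compile(r"making a connection to '\w+' service (\S+)")
ENTRY = re.compile(r"string_to_sid: Sid (\S+) does not start with 'S-'")
LOOKUP = re.compile(r"lookup_name: (\S+) => (\S+) \(domain\), (\S+) \(name\)")
DENIED = re.compile(r"user '([^']+)' \(from session setup\) not permitted "
                    r"to access this share \((\S+)\)")

def parse_entries(text):
    """Yield (timestamp, level, function, message) for each smbd log entry."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), int(m.group(2)), m.group(4), ""]
        elif current is not None:
            # Continuation lines belong to the most recent header.
            current[3] = (current[3] + " " + line.strip()).strip()
    if current:
        yield tuple(current)

def denied_connections(text):
    """Pair each share denial with the 'valid users' entries tried before it."""
    tried, lookups, out = [], [], []
    for ts, _level, _func, msg in parse_entries(text):
        if START.search(msg):
            tried, lookups = [], []                   # new connection attempt
        elif (m := ENTRY.search(msg)):
            tried.append(m.group(1))                  # e.g. "+webdev"
        elif (m := LOOKUP.search(msg)):
            lookups.append((m.group(2), m.group(3)))  # (domain, name)
        elif (m := DENIED.search(msg)):
            out.append({"time": ts, "user": m.group(1), "share": m.group(2),
                        "entries": tried, "resolved_in": lookups})
    return out
```

Calling `denied_connections()` on the sample shows `+webdev` being resolved in the member server's own `UNIXBOX` domain before user `lz` is refused on share `www`.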