Alberto Zigoni
2010-Sep-11 12:29 UTC
[Samba] Version 3.0.33-3.29.el5_5 + Winbind: UNIX group as valid users
I have set up a Centos5.5 VMWare guest with Samba and Winbind for Active Directory integration, using GUI tools. Authentication works flawlessly, with automatic home directory creation. What I want to achieve now is using local UNIX groups to control access to shared folders.

smb.conf global section:

    workgroup = COGITANS
    password server = domainserver.hq.cogitans.it
    realm = HQ.COGITANS.IT
    security = ads
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/bash
    ; template homedir = /home/%D/%U
    winbind use default domain = true
    winbind offline logon = true

The share:

    [finance]
    comment = Storage condiviso per gruppo finance
    path = /repositories/shared/finance
    public = no
    writable = yes
    browseable = yes
    valid users = +finance
    ;valid users = COGITANS\alberto
    ;force group = finance

'finance' is a local UNIX group where I added user 'COGITANS\alberto' (I also tried with 'alberto') as a secondary group (primary group is 'domain users' and it cannot be changed).

If I specify user COGITANS\alberto in valid users it works, i.e. only that user can access the share, the others get a NT_STATUS_ACCESS_DENIED error. But if I use +finance, access is denied:

    [2010/09/11 14:12:37, 10] smbd/share_access.c:user_ok_token(211)
      User COGITANS\alberto not in 'valid users'
    [2010/09/11 14:12:37, 2] smbd/service.c:make_connection_snum(617)
      user 'COGITANS\alberto' (from session setup) not permitted to access this share (finance)
    [2010/09/11 14:12:37, 3] smbd/error.c:error_packet_set(106)
      error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
    [2010/09/11 14:12:37, 5] lib/util.c:show_msg(506)
    [2010/09/11 14:12:37, 5] lib/util.c:show_msg(516)

getent group:

    finance:x:501:COGITANS\alberto

It seems like winbind cannot recognize finance as a local group. For the same reason, I guess, 'force group = finance' does not work either (files are created with 'domain users' group ownership).

My /etc/nsswitch.conf:

    passwd: files winbind
    shadow: files winbind
    group: files winbind

Grants and ownership on the '/repositories/shared/finance' folder are root:domain users with permissions 775

Any hints would be greatly appreciated.

Thanks in advance
Alberto
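
Added example, not part of the original post: a small Python parser for the smbd debug log format quoted above. It pairs each header line with its indented message and lists refused share connections together with the 'valid users' detail logged just before them. The function names and the two-line record layout are assumptions of this example; the sample lines are copied from the post's log excerpt.

```python
import re

# Sample smbd debug output, copied from the log excerpt in the post above.
SAMPLE_LOG = r"""[2010/09/11 14:12:37, 10] smbd/share_access.c:user_ok_token(211)
  User COGITANS\alberto not in 'valid users'
[2010/09/11 14:12:37, 2] smbd/service.c:make_connection_snum(617)
  user 'COGITANS\alberto' (from session setup) not permitted to access this share (finance)
[2010/09/11 14:12:37, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
[2010/09/11 14:12:37, 5] lib/util.c:show_msg(506)
"""

# Header line layout (assumed): "[date time, level] file:function(line)"
HEADER = re.compile(r"^\[(\S+ \S+),\s*(\d+)\] (\S+?):(\w+)\((\d+)\)\s*$")
DENIED = re.compile(r"user '(.+?)' \(from session setup\) not permitted "
                    r"to access this share \((.+?)\)")

def parse_records(text):
    """Group each header line with the indented message lines that follow it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"time": m.group(1), "level": int(m.group(2)),
                            "source": m.group(3), "func": m.group(4), "msg": ""})
        elif records and line.strip():
            rec = records[-1]
            rec["msg"] = (rec["msg"] + " " + line.strip()).strip()
    return records

def share_denials(records):
    """Return (time, user, share, reason) for each refused share connection."""
    out, reason = [], None
    for rec in records:
        if rec["func"] == "user_ok_token":
            reason = rec["msg"]  # detail logged just before the refusal
        m = DENIED.search(rec["msg"])
        if m:
            out.append((rec["time"], m.group(1), m.group(2), reason))
            reason = None
    return out

if __name__ == "__main__":
    for denial in share_denials(parse_records(SAMPLE_LOG)):
        print(denial)
```

The user_ok_token detail only appears when smbd logs at level 10, as in the excerpt; at lower log levels the reason field is None.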