Olivier BILHAUT
2012-Nov-20 10:05 UTC
[Samba] S3 - Valid users option and AD/Ldap primary group
Hi All,

We wonder about the possibility of using the primary group of a user as an argument in the "valid users" option, in the share section of "smb.conf".

Let me explain: in an AD schema, your primary group could be, for example, 530 (Domain Users); you're not "memberof" the "Domain users" group in the LDAP schema. So winbind and/or NSS seem to have problems retrieving the membership of a user when he belongs to the primary group.

We use samba 3.5.6 joined to a samba 4 rc5 AD, and we would like to use the primary group of the users as an argument for the option "valid users". But the level 10 log gives us:

Nov 19 12:37:06 localhost smbd[23716]: [2012/11/19 12:37:06.964523, 2] smbd/service.c:598(create_connection_server_info)
Nov 19 12:37:06 localhost smbd[23716]: user 'DOMAIN/User' (from session setup) not permitted to access this share (TEST)
Nov 19 12:37:06 localhost smbd[23716]: User DOMAIN/User not in 'valid users'

For info:
When we use wbinfo -r User, it returns the primary group AND other group memberships.
When we use "getent group", the primary group is shown but is empty.

Is it simply possible?

Cheers,
--
-----------------------
*** OB ***
Service Informatique
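An added example, not part of the original message and not Samba code: a small audit helper that takes passwd- and group-format lines (as "getent passwd" and "getent group" print them) and reports users who belong to a group only through their primary GID, which is the case described above where the group's member list is empty. The account names, UIDs and GIDs are constructed sample values, and the script makes no claim about how smbd itself evaluates "valid users".

```python
# Constructed sample data in passwd(5) / group(5) format (not real accounts).
SAMPLE_PASSWD = """\
DOMAIN\\alice:*:10001:10000:Alice:/home/DOMAIN/alice:/bin/bash
DOMAIN\\bob:*:10002:10000:Bob:/home/DOMAIN/bob:/bin/bash
"""
SAMPLE_GROUP = """\
DOMAIN\\domain users:x:10000:
DOMAIN\\staff:x:10005:DOMAIN\\alice
"""

def parse_passwd(text):
    """Return {user: primary_gid} from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        users[fields[0]] = int(fields[3])   # field 4 is the primary GID
    return users

def parse_group(text):
    """Return {group: (gid, set_of_listed_members)} from group-format lines."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups

def membership(user, group, users, groups):
    """Classify how `user` belongs to `group`: 'listed', 'primary-only' or 'none'."""
    gid, listed = groups[group]
    if user in listed:
        return "listed"          # visible in the group's member list
    if users.get(user) == gid:
        return "primary-only"    # only the passwd entry links user and group
    return "none"

def primary_only_members(group, users, groups):
    """Users that a lookup based only on the group's member list would miss."""
    return sorted(u for u in users
                  if membership(u, group, users, groups) == "primary-only")

if __name__ == "__main__":
    users, groups = parse_passwd(SAMPLE_PASSWD), parse_group(SAMPLE_GROUP)
    for g in groups:
        print(g, "->", primary_only_members(g, users, groups))
```

Feeding it the real output of "getent passwd" and "getent group" from the file server lists the accounts for which a group-based share restriction depends on primary-group resolution.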
Olivier BILHAUT
2012-Nov-22 08:30 UTC
[Samba] S3 - Valid users option and AD/Ldap primary group
Dear samba list,

We did more tests on this topic and I'd like to give more details. Here's a small table illustrating our tests:

Samba version                                            | AD version   | Usage of primary group with the "valid users" option of a share
3.5.6 (debian stable)                                    | Windows 2003 | Works
3.5.6 (debian stable)                                    | Samba 4 rc 5 | Permission denied
3.6.3 (and higher - ubuntu LTS & debian backports tested) | Windows 2003 | Works
3.6.3 (and higher - ubuntu LTS & debian backports tested) | Samba 4 rc 5 | Works

If somebody knows the source of this issue, we'll be pleased to have more information. If not, we'll use the workaround of the empty "valid users" option.

Cheers,
-----------------------
*** OB ***
Service Informatique