samba - Jan 2013 - security = ads, username map and valid users

I would like to use Samba (3.5.10 as supplied with RHEL6 if possible) to 
make some directories accessible as a filesystem to (some of) our developers. 
However, those directories are read and written by a web server, and all files 
and  directories in there should belong to www-data:www-data.

The obvious solution is a username map - just map everyone to www-data - but
then "valid users" or "user only" doesn't work anymore,
since those are
evaluated against the mapped user, not the username that was used to
authenticate
against ADS. I have found no combination of username map, force user/force
group,
valid users and/or username + only user that would do exactly what I want.

The closest thing so far is a username map plus a (locked) local Unix user and 
UID of www-data. However I'd prefer not to add local users.

Is there any switch that allows meaningful "valid users" together with
a
username map such as "www-data = *" ?

Thanks,


rainer

Hi there,

On Thu, 24 Jan 2013, Rainer Canavan wrote:
> I would like to use Samba (3.5.10 as supplied with RHEL6 if possible) to 
> make some directories accessible as a filesystem to (some of) our
developers.
> However, those directories are read and written by a web server, and all
files
> and  directories in there should belong to www-data:www-data.
> 
> The obvious solution is a username map ...
The username map feature is broken in current Samba 3 (although
possibly not in your preferred version) and AFAICT it is likely to
remain so for the forseeable future:

https://bugzilla.samba.org/show_bug.cgi?id=8881

My recommendation would be to avoid relying on the feature, which I
know is a royal pain because that's what I'm having to do, but if you
do find that you have to upgrade from your currently preferred version
then you might get bitten by the bug.

If enough people subscribe to the CC list on the bugzilla page maybe
it will get onto the radar screen of someone who is capable of doing
something about it.

--

73,
Ged.