On Tue, 2004-07-27 at 10:24, Chris wrote:
> Okay...
>
> I guess I can find ways around that then...
>
> My thanks to those who read.

It is times like this I like to point out that Microsoft's POS (ADS with Kerberos) is highly undocumented. There are many caveats. I myself have experienced similar issues with what MS throws back at samba. Case in point, I have just completed a full-on integration with Kerberos and ADS authentication from a pretty darn big Linux machine (Quad Opteron 10GB Memory and 40TB+ Clarion Disk subsystem). It is unexplainable. But, once you get it to work... it works.

My problems always start when I have to shut off error tables and stack smashing protection. It nearly ALWAYS ends up being a shared libraries issue. For winbind (what you are using) make sure the libraries it uses are put in place and/or replace the existing ones. The "make install" for some reason wouldn't (couldn't) overwrite some libraries in /lib and /lib/security

Hope this helps.

> On Friday 23 July 2004 02:02 pm, Chris wrote:
> > Hello.
> >
> > I have samba working with ADS and winbind (upgrading from nt4/samba-2.0.7
> > to w2k3/samba-3.0.4). Everything seems cool, but for one thing.
> >
> > My old homes share used to look like this:
> >
> > [homes]
> > path=%H/sam
> > valid users = +%G,%U
> > force user = %U
> > force group = %G
> > write list = +%U
> > create mask = 0770
> > directory mask = 0770
> > browseable=no
> > read only = no
> >
> > It worked beautifully. But the whole valid users thing isn't working on
> > the new system. To help troubleshoot, I used "root preexec" to dump the
> > contents of %U, %u, %G, and %g to a file.
> >
> > The values of these variables when connecting to the [homes] share as me:
> >
> > %U = username without domain (e.g. chris)
> > %u = username with domain name and domain separator (e.g. DOMAIN+chris)
> > %G = "users" --- always equal to the group "users" -- I have no clue
> > why! Sometimes, however, %G = "%G" instead of "users". I think this is
> > true for users who don't have a local unix account on the system.
> > %g = groupname with domain name and domain separator (e.g. DOMAIN+chris_)
> >
> > Here is where it gets weird.
> >
> > Because %u = DOMAIN+chris it seems I should be able to do this:
> > valid users = %u
> >
> > But it doesn't work! Once I add that line, it denies me access to the
> > share. If I comment it out, I once again have access.
> >
> > So, because %g = DOMAIN+primary_group I tried this:
> >
> > valid users = +%g (also tried valid users = @%g)
> >
> > Same thing. Doesn't grant me access. This makes absolutely no sense to
> > me.
> >
> > The use of these variables is critical to maintaining the security of the
> > server shares. Has this changed between versions? Is this a bug? Or am I
> > missing something altogether? How can I do this? I can't find anything
> > on this in the books (I have 4 samba books...) or online. It used to
> > work...
> >
> > I appreciate any help.
> >
> > Thanks!
> >
> > Chris

--
greg, [EMAIL PROTECTED]
The technology that is Stronger, better, faster: Linux
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
