> Hello,
> 
> We have the following environment:
> 
> Win2k AD with an "endless" number of groups (should be more than 1000), on
> the other site solaris9 samba3.0.7 compiled with all relevant options,
> winbind, ads and so on. Installation is ok, we joined the AD domain w/o
> problems, getent * shows everything as expected,
> same for wbinfo.
> 
> The big remaining problem is that we want to restrict access to shares to
> given AD groups this way:
> 
> valid users = @ADDOMAIN+ADGROUP
> 
> That doesn't work in any combination; the other way
> 
> valid users = @ADDOMAIN+ADUSERNAME
> 
> works without any problem.
> 
> There is no user or group mapping at all.
> 
> ----------------------- output from level 10 log -----------------------
> 
> 2004/10/21 17:16:44, 10] lib/username.c:user_in_list(533)
>   user_in_list: checking user |WW300+atw113c9| against |admoss|
> [2004/10/21 17:16:44, 10] lib/username.c:user_in_list(533)
>   user_in_list: checking user |WW300+atw113c9| against |ww300+csi|
> [2004/10/21 17:16:44, 10] lib/username.c:user_in_list(610)
>   user_in_list: checking if user |WW300+atw113c9| is in winbind group
> |ww300+csi|
> [2004/10/21 17:16:49, 10] lib/username.c:user_in_winbind_group_list(412)
>   user_in_winbind_group_list: using groups -- 30001 30002 30003 30004
> 30005 30006 30007 30008 30009 300
> 10 30011 30012 30013 30014 30015 30016
> [2004/10/21 17:16:49, 2] smbd/service.c:make_connection_snum(314)
>   user 'WW300+atw113c9' (from session setup) not permitted to access this
> share (pst)
> [2004/10/21 17:16:49, 3] smbd/error.c:error_packet(129)
> -------------------------------------------------------------------------
> 
> 
> I think winbind can only reflect the first 16 or 17 groups.
> user_in_list checks the right group name, in this case ww300+admoss, but
> user_in_winbind_group_list shows only the first 16 mapped groups; as we
> have more than 1000 or 2000 and nested groups, I can never be authenticated.
> 
> my uid range is 100000-120000
>       gid range is  30000-50000
> 
> Now my second question: the only workaround in this situation is to do a
> valid user statement for every user who should connect.
> So is there a limitation to the string length of valid users = ?
> I fear I need 4 to 500 users in all....
> 
> Any help or workaround is pretty appreciated 
> 
> 
> 
> kind regards          martin  schreiber
> 
> 
> 
> 
> 
> 
>       Siemens Business Services
>       CCN-ITS Betrieb Wien GUD
>  
>       Gudrunstrasse 11
>       A-1101 Wien
>  
>       Martin Schreiber                        
>       Phone   +43 5 1707 47565
>       Server-Administration   
>       Fax     +43 5 1707 57560
>       mailto:[EMAIL PROTECTED]
>       http://www.sbs.at
> 
> 
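An added diagnostic sketch (not part of the original post and not Samba code) that scans a level-10 smbd log for the pattern shown in the message: a winbind group check, the gid list actually used, then a share denial. The function name, the `cap=16` default (taken from the poster's estimate) and the sample log, which is constructed, are assumptions.

```python
import re

# Constructed sample in the format of the level-10 smbd log quoted above
# (gid list unwrapped onto one line; user names and gids are illustrative).
SAMPLE_LOG = """\
[2004/10/21 17:16:44, 10] lib/username.c:user_in_list(610)
  user_in_list: checking if user |DOM+alice| is in winbind group |dom+staff|
[2004/10/21 17:16:49, 10] lib/username.c:user_in_winbind_group_list(412)
  user_in_winbind_group_list: using groups -- 30001 30002 30003 30004 30005 30006 30007 30008 30009 30010 30011 30012 30013 30014 30015 30016
[2004/10/21 17:16:49, 2] smbd/service.c:make_connection_snum(314)
  user 'DOM+alice' (from session setup) not permitted to access this share (pst)
[2004/10/21 17:17:02, 10] lib/username.c:user_in_list(610)
  user_in_list: checking if user |DOM+bob| is in winbind group |dom+staff|
[2004/10/21 17:17:02, 10] lib/username.c:user_in_winbind_group_list(412)
  user_in_winbind_group_list: using groups -- 30001 30007
[2004/10/21 17:17:02, 2] smbd/service.c:make_connection_snum(314)
  user 'DOM+bob' (from session setup) not permitted to access this share (pst)
"""

CHECK = re.compile(r"checking if user \|(.+?)\| is in winbind group \|(.+?)\|")
GROUPS = re.compile(r"using groups -- ([\d\s]+)")
DENIED = re.compile(r"user '(.+?)' .*not permitted to access this share \((.+?)\)")

def find_truncated_denials(log_text, cap=16):
    """Return share denials, flagging those where the gid list reached `cap`.

    `cap` is an assumption (the poster's estimate of 16). A list that long
    suggests the membership check ran against a truncated group list.
    """
    findings, user, group, gids = [], None, None, []
    # Join indented continuation lines onto their "[date, level]" header line.
    for rec in re.sub(r"\n[ \t]+", " ", log_text).splitlines():
        if m := CHECK.search(rec):
            user, group, gids = m.group(1), m.group(2), []
        elif m := GROUPS.search(rec):
            gids = [int(g) for g in m.group(1).split()]
        elif (m := DENIED.search(rec)) and m.group(1) == user:
            findings.append({"user": user, "share": m.group(2), "group": group,
                             "gid_count": len(gids), "truncated": len(gids) >= cap})
            user = None
    return findings

if __name__ == "__main__":
    for finding in find_truncated_denials(SAMPLE_LOG):
        print(finding)
```

A denial with `truncated` set is a candidate for the group-list limit described in the message; one without it points to an ordinary non-membership.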