Hi Jerry,

Thanks a lot for your quick reply. Please see below.

>> Hi all,
>> I seem to be having a problem identical to this bug:
>> https://bugzilla.samba.org/show_bug.cgi?id=3940 in Samba 3.0.28, however the
>> bug is supposed to be fixed by now.
>>
>> I have a Fedora 7 box joined as a member to Windows 2003 domain. All my
>> Windows users have accounts on the Samba machine, with the same user name in
>> Windows and in Unix. I have a share with valid users = +group, where group
>> is a Unix group. Yet, when a user who is a member of that Unix group
>> connects, access is denied. The messages in the log are as follows:
>>
>> [2008/04/16 15:09:07, 5] smbd/service.c:make_connection(1205)
>>   making a connection to 'normal' service www
>> [2008/04/16 15:09:07, 3] lib/util_sid.c:string_to_sid(223)
>>   string_to_sid: Sid +webdev does not start with 'S-'.
>> [2008/04/16 15:09:07, 10] passdb/lookup_sid.c:lookup_name(64)
>>   lookup_name: UNIXBOX\webdev => UNIXBOX (domain), webdev (name)
>
> Is webdev in the local group mapping table ?

If I understand your question correctly, initially it wasn't. Then I did "net sam mapunixgroup webdev", but this didn't seem to have any effect.

>> [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:push_sec_ctx(208)
>>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>> [2008/04/16 15:09:07, 3] smbd/uid.c:push_conn_ctx(358)
>>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>> [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:set_sec_ctx(241)
>>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
>> [2008/04/16 15:09:07, 5] auth/auth_util.c:debug_nt_user_token(448)
>>   NT user token: (NULL)
>> [2008/04/16 15:09:07, 5] auth/auth_util.c:debug_unix_user_token(474)
>>   UNIX token of user 0
>>   Primary group is 0 and contains 0 supplementary groups
>> [2008/04/16 15:09:07, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
>>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2008/04/16 15:09:07, 10] smbd/share_access.c:user_ok_token(211)
>>   User lz not in 'valid users'
>> [2008/04/16 15:09:07, 2] smbd/service.c:make_connection_snum(616)
>>   user 'lz' (from session setup) not permitted to access this share (www)
>>
>> Interestingly, if I specify valid users = +DOMAIN\windows_group, it works.
>>
>> Maybe I need to configure something? Can I have valid users accept UNIX
>> groups?
>
> yes. But there's some missing details in your original post.
> Sounds like your server is configured as a domain member server.
> is the user logging as a domain user ? Or a local user?

I suppose as domain user. I am sitting at my Windows computer, logged in to domain as DOMAIN\lz and connecting to a share at the Unix computer. The user named "lz" also exists on the Unix computer. I was thinking that Samba would map DOMAIN\lz the Windows user to lz the Unix user and use this user's group membership.

> The domain user will only get domain groups (and possible
> local nested groups from winbindd) unless you explicitly
> map the domain\user account to a specific local Unix account.

I guess I am getting confused here.
Are "local nested groups from winbindd" the Unix local groups? If yes, this is what I need, but I'm failing to grasp how to make them work.

Thanks,
Leonid

> cheers, jerry
> --
> =====================================================================
> Samba ------- http://www.samba.org
> Likewise Software --------- http://www.likewisesoftware.com
> "What man is a man who does not make the world better?" --Balian
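
An added example, not part of the original message and not Samba code: a small Python parser for the two-line smbd debug records quoted above, which pairs each share denial with the 'valid users' failure and the name lookups that preceded it. The sample log is constructed from lines in the post; all function and variable names are assumptions of this example.

```python
import re
# Constructed sample: smbd debug records taken from the log quoted in the post.
SAMPLE_LOG = r"""
[2008/04/16 15:09:07, 10] passdb/lookup_sid.c:lookup_name(64)
  lookup_name: UNIXBOX\webdev => UNIXBOX (domain), webdev (name)
[2008/04/16 15:09:07, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2008/04/16 15:09:07, 10] smbd/share_access.c:user_ok_token(211)
  User lz not in 'valid users'
[2008/04/16 15:09:07, 2] smbd/service.c:make_connection_snum(616)
  user 'lz' (from session setup) not permitted to access this share (www)
"""

# Header line: [timestamp, debug level] source_file:function(line)
HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\] "
    r"(?P<src>\S+?):(?P<func>\w+)\((?P<line>\d+)\)$")
LOOKUP = re.compile(r"lookup_name: (\S+) => (\S+) \(domain\), (\S+) \(name\)")
NOT_VALID = re.compile(r"User (\S+) not in 'valid users'")
DENIED = re.compile(r"user '([^']+)' .*not permitted to access this share \(([^)]+)\)")

def parse_records(text):
    """Group each header line with the message lines that follow it."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            records.append({**m.groupdict(), "msg": []})
        elif raw.strip() and records:
            records[-1]["msg"].append(raw.strip())
    return records

def share_denials(text):
    """Return one dict per denied share connection with its preceding context."""
    denials, lookups, failed = [], [], set()
    for rec in parse_records(text):
        msg = " ".join(rec["msg"])
        if (m := LOOKUP.search(msg)):
            lookups.append(m.group(1))      # name as smbd qualified it
        elif (m := NOT_VALID.search(msg)):
            failed.add(m.group(1))          # user failed the 'valid users' check
        elif (m := DENIED.search(msg)):
            user, share = m.groups()
            denials.append({"time": rec["ts"], "user": user, "share": share,
                            "valid_users_failed": user in failed, "names_resolved": lookups})
            lookups, failed = [], set()     # start fresh for the next connection
    return denials
```

Run over a level 10 log, `share_denials` shows for each refusal which qualified names smbd looked up while evaluating the share's access list, here `UNIXBOX\webdev` for user `lz` on share `www`.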
