Hi Jerry,
Thanks a lot for your quick reply. Please see below.

Hi all,
I seem to be having a problem identical to this bug:
https://bugzilla.samba.org/show_bug.cgi?id=3940 in Samba 3.0.28, however the
bug is supposed to be fixed by now.

I have a Fedora 7 box joined as a member to Windows 2003 domain. All my
Windows users have accounts on the Samba machine, with the same user name in Windows and in Unix. I have a share with valid users = +group, where group
is a Unix group. Yet, when a user who is a member of that Unix group
connects, access is denied. The messages in the log are as follows:

[2008/04/16 15:09:07, 5] smbd/service.c:make_connection(1205)
  making a connection to 'normal' service www
[2008/04/16 15:09:07, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid +webdev does not start with 'S-'.
[2008/04/16 15:09:07, 10] passdb/lookup_sid.c:lookup_name(64)
  lookup_name: UNIXBOX\webdev => UNIXBOX (domain), webdev (name)

Is webdev in the local group mapping table?

If I understand your question correctly, initially it wasn't. Then I did "net sam mapunixgroup webdev", but this didn't seem to have any effect.


[2008/04/16 15:09:07, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/04/16 15:09:07, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/04/16 15:09:07, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/04/16 15:09:07, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2008/04/16 15:09:07, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2008/04/16 15:09:07, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/04/16 15:09:07, 10] smbd/share_access.c:user_ok_token(211)
  User lz not in 'valid users'
[2008/04/16 15:09:07, 2] smbd/service.c:make_connection_snum(616)
  user 'lz' (from session setup) not permitted to access this share (www)

Interestingly, if I specify valid users = +DOMAIN\windows_group, it works.

Maybe I need to configure something? Can I have valid users accept UNIX
groups?

Yes. But there are some missing details in your original post.
Sounds like your server is configured as a domain member server.
Is the user logging in as a domain user? Or a local user?

I suppose as a domain user. I am sitting at my Windows computer, logged in to the domain as DOMAIN\lz and connecting to a share at the Unix computer. The user named "lz" also exists on the Unix computer. I was thinking that Samba would map DOMAIN\lz the Windows user to lz the Unix user and use this user's group membership.

The domain user will only get domain groups (and possibly
local nested groups from winbindd) unless you explicitly
map the domain\user account to a specific local Unix account.

I guess I am getting confused here. Are "local nested groups from winbindd" the Unix local groups? If yes, this is what I need, but I'm failing to grasp how to make them work.

Thanks,
 Leonid







cheers, jerry
- --
=====================================================================
Samba                                    ------- http://www.samba.org
Likewise Software          ---------  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"      --Balian
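
An added example, not part of the original thread: a small Python parser for the smbd debug-log format quoted above that pairs each share denial with the `valid users` entries and name lookups smbd logged just before it. The sample lines are copied from the log in the message; the function and type names are illustrative assumptions.

```python
import re
from collections import namedtuple

# Sample input assembled from the smbd log lines quoted in the thread.
SAMPLE_LOG = r"""[2008/04/16 15:09:07, 5] smbd/service.c:make_connection(1205)
  making a connection to 'normal' service www
[2008/04/16 15:09:07, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid +webdev does not start with 'S-'.
[2008/04/16 15:09:07, 10] passdb/lookup_sid.c:lookup_name(64)
  lookup_name: UNIXBOX\webdev => UNIXBOX (domain), webdev (name)
[2008/04/16 15:09:07, 10] smbd/share_access.c:user_ok_token(211)
  User lz not in 'valid users'
[2008/04/16 15:09:07, 2] smbd/service.c:make_connection_snum(616)
  user 'lz' (from session setup) not permitted to access this share (www)
"""

Record = namedtuple("Record", "when level func msg")
Denial = namedtuple("Denial", "when user share entries lookups")
HEADER = re.compile(r"^\[(\S+ \S+),\s*(\d+)\] \S+:(\w+)\(\d+\)$")

def parse(text):
    """Group each '[date time, level] file:func(line)' header with its indented message."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append(Record(m.group(1), int(m.group(2)), m.group(3), ""))
        elif line.startswith("  ") and records:
            last = records[-1]
            records[-1] = last._replace(msg=(last.msg + " " + line.strip()).strip())
    return records

def denials(records):
    """Pair each share denial with the 'valid users' entries smbd tried to resolve."""
    out, entries, lookups = [], [], []
    for r in records:
        if r.func == "make_connection":        # new connection attempt: reset state
            entries, lookups = [], []
        elif r.func == "string_to_sid":        # entry that was not a literal SID
            m = re.search(r"Sid (\S+) does not start", r.msg)
            if m: entries.append(m.group(1))
        elif r.func == "lookup_name":          # which domain the name was resolved in
            m = re.search(r"=> (\S+) \(domain\), (\S+) \(name\)", r.msg)
            if m: lookups.append((m.group(1), m.group(2)))
        elif r.func == "make_connection_snum":
            m = re.search(r"user '([^']+)' .* not permitted to access this share \((\S+)\)", r.msg)
            if m: out.append(Denial(r.when, m.group(1), m.group(2), entries, lookups))
    return out
```

Run over a level-10 log, `denials(parse(text))` shows for each refused connection which group entries were evaluated and in which domain they were looked up, here the local `UNIXBOX` domain rather than `DOMAIN`.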

