Leonid Zeitlin wrote:

>> DOMAIN\lz has a different SID and token than the local
>> user "lz". Therefore the search for the local group SID
>> of "webdev" will not be found in the domain user's (DOMAIN\lz)
>> token. You can view the user's complete list of SIDs in the NT
>> token in a level 10 smbd debug log.
>
> I see. I observe an interesting picture here. If I specify
> valid users = +DOMAIN\windows_group, then I am able
> to access the share, and in this case I see the following
> in the log:
>
> [2008/04/17 13:39:56, 5] auth/auth_util.c:debug_nt_user_token(454)
>   NT user token of user S-1-5-21-800801294-1190493330-1361462980-1010
>   contains 19 SIDs
>   SID[ 0]: S-1-5-21-800801294-1190493330-1361462980-1010
>   (... 18 more SIDs follow ... )
>   SE_PRIV 0x0 0x0 0x0 0x0
> [2008/04/17 13:39:56, 5] auth/auth_util.c:debug_unix_user_token(474)
>   UNIX token of user 500
>   Primary group is 500 and contains 0 supplementary groups
> [2008/04/17 13:39:56, 5] smbd/uid.c:change_to_user(273)
>   change_to_user uid=(500,500) gid=(0,500)
>
> The list of SIDs actually includes the SID to which the local group
> webdev was mapped with "net sam mapunixgroup"! The only thing that is
> somewhat strange here is "contains 0 supplementary groups", since my
> user actually has a number of supplementary groups; however, so far so
> good. Now, if I specify valid users = +webdev, I cannot access the share,
> and when I try, the log has something quite different:

The supplementary groups are determined by mapping the Windows group to
a gid.

I'm having to remember what we already covered, so apologies for asking
again. Are you running winbindd, or just manually mapping groups to
SIDs? Seems to be the former. If so, I think I remember we made a change
that group mapping really only honored groups in the local SAM domain of
the machine, which would explain why mapping to the domain group didn't
work. But I'm a little fuzzy on when (or if we really made that change).

>>> I guess I am getting confused here. Are "local nested groups from
>>> winbindd" the Unix local groups? If yes, this is what I need, but I'm
>>> failing to grasp how to make them work.
>>
>> No. See the "winbind nested groups" option for more details on
>> local nested groups. These are the equivalent of Windows NT
>> 4.0 local machine groups.
>
> I see. But it appears to me (correct me if I'm wrong) that
> if a local Unix group is mapped with "net sam mapunixgroup", then
> it becomes a local nested group and Samba could use
> it in "valid users" - but apparently it doesn't, which confuses me.

No. The nested group functionality is only served by Winbind.

> BTW, I didn't mention this before, maybe it is relevant: I
> am using NIS on the Samba machine. So, local user lz
> and group webdev are not in local passwd and group files,
> but come from NIS. I don't expect it to make a difference,
> but mentioning this just in case.

No difference. "Local" in this discussion is in relation to who is
authoritative for the account: e.g. either Samba (local machine) or the
Domain controller.

cheers, jerry

- --
=====================================================================
Samba                                    ------- http://www.samba.org
Likewise Software         --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?"      --Balian
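The practical check behind Jerry's advice is to read the level-10 smbd debug output and see whether the SID your "valid users = +group" entry resolves to is actually in the NT token, and whether the UNIX token picked up any supplementary gids for it. The following script is an added example written for this thread, not Samba code: it parses the two debug_nt_user_token / debug_unix_user_token records in the shape shown above and reports what they say about a given group SID. The log fragment is constructed (the user SID is the one from the thread; the other SIDs, including the one standing in for the mapped "webdev" group, are placeholders), and the parse_token / diagnose names are this example's own.

```python
"""Check a level-10 smbd debug log for the SID behind 'valid users = +group'.

Added example for the thread, not Samba's own code.  The log text below is
constructed to match the record shapes smbd prints; only the user SID is
taken from the thread, the remaining SIDs are placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample log: NT token, UNIX token and change_to_user records.
# S-1-5-21-...-3005 plays the role of the SID that 'webdev' was mapped to.
SAMPLE_LOG = """\
[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_nt_user_token(454)
  NT user token of user S-1-5-21-800801294-1190493330-1361462980-1010
  contains 4 SIDs
  SID[  0]: S-1-5-21-800801294-1190493330-1361462980-1010
  SID[  1]: S-1-5-21-800801294-1190493330-1361462980-513
  SID[  2]: S-1-1-0
  SID[  3]: S-1-5-21-800801294-1190493330-1361462980-3005
  SE_PRIV 0x0 0x0 0x0 0x0
[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 500
  Primary group is 500 and contains 0 supplementary groups
[2008/04/17 13:39:56, 5] smbd/uid.c:change_to_user(273)
  change_to_user uid=(500,500) gid=(0,500)
"""

SID = r"(S-1-\d+(?:-\d+)+)"
RE_USER_SID = re.compile(r"NT user token of user\s+" + SID)
RE_SID_COUNT = re.compile(r"contains\s+(\d+)\s+SIDs")
RE_SID_ENTRY = re.compile(r"SID\[\s*\d+\]:\s*" + SID)
RE_UID = re.compile(r"UNIX token of user\s+(\d+)")
RE_GROUPS = re.compile(r"Primary group is\s+(\d+)\s+and contains\s+(\d+)\s+supplementary groups")


@dataclass
class Token:
    """What smbd logged about one authenticated session."""
    user_sid: Optional[str] = None
    declared_sid_count: Optional[int] = None
    sids: List[str] = field(default_factory=list)   # SIDs in the NT token
    uid: Optional[int] = None
    gid: Optional[int] = None
    supplementary_groups: Optional[int] = None      # from the UNIX token


def parse_token(log_text: str) -> Token:
    """Extract the NT and UNIX token details from smbd debug output."""
    tok = Token()
    for line in log_text.splitlines():
        if m := RE_USER_SID.search(line):
            tok.user_sid = m.group(1)
        elif m := RE_SID_COUNT.search(line):
            tok.declared_sid_count = int(m.group(1))
        elif m := RE_SID_ENTRY.search(line):
            tok.sids.append(m.group(1))
        elif m := RE_UID.search(line):
            tok.uid = int(m.group(1))
        elif m := RE_GROUPS.search(line):
            tok.gid = int(m.group(1))
            tok.supplementary_groups = int(m.group(2))
    return tok


def token_has_sid(tok: Token, sid: str) -> bool:
    """True if the group SID is in the NT token (so +group can match)."""
    return sid.upper() in {s.upper() for s in tok.sids}


def diagnose(tok: Token, group_sid: str) -> Dict[str, bool]:
    """Summarise the token against a 'valid users = +group' requirement.

    unix_groups_missing flags the situation from the thread: the NT token
    carries group SIDs, but the UNIX token got no supplementary gids, so
    the group-to-gid mapping did not take effect.
    """
    return {
        "group_sid_in_nt_token": token_has_sid(tok, group_sid),
        "sid_count_matches": tok.declared_sid_count == len(tok.sids),
        "unix_groups_missing": tok.supplementary_groups == 0 and len(tok.sids) > 1,
    }


if __name__ == "__main__":
    token = parse_token(SAMPLE_LOG)
    webdev_sid = "S-1-5-21-800801294-1190493330-1361462980-3005"  # constructed
    print(f"user {token.user_sid} uid={token.uid} gid={token.gid}")
    for key, value in diagnose(token, webdev_sid).items():
        print(f"{key}: {value}")
```

Run it against a real log by replacing SAMPLE_LOG with the output of a level-10 smbd session (and the placeholder SID with whatever "net groupmap list" reports for the group); a True group_sid_in_nt_token together with unix_groups_missing points at the gid mapping rather than at the share's valid users line.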
