This is a discussion on Re: [Samba] valid users = +group doesn't work within the Samba forums, part of the Networking and Network Related category.
Hi Jerry,

Please see below.

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Leonid Zeitlin wrote:
>
>>> Is webdev in the local group mapping table?
>>
>> If I understand your question correctly, initially it
>> wasn't. Then I did "net sam mapunixgroup webdev", but
>> this didn't seem to have any effect.
>
> Correct. That was my question. In 3.0.23 and later
> Samba converts the name to a SID internally and then
> compares for that SID in the user's NT token.
>
> See below for why this matters.

Got you on this one, thanks.

>>>> Interestingly, if I specify valid users = +DOMAIN\windows_group, it
>>>> works.
>>>>
>>>> Maybe I need to configure something? Can I have valid users accept UNIX
>>>> groups?
>>>
>>> Yes. But there are some missing details in your original post.
>>> Sounds like your server is configured as a domain member server.
>>> Is the user logging in as a domain user? Or a local user?
>>
>> I suppose as a domain user. I am sitting at my Windows computer, logged in
>> to the domain as DOMAIN\lz and connecting to a share on the Unix computer.
>> The user named "lz" also exists on the Unix computer. I was thinking
>> that Samba would map DOMAIN\lz the Windows user to lz the Unix user and
>> use this user's group membership.
>
> DOMAIN\lz has a different SID and token than the local
> user "lz". Therefore the search for the local group SID
> of "webdev" will not be found in the domain user's (DOMAIN\lz)
> token. You can view the user's complete list of SIDs in the NT
> token in a level 10 smbd debug log.

I see. I observe an interesting picture here. If I specify valid users = +DOMAIN\windows_group, then I am able to access the share, and in this case I see the following in the log:

[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_nt_user_token(454)
  NT user token of user S-1-5-21-800801294-1190493330-1361462980-1010 contains 19 SIDs
  SID[ 0]: S-1-5-21-800801294-1190493330-1361462980-1010
  (... 18 more SIDs follow ... )
  SE_PRIV 0x0 0x0 0x0 0x0
[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 500
  Primary group is 500 and contains 0 supplementary groups
[2008/04/17 13:39:56, 5] smbd/uid.c:change_to_user(273)
  change_to_user uid=(500,500) gid=(0,500)

The list of SIDs actually includes the SID to which the local group webdev was mapped with "net sam mapunixgroup"! The only thing that is somewhat strange here is "contains 0 supplementary groups", since my user actually has a number of supplementary groups; however, so far so good.

Now, if I specify valid users = +webdev, I cannot access the share, and when I try, the log has something quite different:

[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2008/04/17 13:39:56, 5] smbd/uid.c:change_to_root_user(288)
  change_to_root_user: now uid=(0,0) gid=(0,0)

Maybe I'm off base here, and this is normal, but this looks strange: apparently Samba knows my user is a member of the local webdev group, yet it won't let me in based on this membership.

>>> The domain user will only get domain groups (and possibly
>>> local nested groups from winbindd) unless you explicitly
>>> map the domain\user account to a specific local Unix account.
>>
>> I guess I am getting confused here. Are "local nested groups from
>> winbindd" the Unix local groups? If yes, this is what I need, but I'm
>> failing to grasp how to make them work.
>
> No. See the "winbind nested groups" option for more details on
> local nested groups. These are the equivalent of Windows NT
> 4.0 local machine groups.

I see. But it appears to me (correct me if I'm wrong) that if a local Unix group is mapped with "net sam mapunixgroup", then it becomes a local nested group and Samba could use it in "valid users" - but apparently it doesn't, which confuses me.

BTW, I didn't mention this before, maybe it is relevant: I am using NIS on the Samba machine. So, local user lz and group webdev are not in the local passwd and group files, but come from NIS. I don't expect it to make a difference, but I'm mentioning this just in case.

Thanks a lot,
Leonid
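A small diagnostic, added here and not part of the thread or of Samba itself, that parses the debug_nt_user_token output quoted above and applies the check Jerry describes (the mapped group's SID must appear in the user's NT token), treating the "(NULL)" token and a truncated SID list as distinct outcomes. The SIDs in the sample log and WEBDEV_SID are constructed stand-ins, not values from the original post.

```python
import re

# Constructed sample in the layout of the smbd debug output quoted in the post;
# the SIDs and the count are made up, not copied from the original log.
SAMPLE_LOG = """\
[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_nt_user_token(454)
  NT user token of user S-1-5-21-800801294-1190493330-1361462980-1010 contains 3 SIDs
  SID[  0]: S-1-5-21-800801294-1190493330-1361462980-1010
  SID[  1]: S-1-5-21-800801294-1190493330-1361462980-513
  SID[  2]: S-1-5-21-3623811015-3361044348-30300820-1013
[2008/04/17 13:39:57, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
"""
# Constructed SID standing in for whatever "net sam mapunixgroup webdev" assigned.
WEBDEV_SID = "S-1-5-21-3623811015-3361044348-30300820-1013"

HDR = re.compile(r"NT user token of user (S-1-[\d-]+) contains (\d+) SIDs")
SID = re.compile(r"SID\[\s*\d+\]:\s*(S-1-[\d-]+)")
NULL = re.compile(r"NT user token: \(NULL\)")


def parse_nt_tokens(log):
    """Return one dict per token dump: {'user': sid or None, 'declared': n, 'sids': [...]}."""
    tokens, cur = [], None
    for line in log.splitlines():
        if m := HDR.search(line):
            cur = {"user": m.group(1), "declared": int(m.group(2)), "sids": []}
            tokens.append(cur)
        elif NULL.search(line):
            # smbd logged a (NULL) token: there is no SID list to search at all
            tokens.append({"user": None, "declared": 0, "sids": []})
            cur = None
        elif (m := SID.search(line)) and cur is not None:
            cur["sids"].append(m.group(1))
    return tokens


def valid_users_verdict(token, group_sid):
    """Mirror the 3.0.23+ rule: the group SID must be present in the user's NT token."""
    if token["user"] is None:
        return "no-token"        # (NULL) token: access decision cannot be group-based
    if len(token["sids"]) != token["declared"]:
        return "truncated-log"   # excerpt lost SIDs; a 'deny' here would be unreliable
    return "allow" if group_sid in token["sids"] else "deny"


if __name__ == "__main__":
    for tok in parse_nt_tokens(SAMPLE_LOG):
        print(tok["user"], valid_users_verdict(tok, WEBDEV_SID))
```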