Re: [Samba] valid users = +group doesn't work

This is a discussion on Re: [Samba] valid users = +group doesn't work within the Samba forums, part of the Networking and Network Related category; Hi Jerry, >> I guess my question now boils down to the following: when I access a >> ...


Go Back   Usenet Forums > Networking and Network Related > Samba

Reload this Page Re: [Samba] valid users = +group doesn't work

FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply

 

LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old 04-22-2008
Leonid Zeitlin
 
Posts: n/a
Default Re: [Samba] valid users = +group doesn't work
Hi Jerry,

>> I guess my question now boils down to the following: when I access a
>> share as domain user DOMAIN\lz, is there a way to apply "valid users"
>> check based on the Unix group membership of the Unix user "lz". From
>> what you are saying I am getting the impression that the asnwer is no;
>> is this really so?
>
> If you setup a "username map" and define "lz = DOMAIN\lz", then
> when you login as DOMAIN\lz you should only be assigned the
> groups belonging to the local user "lz". But you will not
> get the domain user's group membership.

This doesn't seem to work. The log shows:

[2008/04/22 15:51:38, 5] auth/auth_util.c:debug_nt_user_token(454)
NT user token of user S-1-5-21-3395643079-1670520419-2869919353-501
contains 4 SIDs
SID[ 0]: S-1-5-21-3395643079-1670520419-2869919353-501
SID[ 1]: S-1-1-0
SID[ 2]: S-1-5-2
SID[ 3]: S-1-5-32-546
SE_PRIV 0x0 0x0 0x0 0x0
[2008/04/22 15:51:38, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 99
Primary group is 99 and contains 0 supplementary groups

The SID and uid 99 correspond to user nobody. BTW, I am using idmap backend
= nss.

Actually, even if this works, it would be inconvenient to map every user
that needs to access the share.

I hoped Samba would treat local Unix group similar to how Windows treat
local groups. I wouldn't mind if a Unix group needed some "blessing" before
Samba uses it (i.e. a SID is somehow created for it). Is it not possible?

Thanks,
Leonid


>
>
>
>
>
> cheers, jerry
> - --
> ================================================== ===================
> Samba ------- http://www.samba.org
> Likewise Software --------- http://www.likewisesoftware.com
> "What man is a man who does not make the world better?" --Balian
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFIDdvAIR7qMdg1EfYRAsudAJ0QyxaRDc+lnJH6VdOtPN mPszKSgwCgzbE/
> u8DONjtZc1zf+wXNTuCFHgM=
> =ti50
> -----END PGP SIGNATURE-----
>

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
Reply With Quote
Reply

« Previous Thread | Next Thread »

Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
vB code is On
Smilies are Off
[IMG] code is Off
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT +1. The time now is 11:09 AM.

Contact Us - Usenet Forums - Archive - Top

Powered by vBulletin® Version 3.6.8
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.0.0