Hi Jerry,
Please see below.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Leonid Zeitlin wrote:
Is webdev in the local gtroup mapping table ?
If I understand your question correctly, initally it
wasn't. Then I did "net sam mapunixgroup webdev", but
this didn't seem to have any effect.
Correct. That was my question. In 3.0.23 and later
Samba converts the name to a SID internally and then
compares for that SID in the user's NT token.
See below for why this matters.
Got you on this one, thanks.
Interestingly, if I specify valid users = +DOMAIN\windows_group, it
works.
Maybe I need to configure something? Can I have valid users accept UNIX
groups?
yes. But there's some missing details in your original post.
Sounds like your server is configured as a domain member server.
is the user logging as a domain user ? Or a local user?
I suppose as domain user. I am sitting at my Windows computer, logged in
to domain as DOMAIN\lz and connecting to a share at the Unix computer.
The user named "lz" also exists on the Unix computer. I was thinking
that Samba would map DOMAIN\lz the Windows user to lz the Unix user and
use this user's group membership.
DOMAIN\lz has a different SID and token than the local
user "lz". Therefore the search for the local group SID
of "webdev" will not be found in the domain user's (DOMAIN\lz)
token. You can view the user's complete list of SIDs in the NT
token in a level 10 smbd debug log.
I see. I observe an interesting picture here. If I specify valid users =
+DOMAIN\windows_group, then I am able to access the share, and in this case
I see the following in the log:
[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_nt_user_token(454)
NT user token of user S-1-5-21-800801294-1190493330-1361462980-1010
contains 19 SIDs
SID[ 0]: S-1-5-21-800801294-1190493330-1361462980-1010
(... 18 more SIDs follow ... )
SE_PRIV 0x0 0x0 0x0 0x0
[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 500
Primary group is 500 and contains 0 supplementary groups
[2008/04/17 13:39:56, 5] smbd/uid.c:change_to_user(273)
change_to_user uid=(500,500) gid=(0,500)
The list of SIDs actually includes the SID to which the local group webdev
was mapped with "net sam mapunixgroup"! The only thing that is somewhat
strange here is "contains 0 supplementary groups", since my user actually
has a number of supplementary groups, however, so far so good. Now, if I
specify valid users = +webdev, I cannot access the share and when I try the
log has something quite different:
[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_nt_user_token(448)
NT user token: (NULL)
[2008/04/17 13:39:56, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2008/04/17 13:39:56, 5] smbd/uid.c:change_to_root_user(288)
change_to_root_user: now uid=(0,0) gid=(0,0)
Maybe I'm off base here, and this is normal, but this looks strange:
apparently Samba knows my user is a member of local webdev group, yet it
won't let me in based on this membership.
The domain user will only get domain groups (and possible
local nested groups from winbindd) unless you explicitly
map the domain\user account to a specific local Unix account.
I guess I am getting confused here. Are "local nested groups from
winbindd" the Unix local groups? If yes, this is what I need, but I'm
failing to grasp how to make them work.
No. See the "winbind nested groups" option for more details on
local nested groups. These are the equivalent of Windows NT
4.0 local machine groups.
I see. But it appears to me (correct me if I'm wrong) that if a local Unix
group is mapped with "net sam mapunixgroup", then it becomes a local nested
group and Samba could use it in "valid users" - but apparently it doesn't,
which confuses me.
BTW, I didn't mention this before, maybe it is relevant: I am using NIS on
the Samba machine. So, local user lz and group webdev are not in local
passwd and group files, but come from NIS. I don't expect it to make a
difference, but mentioning this just in case.
Thanks a lot,
Leonid
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
