Hi Jerry,

I guess my question now boils down to the following: when I access a
share as domain user DOMAIN\lz, is there a way to apply "valid users"
check based on the Unix group membership of the Unix user "lz"? From
what you are saying I am getting the impression that the answer is no;
is this really so?

If you set up a "username map" and define "lz = DOMAIN\lz", then
when you login as DOMAIN\lz you should only be assigned the
groups belonging to the local user "lz".  But you will not
get the domain user's group membership.

This doesn't seem to work. The log shows:

[2008/04/22 15:51:38, 5] auth/auth_util.c:debug_nt_user_token(454)
 NT user token of user S-1-5-21-3395643079-1670520419-2869919353-501
 contains 4 SIDs
 SID[  0]: S-1-5-21-3395643079-1670520419-2869919353-501
 SID[  1]: S-1-1-0
 SID[  2]: S-1-5-2
 SID[  3]: S-1-5-32-546
 SE_PRIV  0x0 0x0 0x0 0x0
[2008/04/22 15:51:38, 5] auth/auth_util.c:debug_unix_user_token(474)
 UNIX token of user 99
 Primary group is 99 and contains 0 supplementary groups

The SID and uid 99 correspond to user nobody. BTW, I am using idmap backend = nss.

Actually, even if this works, it would be inconvenient to map every user that needs to access the share.

I hoped Samba would treat local Unix groups similar to how Windows treats local groups. I wouldn't mind if a Unix group needed some "blessing" before Samba uses it (i.e. a SID is somehow created for it). Is it not possible?

Thanks,
 Leonid







cheers, jerry
- --
=====================================================================
Samba                                    ------- http://www.samba.org
Likewise Software          ---------  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"      --Balian

