RE: [Samba] Winbind and groups
And the correct answer is... Using a valid users line that looks like this:

    Valid users = +DOMAIN\group

Many thanks to irda on the #samba IRC channel.

Ben

Ben Vaughan
Globalcom IT Infrastructure Support Team
[EMAIL PROTECTED]
312 673 4116

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ben Vaughan
Sent: Tuesday, December 11, 2007 10:30 AM
To: samba@lists.samba.org
Subject: [Samba] Winbind and groups

Hello Friendly Samba People,

I have a working samba install that allows my AD users access to files on my linux box. The linux box is configured via Winbind as a domain member and uses Winbind as the local NSS. I can successfully resolve both users and groups from the AD. Users are currently able to access the samba shares without trouble.

I am running into trouble when trying to use groups defined in the AD as valid users or ACLs on the linux box.

Smb.conf:

[global]
    security = ADS
    realm = CORP.CALLGLOBALCOM.COM
    workgroup = CORP
    log file = /var/log/samba/%m
    log level = 2

    # winbind / AD stuff
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind expand groups = 2
    winbind nss info = rfc2307
    winbind nested groups = Yes
    idmap uid range = 1000 - 3000
    idmap gid range = 100 - 3000
    idmap domains = CORP
    idmap config CORP:backend = ad
    idmap config CORP:default = yes
    idmap config CORP:readonly = yes

[homes]

[sysadmins]
    path = /tmp
    writeable = yes
    comment = Globalcom Sysadmins share
    valid users = @gc_sysadmins
    create mask = 0775
    directory mask = 0775

# getent group gc_sysadmins
gc_sysadmins:*:10001:bvaughan

# getent passwd bvaughan
bvaughan:*:1812:100:Ben Vaughan, IT Systems Overlord:/home/bvaughan:/bin/bash

When trying to access the [sysadmins] share defined as above, samba logging says this:

user 'CORP\bvaughan' (from session setup) not permitted to access this share (sysadmins)

I see the disconnect, the CORP\bvaughan that samba sees here, vs the bvaughan seen in the group entry. Is there a way to make these two come together so the valid users= line works?

I am running samba version 3.0.25b-1.el5_1.4 as provided by RedHat.

Any help would be appreciated.

Ben

Ben Vaughan
Globalcom IT Infrastructure Support Team
[EMAIL PROTECTED]
312 673 4116

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Winbind and groups
You are welcome :-)

On Tue, 2007-12-11 at 11:51 -0600, Ben Vaughan wrote:
> And the correct answer is... Using a valid users line that looks like this:
>
>     Valid users = +DOMAIN\group
>
> Many thanks to irda on the #samba IRC channel.
>
> Ben
>
> Ben Vaughan
> Globalcom IT Infrastructure Support Team
> [EMAIL PROTECTED]
> 312 673 4116

--
Simo Sorce
Samba Team GPL Compliance Officer
[EMAIL PROTECTED]
Senior Software Engineer at Red Hat Inc.
[EMAIL PROTECTED]
Re: [Samba] Winbind nested groups not working
On Jan 18, 2007, at 6:54 AM, Gerald (Jerry) Carter wrote:

> The nest group functionality is for a local BUILTIN\Administrators or
> MACHINE\localgrp type of group. The patch in question I was referring
> to was to expand local group membership in getgrnam(). These are
> different things. Not sure which one you are looking for if either.

Hrm, then I'm not quite sure either. Here's the goal -- Samba is acting as a member file server in an AD domain. In addition to the domain containing Samba, there are two other domains in the AD forest. All three domains have full trust between them. Each domain has a Global Security Group called ACAD_ENGR. Samba sees them as DOM1+ACAD_ENGR, DOM2+ACAD_ENGR, and DOM3+ACAD_ENGR.

I'd like members from all three groups to have write access to a particular directory. This needs to be done with filesystem permissions, not share permissions, because underneath each directory there are further subdirectories that have varying access rights matched to other groups in the three domains.

Thoughts? Is this possible with Samba? Under Windows there would be two ways to achieve it:

1) Assign all three ACAD_ENGR groups rights to each folder. In theory, this could be achieved in Linux by using ACLs. But it is not an easily manageable solution - should we add a fourth domain, we would have to go back and add it to every folder.

2) In the domain where the files are actually hosted, create a Domain Local group and then add the ACAD_ENGR groups from each domain to it. Then assign rights on the filesystem to the single Domain Local group. This is considered the best practice - down the road, adding or removing access is as simple as a group membership change.

Number 2 is what I'm trying to do, but Samba doesn't seem to allow it. I cannot see the Domain Local group through wbinfo -g. I *can* explicitly pull its ID with getent group DOM1+localgroup, but it shows as having no members. Since getent sees it, I can assign it as group owner of a directory, but Samba will not let any of the members have access.

Am I just doing something wrong?

--
Joshua Penix    http://www.binarytribe.com
Binary Tribe
Linux Integration Services
Network Consulting
Re: [Samba] winbind + nested groups in ssh = permission denied
> so that anyone that is a member of one of the 4 groups should be able to
> create new files in the /data/workpapers directory. Getent group shows
> members of all groups, except the workpaper admins group

You'll find that getent group doesn't list users within nested groups, but Samba should pick up nested groups and obey them with regard to filesystem permissions.

> Now the strange thing is, some members of the 4 groups can create new
> files in that folder, and some get permission denied. I can't find a
> pattern.

When did you add the users to these groups? I have to completely shut down Samba and restart before any group changes are recognised, so if you added some users to this group after you started Samba that could explain why.

Also make sure getent group works for all of the subgroups. I assume you have winbind nested groups = yes in smb.conf?

Cheers,
Adam.
Re: [Samba] Winbind and groups
Do you have a valid users line? It may override write list.

I'd recommend:

    valid users = bob, @GILMAN+techs
    read only = yes
    write list = @GILMAN+techs

(There is also a param: read list or some such)

-Tom

Mark Carrara wrote:
| Yes getent group shows all of my Windows groups and users. Also wbinfo
| -g shows all of the Windows groups
|
| Mark
|
| At 07:11 PM 9/8/2003 -0400, you wrote:
|
| Does the command getent group work?
|
| You should see the group as a unix group with members.
|
| -Tom
|
| Mark Carrara wrote:
| | I am using Samba ver 2.2.8 as a domain member server. I am using
| | Winbind for user authorization. I have my home shares working as they
| | should but I am having trouble with a Share that should be read only for
| | most users and read write for members of the techs group
| | (a NT group).
| |
| | in my smb.conf file I tried both:
| | Write List = @GILMAN+techs (GILMAN is the domain, + is the winbind
| | separator)
| | and
| | Write List = @techs
| |
| | neither worked. What am I doing incorrectly?
| |
| | Note, when I do a smbstatus the group is reported as GILMAN+techs
| |
| | Mark
| |
| | Mark Carrara
| | Technology Coordinator
| | School District of Gilman
| | Gilman, WI
|
| Mark Carrara
| Technology Coordinator
| School District of Gilman
| Gilman, WI
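Two things go wrong in this thread: a group written in a form NSS does not know (@techs when getent group reports GILMAN+techs), and a valid users line that rejects people named in write list before the write check is ever reached. The script below is an added example, not code from the thread or from the Samba project; the smb.conf fragment and the GETENT_GROUP table are constructed, with GETENT_GROUP standing in for what `getent group` would return on the member server.

```python
import re
# Constructed smb.conf fragment modelled on this thread (not from any real server).
SMB_CONF = """
[global]
   winbind separator = +
[techdocs]
   valid users = bob, @GILMAN+techs
   write list = @techs, @GILMAN+techs, @GILMAN+admins
"""
# Constructed stand-in for `getent group` on the member server: group -> members.
GETENT_GROUP = {
    "GILMAN+techs": {"GILMAN+mark", "GILMAN+alice"},
    "GILMAN+admins": {"GILMAN+root1"},
}

def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {lowercased parameter: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def split_list(value):
    """Samba splits name lists on commas and whitespace."""
    return [x for x in re.split(r"[,\s]+", value) if x]
def unresolved_groups(section, key):
    """Group entries (@name / +name) getent cannot resolve, e.g. '@techs' when getent shows 'GILMAN+techs'."""
    return sorted(e for e in split_list(section.get(key, ""))
                  if e[0] in "@+" and e[1:] not in GETENT_GROUP)

def members_of(entry):
    """Users one list entry admits ('&' netgroup entries are not modelled here)."""
    if entry[0] in "@+":
        return set(GETENT_GROUP.get(entry[1:], ()))
    return set() if entry[0] == "&" else {entry}
def shadowed_writers(section):
    """'write list' users a 'valid users' line rejects before the write check ever runs."""
    if "valid users" not in section:
        return set()
    allowed = set().union(*map(members_of, split_list(section["valid users"])))
    writers = set().union(*map(members_of, split_list(section.get("write list", ""))))
    return writers - allowed
```

Run it against the real file with `parse_smb_conf(open("/etc/samba/smb.conf").read())` and replace GETENT_GROUP with a dict built from `getent group` output on the server; an unresolved entry or a non-empty shadowed set is a configuration bug to fix before users report "permission denied".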
Re: [Samba] Winbind and groups
Does the command getent group work?

You should see the group as a unix group with members.

-Tom

Mark Carrara wrote:
| I am using Samba ver 2.2.8 as a domain member server. I am using
| Winbind for user authorization. I have my home shares working as they
| should but I am having trouble with a Share that should be read only for
| most users and read write for members of the techs group
| (a NT group).
|
| in my smb.conf file I tried both:
| Write List = @GILMAN+techs (GILMAN is the domain, + is the winbind
| separator)
| and
| Write List = @techs
|
| neither worked. What am I doing incorrectly?
|
| Note, when I do a smbstatus the group is reported as GILMAN+techs
|
| Mark
|
| Mark Carrara
| Technology Coordinator
| School District of Gilman
| Gilman, WI
Re: [Samba] Winbind and groups
Hi!

Actually I had a similar situation and was using winbind, which turned out to be unreliable and _very_ moody. Recently, I've decided to give up winbind and move to NIS and I'm really happy with it - no problems with groups, delicate wb's tdb files and other stuff.

For further info read NIS-HOWTO which can be found at (e.g.) http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/NIS-HOWTO.html

cheers :)
konik