I am attempting to get a Debian box running Samba 3.0.23d (latest from debian testing) to work with our shiny new Windows 2003 server PDC.

I can join the domain. winbind's various wbinfo commands return all the groups and users, as does getent. I can access everything from the PDC. Effectively, everything works _except_ specifying a group to 'valid users'. My smb.conf[0] is run of the mill and I see nothing out of the ordinary. 'wbinfo -g' reports[1] all the right stuff.

I made a share (accounting) and specified that the 'FOO+finance' group should have access by way of:

    valid users = +"FOO+finance"

but it doesn't work. I can remove the valid users entry from smb.conf and it mounts. I can specify individual users (e.g. "FOO+cwatson") and it works when those users connect. It ONLY FAILS when I use a group. The users I test are in the groups. I can see this on both the PDC and on the Linux box via id(1).

I've seen mention of this sporadically via Google and searching the archives. My log files contain the following information that I think may be pertinent (valid users = +"FOO\finance"):

    [2007/01/10 14:52:43, 4] smbd/reply.c:reply_tcon_and_X(668)
      Client requested device type [?????] for share [ACCOUNTING]
    [2007/01/10 14:52:43, 5] smbd/service.c:make_connection(1125)
      making a connection to 'normal' service accounting
    [2007/01/10 14:52:43, 3] lib/util_sid.c:string_to_sid(223)
      string_to_sid: Sid +FOO+finance does not start with 'S-'.
    [2007/01/10 14:52:43, 10] passdb/lookup_sid.c:lookup_name(64)
      lookup_name: FOO\finance => FOO (domain), finance (name)
    [2007/01/10 14:52:43, 10] smbd/share_access.c:user_ok_token(208)
      User MAGAZINES+cwatson not in 'valid users'
    [2007/01/10 14:52:43, 2] smbd/service.c:make_connection_snum(580)
      user 'MAGAZINES+cwatson' (from session setup) not permitted to access this share (accounting)

It doesn't seem to be checking if MAGAZINES\cwatson is even in a domain. Any ideas? I can happily provide more information...

[0] - smb.conf

    [global]
        unix charset = US-ASCII
        workgroup = FOO
        realm = FOO.COM
        password server = dc1
        server string = %h server (Samba %v)
        encrypt passwords = yes
        log level = 10
        security = ADS
        log level = 1
        syslog = 0
        use spnego = yes
        domain master = no
        local master = no
        preferred master = no
        os level = 0
        logfile = /var/log/samba/log.%m
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template shell = /bin/bash
        winbind separator = +
        winbind nested groups = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        template homedir = /home/FOO/users/%U

    [accounting]
        valid users = +"FOO+finance"
        path = /home/MCI/accounting
        writeable = yes
        read only = No

[1] wbinfo -g output

    BUILTIN+administrators
    BUILTIN+users
    domain computers
    domain controllers
    schema admins
    enterprise admins
    domain admins
    domain users
    domain guests
    group policy creator owners
    dnsupdateproxy
    technology
    finance
    pub relations
    marketing
    executives

-- 
Cory 'G' Watson
http://www.onemogin.com