Probably a error with a variable asignment that makes the for example: valid users = @management not to work with Fedora Directory Server / LDAP against the ou attribute in the /etc/samba/smb.conf file
*** Bug 4185 has been marked as a duplicate of this bug. ***
We found that this is an issue only in the X86_64 versions of Samba, starting with 3.0.23 and continuing in 3.0.24. There was a note in one of the discussions somewhere on line that got us a workaround. The "@" before the group name means Samba should check first NIS groups then Unix group. But if the "@" is changed to a "+" then the NIS check is bypassed. In the i386 versions, all of this works as advertised, but in the X86_64 versions (FC5), it fails, always. We don't use NIS, so changing all of the "@"s to "+"s fixed the problem for us. I don't know if this means the NIS logic is broker, or if the switch from NIS to Unix groups is broken. This bug does not affect /home directories.
we are seeing the problem with" valid users" doesn't work at all after 3.0.22. not just the group. if "valid user" is specified, all attempt to map/mount will be denied. if we use winbind 3.0.22 with samba 3.0.24, it works, once we change to use samba 3.0.25, it stops working. any attempt to fix this?
This may be the same as bug 5260. I've added notes there also. We have the same problem. The problem for us is evidenced by using 'valid users = +UNIXGROUP'. We've tried all documented combinations of + / @ / &, and using 'Unix Group\group', which appear in various internet threads. No success. We have determined that Samba does not appear to care about the unix group. So for instance, if we do 'valid users = +DOMAIN\group' it works as expected, only permitting users of the indicated domain group to access the share. However, using 'valid users = +unixgroup' does not work as expected. What would be expected (as it has worked in the past), is that if a user is a member of 'unixgroup', either by way of their primary group or of their full grouplist, would be able to access the share. Instead, a user can access the share if their primary group is unixgroup, however supplementary grouplist membership is ignored. Also looking for a fix. Our platform is AIX 5.3 TL7 all maint patches. Heimdal krb5 ver 1.1 and openldap current stable. Thanks, Devin Nate
I cannot reproduce this problem with Samba 3.0.28a running on Linux. Can you ensure your Samba version is up to date ? Jeremy.
Created attachment 3258 [details] build info
I can confirm up to date build. It's 3.0.28a downloaded as the single source tarball. Test on (at least) AIX 5.2 w/ current patches and AIX 5.3 w/ current patches. Operates the same on both. krb5 is heimdal 1.1, openldap 2.3.39. I've reviewed the build config, and it appears configure properly finds initgroups, setgroups, and the other functions I'd expect to see for getting suplementary group info. winbindd is running on these hosts, in proxy-only mode. AIX servers are not using the NSS functionality of winbindd.
Next step: Your smb.conf and a full debug level 10 log of smbd failing. Volker
incoming shortly (as I assemble files) Thanks, Devin Nate
Testing setup as follows: smb.conf as attached shortly. Testing using user id 'nated' Attempting to use share 'debug' Attempting to restrict access to the 'debug' share to only users in the 'testgrp' Unix Group 'debug' share references the directory /home/debugshare, which is created as follows: # ls -ald /home/debugshare drwxrws--- 2 root testgrp 256 Apr 10 12:35 /home/debugshare unix group 'testgrp' has only 1 member, user 'nated' user nated has 'testgrp' as the primary group nated:!:227:243::/home/nated:/usr/bin/ksh UNLIKE my previous comment, having my primary group or supplementary group set to testgrp does not seem to help in any way. There's probably something more to this, because having the group be the primary group has worked sometimes. Test cases: A- Test without Valid Users line 1. stop samba services (smbd,nmbd,winbindd). 2. have smb.conf without a valid users line for share 'debug' 3. Start samba services. 4. Attempt to connect to debug. [ SUCCESS ] 5. Attempt to create a file in debug share [ SUCCESS ] 6. Attempt to rename file in debug share [ FAILURE ] ????????????????????? 7. chmod 777 /home/debugshare 8. Attempt to rename file (duplicate #6) [ SUCCESS ] B- Test with Valid Users: valid users = +testgrp 1. stop samba services (smbd,nmbd,winbindd). 2. have smb.conf with a valid users line for share 'debug' 3. Start samba services. 4. Attempt to connect to debug [ FAILURE, Win Vista asks for Username & Passwd ] 5. Connect to a different share [ SUCCESS ] C- Test with Valid Users: valid users = "+Unix Group\testgrp" 1. stop samba services (smbd,nmbd,winbindd). 2. have smb.conf with a valid users line for share 'debug' 3. Start samba services. 4. Attempt to connect to debug [ FAILURE, Win Vista asks for Username & Passwd ] 5. Connect to a different share [ SUCCESS ] Commentary: It's like samba just doesn't know about Unix Group testgrp at all. it cannot write to the directory if it's mode 770 with testgrp (except it can write to it, as a file/dir create succeeds-but a move/rename fails), even though the user should be able to write to it. And if valid users are used, it really doesn't work. smb.conf to be attached right away. Thanks, Devin Nate
Created attachment 3259 [details] testing smb.conf for tests - configured for the same as debug log to follow (i.e. with valid users = +testgrp)
Created attachment 3260 [details] log files of failure, per previously attached smb.conf file These are the logfiles. Test procedure: 1. shut down smb services. 2. update smb.conf with debug level = 10 and remove max log file size 3. delete all current samba log files 4. start samba 5. connect to server at \\qaserver, get a listing of shares [ success ] 6. attempt to connect to 'debug' share [ failure, get a windows username & password window ] 7. attempt #6 again 8. shut down samba services 9. tar files and submit
Created attachment 3261 [details] these are the logfiles of a semi-success, smb.conf identical except without valid users These are the logfiles of a (semi) success WITHOUT valid users line. Test procedure: 1. shut down smb services. 2. update smb.conf with debug level = 10 and remove max log file size 3. delete all current samba log files 4. start samba 5. connect to server at \\qaserver, get a listing of shares [ success ] 6. attempt to connect to 'debug' share [ success ] 7. attempt to create file [ success ] 8. attempt to rename file [ FAILURE ] ?????????????????????????? 9. shut down samba services 10. tar files and submit
This pretty much works as designed. You logged in as CLINICARE\nated who from Samba's point of view has nothing to do with the user nated in /etc/passwd except that the uid is used. This is the big change that came with 3.0.25, and it was necessary as more and more bugs and unexpected behaviour due to the ambiguities with names. SIDs are much more reliable. You have two options: Use a group in CLINICARE, or add local groups to group mapping using net sam createlocalgroup & friends. Volker
Hmm, a couple questions. I've played around with the net sam createlocalgroup, and net groupmap commands, etc., and couldn't find a way to accomplish what I was looking for. In particular, all I found I could do was create a local group, and then I still had to manually add users to to the local group (i.e. I couldn't create a local group and have the group membership inherited from /etc/group / /etc/passwd. To your point that CLINICARE\nated has nothing to do with the /etc/passwd entry of nated, I somewhat agree. But somewhere samba is figuring out to map CLINICARE\nated -> unix\nated because all files get created with that UID. I can conceptually understand that a domain user has nothing to do with a local user, except for the part where the local userid gets used. So my question is, if it already does a become_user(nated), why doesn't it handle the groups. (as a development shop, I can understand that things change- but if there's a possibility for this to work, then I'll try to ask ;) As an alternative interface, assuming your answer might have been what the answer was.. I was wondering about an alternative command. For example, use a different symbol to represent the unix group (e.g. valid users = %unixgrp). Furthermore, that was only 1 bug encountered in testing. User CLINICARE\nated. The share permissions itself prevented renaming a file, but creation and saving to the document were unaffected. That doesn't seem correct. Finally, I guess my question is: is this new model the direction of samba, or is it a temporary development situation? Is this the definitive answer for how samba >= 3.0.25 is going to operate. How about Samba 3.2.0? If this is the new model, it basically means that when using Samba+ADS, the Unix shares essentially need to be mode 777, or some use of force user/force group need to be employed. Both are rather ugly interfaces, almost making Samba+ADS without NSS a non-deployable option (yes, I realize that's my opinion). If this is the case, can I suggest at least a mention in the smb.conf(5) documentation indicating how valid users actually gets applied. Thanks, Devin Nate
You should be able to trigger access checks via /etc/group by mapping users with the username map option. If you put a mapping into the user name map for each user in /etc/passwd you will lose the domain groups, but you will gain the local nss groups. And generating the username map along the lines nated = DOMAIN\nated (or "nated = nated", just try it) should be a simple awk job. Hope that helps, Volker
comment #14 says: works as designed. closing out.