The Samba-Bugzilla – Bug 5689
"Use default domain" not applied for users with "getent group"
Last modified: 2008-09-29 13:59:57 UTC
I've just set up a brand new Debian/Lenny machine with Samba 3.2.0. Our old setup previously used Samba 3.0.14a (Debian/Etch). The problem is that we now are no longer able to restrict i.e. cups printers to certain user groups (in the printers.conf with @group). The problem is most certainly caused by the fact that we use "winbind use default domain". With the setting enabled things work ok for i.e. "getent passwd", we get entries like:
weel:*:17457:10513:Weel, A. van der:/mnt/data:/usr/bin/scponly
werf:*:17458:10513:Werf, R. van der:/mnt/data:/usr/bin/scponly
heuvelman:*:12868:10513:Heuvelman, J.L. Th. mw.:/mnt/data:/usr/bin/scponly
But when we issue "getent group", we get entries like:
As you can see, the group name is without the domain name (PHYSICS+) but the users in the group are. This causes applications like cups to be confused as they don't understand user "Heuvelman" is in the group "tekendocent", so using @manage_fmd_printers in /etc/cups/printers.conf doesn't work as the names mismatch.
Oh, the relevant settings in my smb.conf look like this:
idmap domains = PHYSICS
idmap config PHYSICS:default = yes
idmap config PHYSICS:backend = rid
idmap config PHYSICS:base_rid = 0
idmap config PHYSICS:range =10000-60000
allow trusted domains = no
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = no
winbind separator = +
winbind offline logon = true
winbind refresh tickets = true
template homedir = /mnt/data
template shell = /usr/bin/scponly
I've got this one.
As a workaround I moved the group policies from cups to smb.conf (until this gets fixed) but now I've stumbled onto another bug which is (I guess) also related to this problem. When using the "valid users" option in smb.conf using just "valid users = @windows_group" doesn't work, you MUST use "valid users = @"DOMAIN\windows_group"". IMHO when "use default domain = yes" one should never be forced to use the "DOMAIN\" in front of usernames & groups, right?
(In reply to comment #3)
> IMHO when "use default domain = yes" one should never
> be forced to use the "DOMAIN\" in front of usernames & groups, right?
No. "Winbind use default domain" only applies to pam logins and should be
reported back from NSS. Always use fully qualified names in smb.conf. This has been a
documented recommendation since Samba 3.0.8.
*** This bug has been marked as a duplicate of 5571 ***
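The mismatch described in the original report (passwd names without the domain prefix, group members with it) can be audited from saved "getent" output. The following is an added example, not part of the bug report or of Samba; the group lines, GIDs and the "localadmins"/"ghost" entries are constructed sample data, and the function names are hypothetical.

```python
"""Flag NSS group members that do not match any passwd login name."""

SEPARATOR = "+"  # 'winbind separator' from the smb.conf in the report

# Constructed sample data in getent format. The passwd lines come from the
# report; the group lines and GIDs are invented to match its description.
PASSWD = """\
weel:*:17457:10513:Weel, A. van der:/mnt/data:/usr/bin/scponly
heuvelman:*:12868:10513:Heuvelman, J.L. Th. mw.:/mnt/data:/usr/bin/scponly
"""
GROUP = """\
tekendocent:x:20001:PHYSICS+heuvelman
manage_fmd_printers:x:20002:PHYSICS+weel,PHYSICS+heuvelman
localadmins:x:1001:weel,ghost
"""

def parse_names(passwd_text):
    """Return the set of login names from 'getent passwd' output."""
    return {l.split(":", 1)[0] for l in passwd_text.splitlines() if l.strip()}

def parse_groups(group_text):
    """Return {group: [members]} from 'getent group' output."""
    groups = {}
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        groups[fields[0]] = [m for m in fields[3].split(",") if m]
    return groups

def find_mismatches(passwd_text, group_text, sep=SEPARATOR):
    """List (group, member, reason) for members unknown to passwd."""
    names = parse_names(passwd_text)
    findings = []
    for group, members in parse_groups(group_text).items():
        for member in members:
            if member in names:
                continue  # member resolves; group checks will match
            short = member.split(sep, 1)[-1]
            if sep in member and short in names:
                reason = "domain-qualified; passwd has '%s'" % short
            else:
                reason = "no passwd entry"
            findings.append((group, member, reason))
    return findings

if __name__ == "__main__":
    for group, member, reason in find_mismatches(PASSWD, GROUP):
        print("%s: %s (%s)" % (group, member, reason))
```

Every "domain-qualified" finding marks a group whose @group access rule (cups or "valid users") will not match the user's login name as NSS reports it.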