I've just set up a brand new Debian/Lenny machine with Samba 3.2.0. Our old setup previously used Samba 3.0.14a (Debian/Etch). The problem is that we now are no longer able to restrict, i.e., cups printers to a certain user group (in the printers.conf with @group). The problem is most certainly caused by the fact that we use "winbind use default domain". With the setting enabled things work ok for, i.e., "getent passwd"; we get entries like:

    wassenaar:*:17456:10513:Wassenaar, R.:/mnt/data:/usr/bin/scponly
    weel:*:17457:10513:Weel, A. van der:/mnt/data:/usr/bin/scponly
    werf:*:17458:10513:Werf, R. van der:/mnt/data:/usr/bin/scponly
    wiegerinck:*:17459:10513:Wiegerinck, E.:/mnt/data:/usr/bin/scponly
    heuvelman:*:12868:10513:Heuvelman, J.L. Th. mw.:/mnt/data:/usr/bin/scponly

But when we issue "getent group", we get entries like:

    manage_fmd_printers:x:11445:PHYSICS+Egmondr,PHYSICS+Verpoorten
    tekendocent:x:12910:PHYSICS+Fasseur,PHYSICS+Heuvelman,PHYSICS+Meerh,PHYSICS+Verpoorten,PHYSICS+Vos

As you can see, the group name is without the domain name (PHYSICS+) but the users in the group are. This causes applications like cups to be confused as they don't understand user "Heuvelman" is in the group "tekendocent", so using @manage_fmd_printers in /etc/cups/printers.conf doesn't work as the names mismatch.
Oh, the relevant settings in my smb.conf look like this:

    idmap domains = PHYSICS
    idmap config PHYSICS:default = yes
    idmap config PHYSICS:backend = rid
    idmap config PHYSICS:base_rid = 0
    idmap config PHYSICS:range =10000-60000
    allow trusted domains = no
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind nested groups = no
    winbind separator = +
    winbind offline logon = true
    winbind refresh tickets = true
    template homedir = /mnt/data
    template shell = /usr/bin/scponly
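The mismatch reported above can be checked mechanically. The following is an added example, not part of the original report or of Samba: it compares group member names against passwd login names and says whether each one fails on the domain prefix, on letter case, or both. The account and group names in the sample are constructed; only the PHYSICS domain and the "+" separator come from the report.

```python
# Constructed sample input, shaped like the getent output quoted in the report.
PASSWD = """\
jansen:*:17456:10513:Jansen, A.:/mnt/data:/usr/bin/scponly
devries:*:17457:10513:Vries, B. de:/mnt/data:/usr/bin/scponly
"""
GROUP = """\
printer_admins:x:11445:PHYSICS+Jansen,PHYSICS+devries,jansen,PHYSICS+Smit
"""
SEPARATOR = "+"  # "winbind separator" value from the quoted smb.conf


def passwd_names(text):
    """Return the set of login names (first field) from passwd-format lines."""
    return {line.split(":", 1)[0] for line in text.splitlines() if line.strip()}


def group_members(text):
    """Map group name -> member list (fourth field) from group-format lines."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 4:
            continue  # blank or malformed line
        groups[fields[0]] = [m for m in fields[3].split(",") if m]
    return groups


def classify(member, users, sep=SEPARATOR):
    """Describe how a group member name relates to the passwd login names."""
    if member in users:
        return "match"
    prefixed = sep in member
    short = member.split(sep, 1)[1] if prefixed else member
    if short in users:
        return "domain-prefix"
    if short.lower() in {u.lower() for u in users}:
        return "domain-prefix+case" if prefixed else "case"
    return "unknown"


def audit(passwd_text, group_text):
    """Return {group: {member: classification}} for every group line."""
    users = passwd_names(passwd_text)
    return {g: {m: classify(m, users) for m in members}
            for g, members in group_members(group_text).items()}


if __name__ == "__main__":
    for group, members in audit(PASSWD, GROUP).items():
        for member, verdict in members.items():
            print(f"{group}: {member} -> {verdict}")
```

On a live host, feed audit() the saved output of "getent passwd" and "getent group" instead of the constructed strings.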
I've got this one.
As a workaround I moved the group policies from cups to smb.conf (until this gets fixed) but now I've stumbled onto another bug which is (I guess) also related to this problem. When using the "valid users" option in smb.conf, using just "valid users = @windows_group" doesn't work; you MUST use "valid users = @"DOMAIN\windows_group". IMHO when "use default domain = yes" one should never be forced to use the "DOMAIN\" in front of usernames & groups, right?
(In reply to comment #3)
> IMHO when "use default domain = yes" one should never
> be forced to use the "DOMAIN\" in front of usernames & groups, right?
>

No. "Winbind use default domain" only applies to pam logins and should be reported back from NSS. Always use fully qualified names in smb.conf. This has been a documented recommendation since Samba 3.0.8.
*** This bug has been marked as a duplicate of 5571 ***