This is a discussion on Re: [Samba] valid users = +group doesn't work - Samba ; Hi Jerry, >> I guess my question now boils down to the following: when I access a >> share as domain user DOMAIN\lz, is there a way to apply "valid users" >> check based on the Unix group membership of ...
>> I guess my question now boils down to the following: when I access a
>> share as domain user DOMAIN\lz, is there a way to apply "valid users"
>> check based on the Unix group membership of the Unix user "lz". From
>> what you are saying I am getting the impression that the asnwer is no;
>> is this really so?
> If you setup a "username map" and define "lz = DOMAIN\lz", then
> when you login as DOMAIN\lz you should only be assigned the
> groups belonging to the local user "lz". But you will not
> get the domain user's group membership.
This doesn't seem to work. The log shows:
[2008/04/22 15:51:38, 5] auth/auth_util.c:debug_nt_user_token(454)
NT user token of user S-1-5-21-3395643079-1670520419-2869919353-501
contains 4 SIDs
SID[ 0]: S-1-5-21-3395643079-1670520419-2869919353-501
SID[ 1]: S-1-1-0
SID[ 2]: S-1-5-2
SID[ 3]: S-1-5-32-546
SE_PRIV 0x0 0x0 0x0 0x0
[2008/04/22 15:51:38, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 99
Primary group is 99 and contains 0 supplementary groups
The SID and uid 99 correspond to user nobody. BTW, I am using idmap backend
Actually, even if this works, it would be inconvenient to map every user
that needs to access the share.
I hoped Samba would treat local Unix group similar to how Windows treat
local groups. I wouldn't mind if a Unix group needed some "blessing" before
Samba uses it (i.e. a SID is somehow created for it). Is it not possible?
> cheers, jerry
> - --
> ================================================== ===================
> Samba ------- http://www.samba.org
> Likewise Software --------- http://www.likewisesoftware.com
> "What man is a man who does not make the world better?" --Balian
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> iD8DBQFIDdvAIR7qMdg1EfYRAsudAJ0QyxaRDc+lnJH6VdOtPN mPszKSgwCgzbE/
> -----END PGP SIGNATURE-----
To unsubscribe from this list go to the following URL and read the