Red Hat Bugzilla – Bug 419901
Regression: "valid users = +groupname" broke for ldap group
Last modified: 2007-12-11 11:57:42 EST
Description of problem:
After applying latest samba security update, "valid users = +groupname" doesn't
properly detect group membership for a group in LDAP.
passwd: files ldap
group: files ldap
If I su to my username:
[root@docs log]# su - parsledl
[parsledl@docs ~]$ groups
Medicat Users ITDocs_Users network
However, a share protected with "valid users = +ITDocs_Users" won't allow user
parsledl to connect unless I comment out that line. This was working prior to
this morning's update.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Configure groups in LDAP w/ nss_ldap and in nsswitch.conf
2. Add a user to an LDAP group, e.g. ITDocs_Users
3. Protect a share with "valid users = +ITDocs_Users"
4. Try connecting to the share
Connection allowed based on group membership.
If I look up the samba process with smbstatus, /proc/$pid/status only shows
primary group membership from /etc/passwd, and no other groups.
This is a security issue, since I have to comment out the valid users line to
As stated in the release notes, the syntax of valid users and other options that
list users has been made stricter (it also had security implications).
The syntax you are using was already discouraged, but now it is mandatory to use
a fully qualified user/group name.
It is required to use DOMAIN\<user/group>
DOMAIN can also be the machine NETBIOS name in case of local groups.
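To find shares that still rely on the old unqualified form after this update, here is an added Python checker (it is not from the bug report or from Samba) that walks an smb.conf, flags group entries in user-list parameters that lack the DOMAIN\ qualifier, and rewrites them in the required form. The sample smb.conf, the workgroup name DOCS and the set of parameters checked are constructed assumptions; plain usernames are left alone because the bug concerns the "+group" form.

```python
import re
# smb.conf parameters whose values are lists of users and/or groups (assumed set).
USER_LIST_KEYS = {"valid users", "invalid users", "read list", "write list", "admin users"}
GROUP_PREFIXES = "+&@"  # Samba's group / netgroup markers in such lists

# Constructed smb.conf excerpt modelled on the report (workgroup assumed to be DOCS):
# [itdocs] still uses the bare "+group" form, [network] already uses DOMAIN\group.
SAMPLE_SMB_CONF = """
[itdocs]
    valid users = +ITDocs_Users
    write list = +ITDocs_Users, parsledl
[network]
    valid users = +DOCS\\network, "@DOCS\\Medicat Users", %U
"""

def _bare_group(body):
    """Return the group name if `body` is a group entry without a DOMAIN\\ qualifier, else None."""
    name = body.lstrip(GROUP_PREFIXES)
    if name == body or name.startswith("%") or "\\" in name:
        return None  # plain user, Samba substitution (%U, %S ...), or already qualified
    return name

def unqualified_groups(conf_text):
    """Return (section, parameter, entry) for every group entry that lacks a DOMAIN\\ qualifier."""
    findings, section = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.lower().split())  # parameter names are case- and space-insensitive
        if key not in USER_LIST_KEYS:
            continue
        # Entries are separated by commas or whitespace; quoted entries may contain spaces.
        for token in re.findall(r'"[^"]*"|[^\s,]+', value):
            if _bare_group(token.strip('"')) is not None:
                findings.append((section, key, token))
    return findings

def qualify(token, domain):
    """Rewrite a bare group entry such as '+ITDocs_Users' to '+DOMAIN\\ITDocs_Users'."""
    body = token.strip('"')
    name = _bare_group(body)
    if name is None:
        return token
    fixed = body[: len(body) - len(name)] + domain + "\\" + name
    return f'"{fixed}"' if token.startswith('"') else fixed
```

Running unqualified_groups over the sample reports both [itdocs] entries and nothing from [network]; qualify(entry, "DOCS") gives the replacement to put in smb.conf.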
This fixes it, sure enough, thanks! I guess this must be in the samba release
notes? I don't see anything in the RHEL4.6 release notes. I tried to close
this as NOTABUG (I'm the submitter), but it didn't let me...
search for the paragraph named "samba" under "Feature Updates"
I'll close the bug, thanks for confirming it works now.