Description of problem:
After applying latest samba security update, "valid users = +groupname" doesn't properly detect group membership for a group in LDAP.

nsswitch has:

passwd: files ldap
shadow: files
group: files ldap

If I su to my username:

[root@docs log]# su - parsledl
[parsledl@docs ~]$ groups
Medicat Users ITDocs_Users network

However, a share protected with "valid users = +ITDocs_Users" won't allow user parsledl to connect unless I comment out that line. This was working prior to this morning's update.

Version-Release number of selected component (if applicable):
samba-3.0.25b-1.el4_6.4

How reproducible:
Always

Steps to Reproduce:
1. Configure groups in LDAP w/ nss_ldap and in nsswitch.conf
2. Add a user to an LDAP group, e.g. ITDocs_Users
3. Protect a share with "valid users = +ITDocs_Users"
4. Try connecting to the share

Actual results:
Permission denied

Expected results:
Connection allowed based on group membership.

Additional info:
If I look up the samba process with smbstatus, /proc/$pid/status only shows primary group membership from /etc/passwd, and no other groups. This is a security issue, since I have to comment out the valid users line to allow access.
As stated in the release notes, the syntax of valid users and other options that list users has been made stricter (it also had security implications). The syntax you are using was already discouraged, but now it is mandatory to use a fully qualified user/group name. It is required to use DOMAIN\<user/group>. DOMAIN can also be the machine NETBIOS name in case of local groups.
This fixes it, sure enough, thanks! I guess this must be in the samba release notes? I don't see anything in the RHEL4.6 release notes. I tried to close this as NOTABUG (I'm the submitter), but it didn't let me...
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/release-notes/RELEASE-NOTES-U6-x86-en.html

Search for the paragraph named "samba" under "Feature Updates".

I'll close the bug, thanks for confirming it works now.
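
An added example, not part of the original bug thread or of Samba itself: a small audit that scans smb.conf text for user-list options whose entries lack the DOMAIN\ qualifier this thread says is now required, so affected shares can be found before users are locked out or someone comments out the restriction. The option list, the sample configuration, the DOMAIN placeholder and the "Example Group" name are assumptions constructed for illustration.

```python
import re
import shlex

# smb.conf options that take user/group lists (parameter names are matched
# case-insensitively with internal whitespace ignored, as smb.conf does).
USER_LIST_OPTIONS = {"validusers", "invalidusers", "readlist", "writelist", "adminusers"}

# Constructed sample; DOMAIN is a placeholder for the domain or NetBIOS name.
SAMPLE_CONF = r"""
[global]
   workgroup = DOMAIN

[itdocs]
   path = /srv/itdocs
   valid users = +ITDocs_Users
   write list = DOMAIN\parsledl, @"Example Group"

[fixed]
   path = /srv/fixed
   valid users = +DOMAIN\ITDocs_Users
"""

def unqualified_entries(conf_text):
    """Return (section, option, entry) for each listed name without a domain prefix."""
    findings, section = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            continue
        key, sep, value = line.partition("=")
        if not sep or re.sub(r"\s+", "", key).lower() not in USER_LIST_OPTIONS:
            continue
        lexer = shlex.shlex(value, posix=True)
        lexer.whitespace += ","           # entries are comma or space separated
        lexer.whitespace_split = True
        lexer.escape = ""                 # keep the backslash in DOMAIN\name literal
        lexer.commenters = ""
        for entry in lexer:
            name = entry.lstrip("+&@")    # strip group-lookup prefixes
            if "\\" not in name:
                findings.append((section, " ".join(key.split()), entry))
    return findings
```
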