Discussion:
[Samba] adding users to group with net rpc
Leandro Tracchia
2008-05-20 00:30:57 UTC
section 13.3.2 of the HOWTO shows that i can add a user to a group with the
following command:

root# net rpc group addmem "MIDEARTH\Engineers" ajt -Uroot

when i execute this command (replaced with my server specific values, of
course), i get a NT_STATUS_NO_SUCH_USER error.

i can verify that my user DOES exist and that he belongs to the posix group
account. i can also verify that the posix group account is mapped to the
windows group account.

is the syntax for this command correct? (the net manpage shows no 'addmem'
option), or am i doing something wrong??

when i run the following i get an empty list:

root# net rpc group members "Domain Users" -Uroot
John H Terpstra
2008-05-20 00:41:00 UTC
Post by Leandro Tracchia
section 13.3.2 of the HOWTO shows that i can add a user to a group with the
root# net rpc group addmem "MIDEARTH\Engineers" ajt -Uroot
when i execute this command (replaced with my server specific values, of
course), i get a NT_STATUS_NO_SUCH_USER error.
i can verify that my user DOES exist and that he belongs to the posix group
account. i can also verify that the posix group account is mapped to the
windows group account.
is the syntax for this command correct? (the net manpage shows no 'addmem'
option), or am i doing something wrong??
root# net rpc group members "Domain Users" -Uroot
What version of Samba are you running?

- John T.
Leandro Tracchia
2008-05-20 00:47:03 UTC
executing the following command for all users will show their correct group:

root# net rpc user info billybob

but, like i said the following command shows nothing:

root# net rpc group members "Domain Users" -Uroot

and i still can't get this command to work:

root# net rpc group addmem "MIDEARTH\Engineers" ajt -Uroot

however, i'm wondering if i even need this last command... all my users
seem to be already mapped...
Post by Leandro Tracchia
section 13.3.2 of the HOWTO shows that i can add a user to a group with the
root# net rpc group addmem "MIDEARTH\Engineers" ajt -Uroot
when i execute this command (replaced with my server specific values, of
course), i get a NT_STATUS_NO_SUCH_USER error.
i can verify that my user DOES exist and that he belongs to the posix group
account. i can also verify that the posix group account is mapped to the
windows group account.
is the syntax for this command correct? (the net manpage shows no 'addmem'
option), or am i doing something wrong??
root# net rpc group members "Domain Users" -Uroot
John H Terpstra
2008-05-20 01:17:01 UTC
Post by Leandro Tracchia
root# net rpc user info billybob
root# net rpc group members "Domain Users" -Uroot
OK. What is the output of?:

pdbedit -Lw root
Post by Leandro Tracchia
root# net rpc group addmem "MIDEARTH\Engineers" ajt -Uroot
I just validated that this command works on Samba-3.0.28.
Post by Leandro Tracchia
however, i'm wondering if i even need this last command... all my users
seem to be already mapped...
What do you mean by this? How did you do this?

- John T.
Post by Leandro Tracchia
Post by Leandro Tracchia
section 13.3.2 of the HOWTO shows that i can add a user to a group with
root# net rpc group addmem "MIDEARTH\Engineers" ajt -Uroot
when i execute this command (replaced with my server specific values, of
course), i get a NT_STATUS_NO_SUCH_USER error.
i can verify that my user DOES exist and that he belongs to the posix
group account. i can also verify that the posix group account is mapped
to the windows group account.
is the syntax for this command correct? (the net manpage shows no
'addmem' option), or am i doing something wrong??
root# net rpc group members "Domain Users" -Uroot
--
John H Terpstra
Samba-Team Member
Phone: +1 (512) 970-0256

Author:
The Official Samba-3 HOWTO & Reference Guide, 2 Ed., ISBN: 0131882228
Samba-3 by Example, 2 Ed., ISBN: 0131882221X
Hardening Linux, ISBN: 0072254971
Other books in production.
Julian Pace Ross
2008-05-20 03:28:27 UTC
Dear List,

I have successfully deployed my first Samba 3 PDC with LDAP, and I have
several XP pro workstations successfully joined to the domain. There are
some other XP pro workstations that are not joined to the domain yet, but
are on the same network.

Now I have another Linux (Suse 9.2) PC (separate from the PDC) that is
acting as a file server, with its own shares.
This PC has no local user accounts, and I set this with security = domain,
passwd server = SambaPDC and successfully joined it to the domain with net
rpc join etc..

On each share I specify which users can access that share (valid users = )

My question is somewhat conceptual (and i suspect, rather basic):
Once the file server is joined to the domain and is authenticating
everything with the Samba3 PDC, should security = domain mean that only
workstations already joined to the domain can have access to the file server
shares?
I would imagine this to be the concept behind security = domain, but until
now, I can still access the shares even from the non-domain workstations).

In other words, can a Samba3 domain member limit access to its shares only
to other PCs that are also domain members?
Or, even better, can this be specified specifically per share?

Thanks and regards
Julian
Julian Pace Ross
2008-05-20 22:17:48 UTC
I apologise for re-posting, but I'll try summarise just in case my original
message was confusing...

I have successfully deployed my first Samba 3 PDC with LDAP.

I have another Linux PC (separate from the PDC) that is acting as a file
server, with its own shares.

This PC has no local user accounts, and I set this with security = domain,
passwd server = SambaPDC.
It successfully joined it to the domain with net rpc join etc..

On each share I specify which users can access that share (valid users = )

Should security = domain mean that only workstations already joined to the
domain can have access to the file server shares?
Until now, I can still access the shares even from the non-domain
workstations.
In other words, can a Samba3 domain member limit access to its shares only
to other PCs that are also domain members?
Or, even better, can this be specified specifically per share?

Thanks and regards
Julian
Jason Waters
2008-05-20 22:49:54 UTC
I think security = domain just has that samba box look at the PDC for
authentication. I don't think accessing a share has anything to do with
if the workstation is a part of the domain or not. If you try to connect
to that share \\sambafileserver\testshare it should prompt you for a
username and password. If it doesn't that means you are logged in with a
valid username already. You can check smbstatus to see how you are
connected. If you have two domain users, user1, user2, you can make a
share only available to one user by doing valid users = user1

Are you trying to restrict a machine from accessing a share? I'm not sure
if you can use the hosts allow per share. Am I understanding you
correctly?

Jason Waters


-----Original Message-----
From: samba-bounces+jwaters=***@lists.samba.org
[mailto:samba-bounces+jwaters=***@lists.samba.org] On Behalf Of
Julian Pace Ross
Sent: Tuesday, May 20, 2008 1:18 PM
To: ***@lists.samba.org
Subject: Re: [Samba] domain memership and security=domain


I apologise for re-posting, but I'll try summarise just in case my
original
message was confusing...

I have successfully deployed my first Samba 3 PDC with LDAP.

I have another Linux PC (separate from the PDC) that is acting as a file
server, with its own shares.

This PC has no local user accounts, and I set this with security = domain,

passwd server = SambaPDC.
It successfully joined it to the domain with net rpc join etc..

On each share I specify which users can access that share (valid users = )

Should security = domain mean that only workstations already joined to
the
domain can have access to the file server shares?
Until now, I can still access the shares even from the non-domain
workstations.
In other words, can a Samba3 domain member limit access to its shares only

to other PCs that are also domain members?
Or, even better, can this be specified specifically per share?

Thanks and regards
Julian
Julian Pace Ross
2008-05-20 23:15:06 UTC
RE: [Samba] domain memership and security=domain

Thanks guys, it is clearer now and the behaviour now makes sense to me.

I was actually already using host allow/deny, but with IP's and globally. Now i'm doing:
[share]
hosts allow = mymachinename
hosts deny = all

..and it works exactly as i want it to.

Thanks again
Julian
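
The distinction this sub-thread settles, as an added smb.conf sketch that is not any poster's actual configuration: `security = domain` only decides where credentials are validated, while `valid users` and `hosts allow` / `hosts deny` decide which user and which client may reach a share. `SambaPDC`, `user1` and `mymachinename` are the names used in the posts above; the workgroup, share names and paths are constructed placeholders.

```ini
[global]
    # Constructed example; the workgroup is a placeholder domain name.
    workgroup = MIDEARTH
    # Domain member: smbd hands logon requests to the PDC for validation.
    # This says nothing about whether the client machine has joined the domain.
    security = domain
    password server = SambaPDC

[open-to-any-client]
    path = /srv/samba/open
    # User-level restriction only: user1 can connect from any workstation
    # that can reach the server, domain-joined or not, with valid credentials.
    valid users = user1

[restricted-by-host]
    path = /srv/samba/restricted
    valid users = user1
    # Host-level restriction, set per share as in the post above.
    # A client matching hosts allow is admitted; every other client
    # falls through to hosts deny = all and is refused.
    hosts allow = mymachinename
    hosts deny = all
```

A host name in `hosts allow` is only as trustworthy as the name resolution behind it, so an IP address or subnet is the more robust match. Running `testparm` with a host name and IP address after the config file reports whether that client would be admitted to each share.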

Leandro Tracchia
2008-05-20 03:10:16 UTC
Post by John H Terpstra
What version of Samba are you running?
I don't even know how to check that ashamed to say...
Post by John H Terpstra
What do you mean by this? How did you do this?
well, i gather this because of the following 3 reasons:

1) the following command shows the correct Windows groups mapped
to their corresponding posix group accounts.

root# net rpc groupmap list

2) the Windows Domain Users group is mapped to the posix users
group which is shown with the above command. all my user accounts
belong to the users group.

3) the following command shows the correct Windows group (Domain
Users) for each particular user (as i already stated).

root# net rpc user info billybob

4) posix user accounts all correspond to their smbpasswd accounts.
Post by John H Terpstra
pdbedit -Lw root
i'll answer this tomorrow when i'm back at work

thanks for your help and please bear with me, i'm new at this
John H Terpstra
2008-05-20 03:58:35 UTC
Post by Leandro Tracchia
Post by John H Terpstra
What version of Samba are you running?
I don't even know how to check that ashamed to say...
smbd -V

- John T.
Post by Leandro Tracchia
Post by John H Terpstra
What do you mean by this? How did you do this?
1) the following command shows the correct Windows groups mapped
to their corresponding posix group accounts.
root# net rpc groupmap list
2) the Windows Domain Users group is mapped to the posix users
group which is shown with the above command. all my user accounts
belong to the users group.
3) the following command shows the correct Windows group (Domain
Users) for each particular user (as i already stated).
root# net rpc user info billybob
4) posix user accounts all correspond to their smbpasswd accounts.
Post by John H Terpstra
pdbedit -Lw root
i'll answer this tomorrow when i'm back at work
thanks for your help and please bear with me, i'm new at this
--
John H Terpstra
Samba-Team Member


Author:
The Official Samba-3 HOWTO & Reference Guide, 2 Ed., ISBN: 0131882228
Samba-3 by Example, 2 Ed., ISBN: 0131882221X
Hardening Linux, ISBN: 0072254971
Other books in production.
Leandro Tracchia
2008-05-20 17:40:32 UTC
John,

here is the information you requested.... hope this helps you help me.
Post by John H Terpstra
pdbedit -Lw root
root:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:FD11C5234188D996BAF50904399221E6:[U
Post by John H Terpstra
What version of Samba are you running?
Version 3.0.28a