[Samba] linux groups & NT global groups with winbindd

Doug Aldridge doug at aldridge.net
Wed Feb 13 14:59:03 GMT 2002


I think I figured out another way. It's not as granular as NT but it works.
I just list my domain global groups in the "valid users = " parameter and
then use a force group in the same share. That way any allowed domain global
group will have access under the name of one global group. Did that make any
sense? :-)

Oh well...tested and works. Thanks for everyone's help. And Don, I will look
into the ACLs also.

Thanks,
Doug

----- Original Message -----
From: "MCCALL,DON (HP-USA,ex1)" <don_mccall at hp.com>
To: "'Doug Aldridge'" <doug at aldridge.net>; <samba at lists.samba.org>
Sent: Tuesday, February 12, 2002 5:13 PM
Subject: RE: [Samba] linux groups & NT global groups with winbindd


>
> Hi Doug,
> Well, that's sticky.  If your U*IX version supports posix acls,
> you should be able to do something like the following (assuming you have
> a domain named wt1, and a couple of global groups named testgroup1 and
> testgroup2):
> (you may have a different commandline on your unix box for setting acl's -
> this is specifically for HP-UX):
>
> # setacl -m group:wt1/testgroup1:rwx /home/ddmc/junk
> # setacl -m group:wt1/testgroup2:rw /home/ddmc/junk
>
> # getacl /home/ddmc/junk
>
> # file: /home/ddmc/junk
> # owner: WT1/ddmc
> # group: WT1/Doma
> user::rwx
> group::r-x
> group:WT1/test:rwx
> group:WT1/test:rw
> class:rwx
> other:r-x
>
> (Note that the two group ace's are indistinguishable in the getacl listing,
> as it expects (on HP-UX) a groupname to be no more than 8 characters long -
> but it's the GID that's actually kept in the ace, so it DOES know the
> difference)...
>
> THEORETICALLY, you should be able to rightclick on the folder/filename from
> your windows client and choose security and add group permissions in that
> manner, but I haven't gotten that to work, myself - probably my bad...
>
> Hope this helps,
> Don
> -----Original Message-----
> From: Doug Aldridge [mailto:doug at aldridge.net]
> Sent: Tuesday, February 12, 2002 4:49 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] linux groups & NT global groups with winbindd
>
>
> Don,
>
> That makes sense. At least my situation is not unique. However, since you
> cannot add domain global groups to linux local groups then how would one
> assign rights to a linux file or dir to multiple NT domain groups? Any
> thoughts?
>
> Thanks again!!
>
> ----- Original Message -----
> From: "MCCALL,DON (HP-USA,ex1)" <don_mccall at hp.com>
> To: "'Doug Aldridge'" <doug at aldridge.net>; <samba at lists.samba.org>
> Sent: Tuesday, February 12, 2002 4:32 PM
> Subject: RE: [Samba] linux groups & NT global groups with winbindd
>
>
> > Hi Doug,
> > I'm going to make an educated guess: NO.
> > at least on HP-UX, the entries in the /etc/group file
> > are of the form
> > groupname:...:gid:username,username.....
> >
> > NOTE the "username"....
> > Unix (afaik) does not support the concept of 'nested' groups.
> > a Unix group contains names that resolve to UIDS, not GIDS.
> > On top of this, there is also the fact that when you authenticate
> > via winbindd, you are authenticating as the NT user, and will
> > be bounded by the NT groups you are a member of.  So when samba
> > is checking to see what groups you are a member of, it's not looking
> > in the /etc/group file at all.  I'm NOT looking at the code while I'm
> > writing this, so I could be wrong - I graciously accept corrections,
> > if any one knows different...
> > So I wouldn't expect this to work.
> > Hope this helps,
> > Don
> >
> >
> > -----Original Message-----
> > From: Doug Aldridge [mailto:doug at aldridge.net]
> > Sent: Tuesday, February 12, 2002 4:20 PM
> > To: samba at lists.samba.org
> > Subject: [Samba] linux groups & NT global groups with winbindd
> >
> >
> > I posed this question earlier but it was with another question and I think
> > it got lost.
> >
> > I have winbindd up and running and working great.
> >
> > If I add NT domain users to an NT domain global group, add that group to a
> > local linux group in /etc/group, and then assign that local linux group
> > ownership of an object (file or dir) should this work? In other words, can
> > you still use local linux groups as you would local groups on an NT member
> > server once winbindd is running?
> >
> > Doug
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  http://lists.samba.org/mailman/listinfo/samba
> >
>
>
>
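
Added example, not part of the original thread: a small audit that finds shares where "force group" maps several "valid users" groups onto one group, the trade-off in granularity mentioned at the top of this message. The smb.conf text is constructed; the group names and the "/" separator follow Don's setacl example, while the share names, paths and the function name are assumptions.

```python
import configparser

# Constructed smb.conf fragment. Group names follow the thread (domain wt1,
# testgroup1/testgroup2); share names and paths are made up for illustration.
SAMPLE_SMB_CONF = """
[global]
workgroup = WT1
winbind separator = /

[projects]
path = /srv/projects
valid users = @wt1/testgroup1, @wt1/testgroup2
force group = wt1/testgroup1
read only = no

[scratch]
path = /srv/scratch
valid users = @wt1/testgroup2
"""

GROUP_PREFIXES = ("@", "+", "&")  # smb.conf markers for group entries


def collapsed_group_shares(conf_text):
    """Return {share: (forced_group, [admitted groups])} for each share where
    'force group' makes two or more 'valid users' groups act as one group."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings = {}
    for share in parser.sections():
        if share.lower() == "global":
            continue
        section = parser[share]
        forced = section.get("force group", "").strip().lstrip("+")
        # Simplification: entries are split on commas and whitespace, so
        # quoted group names that contain spaces are not handled here.
        entries = section.get("valid users", "").replace(",", " ").split()
        groups = [e.lstrip("@+&").strip('"') for e in entries
                  if e.startswith(GROUP_PREFIXES)]
        if forced and len(groups) > 1:
            findings[share] = (forced, groups)
    return findings


if __name__ == "__main__":
    for share, (forced, groups) in collapsed_group_shares(SAMPLE_SMB_CONF).items():
        print(f"[{share}] members of {', '.join(groups)} all act as group {forced}")
```

On a flagged share, files are created with the forced group, so group ownership on disk no longer shows which domain group a writer came from; the POSIX ACL approach in Don's reply keeps the groups distinct.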




