[Samba] Domain-member and simple read and readwrite file-permissions based on group-membership
Christian Rost
chr at baltic-online.de
Tue Jan 3 18:58:24 GMT 2006
Hi,

I'm pretty confused about using Samba as a domain member and file server.

Assuming I have a couple of Windows users on my Active Directory server and there are mainly 2 groups defined in the AD: ReadOnlyGroup and WriteOnlyGroup. On my Samba server there is one share which should be used by both groups, and I want users in the WriteOnlyGroup to have the permission to modify/delete all files/directories and the users in the ReadOnlyGroup to only read the files/directories. To keep it simple I don't want any other ACLs at all.

I thought that this setup should be possible by using the "read list"/"write list", "force group" and "mode" features in smb.conf.

Now I have 2 options to connect to my PDC. Either I use security = ADS or I use security = domain. For the first option, as far as I know, I need to use Kerberos. Because I'm forced to use AIX as the platform for the Samba server and there is no Kerberos support installed, I must use security = domain.

Running with security = domain, I think at first I'm now forced to replicate all Active Directory users to Unix users on my Samba server to establish a mapping between NT <-> Unix user IDs for the proper ownership of files on the share's filesystem.

Now my questions:

1)
When I have done this, there is no need to use the "net groupmap" feature, because all users are mapped to Unix users and these Unix users belong to primary Unix groups. The groupmap feature only makes sense if I run the winbindd daemon (on top of Kerberos) and there is no complete mapping of NT <-> Unix users/groups. Is this correct?

2)
Which kinds of arguments are possible for "read list" and "write list"? Is it correct that only Unix users and Unix groups are possible? Is there any way to use the ReadOnlyGroup and WriteOnlyGroup from the Active Directory? If only Unix groups are possible, I also have to replicate the group memberships to the Unix system. Is this correct? When this is correct, this is pretty painful because I have to administrate 2 user databases now.

3)
Is this simple setup only possible with ACLs on the filesystem and with running winbindd?

Thank you for answers
Christian
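An added configuration example (not from the original post or from the Samba project) showing the share stanza the question describes, built only from smb.conf's own "read list", "write list", "force group" and mask parameters with local Unix groups; the domain name EXAMPLEDOM, the path and the group names ro_users and rw_users are assumed:

```ini
[global]
    # Assumed NetBIOS domain name; the host is joined with "net rpc join".
    workgroup = EXAMPLEDOM
    # Domain member without Kerberos; locate the DC automatically.
    security = domain
    password server = *

[shared]
    # Assumed path.
    path = /srv/samba/shared
    # Default the share to read-only; "write list" overrides this per user/group.
    read only = yes
    # "+name" is resolved as a local Unix group ("@name" also tries NIS netgroups).
    # Without winbindd these groups are looked up locally, so their membership
    # must mirror ReadOnlyGroup / WriteOnlyGroup in AD (the replication asked about).
    # "valid users" keeps everyone who is in neither group off the share entirely.
    valid users = +ro_users, +rw_users
    read list = +ro_users
    # A user listed in both lists is given write access.
    write list = +rw_users
    # Every new file/directory is group-owned by rw_users, so any writer can
    # modify or delete what another writer created.
    force group = rw_users
    # The "mode" part of the question: group read/write, nothing for others.
    create mask = 0660
    directory mask = 0770
```

Samba enforces "read list" at the SMB layer before any filesystem check, so members of ro_users cannot write even though "force group" gives their connection the rw_users group on disk.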