Samba and NT Domain Group membership.

Mike Harris mike at
Thu Dec 2 18:41:48 GMT 1999

Am I correct in believing that Domain Group membership of users in NT makes
absolutely no difference to a Samba server?

For example:

I have a network with an NT PDC, a Samba 2.0.6 server and an NT Workstation.
The Samba server is configured with security=domain and password server=*.

With this setting, the actual user account on the Samba server does not need
to have a password set (as the authentication is passed-through to the NT
PDC) and has its login shell set to /dev/null for security.  Home shares
work fine this way :)

I have a directory called /home/public which is my public share on my Samba
server and an smb.conf snippet for this is:

path = /home/public
valid users=@users
admin users=@admin

The directory /home/public is user=root, group=users with permissions set to

In my smbusers file, I have two entries:

users="Domain Users"
admin="Domain Admins"

with the hope that adding a user account to the Domain Admins group on
the PDC will give it 'passed-through' group access to the share and give the
user super-user access, i.e. write access.

Now this doesn't work, unless I add the user to the admin group in
This implies that Domain Group membership has absolutely no effect on Samba
as it's only interested in the UNIX group file.

I think I'm completely barking up the wrong tree with this one, but could
someone confirm this is the case for me?
Or is there a way to make this work?

Many thanks in advance,

Mike Harris,
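
Added example, not part of the original post: a Python model of the behaviour the post reports, expanding the share's `@users` and `@admin` entries against UNIX group data only and listing accounts that are in "Domain Admins" on the PDC but not in the UNIX admin group. The passwd/group contents, account names and PDC membership are constructed, the function names are hypothetical, and counting primary-group members is an assumption.

```python
# Constructed sample data (not from the post): /etc/group and /etc/passwd.
GROUP = """users:x:100:alice,bob
admin:x:101:alice
"""
PASSWD = """alice:x:1001:100::/home/alice:/dev/null
bob:x:1002:100::/home/bob:/dev/null
carol:x:1003:101::/home/carol:/dev/null
dave:x:1004:100::/home/dave:/dev/null
"""
# Constructed PDC-side membership; share expansion below never consults it.
DOMAIN_GROUPS = {"Domain Admins": {"dave"}}
# Share options as given in the post.
SHARE = {"valid users": "@users", "admin users": "@admin"}


def parse_colon_file(text):
    """Split passwd/group style text into field lists, skipping blanks and comments."""
    return [ln.split(":") for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]


def unix_group_members(group, group_text=GROUP, passwd_text=PASSWD):
    """Listed members plus accounts whose primary GID is the group (assumption)."""
    for name, _pw, gid, members in parse_colon_file(group_text):
        if name == group:
            listed = {m for m in members.split(",") if m}
            primary = {f[0] for f in parse_colon_file(passwd_text) if f[3] == gid}
            return listed | primary
    return set()  # an unknown group grants nothing


def expand(user_list):
    """Expand a user list value: '@name' is a UNIX group, anything else a user."""
    out = set()
    for item in user_list.replace(",", " ").split():
        out |= unix_group_members(item[1:]) if item.startswith("@") else {item}
    return out


def audit(share=SHARE):
    """Accounts covered by 'valid users' and by 'admin users' for the share."""
    return {"valid": expand(share["valid users"]), "admin": expand(share["admin users"])}


def pdc_admins_without_unix_admin(share=SHARE):
    """Domain Admins members that the UNIX-side 'admin users' expansion does not cover."""
    return DOMAIN_GROUPS["Domain Admins"] - audit(share)["admin"]


if __name__ == "__main__":
    print(audit(), pdc_admins_without_unix_admin())
```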
