added/new functionality?

ccoupal at justice.gov.sk.ca ccoupal at justice.gov.sk.ca
Wed Mar 8 21:20:34 GMT 2000 

Greetings,

I am currently working on a land management system. We are using a typical
Microsoft three-tier development environment (MTS, SQL7.0). However, in the
midst of all this Microsoft influence, we are using samba as the back end
data store. We are using samba on a large IBM box to store images, with
image details stored on an SQL7.0 box. Transactional ability is preserved
for writing the images through MTS. An MTS component is given the location
of the file, and it them moves the file to the data store (samba) on behalf
of the user. We want the users to retrieve the file direct through a UNC.
Samba is configured as a member of the NT domain

Configuring samba and the component to allow writing is fairly easy; we have
a typical samba set up with one UNIX, Samaba, and NT account configured for
this purpose.
Configuring samba to allow read has been done through the use of a guest
account and guest ok priviledges on the shares.

Here is where samba's abilities seem to be falling short:

We would like to have read shares created (ie. RS1, RS2, RS3) with read
permissions for specific NT groups of users (ie. NTUG1, NTUG2, NTUG3). 
We would like user management to be done on the NT side with minimal
accounts on the samba/UNIX side.

Our thoughts:

- Samba knows how to authenticate with an NT domain.
- Samba suid's to the UNIX account before performing file operations, so
what if we map user groups to specific samba/unix accounts (removing the
requirement for individual user groups) through another map file

for example:

We map 1 NT user group to 1 samba account such that on a user's request for
access to a share, samba checks the user's group membership to see if the
user's membership includes a group which matches a mapping, and then all
access to the share is provided as that account. (Notice that with this,
there would be no authentication between the client and samba/unix).

If someone knows of current direction to this ends, or another way to
provide this functionality, please let me know, else I'll start fighting my
way through the source and see how difficult it would be to do (but I don't
really want to do this). 

Chris Coupal

More information about the samba-ntdom mailing list