Authenticating NT Shares against Samba PDC users/groups

Jim Morris Jim at
Tue Mar 20 07:35:39 GMT 2001

Hello Samba gurus,

I've got a Samba 2.0.7 "psuedo" PDC configuration running very well in
a production environment consisting of about 100 Windows 98 clients.
An NT 4 Server system was recently added to this mix in order to run a
proprietary Windows-based software package that requires NT.
Ironically, the Samba PDC replaced the NT4 server 3 years ago, and the
NT4 Server license has been sitting unused this long!

Anyway, the NT4 server system is sucessfully joined to the domain, and
domain logons work from the NT system.  No problems there.  Now,
here's what I am trying to do, and coming up short on.  I have a LOT
of different user groups on the Linux server that are used to control
file access rights on the Samba shares (with SUID bits and stuff like
that in the create masks on the share).  Works great.  I would LIKE to
be able to have a share on the NT server that is restricted to access
to a certain user group, with that being one of the existing groups on
the Samba server.

I've actually gotten so far as to create a new user group on the NT
box using the USer Manager for Domains that has the same name as one
of the existing Unix groups on the Samba PDC.  I have then setup the
access rights for the share such that only that group has access to
the share (using "Full Control").  I can logon to the domain from a
Win98 client, using an account that is in that group, and am allowed
to connect to the share on the NT box. If I logon as a user who is NOT
in the group, the NT box will NOT allow me to connect to the share.
This all seems well and good.  BUT - the user account that can connect
to the share sees no files on it!  If I change the share permissions
to give "Everyone" full control on the share, then I see the files.

According to NT Explorer, the files and directories on this share,
including the shared folder itself, are all set to Full Control for
Everyone.  So it would seem that if I can connect to the share, I
*should* see the files.

Can anyone give me a clue as to what is going on here? Is it possible
to have the NT box authenticate share and file access using the users
and groups on the Samba PDC?  Or am I wasting my time?

I spent a while this afternoon looking through the online FAQ's and
HOWTO's for the upcoming Samba 2.2 release, and have not really found
any information that addresses this specific question...  so any
advice will be GREATLY appreciated.

Best regards,
 Jim Morris                          mailto:Jim at

More information about the samba-ntdom mailing list