added/new functionality?

ccoupal at ccoupal at
Wed Mar 8 22:32:23 GMT 2000


I am looking to reduce the overhead of managing UNIX groups and UNIX users,
so your solution doesn't really help. The groups and users already exist on
the NT domain, so why do I have to create the user accounts and the groups
over again on the unix machine?

I want to, on connection, eval the connecting user's NT groups (get them
from the PDC/BDC) and based on the user's group membership, map the user to
one of the few defined Samba/Unix accounts for all file IO operations
(through a map file?)

This would mean the user never has to authenticate to the Samba box. After
the user has been authenticated by the authentication authority (PDC/BDC),
Samba would get the list of groups for the user, and just map across. No
account has to be created for the individual user on the Samba/Unix box,
they just have to be added to a group with access.

Perhaps... there is some functionality out there that does this already, but
I haven't found it. I could use workarounds that provide the same effect.


> -----Original Message-----
> From:	Kevin Colby [SMTP:kevinc at]
> Sent:	Wednesday, March 08, 2000 4:20 PM
> To:	ccoupal at
> Subject:	Re: added/new functionality?
> Perhaps I am missing the point here, but I would think that you
> could map your NT groups to Unix user groups, and then use
> normal unix file permission restrictions.
> If it is share-wide, you can restrict by group in the share definition.
> 	- Kevin Colby
> 	  kevinc at
> ccoupal at wrote:
> > 
> > Greetings,
> > 
> > I am currently working on a land management system. We are using a typical
> > Microsoft three-tier development environment (MTS, SQL7.0). However, in the
> > midst of all this Microsoft influence, we are using samba as the back end
> > data store. We are using samba on a large IBM box to store images, with
> > image details stored on an SQL7.0 box. Transactional ability is preserved
> > for writing the images through MTS. An MTS component is given the location
> > of the file, and it then moves the file to the data store (samba) on behalf
> > of the user. We want the users to retrieve the file direct through a UNC.
> > Samba is configured as a member of the NT domain.
> > 
> > Configuring samba and the component to allow writing is fairly easy; we have
> > a typical samba setup with one UNIX, Samba, and NT account configured for
> > this purpose.
> > Configuring samba to allow read has been done through the use of a guest
> > account and guest ok privileges on the shares.
> > 
> > Here is where samba's abilities seem to be falling short:
> > 
> > We would like to have read shares created (ie. RS1, RS2, RS3) with read
> > permissions for specific NT groups of users (ie. NTUG1, NTUG2, NTUG3).
> > We would like user management to be done on the NT side with minimal
> > accounts on the samba/UNIX side.
> > 
> > Our thoughts:
> > 
> > - Samba knows how to authenticate with an NT domain.
> > - Samba suid's to the UNIX account before performing file operations, so
> > what if we map user groups to specific samba/unix accounts (removing the
> > requirement for individual user groups) through another map file
> > 
> > for example:
> > 
> > We map 1 NT user group to 1 samba account such that on a user's request for
> > access to a share, samba checks the user's group membership to see if the
> > user's membership includes a group which matches a mapping, and then all
> > access to the share is provided as that account. (Notice that with this,
> > there would be no authentication between the client and samba/unix).
> > 
> > If someone knows of current direction to this end, or another way to
> > provide this functionality, please let me know, else I'll start fighting my
> > way through the source and see how difficult it would be to do (but I don't
> > really want to do this).
> > 
> > Chris Coupal
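Kevin's share-level suggestion written out as an smb.conf fragment (an added example, not taken from either poster's message or from the Samba project's documentation): the guest-readable share Chris describes today, beside a share that admits only one Unix group and serves every file operation under a single fixed Unix account. It assumes a Unix group `ntug1` whose membership is kept in step with the NT group NTUG1, a Unix account `imgread` that owns the image tree, and placeholder domain and path names; the share name RS1 comes from the thread.

```ini
[global]
   ; placeholder: the NT domain the Samba host has been joined to
   workgroup = NTDOMAIN
   ; passwords are verified by the domain controllers, not from a local smbpasswd
   security = domain
   ; placeholders: the PDC and BDC that answer the authentication requests
   password server = PDCNAME BDCNAME

; The current read share: "guest ok" means anyone who can reach the Samba box,
; domain member or not, can read the images.
[RS1-guest]
   ; constructed path to the image store
   path = /data/images
   guest ok = yes
   read only = yes

; The restricted alternative: only members of the Unix group ntug1 (assumed
; to mirror NT group NTUG1) may connect, and all file I/O on the share runs
; as the assumed account imgread, so individual users need no rights on the
; directory itself. Keep imgread's rights limited to the image tree, since
; every connecting user acts with its permissions on this share.
[RS1]
   path = /data/images
   valid users = @ntug1
   force user = imgread
   read only = yes
   guest ok = no
```

With `security = domain` the user's password is checked by the PDC/BDC, but the Samba of this period still looks up a Unix account for each connecting user and resolves `@ntug1` as a Unix group, so the NT-group-to-Unix mapping Chris wants to avoid maintaining is still done by hand on the Samba host.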

More information about the samba-technical mailing list