NT Groups - ACL

Richard Sharpe rsharpe at ns.aus.com
Mon Jul 15 14:47:30 GMT 2002

On Mon, 15 Jul 2002, FLASSE Damien wrote:

> I'm just trying to integrate a SAMBA/Linux/XFS/winbind box into an NT/2000
> network. Everything is just fine but the NT group recognition: if a user
> is part of 2 groups (e.g. Domain users + domain admins), it looks like
> SAMBA only sees ONE default group (Domain Users), which is trouble in
> terms of administration: if a user belonging to Domain admin has Admin
> ACL on a file but domain user is denied on this file, the user is seen
> by SAMBA as a 'Domain user' user. The result is that this user is denied
> even if he is part of the domain admin group.
> This is a very common situation and real life is often even more
> complex. Is there any trick to get around this 'default group'? Why
> doesn't SAMBA dig deeper into the user's groups?

Samba does. 

Do you have a copy of the log file from running this? Specifically, when 
the user logged on.

Also, what version of Samba? Also, do you have the config.cache from when 
you built Samba?

Samba should map domain admins to a local group number from winbindd, and 
should use that. 

Richard Sharpe, rsharpe at ns.aus.com, rsharpe at samba.org, 
sharpe at ethereal.com
