ACLs by remote NT server *group*??

Luke Kenneth Casson Leighton lkcl at switchboard.net
Wed Nov 26 17:00:57 GMT 1997


On Thu, 27 Nov 1997, Chris Shenton wrote:

> We've got a document repository on a Samba system, v 1.9.17alpha3,
> Solaris 2.5.1. Our clients authenticate to an NT domain so we do auth
> on Samba using the construct:
> 
>         security                = server
>         password server         = HQBDC1
> 
> What we'd like to do is allow one of our departments to get access to
> the docs but prevent all the other departments. I'd like to use the NT
> *group* in which the users belong to do access control but I can't
> figure a way to tell Samba to do this.  I really don't want to have to
> clone a password file in UNIX or enumerate usernames because they
> change so often -- I'd rather let the NT server boyz worry about that
> stuff. :-)

ok, thinks.  right.

1) create a group on the NT box with all the people that are allowed access 
to those documents.  call it "Document Users"

2) use right-mouse-click, go to properties, on the documents directory.  
click on the "permissions" tab.  you will see that permission is granted 
"Full" to "Everyone".  you want:

- "Full" to "Domain Users"
- "Read-only" to "Document Users"


> Is there a way to do ACLs based on NT groups?

we haven't worked out ACLs yet :-)  it's on the hit-list.  unfortunately, 
we'd need to work out a unix->ACL mapping-system, first :-(
 
> Or perhaps I'm so clueless on NT domains and NT-style authentication
> to understand whether this is doable. But let me know one way or the
> other. 
> 
> Thanks.
> 
> (I just pulled down 1.9.18alpha11 and am looking into DOMAIN.txt,
>  NTDOMAIN.txt, etc, but my NT domain ignorance is preventing me from
>  understanding all of it; pointers to good books welcome; I've already
>  read the FAQs and docs on samba.anu.edu.au...)

ok, well feel free to ask me all kinds of questions: it will help me when 
it comes to actually writing up the NT domain docs.

luke


Luke Kenneth Casson Leighton <lkcl at switchboard.net>
Samba Consultancy and Support: http://mailhost.cb1.com/~lkcl
