ACLs by remote NT server *group*??

Luke Kenneth Casson Leighton lkcl at
Wed Nov 26 17:00:57 GMT 1997

On Thu, 27 Nov 1997, Chris Shenton wrote:

> We've got a document repository on a Samba system, v 1.9.17alpha3,
> Solaris 2.5.1. Our clients authenticate to an NT domain so we do auth
> on Samba using the construct:
>         security                = server
>         password server         = HQBDC1
> What we'd like to do is allow one of our departments to get access to
> the docs but prevent all the other departments. I'd like to use the NT
> *group* in which the users belong to do access control but I can't
> figure a way to tell Samba to do this.  I really don't want to have to
> clone a password file in UNIX or enumerate usernames because they
> change so often -- I'd rather let the NT server boyz worry about that
> stuff. :-)

ok, thinks.  right.

1) create a group on the NT box with all the people that are allowed access 
to those documents.  call it "Document Users"

2) use right-mouse-click, go to properties, on the documents directory.  
click on the "permissions" tab.  you will see that permission is granted 
"Full" to "Everyone".  you want:

- "Full" to "Domain Users"
- "Read-only" to "Document Users"

> Is there a way to do ACLs based on NT groups?

we haven't worked out ACLs yet :-)  it's on the hit-list.  unfortunately, 
we'd need to work out a unix->ACL mapping-system, first :-(

> Or perhaps I'm so clueless on NT domains and NT-style authentication
> to understand whether this is doable. But let me know one way or the
> other. 
> Thanks.
> (I just pulled down 1.9.18alpha11 and am looking into DOMAIN.txt,
>  NTDOMAIN.txt, etc, but my NT domain ignorance is preventing me from
>  understanding all of it; pointers to good books welcome; I've already
>  read the FAQs and docs on

ok, well feel free to ask me all kinds of questions: it will help me when 
it comes to actually writing up the NT domain docs.


Luke Kenneth Casson Leighton
Samba Consultancy and Support
