[Samba] Using Domain Groups for share access control

João Alexandre - Pluridata/LI J.Alexandre at pluridata.com
Mon Apr 8 03:00:02 GMT 2002

Hi Tim,

This is a compilation from the help that I received from this great
community. If I understood it well you want to see/use from the Unix machine
the existing groups/users from the NT domain. This is done via Winbind and the
easiest way that I discovered (I didn't discover it, I had big help from a
great bunch of guys) to implement this was to use the latest distro from
Mandrake (8.2 - All 3 CDs, this one has the latest samba stable release)
and apply these steps:

1 Do a minimal install (select security = standard), select "ReiserFS XFS"
for your partitions, unselect all the packages (ALL OF THEM)
2 It then asks you if you want to do a minimal install and if you don't want
"urpmi" (you do want "urpmi", so choose the suggested option and do not
choose the last one as it won't install "urpmi").
3 After the installation has finished and the PC rebooted, go to the console
as "root" and install the following packages using this command (this
command will check dependencies and ask you for whichever MDK 8.2 CDs
it needs):
	"urpmi samba"
	"  "   samba-client"
	"  "   nss_wins"
	"  "   samba-swat"
	"  "   samba-doc"
	"  "   samba-winbind" (I found that for winbind to start
automatically after the system starts and had to write "chkconfig winbind
	"  "   webmin" (if you want a web based administration, watch out when
editing the smb.conf via webmin, it doesn't handle NT users/groups
with special characters/spaces in their names very well)
	"  "   ntlogon"
	"  "   openssh-server" (I found this a good choice for having a
secure remote console of the server using a utility like "PuTTY". Also I had
to type some additional commands "chkconfig --add sshd" (add sshd service)
and "chkconfig sshd on" (start automatically))

Read the following documentation:

Edit the "smb.conf" appropriately and revise "nsswitch.conf" (it should be
OK) but above all read the above documentation to understand all of this.
After this (if this will work OK for you) you'll have a nice clean Samba
server and a member of your existing NT domain. Next start creating a
directory (if you have winbind running and capturing data from the NT
domain) you can give permissions choosing a user/group from the NT domain.
Next define the share in the "smb.conf" and you're done.

After spending more than a week trying to make my Samba server belong to my
NT domain using "winbind", I joined this mailing list and got all the help
that I needed so that after compiling this help it took me a couple of hours
to set up my Samba Server (I can even make a console logon using a user from
the NT domain).

I haven't yet looked at/tried sharing a printer, but that should be easy.

Hope this helps,
Joao Alexandre

> -----Original Message-----
> From: dj [mailto:dj at walhalla.sin.khk.be]
> Sent: Sunday, 7 April 2002 22:48
> To: samba at lists.samba.org
> Subject: [Samba] Using Domain Groups for share access control
> Hello everybody,
> I'm going to transfer a couple of Windows file/print server to a large
> Linux machine running Samba. I'm currently using a test system to figure
> out what works and what not. For the most part everything works fine. But
> I'm still left with a question I can't find an answer for.
> For easy administration, I will not be in charge of the admin only setup,
> I would like to control access to the shares using domain groups. The
> PDC/BDC machines will still be Windows.
> Am I correct that you can't enter a domain group in the valid users
> group? Only unix groups?
> What is the easiest way to implement domain group based access control?
> Am I right in thinking that this has to be done using winbind? Winbind
> will make unix groups out of the Windows groups which I then can use for
> the valid/invalid users fields?
> And if I have to use winbind, is it already ok for use in larger
> environments?
> I know, that's a lot of questions, but I really would like to use Samba, so
> I really appreciate your help.
> Thanks,
> Tim Verhoeven
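
An added example, not part of the original message or of the Samba documentation: an smb.conf sketch of the setup described above, where winbind maps NT domain groups to Unix groups and a share is restricted to one of them. The domain name EXAMPLE, the group Accounting, the path and the ID ranges are assumptions; the parameter names are those of the Samba 2.2 series, and later releases configure the ID ranges with idmap settings instead.

```ini
# /etc/samba/smb.conf (constructed example; EXAMPLE, Accounting, the path
# and the ID ranges are placeholders, not values from the original post)

[global]
   workgroup = EXAMPLE
   security = domain
   password server = *
   encrypt passwords = yes

   # winbind presents NT domain users/groups to Unix as DOMAIN+name
   winbind separator = +
   # Unix uid/gid ranges handed out to domain accounts; must not overlap
   # with IDs already used in /etc/passwd and /etc/group
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   # Needed only if domain users log on at the console
   template homedir = /home/%D/%U
   template shell = /bin/bash

# /etc/nsswitch.conf must list winbind after files so that name lookups
# resolve domain accounts:
#   passwd: files winbind
#   group:  files winbind

[accounting]
   path = /srv/samba/accounting
   read only = no
   browseable = yes
   # Only members of the NT domain group "Accounting" may connect.
   # Quote the name when the group contains spaces, e.g.
   #   valid users = @"EXAMPLE+Domain Users"
   valid users = @"EXAMPLE+Accounting"
   # Keep new files private to the group
   create mask = 0660
   directory mask = 0770

# Match the filesystem permissions to the share restriction, as root:
#   chgrp "EXAMPLE+Accounting" /srv/samba/accounting
#   chmod 2770 /srv/samba/accounting
# Checks before relying on the share:
#   wbinfo -g                            (lists domain groups via winbind)
#   getent group "EXAMPLE+Accounting"    (group resolves through NSS)
#   testparm                             (smb.conf parses cleanly)
```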
