[Samba] workaround assigning domain group permissions on PDC clients

Ivan Sergio Borgonovo mail at webthatworks.it
Tue Oct 15 13:01:01 GMT 2002

This is far from being elegant but it works...

Target: assigning domain wide group permissions on members (client) of 
a Samba PDC.


1a  edit the file pointed by
    username map
    existing_Unix_group1 = "Domain Users"
2a  log on a client with administrative privileges
    assign to a dir/disk permission to the "Domain Users" being carefull to 
    select from the Domain list and not the local list
3a  reset the client (logging of is not enough)


if you'll check permissions on that dir/disk (after reset) they will be 
listed as

If you want further Domain wide groups:

1b  edit the file pointed by
    username map
    existing_Unix_group1= "Domain Users"
    existing_Unix_group1= "Domain Users"
2b  follow 2a...

while this is an administrative hell... you can assign Domain wide 
groups privileges on client filesystem.

Once you finished you can delete the line
any_existing_Unix_group = "Domain Users"
and the permissions on clients will still work

You can add several groups with the same mapping system using other 
default groups like SYSTEM, Domain Admins, etc... anyway I would 
suggest to use lower privilege groups even if they will just be 
temporarely mapped.

Use this trick at your own risk... I haven't had time to check if there 
are any drawbacks or security risk.

I'll try to publish a nicer, clearer, grammatically more correct 
version of this femtoHOWTO here:


including a script to make things easier on the Linux side, if I'll 
survive to the 3rd in a week HW failure of my workstation :(

Ivan Sergio Borgonovo
uniq life || sleep 24h

More information about the samba mailing list