[Samba] Re: domain users in local groups with Winbind/Samba/Redhat

Chris de Vidal cdevidal at yahoo.com
Thu Feb 20 15:43:39 GMT 2003


--- Matthias Rutzki <mrutzki at gmx.de> wrote:
> Unfortunately the group members still can not access
> the shares. 

I'm sorry, I'd tested this some time back and should
have told you.  Winbind doesn't appear to obey local
group membership for domain users on the Samba box.

We worked around this by creating an NT global group
and added members to that.  Then we chgrp all files
and directories, then chmod g+rw on all files and
directories, then chmod g+xs all directories like so:
chgrp -R G_servername /path/to/share
chmod -R g+rw /path/to/share
find /path/to/share -type d -print0 | xargs -0 chmod g+xs

It is important NOT to set files g+xs.  It is
important to use s (set group id) so files created in
the future in that share always have the same group.

> I have done it in this way:
> 1. stop smbd & nmbd 
> 2. add "winbind use default domain = yes" to the
> smb.conf 
> 3. create a testgroup with "groupadd test1" 

Instead, open User Manager for Domains and add an NT
global group.  I like to use something like
G_<servername> so we A.) know it is a global group and
B.) know that if a user can't access a server he just
needs to be in that global group.

> 4. add my domain user (without the domain (domain+))
> to this group with
> "gpasswd -a rutzki.matthias test1" 

Instead, use User Manager to add users to this group.

> 5. create a share called testshare with "valid users
> = @test1" in smb

Use the NT global group here instead.

> 6. start smbd nmbd
> 7. logged in domain on a WIN98 System
> 8. try to access the testshare
> 9. System asks me for a password.....

Should be fine now.  I tested it this morning with a
user with a dot in his name and he could access the
share.

I don't know how a Samba PDC reacts to local groups. 
Also, if you apply ACLs, your group memberships can be
more flexible and you won't need a global group for
each server.. a file or directory can have multiple
groups.

I hope local group membership will be recognized in
Samba 3.0.  Perhaps it is an engineering impossibility
and will never be recognized?

Sorry to mislead you, but I hope you're on the right
track now.
/dev/idal
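
The permission scheme from the message above, as an added example that is not part of the original post: one function applies the three steps and a second audits the tree, reporting any regular file that carries setgid, any directory that lacks it, and any path outside the share group. The function names are hypothetical; G_servername and /path/to/share are the placeholders used in the message.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not from the original post).

# apply_share_perms GROUP DIR: the three steps from the message.
apply_share_perms() {
    group=$1; dir=$2
    chgrp -R "$group" "$dir" || return 1
    chmod -R g+rw "$dir" || return 1
    # setgid and the search bit go on directories only, never on regular files
    find "$dir" -type d -exec chmod g+xs {} +
}

# audit_share_perms GROUP DIR: list every path that deviates; return 1 if any do.
audit_share_perms() {
    group=$1; dir=$2; bad=0
    report() {  # report LABEL PATHS
        if [ -n "$2" ]; then
            printf '%s:\n%s\n' "$1" "$2"
            bad=1
        fi
    }
    report "wrong group" "$(find "$dir" ! -group "$group")"
    report "file with setgid" "$(find "$dir" -type f -perm -2000)"
    report "file not group read/write" "$(find "$dir" -type f ! -perm -060)"
    report "directory missing setgid or group rwx" "$(find "$dir" -type d ! -perm -2070)"
    return "$bad"
}

# Usage on the Samba host, as root:
#   apply_share_perms G_servername /path/to/share
#   audit_share_perms G_servername /path/to/share
```

Running the audit periodically catches files copied in with their own mode bits, which the setgid directory bit does not correct.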
