[Samba] Permissions issue sharing data from multiple servers via multiple protocols

ww m-pubsyssamba pubsyssamba at bbc.co.uk
Tue Oct 21 12:42:56 GMT 2003

Hi all,

I have several UNIX servers I'd like to configure Samba on but am having trouble working out the best way to achieve consistent user and group permission across the file systems on several file servers.
Basically I need to integrate the Samba server into our MS AD domain, using Kerberos for authentication which all works fine. My problem is achieving consistent permissioning with AD users and groups across multiple Samba servers while also maintaining useable permissions for non SMB clients.

What seems to be the best solution is to use winbind to map AD groups to UNIX uids/gids using LDAP backend to maintain the mapping database, is there any documentation on how to achieve this? I want to avoid having local winbind maps with different random mappings on different Samba servers. I have a Sunone LDAP server with which to host this mapping data.

This still leaves me with the problem of how these permissions might map to non-smb clients accessing the same data, ie UNIX client mounting the data via NFS. I guess this basically doesn't work unless I install winbind on every single unix client? Only other way to do this I can think of is to dump winbind and create standard UNIX groups on our LDAP server and use net groupmap to manually map these to AD groups but this is pretty unrealalistic for thousands of users/groups. If this is as difficult as I think it is then I may be forced to only allow SMB connections to my Samba servers.

	thanks in advance, Andy Smith.

BBCi at http://www.bbc.co.uk/

This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically
If you have received it in error, please delete it from your system. Do not use, copy or disclose the information in any way nor act in
reliance on it and notify the sender immediately. Please note that the BBC monitors e-mails sent or received.
Further communication will signify your consent to this.

More information about the samba mailing list