[Samba] Active directory groups and shares.
Gavin Davenport
gavdav at gavdav.demon.co.uk
Sun Oct 12 09:01:12 GMT 2003
Hi there
I don't think I completely understand how to configure the shares to honour
and use domain groups - I don't think it is at the moment.
I don't know how to get samba to show me the domain information being used
to work out share permissions. In this case, my userid is in the Domain
Admins group and I want write access to the software share.
smbstatus appears to be showing me login credentials that look like the unix
id/group on the host. I also have a local (unix) machine account (&
group) using the same login name, which it appears to be using:
smbstatus:
[root@potato /root]# smbstatus
Processing section "[homes]"
Processing section "[Software]"
Samba version 3.0.1pre1
PID Username Group Machine
-------------------------------------------------------------------
2136 gavdav gavdav 10.0.0.28 (10.0.0.28)
Service pid machine Connected at
-------------------------------------------------------
gavdav 2136 10.0.0.28 Sun Oct 12 09:45:41 2003
Locked files:
Pid DenyMode Access R/W Oplock Name
--------------------------------------------------------------
2136 DENY_WRITE 0x2019f RDWR EXCLUSIVE+BATCH /home/gavdav/pstfile.pst Sun Oct 12 09:46:30 2003
smbstatus is listing (I think) my unix account. Why doesn't it say my
primary group is 'Domain Admins' ??
What have I forgotten ?
Also, how does samba decide whether to write logfiles as
$logdir/log.ip.add.re.ss or as $logdir/log.hostname ?
Gavin Davenport
*************************************************************************
My smb.conf
# Global parameters
[global]
workgroup = MYDOMAIN
realm = MYNETWORK.ISP.CO.UK
server string = Linux Samba Server
security = ADS
password server = bashful
log level = 3
log file = /var/log/samba/log.%m
max log size = 100
smb ports = 445
announce as = NT Workstation
name resolve order = host bcast
wins server = 10.0.0.104
client signing = Yes
server signing = Yes
client use spnego = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
os level = 10
preferred master = No
local master = No
domain master = No
dns proxy = No
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
# winbind separator = +
winbind cache time = 2
# winbind use default domain = Yes
comment = Redhat 7.1 Samba
hosts allow = 127., 10.0.0.
[homes]
comment = Home Directories
read only = No
browseable = No
[Software]
comment = Software Library
path = /mnt/largeprimary/software
valid users = @MYNETWORK.ISP.CO.UK\"Domain Users"
Admin users = @MYNETWORK.ISP.CO.UK\"Domain Admins"
*************************************************************************
I was working from these hints :)
In order to make it work, I had to take out the lines "winbind use default
domain = yes", and "winbind separator = +" and then fully specify the domain
group in my share definition as such:
[shared]
path = /svr/shared
valid users = @TESTSYS\shared (or @TESTSYS\"Domain Users" if there are
spaces in the group)
writeable = yes
browseable = yes
force group = TESTSYS\shared
I think this could be a bug that it does not accept only "valid users =
shared" while "winbind use default domain = yes". It appears that samba is
not correctly matching the group to the domain controllers group.
The + is not a good separator because if you read about the "valid users"
directive, it uses a + to specify a unix group.
Hope this helps someone!
Rich
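
Added example (not part of the original post, and not Samba's own parser): a simplified Python model of how smb.conf(5) documents `valid users` entries, showing which names are read as users or groups, where the domain part comes from, and why a `+` winbind separator collides with the `+` group prefix. The function names and the `+TESTSYS+shared` sample are constructed for illustration.

```python
# Simplified model of the "valid users" list syntax documented in smb.conf(5).
# Illustration only: this is not Samba's parser and does not query winbind.
PREFIXES = {
    "@": "NIS netgroup, then unix group",
    "+": "unix group",
    "&": "NIS netgroup",
}

def split_list(value):
    """Split on spaces/commas; double quotes keep names like "Domain Users" whole."""
    items, cur, quoted = [], "", False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch in " ,\t" and not quoted:
            if cur:
                items.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        items.append(cur)
    return items

def classify(entry, separator="\\"):
    """Describe one entry: user or group, lookup order, domain part, account name."""
    prefix = ""
    while entry and entry[0] in PREFIXES:   # leading @ + & select a group lookup
        prefix += entry[0]
        entry = entry[1:]
    domain, sep, name = entry.partition(separator)
    if not sep:                             # no separator: bare, unqualified name
        domain, name = None, entry
    return {
        "kind": "group" if prefix else "user",
        "lookup": ", then ".join(PREFIXES[c] for c in prefix) or None,
        "domain": domain,
        "name": name,
        # True when the separator is also a group-prefix character (the "+" case)
        "ambiguous": separator in PREFIXES,
    }

if __name__ == "__main__":
    # First two lines are from the post; the last entry is a constructed sample.
    for line in (r'@MYNETWORK.ISP.CO.UK\"Domain Users"', r"@TESTSYS\shared shared"):
        for item in split_list(line):
            print(item, "->", classify(item))
    print("+TESTSYS+shared", "->", classify("+TESTSYS+shared", separator="+"))
```

Note that a bare `shared` classifies as a user, not a group, because it carries no `@`, `+` or `&` prefix.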